Centre for Internet and Society

India's Aadhaar mandate for smartphone makers may rile global firms

praskrishna — 2016-09-15T02:25:31Z

They are unlikely to oblige to request to make changes in their operating system and devices to ensure Aadhaar authentication is done securely on smartphones.

The article by Alnoor Peermohammed was published in the Business Standard on September 14, 2016. Sunil Abraham was quoted.

India is asking global smartphone makers such asApple and Google to adopt locally designed standards on their devices or operating systems that would allow use of biometric scanners for Aadhaarauthentication, a move that could face resistance from global firms.

Apple, the world’s largest smartphone maker runs its own iOS closed ecosystem and mandates apps built by developers to be certified by the company. Its closest rival Google, which owns the Android operating software that runs on nine out of ten smartphones in India, has directives for device makers to comply with. Firms such as Samsung, Lenovo and Micromax build smartphones on the Android OS that are sold in India.

Most global companies are unlikely to oblige India’s request that would require to make changes in their operating system and devices to ensure Aadhaarauthentication is done securely on smartphones, say analysts.

“There is no clarity so far. As of now, it is impossible that they (global smartphone makers) would oblige for a hardware safe zone baked on the sensors,” says Sunil Abraham, executive director at Centre for Internet and Society, a Bengaluru-based researcher that works on emerging technologies. “Because the biometrics contain sensitive personal information, they (UIDAI) don’t want anybody — vmobile manufacturer, OS vendor, telco or ISP — to intercept it”.

India is hoping that global firms would accept the country’s plea considering that most of India’s population use a mobile phone as their only computing device and need them to authenticate on Aadhaar for using government and banking services.

“Right now we’re in consultation with all these device manufacturers as well as the operating system vendors,” said Ajay Bhushan Pandey, Director General of the Unique Identification Authority of India (UIDAI) in a phone interview. “Basically we’re trying to evolve our system wherein a manufacturer or the devices where those operating systems are being used will have a facility where Aadhaar authentication can be made possible in a secure manner.”

India has over 105 crore people or 98% of adult population with Aadhaar. Most government and private organisations use Aadhaar authentication to issue services or products such as opening a bank account, getting a ration card or buying a mobile connection.

Reliance plans to reduce paperwork and issue connections in less than an hour usingAadhaar and try to get its 100 million target market sooner.

Over a fifth of India’s one billion users own smartphones and as the country sees better mobile internet access, more people are expected to upgrade to smartphones and use apps to access their banks to transfer funds, do online shopping and access government services.

For more details visit http://editors.cis-india.org/internet-governance/news/business-standard-alnoor-peermohammed-september-14-2016-indias-aadhaar-mandate-for-smartphone-makers-may-rile-global-firms

India's 'Big Brother': The Central Monitoring System (CMS)

maria — 2013-12-06T09:39:20Z

In this post, Maria Xynou looks at India´s Central Monitoring System (CMS) project and examines whether it can target individuals´ communications data, regardless of whether they are involved in illegal activity.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Starting from this month, all telecommunications and Internet communications in India will be analysed by the government and its agencies. What does that mean? It means that everything we say or text over the phone, write, post or browse over the Internet will be centrally monitored by Indian authorities. This totalitarian type of surveillance will be incorporated in none other than the Central Monitoring System (CMS).

The Central Monitoring System (CMS)

The Central Monitoring System (CMS) may just be another step in the wrong direction, especially since India currently lacks privacy laws which can protect citizens from potential abuse. Yet, all telecommunications and Internet communications are to be monitored by Indian authorities through the CMS, despite the fact that it remains unclear how our data will be used.

The CMS was prepared by the Telecom Enforcement, Resource and Monitoring (TREM) and by the Centre for Development of Telematics (C-DoT) and is being manned by the Intelligence Bureau. The CMS project is likely to start operating this month and the government plans on creating a platform that will include all the service providers in Delhi, Haryana and Karnataka. The Information Technology Amendment Act 2008 enables e-surveillance and central and regional databases will be created to help central and state level law enforcement agencies in interception and monitoring. Without any manual intervention from telecom service providers, the CMS will equip government agencies with Direct Electronic Provisioning, filters and alerts on the target numbers. The CMS will also enable Call Data Records (CDR) analysis and data mining to identify the personal information of the target numbers.

The estimated set up cost of the CMS is Rs. 4 billion and it will be connected with the Telephone Call Interception System (TCIS) which will help monitor voice calls, SMS and MMS, fax communications on landlines, CDMA, video calls, GSM and 3G networks. Agencies which will have access to the CMS include the Research and Analysis Wing (R&AW), the Central Bureau of Investigation (CBI), the National Investigation Agency (NIA), the Central Board of Direct Taxes (CBDT), the Narcotics Control Bureau, and the Enforcement Directorate (ED). In particular, last October, the NIA approached the Department of Telecom requesting its connection with the CMS, which would help it intercept phone calls and monitor social networking sites without the cooperation of telcos. However, the NIA is currently monitoring eight out of 10,000 telephone lines and if it is connected with the CMS, the NIA will also get access to e-mails and other social media platforms. Essentially, the CMS will be converging all the interception lines at one location and Indian law enforcement agencies will have access to them. The CMS will also be capable of intercepting our calls and analyzing our data on social networking sites. Thus, even our attempts to protect our data from ubiquitous surveillance would be futile.

In light of the CMS being installed soon, the Mumbai police took the initiative of setting up a ´social media lab´ last month, which aims to monitor Facebook, Twitter and other social networking sites. This lab would be staffed by 20 police officers who would keep an eye on issues being publicly discussed and track matters relating to public security. According to police spokesman Satyanarayan Choudhary, the lab will be used to identify trends among the youth and to plan law and order accordingly. However, fears have arisen that the lab may be used to stifle political debate and freedom of expression. The arrest of two Indian women last November over a Facebook post which criticized the shutdown of Mumbai after the death of politician Bal Thackeray was proof that the monitoring of our communications can potentially oppress our freedom and human rights. And now that all our online activity will be under the microscope...will the CMS security trade-off be worth it?

Surveillance in the name of Security

In a digitised world, threats to security have been digitised. Terrorism is considered to be a product of globalisation and as such, the Internet appears to be a tool used by terrorists. Hence governments all around the world are convinced that surveillance is probably one of the most effective methods in detecting and prosecuting terrorists, as all movement, action, interests, ideas and everything else that could define an individual are closely being monitored under the ´surveillance umbrella´ True; if everything about our existence is being closely monitored and analysed, it seems likely that we will instantly be detected and prosecuted if engaged in illegal activity. But is that the case with big data? According to security expert Bruce Schneier, searching for a terrorist through data mining is like looking for a needle in a haystack. Generally, the bigger the amount of data, the bigger the probability of an error in matching profiles. Hence, when our data is being analysed through data mining of big data, the probability of us being charged for a crime we did not commit is real. Nonetheless, the CMS is going to start operating soon in an attempt to enable law enforcement agencies to tackle crime and terrorism.

A few days ago, I had a very interesting chat with an employee at SAS Institute (India) Pvt. Ltd. in Bangalore, which is a wholly owned subsidiary of SAS Institute Inc. SAS is a company which produces software solutions and services to combat fraud in financial services, identify cross-sell opportunities in retail, and all the business issues it addresses are based on three capabilities: information management, analytics and business intelligence. Interestingly enough, SAS also produces social network analysis which ´helps institutions detect and prevent fraud by going beyond individual and account views to analyze all related activities and relationships at a network dimension´. In other words, social network analysis by SAS would mean that, through Facebook, for example, all of an individual's´ interests, activities, habits, relationships and everything else that could be, directly or indirectly, linked to an individual would be mapped out in relation to other individuals. If, for example, several individuals appear to have mutual interests and activities, there is a high probability that an individual will be associated with the same type of organization as the other individuals, which could potentially be a terrorist organization. Thus, an essential benefit of the social network analysis solution is that it uncovers previously unknown network connections and relationships, which significantly enables more efficient investigations.

According to the SAS employee I spoke to, the company provides social network analysis to Indian law enforcement agencies and aims at supporting the CMS project in an attempt to tackle crime and terrorism. Furthermore, the SAS employee argued that their social network analysis solution only analyzes open source data which is either way in the public online domain, hence respecting individuals´ online privacy. In support of the Mumbai ´social media lab´, cyber security expert, Vijay Mukhi, argued:

´There may be around 60 lakh twitter users in the city and millions of other social media network users. The police will require a budget of around Rs 500 crore and huge resources such as complex software, unique bandwidth and manpower to keep a track of all of them. To an extent, the police can monitor select people who have criminal backgrounds or links with anti-social or anti-national elements...[...]...Even the apprehension that police is reading your tweet is wrong. The volume of networking on social media sites is beyond anybody's capacity. Deleting any user's message is humanly impossible. It is even difficult to find the origin of messages and shares. However, during the recent Delhi gangrape incident such monitoring of data in public domain helped the police gauge the mood of the people.´

Another cyber security expert argued that the idea that the privacy of our messages and online activity would be intercepted is a misconception. The expert stated that:

´The police are actually looking out for open source intelligence for which information in public domain on these sites is enough. Through the lab, police can access what is in the open source and not the message you are sending to your friend.´

Cyber security experts also argued that the purpose of the creation of the Mumbai social media lab and the CMS in general is to ensure that Indian law enforcement agencies are better informed about current public opinion and trends among the youth, which would enable them to take better decisions on a policy level. It was also argued that, apparently, there is no harm in the creation of such monitoring centres, especially since other countries, such as the U.S., are conducting the same type of surveillance, while have enacted stringent privacy regulations. In other words, the monitoring of our communications appears to be justified, as long as it is in the name of security.

CMS targeting individuals: myth or reality?

The CMS is not a big deal, because it will not target us individually...or at least that is what cyber security experts in India appear to be claiming. But is that really the case? Lets look at the following hypothesis:

The CMS can surveille and target individuals, if Indian law enforcement agencies have access to individuals content and non-content data and are simultaneously equipped with the necessary technology to analyse their data.

The two independent variables of the hypothesis are: (1) Indian law enforcement agencies have access to individuals´ content and non-content data, (2) Indian law enforcement agencies are equipped with the necessary technology to analyse individuals´ content and non-content data. The dependent variable of the hypothesis is that the CMS can surveille and target individuals, which can only be proven once the two independent variables have been confirmed. Now lets look at the facts.

The surveillance industry in India is a vivid reality. ClearTrail is an Indian surveillance technology company which provides communication monitoring solutions to law enforcement agencies around the world and which is a regular sponsor of ISS world surveillance trade shows. In fact, ClearTrail sponsored the ISS world surveillance trade show in Dubai last month - another opportunity to sell its surveillance technologies to law enforcement agencies around the world. ClearTrail´s solutions include, but are not limited to, mass monitoring of IP and voice networks, targeted IP monitoring, tactical Wi-Fi monitoring and off-the-air interception. Indian law enforcement agencies are equipped with such technologies and solutions and thus have the technical capability of targeting us individually and of monitoring our ´private´ online activity.

Shoghi Communications Ltd. is just another example of an Indian surveillance technology company. WikiLeaks has published a brochure with one of Shoghi´s solutions: the Semi Active GSM Monitoring System. This system can be used to intercept communications from any GSM service providers in the world and has a 100% target call monitor rate. The fact that the system is equipped with IMSI analysis software enables it to extract the suspect´s actual mobile number from the network without any help from the service provider. Indian law enforcement agencies are probably being equipped with such systems by Shoghi Communications, which would enable the CMS to monitor telecommunications more effectively.

As previously mentioned, SAS provides Indian law enforcement agencies social network analysis solutions. In general, many companies, Indian and international, produce surveillance products and solutions which they supply to law enforcement agencies around the world. However, if such technology is used solely to analyse open source data, how do law enforcement agencies expect to detect criminals and terrorists? The probability of an individual involved in illegal activity to disclose secrets and plans in the public online sphere is most likely significantly low. So given that law enforcement agencies are equipped with the technology to analyse our data, how do they get access to our content data in order to detect criminals? In other words, how do they access our ´private´ online communications to define whether we are a terrorist or not?

Some of the biggest online companies in the world, such as Google and Microsoft, disclose our content data to law enforcement agencies around the world. Sure, a lawful order is a prerequisite for the disclosure of our data...but in the end of the day, law enforcement agencies can and do have access to our content data, such as our personal emails sent to friends, our browsing habits, the photos we sent online and every other content created or communicated via the Internet. Law enforcement requests reports published by companies, such as Google and Microsoft, confirm the fact that law enforcement agencies have access to both our content and non-content data, much of which was disclosed to Indian law enforcement agencies. Thus, having access to our ´private´ online data, all Indian law enforcement agencies need is the technology to analyse our data and match patterns. The various surveillance technology companies operating in India, such as ClearTrail and Shoghi Communications, ensure that Indian law enforcement agencies are equipped with the necessary technology to meet these ends.

The hypothesis that the CMS can surveille and target us individually can be confirmed, since Indian law enforcement agencies have access to our content and non-content data, while simultaneously being equipped with the necessary technology to analyse our data. Thus, the arguments brought forth by cyber security experts in India appear to be weak in terms of validity and reliability and the CMS appears to be a new type of ´Big Brother´ upon us. But what does this mean in terms of our privacy and human rights?

The telephone tapping laws in India are weak and violate constitutional protections. The Information Technology Amendment Act 2008 has enabled e-surveillance to reach its zenith, but yet surveillance projects, such as the CMS, lack adequate legal backing. No privacy legislation currently exists in India which can protect us from potential abuse. The confirmed CMS hypothesis indicates that all individuals can potentially be targeted and monitored, regardless of whether they have been involved in illegal activity. Yet, India currently lacks privacy laws which can protect individuals from the infringement of their privacy and other human rights. The following questions in regards to the CMS remain vague: Who can authorise the interception of telecommunications and Internet communications? Who can authorise access to intercepted data? Who can have access to data? Can data monitored by the CMS be shared between third parties and if so, under what conditions? Is data monitored by the CMS retained and if so, for how long and under what conditions? Do individuals have the right to be informed about their communications being monitored and about data retained about them?

Immense vagueness revolves around the CMS, yet the project is due to start operating this month. In order to ensure that our right to privacy and other human rights are not breached, parliamentary oversight of intelligence agencies in India is a minimal prerequisite. E-surveillance regulations should be enacted, which would cover both policy and legal issues pertaining to the CMS project and which would ensure that human rights are not infringed. The overall function of the CMS project and its use of data collected should be thoroughly examined on a legal and policy level prior to its operation, as its current vagueness and excessive control over communications can create a potential for unprecedented abuse.

The necessity and utility of the CMS remain unclear and thus it has not been adequately proven yet that the security trade-off is worth it. One thing, though, is clear: we are giving up a lot of our data....we are giving up the control of our lives...with the hope that crime and terrorism will be reduced. Does this make sense?

This was cross-posted in Medianama

For more details visit http://editors.cis-india.org/internet-governance/blog/indias-big-brother-the-central-monitoring-system

India WhatsApp Privacy Fight May Affect Multinationals

praskrishna — 2017-02-02T02:28:23Z

The Indian Supreme Court’s review of Facebook Inc.'s and WhatsApp Inc.'s data security practices may lack teeth but also presages a desire for a stronger privacy regime and oversight of multinationals, internet and privacy specialists told Bloomberg BNA.

The article by Nayanima Basu was published by Bloomberg BNA on February 1, 2017. Pranesh Prakash was quoted.

WhatsApp revised its privacy policy in August 2016 to share data with owner Facebook and allow targeted ads and messages from businesses, laying the groundwork for the free messaging service to monetize such data. But a public interest complaint, akin to a class action in the U.S., filed by two Indian students and regulatory inquiries have resulted in India’s top court asking Facebook and WhatsApp about their data protection practices.

The court’s move Jan. 17 to seek the information may make multinational companies jittery, Rahul Khullar, former secretary of commerce for India’s Ministry of Commerce and Industry, told Bloomberg BNA. Although stronger data privacy enforcement is needed, all the high court has done is aggravate Facebook and other large multinationals, he said.

Facebook is the second largest media company in the world with a $367 billion market capitalization, Bloomberg data show. It acquired WhatsApp in 2014 for approximately $18 billion, data show. Facebook didn’t immediately respond to Bloomberg BNA’s e-mail request for comments.

Khullar, who is also the former chairman of the Telecom Regulatory Authority of India, said multinationals need to be more careful in sharing their data because of the “distinction between digital non-commercial data and digitally sensitive data,” he said. A strong national data privacy law would resolve some of these issues, he said.

An U.S. official based at the U.S. Embassy in New Delhi, speaking on background, told Bloomberg BNA that any maneuver that restricts the free flow of data may harm the operations of U.S.-based multinationals and similar companies.

Clarity, Stronger Laws Needed

Some internet and privacy specialists say that Facebook and WhatsApp failed to provide effective data protection under Indian law.

Pranesh Prakash, policy director at the nonprofit digital technologies advocate Centre for Internet and Society, told Bloomberg BNA that Facebook and WhatsApp are in violation of Section 43A of the Information Technology Act that lays out “reasonable security practices and procedures.”

Indian citizens are reaching out to the courts for data protection enforcement because lawmakers have “failed to do so,” he said. That highlights the need for robust data protection laws in India and, he said, hopefully “goads the government and Parliament into enacting a privacy and data protection law.”

In lieu of further legislative action, companies may be able to resolve some issues by establishing clearer privacy policies, Niraj Gunde, a Mumbai-based attorney and consumer advocate, told Bloomberg BNA. Most software agreements have a clandestine clause that allows companies to access user data, but those agreements should also state how the data will be used, stored and eventually disposed of, he said.

For more details visit http://editors.cis-india.org/internet-governance/news/bloomberg-bna-february-1-2017-nayanima-basu-india-whatsapp-privacy-fight-may-affect-multinationals

India Trilateral Forum

Admin — 2018-04-10T15:09:21Z

Sunil Abraham was a panelist in the session "The Promise and Peril of Technology" at the 14th edition of India Trilateral Forum organized by the German Marshall Fund of the United States, Observer Research Foundation and Ministry of Foreign Affairs, Government of Sweden in Goa from March 22 - 23, 2018.

The Promise and Peril of Technology

The emergence of new technologies create possibilities for change, yet also carry risks of the emergence of “soft wars,” privacy issues, ethical challenges, among others. With global military spending on the rise, we may now be on the cusp of a series of new technological innovations that will fundamentally change the way we conduct warfare. The rise of low-cost real-time satellite surveillance has the potential for privacy violation, intrusive controls, and hacking. Many credit the digital revolution with creating new possibilities for democratic engagement, because information technology has made institutions like mass media less hierarchical. There are hidden costs to the digital revolution and the transformative technologies, which needs to be carefully understood. The panel discussed the deeper layers of opportunities and risks associated with transformative technologies on war and peace and discuss whether the U.S., India, and Europe are falling behind China in this crucial area.

For more details visit http://editors.cis-india.org/internet-governance/news/india-trilateral-forum

India Today Conclave Next 2017: Aadhaar was rushed, says MP Rajeev Chandrashekhar

praskrishna — 2017-11-26T06:41:07Z

Talking at the ongoing India Today Conclave Next 2017, MP Rajeev Chandrashekhar said that Aadhaar was rushed and foisted on the country by authorities that fail to first create a proper ecosystem. Chandrashekhar gave his comments at a keynote titled Privacy -- The Fundamental Right for the Digital Citizen.

The article by Priya Pathak was published by India Today on November 8, 2017.

Chandrashekhar, who has been vocal on the issues like data protection, privacy and net neutrality, said that the government should have created a proper ecosystem for Aadhaar by bringing norms and laws around data protection and privacy before asking people to sign up for the unique ID.

The MP talked about India's journey from being a largest unconnected world to becoming the largest connected world. But Chandrashekhar criticised the "flawed" Aadhaar and said that it was a classic example of how a government system would push for technology in governance without addressing key bits of the ecosystem around the citizen and the consumer.

"If that (Aadhaar) wasn't enough, the IT act and section 66A and its language and its vagueness and its potential for misuse was another example of the faults of a bureaucracy or a political system trying to legislate or create solutions in the digital world, " he said.

At the same time, he lauded the recent Supreme Court order that held all Indians had fundamental right to privacy. "The latest finding of Supreme Court of Privacy as fundamental right is a big deal and it will alter number of things going forward," he said. He added that there should be more debate and discussion on data privacy as there is an attempt to characterise data privacy as some of kind of elitist issue in India which it's not.

Privacy, especially for the digital world, currently is one of the most debated topics in India. The country in the past few years has seen a number of instances where a government or a private entity has knowingly or unknowingly compromised the data of its users. Recently a study published by Centre for Internet and Society, a Bengaluru-based organisation, revealed that private data of more 130 million Aadhaar card holders were leaked from four government websites.

The Supreme Court in August this year declared privacy as a fundamental right. A nine-judge Constitution bench headed by Chief Justice J S Khehar has declared that "right to privacy is an intrinsic part of Right to Life and Personal Liberty under Article 21 and entire Part III of the Constitution".

The move has been praised by many including Rajeev Chadrashekhar who has said that it is a big welcome step. "It is clear that Aadhaar and all other legislations existing and proposed will have to meet the test of privacy being a fundamental right," he recently said.

For more details visit http://editors.cis-india.org/internet-governance/news/india-today-priya-pathak-november-8-2017-india-today-conclave-next-2017-aadhaar-was-rushed-says-mp-rajeev-chandrashekhar

India To Let Private Companies Access Citizens’ Biometric Data

praskrishna — 2017-02-27T15:09:16Z

India, home to the world’s largest national biometric registry, plans to begin sharing citizens’ data with the country’s private companies and startups.

The blog post by Joshua Kopstein was published by Vocativ on February 21, 2017. Sunil Abraham was quoted.

The government-backed program, called “India Stack,” will allow the second most populous country on Earth to share nearly all of its 1.3 billion citizens’ fingerprints, iris scans, and more, potentially creating unprecedented security and privacy risks in the name of convenience and digital commerce.

India Stack will open up the country’s troves of biometric data to Indian software developers, health care providers, and any other business interested in using the government’s identification records in their apps and services. The Indian government hopes the move will spur innovation, jumpstarting its effort to create a centralized system of digital commerce where citizens can purchase goods, apply for health insurance, or even qualify for a loan using the biometric sensors on their smartphones.

Opponents, however, warn that the sharing scheme opens a Pandora’s box of security and privacy problems, dramatically increasing the likelihood of data breaches and abuse.

“It’s the worst time for privacy policy in the country,” Sunil Abraham, the executive director of the Bangalore-based Centre for Internet and Society, told the Wall Street Journal. “We are very caught up in technological exuberance. Techno-utopians are ruling the roost.”

The dangers aren’t just hypothetical. In 2015, an unprecedented breach at the U.S. Office of Personnel Management allowed hackers to steal the fingerprints of 5.6 million federal employees. Researchers have found that stolen fingerprints can be used to commit fraud and identity theft, and even replicated and used to unlock smartphones and other personal devices. Worst of all, unlike passwords and social security numbers, biometric identifiers like fingerprints can never be changed, meaning that any breach is virtually guaranteed to have long-term consequences.

The India Stack program is the latest in several recent schemes to push the country toward a fully-digitized and cashless economy. As of December 2016, the Unique Identification Authority of India had registered more than 91% of the population into a centralized system called Aadhaar, which integrates with banks and allows citizens to complete transactions and access government services using their fingerprints. The country has also temporarily withdrawn its higher-denomination bank notes from circulation in an effort to bolster digital payment systems.

“While the efforts of the government are commendable, the efficacy of these programs in the absence of sufficient infrastructure for security raises various concerns,” the Centre For Internet and Society wrote in a paper outlining the privacy risks of India’s digital identity system. “Increased awareness among citizens and stronger security measures by the governments are necessary to combat the cogent threats to data privacy arising out of the increasing rate of cyberattacks.”

India’s program has already gone far beyond other countries’ biometric data collection schemes, which have mostly been limited to passports and border control. But law enforcement officials’ smaller, more piecemeal efforts to collect biometric information have also raised alarm over their potential for abuse. Thanks to the cooperation of 16 state DMVs, one in two Americans currently has their photo registered to a law enforcement face recognition database – regardless of whether they’ve been charged or even suspected of a crime. Local police in several U.S. states have also begun collecting iris scans and DNA swabs from people randomly stopped on the street, in some cases specifically targeting African American children.

For more details visit http://editors.cis-india.org/internet-governance/news/vocativ-joshua-kopstein-india-private-companies-citizens-biometric-data

India To Introduce Virtual ID For Aadhaar To Strengthen Privacy

Admin — 2018-01-17T00:11:13Z

The government will introduce a virtual identification number for Aadhaar to help strengthen privacy following several instances of data leaks.

The blog post was published by Bloomberg Quint on January 11, 2018.

The additional layer of security is meant to help Aadhaar users avoid sharing their unique identification number at the time of authentication to avail various services and welfare schemes, UIDAI said in a circular seen by BloombergQuint. The virtual ID will be an optional feature and users will be allowed to provide Aadhaar for verification.

The Aadhaar-issuing body, Unique Identification Authority of India, will also introduce limited know-your-customer rules to eliminate the need for agencies to store the biometric ID. Migration to the new system will start from June 1, it added.

Virtual IDs should be made mandatory and the UIDAI should itself generate these codes instead of having the user do it, said Pranesh Prakash, policy director at the Center for Internet Security, which has published reports on the security flaws in the world’s largest database.

This takes into account concerns of third-party databases being combined without the consent of the individual but fails to address issues of government surveillance, exclusion and cybersecurity, he added.

The move comes barely a week after The Tribune, a Chandigarh-based newspaper, reported that it could access the Aadhaar database by paying Rs 500, raising privacy concerns. Petitions challenging the validity of Aadhaar and the government’s decision to make it mandatory for everything from bank accounts to mobile services are pending in the Supreme Court.

As of now, citizens are required to share their Aadhaar number for authentication to avail certain services. With the introduction of the virtual ID that would change.

It would be a randomly generated 16-digit number that'd be digitally linked to a person's Aadhaar number. This ID would be temporary and revocable. There can be only one active and valid virtual ID for an Aadhaar number at any given point in time. Aadhaar holders will be able to use the virtual ID whenever authentication is required.

Virtual ID, by design being temporary, cannot be used by agencies for duplication.
UIDAI Circular

Only Aadhaar holders themselves can generate a virtual ID and set a minimum validity period for that after which it will have to be replaced by a new one. The virtual IDs can be changed through UIDAI's portal, at an Aadhaar enrolment centre or using the mAadhaar mobile application, the circular said.

Who Can Store Your Aadhaar Data?

The UIDAI will limit the number of agencies that can access and store your Aadhaar number. For this purpose, it will divide the agencies that seek to use Aadhaar authentication for services into two categories—global and local.

Global authentication agencies will be allowed to "securely" store the Aadhaar number, while local agencies won't. The latter would be the ones that’d use the virtual IDs and a unique token for authentication.

The Aadhaar-issuing body has not clearly defined what would classify as a global agency. It has only said that it will "from time to time" evaluate authentication agencies "based on the laws governing them and categorise them" as global agencies. Any authentication agency that is not classified as global would be local.

Transition To New System

UIDAI has told all agencies that use Aadhaar authentication to update their applications and processes for accepting virtual IDs instead of the Aadhaar number and allow authentication using the UID token. This has to be done by June 1.

If an agency fails to migrate to the new system by then, their authentication services "may be discontinued" and a penalty may be imposed, UIDAI said.

UIDAI will release the updated tools and protocols required for building the authentication software by March 1. All authentication agencies would also receive technical documents, workshops and training session to ensure smooth implementation.

For more details visit http://editors.cis-india.org/internet-governance/news/bloomberg-quint-january-11-2018-india-to-introduce-virtual-id-for-aadhaar-to-strengthen-privacy

India takes its first serious step toward privacy regulation – but it may be misguided

praskrishna — 2013-04-15T06:39:05Z

The world’s second-most populous nation may be on the cusp of embracing privacy legislation. After several false starts the Indian government appears ready to accept the need for some form of regulation.

This blog post by Simon Davies was published in the Privacy Surgeon on April 9, 2013. The Centre for Internet and Society recently published a draft Citizens privacy bill which is mentioned in this post.

Well, maybe this is a slightly optimistic view. A more accurate portrayal might be “the Indian government appears ready to accept the principle of some form of regulation”.

There is actually no agreed policy position across government on the question of privacy and data protection, but the Planning Commission last year established an Expert Group under the chairmanship of the former Chief Justice of the Delhi High Court, A.P.Shah. Justice Shah’s subsequent report is being considered and a draft Bill has been created.

Shah’s report provided a convincing body of evidence – both at the domestic and the international level – for the creation of national regulation.

It called for the formation of a regulatory framework and set out nine principles that could form a foundation for the next stage. These principles – reflecting the basis of law in other countries – have been generally accepted by Indian stakeholders as a sound frame of reference for progress.

However although the nine principles are supported, the precise nature of any possible regulation is still very much in flux.

There’s a long way to go before consensus is established on a overall type of regulatory framework. Having said that, India is closer than ever to seeing real legislation – and the international community needs to put its weight behind the activity.

Debate over the merits of data protection and privacy law stretch back beyond a decade but reform was constantly hampered by perceptions that regulation would stifle economic growth.

Some industry lobbies have been as keen as government to ensure that privacy proposals are stillborn.

Even with the nine principles as a bedrock the path to privacy law must overcome two extremely difficult hurdles.

The first of these is that a substantial number of Indian opinion leaders continue to express an instinctive view that there is no cultural history for respect of privacy in India. That is, people don’t want or expect privacy protection and Western notions of privacy are alien to Indian society.

In support of this assertion these critics often cite an analogy about conversation on Indian trains. It is well known that many Indians will disclose their life story to strangers on the Indian rail network, discussing their personal affairs with people they have never before met. This trait is construed as evidence that Indians do not value their privacy.

I spoke last week at an important meeting in New Delhi where this exact point was repeatedly made. The meeting, organised by the Data Security Council of India and ICOMP India was well attended by industry, government, academics and NGOs. Speakers made constant reference to the matter of public disclosure of personal information.

In response, noted commentator Vickram Crishna expressed the view that the train anecdote had no relevance and was a convenient ruse for people who for their own self interest opposed privacy regulation.

“In reality this circumstance is like Vegas”, he said. “What happens on Indian trains, stays on Indian trains. People will talk about their lives because they will never see these passengers again and there is no record of the disclosures.”

“What we are dealing with in the online world is a completely different matter. There is no correlation between the two environments”.

A substantial opinion poll published earlier this year also debunked the myth that Indians don’t care about privacy. Levels of concern expressed by respondents was roughly the same as the level of concern identified in other parts of the world.

A second hurdle facing privacy legislation is the perception - particularly prevalent in the United States – that legislation will be a burden on industry and people do not want yet another cumbersome and costly government structure.

There are perhaps some grounds for considering this perspective, given the vast scale and complexity of India’s economy.

Government intervention does not enjoy a history of consistent success in the marketplace, though in many instances intervention has been the only means to bring industry into compliance with basic safeguards.

I made the point at the meeting that support for a purist model of industry self regulation was simplistic and misguided. Most systems of a similar nature fail unless someone is mandated to ensure compliance, transparency, enforceability and consistency. It’s a question of finding a way to embed accountability in industry self regulation – and this is where legislation and government could help.

Justice Shah’s report reflected this widespread concern by recommending a co-regulatory framework in which a privacy commissioner would oversee industry self regulation. However – as last week’s meeting exemplified – even this compromise solution is not acceptable to many industry players. They oppose the idea of an appointed commissioner and believe that industry self regulation alone will be sufficient.

This is an influential view that cannot be brushed aside. However in a special programme aired on19th April on India’s main parliamentary television network – RSTV – I repeatedly make the point that such a view, if successful, would put Indian industry in danger of winning the battle but losing the war. Europe is unlikely to accept a model of sole industry regulation, and the crucial flow of data between the two regions could be imperiled.

Conscious of all these challenges the influential NGO Centre for Internet and Society has published a draft Citizens privacy bill and has commenced a series of consultation meetings across the country. These initiatives will provide important input for the emerging legislation.

This is an important moment for privacy in India, and one that will require careful thought and sensitive implementation. However no-one in India should be in any doubt that the current unregulated situation is unsustainable in a global environment where nations are expected to protect both their citizens and the safety of data on their systems.

For more details visit http://editors.cis-india.org/news/privacy-surgeon-simon-davies-april-9-2013-india-takes-its-first-serious-step-toward-privacy-regulation

India Subject to NSA Dragnet Surveillance! No Longer a Hypothesis — It is Now Officially Confirmed

maria — 2013-11-06T10:20:46Z

As of last week, it is officially confirmed that the metadata of everyone´s communications is under the NSA´s microscope. In fact, the leaked data shows that India is one of the countries which is under NSA surveillance the most!

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC. This blog was cross-posted in Medianama on 24th June 2013.

¨Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?”, the democratic senator, Ron Wyden, asked James Clapper, the director of national intelligence a few months ago. “No sir”, replied Clapper.

True, the National Security Agency (NSA) does not collect data on millions of Americans. Instead, it collects data on billions of Americans, Indians, Egyptians, Iranians, Pakistanis and others all around the world.

Leaked NSA surveillance

Verizon Court Order

Recently, the Guardian released a top secret order of the secret Foreign Intelligence Surveillance Court (FISA) requiring Verizon on an “ongoing, daily basis” to hand over information to the NSA on all telephone calls in its systems, both within the US and between the US and other countries. Verizon is one of America's largest telecoms providers and under a top secret court order issued on 25 April 2013, the communications records of millions of US citizens are being collected indiscriminately and in bulk supposedly until 19 July 2013. In other words, data collection has nothing to do with whether an individual has been involved in a criminal or terrorist activity or not. Literally everyone is potentially subject to the same type of surveillance.

USA Today reported in 2006 that the NSA had been secretly collecting the phone call records of millions of Americans from various telecom providers. However, the April 25 top secret order is proof that the Obama administration is continuing the data mining programme begun by the Bush administration in the aftermath of the 09/11 terrorist attacks. While content data may not be collected, this dragnet surveillance includes metadata such as the numbers of both parties on a call, location data, call duration, unique identifiers, the International Mobile Subscriber Identity (IMSI) number and the time and duration of all calls.

Content data may not be collected, but metadata can also be adequate to discover an individual's network of associations and communications patterns. Privacy and human rights concerns rise from the fact that the collection of metadata can result in a highly invasive form of surveillance of citizens´ communications and lives. Metadata records can enable the US government to know the identity of every person with whom an individual communicates electronically, as well as the time, duration and location of the communication. In other words, metadata is aggregate data and it is enough to spy on citizens and to potentially violate their right to privacy and other human rights.

PRISM

Recently, a secret NSA surveillance programme, code-named PRISM, was leaked by The Washington Post. Apparently, not only is the NSA gaining access to the meta data of all phone calls through the Verizon court order, but it is also tapping directly into the servers of nine leading Internet companies: Microsoft, Skype, Google, Facebook, YouTube, Yahoo, PalTalk, AOL and Apple. However, following these allegations, Google, Microsoft and Facebook recently asked the U.S. government to allow them to disclose the security requests they receive for handing over user data. It remains unclear to what extent the U.S. government is tapping into these servers.

Yet it appears that the PRISM online surveillance programme enables the NSA to extract personal material, such as audio and video chats, photographs, emails and documents. The Guardian reported that PRISM appears to allow GCHQ, Britain's equivalent of the NSA, to secretly gather intelligence from the same internet companies. Following allegations that GCHQ tried to circumvent UK law by using the PRISM computer network in the US, the British foreign secretary, William Hague, stated that it is “fanciful nonsense” to suggest that GCHQ would work with an agency in another country to circumvent the law. Most notably, William Hague emphasized that reports that GCHQ are gathering intelligence from photos and online sites should not concern people who have nothing to hide! However, this implies that everyone is guilty until proven innocent...when actually, democracy mandates the opposite.

James R. Clapper, the US Director of National Intelligence, stated:

“Information collected under this program is among the most important and valuable foreign intelligence information we collect, and is used to protect our nation from a wide variety of threats. The unauthorized disclosure of information about this important and entirely legal program is reprehensible and risks important protections for the security of Americans.”

So essentially, Clapper stated that in the name of US national security, the personal data of billions of citizens around the world is being collected. By having access to data stored in the servers of some of the biggest Internet companies in the world, the NSA ultimately has access to the private data of almost all the Internet users in the world.

Boundless Informant

And once the NSA has access to tons of data through the Verizon court order and the PRISM surveillance programme, how does it create patterns of intelligence and generally mine huge volumes of data?

The Guardian released top secret documents about the NSA data mining tool, called Boundless Informant; this tool is used to detail and map by country the volumes of information collected from telephone and computer networks. The focus of the Boundless Informant is to count and categorise the records of communication, known as metadata, and to record and analyse where its intelligence comes from. One of the leaked documents states that the tool is designed to give NSA officials answers to questions like: “What type of coverage do we have on country X”. According to the Boundless Informant documents, the NSA has been collecting 3 billion pieces of intelligence from US computer networks over a 30-day period ending in March 2013. During the same month, 97 billion pieces of intelligence from computer networks were collected worldwide.

The following “global heat map” reveals how much data is being collected by the NSA from around the world:

The colour scheme of the above map ranges from green (least subjected to surveillance) through yellow and orange to red (most surveillance). India is notably orange and is thus subject to some of the highest levels of surveillance by the NSA in the world.

During a mere 30-day period, the largest amount of intelligence was gathered from Iran with more than 14 billion reports, while Pakistan, Jordan and Egypt were next in line in terms of intelligence gathering. Unfortunately, India ranks 5th worldwide in terms of intelligence gathering by the NSA. According to the map above, 6.3 billion pieces of intelligence were collected from India by the NSA from February to March 2013. In other words, India is currently one of the top countries worldwide which is under the US microscope, with 15% of all information being tapped by the NSA coming from India during February-March 2013.

Edward Snowden is the 29-year-old man behind the NSA leaks...who is responsible for one of the most important leaks in US (and one may argue, global) history.

So what does this all mean for India?

In his keynote speech at the 29th Chaos Communications Congress, Jacob Appelbaum stated that surveillance should be an issue which concerns “everyone´s department”, especially in light of the NSA spying on citizens all over the world. True, the U.S. appears to have a history in spying on civilians, and the Corona, Argon, and Lanyard satellites used by the U.S. for photographic surveillance from the late 1950s is proof of that. But how does all this affect India?

By tapping into the servers of some of the biggest Internet companies in the world, such as Google, Facebook and Microsoft, the NSA does not only gain access to the data of American users, but also to that of Indian users. In fact, the “global heat map” of the controversial Boundless Informant data mining tool clearly shows that India ranked 5th worldwide in terms of intelligence gathering, which means that not only is the NSA spying on Indians, but that it is also spying on India more than most countries in the world. Why is that a problem?

India has no privacy law. India lacks privacy legislation which could safeguard citizens from potential abuse by different types of surveillance. But the worst part is that, even if India did have privacy laws, that would still not prevent the NSA from tapping into Indians´ data through the servers of Internet companies, such as Google. Moreover, the fact that India lacks a Privacy Commissioner means that the country lacks an expert authority who could address data breaches.

Recent reports that the NSA is tapping into these servers ultimately means that the U.S. government has access to the data of Indian internet users. However, it remains unclear how the U.S. government is handling Indian data, which other third parties may have access to it, how long it is being retained for, whether it is being shared with other third parties or to what extent U.S. intelligence agencies can predict the behaviour of Indian internet users through pattern matching and data mining.

Many questions remain vague, but one thing is clear: through the NSA´s total surveillance programme, the U.S. government can potentially control the data of billions of internet users around the world, and with this control arises the possibility of oppression. It´s not just about the U.S. government having access to Indians´ data, because access can lead to control and according to security expert, Bruce Schneier:

“Our data reflects our lives...and those who control our data, control our lives”.

How are Indians supposed to control their data, and thus their lives, when it is being stored in foreign servers and the U.S. has the “right” to tap into that data? The NSA leaks mark a significant point in our history, not only because they are resulting in corporations seeking data request transparency, but also because they are unveiling a major global issue: surveillance is a fact and can no longer can be denied. The massive, indiscriminate collection of Indians´ data, without their prior knowledge or consent, and without the provision of guarantees in regards to how such data is being handled, poses major threats to their right to privacy and other human rights. The potential for abuse is real, especially since the larger the database, the larger the probability for error. Mining more data does not necessarily increase security; on the contrary, it increases the potential for abuse, especially since technology is not infallible and data trails are not always accurate.

What does this mean? Well, probably the best case scenario is that an individual is targeted. The worst case scenario is that an individual is imprisoned (or maybe even murdered - remember the drones?) because his or her data “says” that he or she is guilty. Is that the type of world we want to live in?

What can we do now?

Let´s start from the basics. India needs privacy legislation. India needs privacy legislation now. India needs privacy legislation now, more than ever.

Privacy legislation would regulate the collection, access to, sharing of, retention and disclosure of all personal data within India. Such legislation could also regulate surveillance and the interception of communications, in compliance with the right to privacy and other human rights. A Privacy Commissioner would also be established through privacy legislation, and this expert authority would be responsible for overseeing the enforcement of the Privacy Act and addressing data breaches. But clearly, privacy legislation is not enough. The various privacy laws of European countries have not prevented the NSA from tapping into the servers of some of the biggest Internet companies in the world and from gaining access to the data of millions of citizens around the world. Yet, privacy legislation in India should be a basic prerequisite to ensure that data is not breached within India and by those who may potentially gain access to Indian national databases.

As a next- but immediate- step, the Indian government should demand answers from the NSA to the following questions:

What type of data is collected from India and which parties have access to it?
How long is such data retained for? Can the retention period be renewed and if so, for how long?
Is data collected on Indian internet users shared with third parties? If so, which third parties can gain access to this data and under what conditions? Is a judicial warrant required?

In addition to the above questions, the Indian government should also request all other information relating to Indians´ data collected through the PRISM programme, as well as proceed with a dialogue on the matter. Governments are obliged to protect their citizens from the abuse of their human rights, especially in cases when such abuse may occur from foreign agencies. Thus, the Indian government should ensure that the future secret collection of Indians´ data is prevented and that Internet companies are transparent and accountable in regards to who has access to their servers.

On an individual level, Indians can protect their data by using encryption, such as GPG encryption for their emails and OTR encryption for instant messaging. Tor is free software and an open network which enables online anonymity by bouncing communications around a distributed network of relays run by volunteers all around the world. Tor is originally short for “The Onion Router” and “onion routing” refers to the layers of encryption used. In particular, data is encrypted and re-encrypted multiple times and is sent to randomly selected Tor relays. Each relay decrypts a “layer” of encryption to reveal it only to the next relay in the circuit and the final relay decrypts the last “layer” of encryption. Essentially, Tor reduces the possibility of original data being understood in transit and conceals the routing of it.

To avoid surveillance, the use of HTTPS-Everywhere in the Tor Browser is recommended, as well as the use of combinations of additional software, such as TorBirdy and Enigmail, OTR and Diaspora. Tor hidden services are communication endpoints that are resistant to both metadata analysis and surveillance, which is why they are highly recommended in light of the NSA´s surveillance. An XMPP client that ships with an XMPP server and a Tor hidden service is a good example of how to avoid surveillance.

Protecting our data is more important now than ever. Why? Because global, indiscriminate, mass data collection is no longer a hypothesis: it´s a fact. And why is it vital to protect our data? Because if we don´t, we are ultimately sleepwalking into our control and oppression where basic human rights, such as freedom, would be a myth of the past.

The principles formulated by the Electronic Frontier Foundation and Privacy International on communication surveillance should be taken into consideration by governments and law enforcement agencies around the world. In short, these principles are:

Legality: Limitations to the right to privacy must be prescribed by law
Legitimate purpose: Access to communications or communications metadata should be restricted to authorised public authorities for investigative purposes and in pursuit of a legitimate purpose
Necessity: Access to communications or communications metadata by authorised public authorities should be restricted to strictly and demonstrably necessary cases
Adequacy: Public authorities should be restricted from adopting or implementing measures that allow access to communications or communications metadata that is not appropriate for fulfillment of the legitimate purpose
Competent authority: Authorities must be competent when making determinations relating to communications or communications metadata
Proportionality: Public authorities should only order the preservation and access to specifically identified, targeted communications or communications metadata on a case-by-case basis, under a specified legal basis
Due process: Governments must respect and guarantee an individual's human rights, that may interference with such rights must be authorised in law, and that the lawful procedure that governs how the government can interfere with those rights is properly enumerated and available to the public
User notification: Service providers should notify a user that a public authority has requested his or her communications or communications metadata with enough time and information about the request so that a user may challenge the request
Transparency about use of government surveillance: The access capabilities of public authorities and the process for access should be prescribed by law and should be transparent to the public
Oversight: An independent oversight mechanism should be established to ensure transparency of lawful access requests
Integrity of communications and systems: Service providers are responsible for the secure transmission and retention of communications data or communications metadata
Safeguards for international cooperation: Mutual legal assistance processes between countries and how they are used should be clearly documented and open to the public
Safeguards against illegitimate access: Governments should ensure that authorities and organisations who initiate, or are complicit in, unnecessary, disproportionate or extra-legal interception or access are subject to sufficient and significant dissuasive penalties, including protection and rewards for whistleblowers, and that individuals affected by such activities are able to access avenues for redress
Cost of surveillance: The financial cost of providing access to user data should be borne by the public authority undertaking the investigation

Applying these above principles is a prerequisite, but may not be enough. Now is the time to resist unlawful and non-transparent surveillance. Now is the time for everyone to fight for their right to be free.

Is a world without freedom worth living in?

For more details visit http://editors.cis-india.org/internet-governance/blog/india-subject-to-nsa-dragnet-surveillance

India Still Trying To Turn Optional Aadhaar Identification Number Into A Mandatory National Identity System

praskrishna — 2016-03-24T06:34:21Z

from the sliding-down-the-slippery-slope-to-disaster dept

The blog post was published by Tech Dirt on March 22, 2016. CIS research on Aadhaar was quoted.

Last year, we wrote about India's attempt to turn the use of its Aadhaar system, which assigns a unique 12-digit number to all Indian citizens, into a requirement for accessing government schemes. An article in the Hindustan Times shows that the Indian government is still pushing to turn Aadhaar into a mandatory national identity system. A Bill has just been passed by both houses of the country's parliament, which seeks to give statutory backing to the scheme -- in the teeth of opposition from India's Supreme Court:

There have been orders passed by the Supreme Court that prohibit the government from making Aadhaar mandatory for availing government services whereas this Bill seeks to do precisely that, contrary to the government's argument that Aadhaar is voluntary.

The article notes that in some respects, the new Bill brings improvements over a previous version:

It places stringent restrictions on when and how the UID [Unique Identification] Authority (UIDAI) can share the data, noting that biometric information -- fingerprint and iris scans -- will not be shared with anyone. It seeks prior consent for sharing data with third party. These are very welcome provisions.

But it also contains some huge loopholes:

The government will get sweeping power to access the data collected, ostensibly for "efficient, transparent, and targeted delivery of subsidies, benefits and services" as it pleases "in the interests of national security", thus confirming the suspicions that the UID database is a surveillance programme masquerading as a project to aid service delivery.

The fact that an optional national numbering system now seems to be morphing into a way to monitor what people are doing will hardly come as a surprise to Techdirt readers, but this continued slide down the slippery slope is still troubling, as are other aspects of the new legislation. For example, it was introduced as a "Money Bill," which is normally reserved for matters related to taxation, not privacy. That suggests a desire to push it through without real scrutiny. What makes this attempt to give the Aadhaar number a much larger role in Indian society even more dangerous is the possibility that it won't work:

A recent paper in the Economic and Political Weekly by Hans Mathews, a mathematician with the [Centre for Internet and Society], shows the programme would fail to uniquely identify individuals in a country of 1.2 billion.

A mandatory national identity system that can't even uniquely identify people: sounds like a recipe for disaster.

For more details visit http://editors.cis-india.org/internet-governance/news/tech-dirt-march-22-2016-india-still-trying-to-turn-optional-aadhaar-identification-number-into-mandatory-national-identity-system

India second in requesting user info: Google

praskrishna — 2012-11-15T09:40:10Z

India is at second place after the US in terms of the government requests for user data from Google

Karthik Subramanian's article was published in the Hindu on November 14, 2012. Pranesh Prakash is quoted.

The Indian government made the second largest demand for Web user information — next only to the United States government — to Google in the six-month period from January to June this year, according to the ‘Transparency Report’ published by the Web services major on Tuesday.

During the six-month period, the Indian government — both by way of court orders and by way of requests from police— requested Google to disclose user information 2,319 times over 3,467 users/accounts. Google fully or partially complied with the request to the tune of 64 per cent. Only the U.S. government requested more data during the period — 7,969 requests over 16,281 accounts, compliance rate: 90 per cent.

It is the sixth time Google has brought out the bi-annual report detailing its interactions with the world government agencies. It details two categories of interactions : requests to divulge user data; and requests to pull down content. India ranked seventh in the list of requests to pull down data; experts say that the possible reason could be the government not having such powers under the Constitution.

Pranesh Prakash, policy director with Bangalore-based Centre for Internet and Society, said that the Google report was a damning indictment of the country’s government exceeding its constitutional bounds by demanding removal of material for defamation, government criticism, etc., without a valid court order. "There are no laws in our country that allows the executive or the police to remove such material without a court order."

Substantial spike

In all, 33 countries figure in the report. There was a substantial spike when compared to previous reports with respect to the number of requests from various governments to pull down content.

"In the first half of 2012, there were 20,938 inquiries from government entities around the world. Those requests were for information about 36,614 accounts,” wrote Dorothy Chou, Google’s senior policy analyst, on the Official Google Blog while presenting the report. “The number of government requests to remove content from our services was largely flat from 2009 to 2011. But it’s spiked in this reporting period. In the first half of 2012, there were 1,791 requests from government officials around the world to remove 17,746 pieces of content."

Google is leading the cause for voluntary disclosure of the interactions it has with the governments. Other web services that put out similar transparency reports include micro-blogging site Twitter; cloud storage service Dropbox; and social networking site Linkedin.

Mr. Prakash said it was not enough if just the web services put out such reports. "The telecom service providers must voluntarily come out with such information," he added.

"There is a dearth of public information about the amount of legal interception and surveillance. This does not bode well in a democratic polity."

For more details visit http://editors.cis-india.org/news/the-hindu-sci-tech-internet-karthik-subramanian-nov-14-2012-india-second-in-requesting-user-info-google

India second in keeping tabs on netizens

praskrishna — 2012-11-15T09:04:01Z

India ranks second globally in accessing private details of its citizens, next only to the US, if the latest data from Google is to be believed.

The article by Ishan Srivastava was published in the Times of India on November 15, 2012, Pranesh Prakash is quoted.

The transparency report by the internet search giant lists out requests it received from governments across the world to access information on the users of its various services.

In the first six months of 2012, India made 2,319 requests involving 3,467 users. In comparison, the US made 7,969 requests in the same period and Brazil, which comes third, sent 1,566 requests. Globally, there were 20,938 requests for user data during the January-June period. The data can include your complete Gmail account, chat logs, Orkut profile and search terms among others. These reports are prepared by Google every six months, and were started in July-December 2009.

The requests for user data from India doubled from 1,061 in July-December 2009 to 2,207 in July-December 2011.

"Though India is a large country with a significant number of internet users, this data is nonetheless an indicator of growing surveillance," said Pranesh Prakash, policy director at Centre for Internet and Society (CIS), a Bangalore-based organization looking at issues of public accountability, internet freedom and openness.

"India lacks a general privacy law that helps set guidelines for such user requests, despite privacy being a constitutional right as part of the right to life," said Prakash.

India also actively sends requests to take down content which it deems defamatory and against national security. While the number of court orders for taking down web content has remained almost stagnant over the years, there has been a rise in the number of requests by the executive and police. Between January and June this year, there were 20 court orders and 64 requests from executive/police that resulted in 596 items being taken down from the web. In comparison, there were only eight court orders and 22 executive/police requests in January-June 2010, resulting in 125 items being taken down.

"The government does not always specify the reason for which they want access. They just want access, what they do with the information is not known to us," said a legal adviser to an MNC. "These requests come with a threat to our continued operation in India."

Falsified court orders are also being employed to seek removal of content. Three such court orders were sent to Google "that demanded the removal of blog posts and entire blogs for alleged defamation." One order was said have been issued by a local court in Andheri, Mumbai while the other two by the Delhi high court. But all the three were found to be fake.

Google says a single court order was responsible for removal of 360 items this year as they "contained adult videos that allegedly violated an individual's personal privacy." While such orders have a positive impact like curbing pornography and violent content, governments at every level have also tried to use these requests to take down unfavourable content or criticism.

In January-June 2011 period, Google received "requests from state and local law enforcement agencies to remove YouTube videos that displayed protests against social leaders or used offensive language in reference to religious leaders". Google rejected a majority of these requests. It also received a request from a law enforcement agency to remove 236 communities and profiles from Orkut that were critical of a local politician. Google did not remove them either.

"Prior to 2009, government had limited powers of interception. However, after 26/11 they gave themselves huge powers to block and monitor content," said Supreme Court lawyer Pavan Duggal. "Data privacy is non-existent in India." He said that the A P Shah Committee, which was formed to recommend principles for a privacy law, has submitted its report to the Planning Commission and now it is up to the government to take it to the next stage.

Both Prakash and Duggal said that technology companies in India, including telecom players, should come out with similar transparency reports as Google. A report by international watchdog Privacy International says that Bharti Airtel, in its 2010-2011 annual report, said it had received 422 appreciation letters from law enforcement agencies for assistance in lawful interceptions. "The Indian IT Act requires electronic audit by firms but the law is silent on how this audit is filed," said Duggal.

Globally, Dropbox, LinkedIn, Sonic.net and Twitter release transparency reports apart from Google.

For more details visit http://editors.cis-india.org/news/times-of-india-india-times-tech-tech-news-internet-ishan-srivastava-nov-15-2012-india-second-in-keeping-tabs-on-netizens

India ranks second globally in accessing private details of users

praskrishna — 2012-11-19T04:49:23Z

According to the latest transparency report released by Google, India ranks second in the world for accessing private details of its citizens, only after the U.S. The Google report lists out requests it received from governments across the world to access details of users of its various services.

Kul Bhushan's blog post was published in thinkdigit on November 15, 2012. Pranesh Prakash is quoted.

Google's data reveals India had made 2,319 requests involving 3,467 users in the first six months. The U.S. made 7,969 requests, while Brazil, which ranks third, made 1,566 requests during the same period. Worldwide 20,938 requests were made during the January-June period. The report says the information shared included complete Gmail account, chat logs, Orkut profile and search terms among others.

The requests for accessing user data from India had grown two-fold from 1,061 in July-December 2009 to 2,207 in July-December 2011, the report points out.

According to the report, India has been consistently sending requests to remove content which it brands as defamatory and against national security. The court orders, however, to take down content has remained almost stagnant over the years; though requests from the executive and police have grown.

In the first six months this year, there were 20 court orders and 64 requests from executive/police that resulted in 596 items being taken down from the web. During the January-June 2010 period, there were only eight court orders and 22 executive/police requests, resulting in 125 items being taken down. Read about Google's previous transparency report here.

"Though India is a large country with a significant number of internet users, this data is nonetheless an indicator of growing surveillance," Times of India quotes Pranesh Prakash, policy director at Centre for Internet and Society ( CIS), a Bangalore-based organization looking at issues of public accountability, internet freedom and openness, as saying.

"India lacks a general privacy law that helps set guidelines for such user requests, despite privacy being a constitutional right as part of the right to life," added Prakash.

For more details visit http://editors.cis-india.org/news/thinkdigit-internet-kul-bhushan-nov-15-2012-india-ranks-second-globally-in-accessing-private-details-of-users

India Privacy Meet

praskrishna — 2012-07-02T10:48:54Z

Microsoft, DSCI and Greyhead came together to organise India Privacy Meet at Hotel LeMeridien on June 29, 2012 in New Delhi. Sunil Abraham was a panelist in the event.

Agenda

10:00a.m.- 10:10a.m.	Welcome and Introduction: Rahul Neel Mani, Editor & Co-founder Grey Head Media
10:10a.m.- 10:30a.m.	Conference Opening Remarks: Dr. Kamlesh Bajaj, CEO Data Security Council of India
10:30a.m.- 10:45a.m.	Theme Address: Deepak Rout, CSO & Director Privacy, Microsoft India
10:45a.m.- 11:00a.m.	Tea/Coffee Break
11:00a.m.- 12:00p.m.	Panel 1: Consumer Privacy – Creating the Right Balance

Brief: Data Privacy is perhaps the most concerning issue in the digital age. Consumer privacy or customer privacy, involves the handling and protection of sensitive personal information that individuals provide in the course of everyday commercial or professional transactions. This involves exchange or use of data electronically or by other means, including telephone, fax, writing, and word of mouth. With the advent and evolution of Internet and other electronic methods of mass communications, consumer privacy has become a major concern to deal with. Personal information, when misused or inadequately protected, can result in identity theft, financial fraud, and other problems that collectively cost individuals, businesses, and governments. In addition, Internet crimes and civil disputes consume law enforcement and judicial resources, confound legislators and bureaucracy, and produce untold personal aggravation.

Key Discussion Areas:

Handling of Personal Information including Sensitive Personal Information
Customer education on understanding business models and motives behind collection and use of Personal Information?
Privacy legislation and striking the right balance between various objectives
Privacy by design, online tracking, and transparency issues
Role of Government, Academia and Citizen groups

Panelists:

Chair - Dr. Kamlesh Bajaj, CEO, Data Security Council of India (DSCI)
Sivarama Krishnan, Executive Director, PwC India
Pankaj Agarwal, Head of IT Governance & CISO Aircel
Prashant Mali, Advocate & Cyber Law Expert
Deepak Rout, CSO & Director Privacy, Microsoft India
Vishal Jain, Director, Ernst & Young

12:00p.m.- 01:00p.m.	Panel 2: Citizen Privacy Transparency, Accountability and Social Progress

Brief: While citizens are adopting new technologies which are increasingly making it easier to share information more freely and thereby track individuals more easily, they are also demanding more accountability and openness. Experience indicates that having a more informed citizenry improves services, and accelerates innovation; thus the era of copious content has the potential to generate a host of new services and businesses. However, there is a need for greater transparency in the handling of citizen data and its legitimate use in governance and law enforcement. While new age technologies, if inappropriately used, have a potential impact on citizens’ privacy, they also arm us with the capability to protect citizen data and provide opportunities for privacy conscious and transparent usage of such data, provided there is an enabling environment created by informed and responsible privacy legislation.

Key Discussion Areas:

Core objectives for privacy legislation
Role of government in protecting citizen privacy
Citizen awareness of privacy concerns in today’s legal, business and technology landscape
Expectations of government and citizens on policies around usage and collection of personal data and ability to build profiles for being used for different purposes
Model privacy legislation

Panelists:

Chair - Nirmaljeet Singh Kalsi, Jt. Secretary, Ministry of Home Affairs
Na Vijaya Shankar, E-business Consultant & Cyber Law Specialist (Coordinator)
Sunil Abraham, Executive Director, Centre for Internet & Society
Akhilesh Tuteja, Executive Director, KPMG India
A P Singh, DDG, Unique Identification Authority of India (UIDAI)
Kailas Karthikeyan, Regulatory & Pub Policy Manager, Legal and Corp Affairs Microsoft

01:00p.m.- 01:10p.m.	Conference Closing Remarks by Deepak Rout, CSO & Director, Privacy Microsoft India Vote of Thanks
01:15p.m. onwards	Lunch

For more details visit http://editors.cis-india.org/news/india-privacy-meet

India No Haven For Net Freedom But It Did Not Oppose UN Move on Internet Rights

praskrishna — 2016-07-09T02:25:51Z

India hasn’t had the best record when it comes to Internet rights. The country regularly carries out Internet shutdowns under flimsy pretexts, is still fumbling when it comes to the drafting of a comprehensive privacy bill, and most recently came out with a geospatial information regulation bill that would establish ownership over all forms of location data.

The article by Anuj Srinivas was published in the Wire on July 6, 2016.

So, last week, when the United Nations Human Rights Council (UNHRC) passed a resolution on the “promotion, protection and enjoyment of human rights on the Internet”, it wasn’t surprising to see the wave of media criticism of the amendments that were proposed by countries such as China and Russia – and which were supported by India.

South Africa’s Mail & Guardian ran a story headlined “South Africa votes with China, Russia and India against Internet freedoms in UN resolution”. Private Internet Access’s headline was “These 17 Countries Don’t Believe that Freedom of Expression on the Internet is a Human Right”. Popular tech website The Verge noted that the resolution was opposed “by a minority of authoritarian regimes including Russia, China and Saudi Arabia, as well as democracies like South Africa and India. These nations called for the UN to delete a passage in the resolution that ‘condemns unequivocally measures to intentionally prevent or disrupt access to our dissemination of information online’.”

The Verge‘s report was followed up by a number of Indian publications including IndiaToday and Medianama – the latter incorrectly stating that the UNHRC resolution “recognised Internet usage as a basic human right – as well a host of other global publications.

The facts
There were two fundamental mistakes with some of these reports. Firstly, the resolution was adopted without vote (with oral revision) as noted by the UNHRC. Therefore, while there were a number of countries which co-sponsored the resolution and many that didn’t, it is completely wrong to state that India – as the Mail & Guardian reported – or any other country, voted against the resolution.

Secondly, as noted by the Centre for Internet and Society, none of the four amendments supported by India called for the deletion of a passage that condemned the prevention or disruption of Internet access and online information dissemination. Although it may fit neatly within India’s history of issuing Internet block orders, no country was opposed to this paragraph at the UNHRC forum (although many countries including India flout this clause in spirit back at home). No such amendment was proposed.

What then were these four amendments, which Article 19, an organisation that advocates freedom of expression, statedwould “substantially weaken the resolution”? Out of the four amendments (referred to as L85-88 in the UNHRC resolution), the first amendment (L85) – which sought to include a reference to fighting against the exploitation of children online – was withdrawn by Russia before it was considered by member states.

The other three amendments, while not completely endorsed by the countries that co-sponsored the resolution, do carry a certain level of nuance. Only one of the amendments (L86) can truly be described as diluting language regarding freedom of expression online, although this could have been potentially a result of procedural politics.

L88: Including Reference to Hate Speech
This amendment – proposed by Belarus, China, Iran and the Russian Federation – asks to introduce a new paragraph that states:

“Expresses its concern at the use of the Internet and information and communications technology to disseminate ideas based on racial superiority or hatred, and incitement to racial discrimination, xenophobia and related intolerance.”

Article 19 says of this amendment that it would “undermine the intended focus of the draft resolution on protecting human rights online, in particular freedom of expression..” While it is true that a few paragraphs of the resolution’s preamble include a reference to hate speech, it is difficult to see what harm this amendment would have brought in and even more difficult to accept that it would dilute the focus of the overall resolution.

Using the Internet and other online media technologies for incitement and as a means of propagating intolerance and xenophobia is a very real problem in India and other Asian countries, the most notable example of which was the role that social media played in the exodus of north-east Indian migrants from Bangalore four years ago. While shutdowns are obviously not the best way of dealing with this, it is important to acknowledge the role of the Internet as a medium in this aspect. In sum, this amendment certainly would not have diluted the resolution’s aim of promoting freedom of expression online.

L87: Human-Rights Approach
The second amendment replaces the term “human rights-based approach” with “comprehensive and integrated approach” in two paragraphs on expanding Internet access:

PP17: Stressing the importance of applying a comprehensive and integrated (human rights-based approach) in providing and expanding access to the Internet and for the Internet to be open, accessible and nurtured by multistakeholder participation,

OP5: Affirms also the importance of applying a comprehensive and integrated (human rights-based approach) in providing and in expanding access to Internet and requests all States to make efforts to bridge the many forms of digital divides..

This amendment was a little trickier. According to people involved in the country stakeholder discussions, whom The Wirespoke with, the aversion to a ‘human-rights’ approach towards expanding Internet access came as a result of China and Russia playing procedural politics. The language that was proposed in the amendment – “comprehensive and integrated” – while certainly not the strongest possible language that could have been used, would not have legally diluted the proposal to expand Internet access while maintaining an open and multistakeholder approach towards Internet governance.

Stepping back, what would a human rights-based approach in expanding Internet access look like? Would it include legitimising the act of zero-rating and the approval of schemes such as Facebook’s Free Basics? Both of which, incidentally, have been banned in India. While the proposed amendment certainly does not speak well of the motivations of China, Russia and India, the term is also vague enough that its mere removal doesn’t indicate a lack of support towards Internet freedom.

L88 – Right to privacy and removal of UDHR reference
This amendment, proposed by China and the Russian Federation, was more straightforward. In two paragraphs, it sought to add the specific term ‘right to privacy’, while in another paragraph it proposed removing reference to language from, and articles in, the Universal Declaration of Human Rights. Had the amendment been passed, the changes in the following paragraphs would have been made:

PP7: Noting that the exercise of human rights, in particular the right to freedom of expression and the right to privacy, on the Internet is an issue of increasing interest and importance as the rapid pace of technological development enables individuals all over the world to use new information and communication technologies,

OP15: Decides to continue its consideration of the promotion, protection and enjoyment of human rights, including the right to freedom of expression and the right to privacy, on the Internet and other information and communication technology, as well as of how the Internet can be an important tool for fostering citizen and civil society participation, for the realisation of development in every community and for exercising human rights, in accordance with its programme of work.

OP1: Affirms that the same rights that people have offline must also be protected online, in particular freedom of expression ~~which is applicable regardless of frontiers and through any media of one’s choice~~, and the right to privacy in accordance with articles 17 and 19 of the ~~Universal Declaration of Human Rights and the~~ International Covenant on Civil and Political Rights;

On one hand, this amendment would have added specific reference to the right to privacy. That specific term doesn’t appear in the draft resolution, although there are a few references to privacy in general in the resolution’s preamble.

However, the addition of a ‘right to privacy’ is coupled with a watering down of clear references to the protection of freedom of expression. Cynical observers would rightly note that China and Russia are probably less concerned with online privacy and more irked with the clear support of freedom of expression “regardless of frontiers” and “in accordance with the Universal Declaration of Human Rights”; which is probably why this particular proposed amendment combined both issues to improve its chances of passing. While there is little doubt that this amendment would have diluted the resolution’s focus on protecting freedom of expression, the alternative phrasing also doesn’t create legal loopholes that renders it useless. Moreover, it still contains reference to the International Covenant on Civil and Political Rights, especially Article 19, which goes beyond Article 19 of the UDHR .

India, a guardian?
It would be naive and wrong to take a strong position either way. To state that the amendments supported by India are all antithetical to the spirit of the UNHRC resolution, as some have done, is simply incorrect. On the other hand, this doesn’t mean India, and even less, China and Russia, are guardians of Internet freedom.

The UNHRC resolution in its entirety is a fine document. While non-binding, it provides a foundation for claiming that the same rights people have offline “must also be protected online”. Other crucial sections state that governments “should ensure accountability for all human rights violations and abuses committed against persons for exercising their human rights online”, while condemning “measures to intentionally prevent or disrupt access to or dissemination of information online”.

While the amendments India supported may not wholly oppose this resolution, it is also true that successive Indian governments also do not have an admirable track-record of upholding the resolution’s aims. Freedom for online speech had to be reclaimed in the form of court judgements, with the current government still supporting regulations that would allow it clamp down on online freedom of expression. In certain states within the country, Internet shutdowns happen without public explanations or justifiable reasoning. Over the last four years, for instance, Jammu and Kashmir has lost 18 days of Internet access. While it may not have wholly opposed the UNHRC resolution, the country still has a ways to go in terms of Internet freedom.

For more details visit http://editors.cis-india.org/internet-governance/news/the-week-anuj-srinivas-july-6-2016-india-no-haven-for-net-freedom-but-did-not-oppose-un-move-on-internet-rights