Digital Rights Archives « Aam Janata

In a landmark challenge to Aadhaar on the grounds of privacy being an inalienable fundamental right, a 9 judge bench of the Supreme Court of India upholds Right To Privacy as an Intrinsic Part Of Right To Life And Personal Liberty

The Supreme Court of India has once again come to the rescue of the citizens of India by declaring that the right to privacy is a fundamental right. This is a big jolt to a government that was turning itself into a surveillance state by intruding into every aspect of the individual's life. The decision was unanimous, reflecting the settled legal voice on the issue.

The decision was given by a bench of nine judges, who ruled that the right to privacy is an intrinsic part of the Right to Life and Personal Liberty under Article 21 and of the entire Part III of the Constitution.

Part III contains the fundamental rights given to people so that they can live their lives as they wish and develop their personalities fully. The decision is linked to the government's effort to make Aadhaar mandatory for social welfare schemes; the government also amended the Income Tax Act to make Aadhaar mandatory for filing income tax returns, which the SC accepted as valid, but the government was attempting to extend Aadhaar-based surveillance to almost every aspect of the individual's life. The decision may help to halt this process. Though the SC has yet to deliver its decision on Aadhaar itself, it is now established that the Indian government cannot be a surveillance state: the privacy of the individual cannot be explored and penetrated in an absolute manner extending to every aspect of the person's private domain.

The decision has thus overruled the M P Sharma verdict of 1954 (eight judges) and the Kharak Singh verdict of 1962 (six judges), judgments of the same court which had held that the right to privacy is not protected under the Constitution.

The decision is based on Article 21 of the fundamental rights. It is the most interpreted article of the Constitution, as the SC has read it into many dimensions of human life. The article states: “No person shall be deprived of his life or personal liberty except according to procedure established by law.” The 86th Constitutional Amendment, 2002, inserted Article 21A after it, stating that “the State shall provide free and compulsory education to all children of the age of six to fourteen years in such manner as the State may, by law, determine.”

The Supreme Court has taken the wider view that the right to personal liberty cannot be curtailed by administrative fiat or by legislation. The Aadhaar matter will be heavily affected by this decision; the Aadhaar case itself will be decided in the coming time, but the present decision has raised hopes that the SC will also limit the government's powers with respect to Aadhaar. Citizens felt that the compulsion of Aadhaar was placing them under needless stress. From banks to entrance examinations, Aadhaar was becoming a compulsory identity. In several places old people could not get their pensions because they were unable to link their Aadhaar cards. The practical problem was that they were so old that their fingerprints could not be captured, or they could not reach the Aadhaar camp where the cards were being prepared because of their age and because no one was there to take them. Several old women have complained about this sorry state of affairs.

The government did not take a flexible view and attempted to monitor every action of the individual. The fear was that the compulsion of Aadhaar might keep the person permanently under stress. The day was not far off when the government could ask a person to attach Aadhaar whenever they purchased a newspaper, visited a restaurant for dinner, stayed in a hospital or hung out in a park.

Such steps are contemplated in societies where governments are fearful of the force of their citizens. By its decision the Supreme Court has placed limits on any mala fide intention and has empowered the citizens of the country.

The Supreme Court is truly the custodian of humane values and of the lives of Indian citizens. The Constitution is paramount, and so are WE THE PEOPLE OF INDIA. The Supreme Court has upheld this, and it is now a well-established fact that no power can dilute it.

Originally published on CounterCurrents.org

After false claims about Aadhaar's benefits, made in court to deny citizens the right to privacy, R S Prasad claims the government always saw privacy as a fundamental right, following a landmark defeat in a judgment by a 9 judge bench.

R S Prasad makes another Aadhaar and privacy related false claim.

The Supreme Court gave a landmark 9 judge bench judgment upholding privacy as a fundamental right of citizens. The government was among the respondents and had vigorously argued that privacy was not a fundamental right.

Today, after the judgment, R. S. Prasad, Union Minister holding the Law and Justice and Information Technology portfolios in the Government of India, tweeted:

Govt was of the view that #RightToPrivacy should be a fundamental right.

This is complete nonsense, of course. If the government was of the view that privacy was a fundamental right, why was the case in court at all, and why was it fought vigorously all the way to the top until a 9 judge bench delivered a judgment on a matter of crucial importance to the rights of citizens, rights that the government was violating?

Attorney General Mukul Rohatgi, who represents the Union Government, presented the government's stand in the Supreme Court: that privacy was not a fundamental right of Indian citizens, and that the Constitution makers would have put it there if they had intended it to be one. The government's stand was that privacy is a right, but not a fundamental right (an ordinary right can be overridden by the government through legislation in various circumstances, while a fundamental right can be limited only within the bounds the Constitution itself sets).

Constitution makers did not intend to make right to privacy a fundamental right.

~ Attorney General Mukul Rohatgi, while representing the Union government in the Supreme Court before a 9 judge bench.

The government wants to be able to override a citizen's right to privacy in order to force them to enroll for Aadhaar or lose access to essential services, subsidies and documents. Aadhaar, imposed by the government on citizens, was being challenged in court in this landmark case by citizens against their own government. What R S Prasad is claiming is a flat-out lie.

The Union Government actually made the ridiculous claim that citizens do not have an absolute right over their own bodies, sparking massive outrage on social media, with hashtags like #MyBodyMyRight and #RightToPrivacy starting to trend and remaining popular from then till now.

Attorney General Mukul Rohatgi cited two cases that supported this view. Rohatgi additionally falsely claimed in court that Aadhaar was foolproof and that the court should balance the rights of the petitioners against those of the 700 million people it allegedly serves (which was also a false claim, because having an Aadhaar does not entitle you to anything; rather, a lack of Aadhaar can prevent you from availing rights and services you already had access to). This outrageous falsehood has also been robustly challenged.

So the Attorney General committed perjury to defend the government's obsession with surveillance of citizens, and when they got soundly defeated anyway, R S Prasad now claims that they supported the petitioners who fought against them? This is so absurd as to make no sense. If the government respects privacy as a fundamental right, why does Aadhaar exist at all? Why are people being forced to get an Aadhaar if they want to use essential services like the subsidies they are entitled to, or to pay tax, or to hold a bank account, or even a phone?

Conclusion: R S Prasad is lying. It is the usual jumble of words you see around this government, and particularly around Aadhaar cover-ups, that turns their actual meanings into their opposites.

Bhavyanshu Parasher, a young computer science engineer, took a look at Prime Minister Narendra Modi's Android application (among popular apps he studied for his own research). The Narendra Modi app had 500,000+ downloads at the time. He found a major security flaw in how the app accessed the “api.narendramodi.in/api” API.

At the time of disclosure, the API was being served over HTTP as well as HTTPS; older versions of the app still used HTTP, so people running an older version were exposed to an additional weakness: data (passwords, email addresses) was transmitted as plain text, and login credentials could easily be intercepted by a man-in-the-middle (MiTM) attacker. The bigger problem was that the token needed to access the API gave the developers a false sense of security. The access token could easily be fetched from the app, and anyone could then send hand-crafted HTTP requests to the server; the result was a valid JSON response without any authentication of the user making the request. This included accessing the user data (primarily the email address) of any user and posting comments as any registered user of the app.

The seriousness of the loophole can be understood from the following exploit. The vulnerabilities have since been fixed.

Exploit demo

Bhavyanshu wrote an exploit to demonstrate how easy it was to extract email addresses using the security flaw.

“The API endpoint to fetch user profile information (email address) was getprofile. Before the vulnerability was fixed, the endpoint was accessible via “http://www.narendramodi.in/api/getprofile?userid=useridvalue&token=sometokenvalue”. As you can see, it only required two parameters: userid, which we could easily iterate starting from 1, and token, which was a fixed value. There was no authentication check at the API access layer. Hand-crafting such requests resulted in a valid JSON response which exposed critical data like the email addresses of each and every user.” - Original Vulnerability Disclosure.

For instance, here is the sample output for xrange(1,10):

[Image: exploit result, showing the extracted email addresses of the first 10 users]

He was also able to post a comment as any user. For example:

[Image: comment exploit, showing a comment sent as user 4234]
After this security flaw was exposed, Bhavyanshu and I made considerable efforts to draw the attention of the Prime Minister's development team to the need to improve security, but it was another three days before the API stopped leaking information to whoever wished to use the loophole. It is difficult to say who, and how many people, had already accessed the user data of all the users of the Narendra Modi app. “Why did it take them so long to connect me with the developers directly? This issue could have been resolved earlier. The email address provided on the Play Store does not work. The government should find a way to create a direct communication channel between those who report flaws and the developers. They should adopt CVRF,” Bhavyanshu said.
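To make the authorisation failure concrete, here is an added example written for this page; it is not Bhavyanshu's exploit and not the app's own code. It models the old getprofile check (one app-wide token, with the caller-supplied userid trusted) beside a hardened version that derives the caller's identity from a signed per-user session token and refuses records that are not the caller's, and it runs the enumeration loop from the demo against both. The user table, the token formats, the server secret and the example.invalid addresses are constructed placeholders; the real API's token value and how it was eventually fixed are not known from this page.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed sample user table (userid 1..9); the addresses are placeholders.
USERS = {i: {"userid": i, "email": f"user{i}@example.invalid"} for i in range(1, 10)}

# Assumption: the old API accepted one fixed token embedded in every install.
STATIC_API_TOKEN = "app-wide-static-token"


def vulnerable_getprofile(userid: int, token: str) -> Optional[dict]:
    """Models the disclosed flaw: the token only proves the caller has the app,
    so the server never learns *who* is asking and hands back any userid."""
    if not hmac.compare_digest(token, STATIC_API_TOKEN):
        return None
    return USERS.get(userid)


# Hardened variant (an assumed design, not the app's actual fix): a per-user
# session token signed with a server secret, plus an object-level check that
# the requested record belongs to the caller.
SERVER_SECRET = secrets.token_bytes(32)  # assumption: generated at startup


def _sign(payload: str) -> str:
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_session(userid: int) -> str:
    """Login step: bind a random nonce to the userid and sign both."""
    payload = f"{userid}.{secrets.token_hex(16)}"
    return f"{payload}.{_sign(payload)}"


def caller_from_token(token: str) -> Optional[int]:
    """Recover the caller's identity from the token, or None if it is forged."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[0].isdigit():
        return None
    uid, nonce, mac = parts
    if not hmac.compare_digest(mac, _sign(f"{uid}.{nonce}")):
        return None
    return int(uid)


def hardened_getprofile(userid: int, token: str) -> Optional[dict]:
    """Identity comes from the token, and the requested id must match it."""
    caller = caller_from_token(token)
    if caller is None or caller != userid:
        return None
    return USERS.get(userid)


def enumerate_emails(getprofile: Callable[[int, str], Optional[dict]],
                     token: str, start: int = 1, stop: int = 10) -> list:
    """The exploit loop from the demo: walk userid over range(start, stop)
    with one token and collect whatever the endpoint returns."""
    found = []
    for uid in range(start, stop):
        profile = getprofile(uid, token)
        if profile is not None:
            found.append(profile["email"])
    return found


if __name__ == "__main__":
    print("static token   :", enumerate_emails(vulnerable_getprofile, STATIC_API_TOKEN))
    print("session (uid 4):", enumerate_emails(hardened_getprofile, issue_session(4)))
```

Against the vulnerable handler the loop with the static token returns all nine constructed addresses; against the hardened handler a session issued for user 4 yields only user 4's record, and a tampered or malformed token yields nothing. The comment endpoint needed the same identity-from-token check: a comment should be attributed to the session's owner, never to a caller-supplied userid.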

What are the implications for Digital India?

At a time when Indian developers are stunned by the emergence of Ankit Fadia (mostly known as a self-publicized, copy-paste plagiarist and, at best, a mediocre script kiddie), and while concerns about data security are paramount, the Prime Minister's app leaking user information amounts to any malicious entity holding a ready list of every social-media-savvy mobile user who supports the Prime Minister and the ruling party, among other citizens. What such information could be used for is anyone's guess.

With the Prime Minister releasing a site a month on average, the complete lack of interest in securing the application from unauthorized use is alarming. If the security of such a key app with 5-6 lakh users was so carelessly designed, what kind of information crucial to the country could leak to the unscrupulous through the same casual approach to securing the data the government seems bent on putting online?

What happens if a hacker publishes problematic content as another user?

Digital India cannot succeed if it merely courts the big business of the internet without actually having the competence to secure its own data. That would be like riding a race horse without saddle, stirrups or even knowing how to ride. Sooner or later, the horse goes rogue and you have no way to save yourself, let alone control it.


As I write this post, Indian digital rights activists are watching in horror as “ethical hacker” Ankit Fadia has been declared a brand ambassador of Digital India. As Twitter goes nuts trying to show how big a “blunder” this is, perhaps it is time to realize that it is not a blunder. It is a deliberate stupidification of India, with deliberate installation of mirrors of Modi's will rather than independent intellectuals.

Deliberate incompetence is the hallmark of appointments by the Modi sarkar, and they happen too often to be considered mistakes. From Smriti Irani, who faked her own education credentials, handling national education, to Ankit Fadia, a self-proclaimed ethical hacker no professional respects, this is only the tip of an iceberg that had started showing up right from Modi's election campaign.

Kirron Kher, contesting from Chandigarh in the Lok Sabha elections, had candidly admitted in an interview to the Indian Express, “I am not a politician. I do not see myself as a politician. I see myself as somebody who is working for my city and fought (elections) to get one more seat for (Narendra) Modi ji. That is how I see myself. I did not ask for the ticket. It was given to me and now I am here.” Contesting against the four-time MP Pawan Bansal of the Congress and Gul Panag of the Aam Aadmi Party, the candidature of Kirron Kher had been met with black flags by BJP workers themselves in Chandigarh. She won.

From Modi's holograms being projected nationwide to sidelining of senior leaders, Modi is clearly a man not interested in the contributions of others, even as he accepts their necessity. The Supreme Court rapped the Women and Child Ministry for the delay in filling vacancies in the National Commission for the Protection of Child Rights, but the reason turned out to be the PMO not clearing their appointments.

But if we look at the appointments being made, there is little reason for cheer. Amartya Sen resigned in protest, citing unprecedented interference in academics from the government. I do not see him as a leftist, but I am aware that the supporters of the present government do. Yet we now have students of the FTII protesting as well. Surely it cannot be that Modi lacks supporters among excellent actors, so that he settled for Gajendra Chauhan to avoid dealing with a “secular” one (as his current whine in foreign countries goes)?

In a scathing piece on the rise of "anti-intellectualism" under the present government, Rishi Majumder identifies the common thread behind persistent absurd appointments as "The lack of a strong, distinct, individual vision for what they want to achieve with their charges." even as they are good managers. I see it as the appointees being conduits for a vision dictated from sources out of public scrutiny. Mirrors, mirrors everywhere, readily reflecting someone's will.

But there is more. It is a deliberate flaunting of unchecked stupidification in an obscene carnage of an intellectual India. The word “intellectual” itself has been turned into a slur by the supporters of this regime. The message is clear: “We do not want your fancy theories. We want the freedom to define scholarship however we wish.” The trend is far-reaching and flaunted at the most trivial of opportunities. Of all the journalists in the world, Modi chose Fareed Zakaria to give his first interview. Till then, Fareed Zakaria's biggest attention puller was when his articles were pulled down for plagiarism.

Smriti Irani got rewarded for her loyalty and robust defense of Modi. Fine. But it is not just that. What she was entrusted with was the very thing she had been discredited over. It is not about less-qualified politicians. Faking qualifications on an election affidavit is an act that declares that her qualifications felt inadequate in her own eyes. She could have been rewarded in many other ways, but now she handles the nation's education, something she has been established as inadequate about.

It is not merely loyalty. Modi's supporters include several senior journalists as well, but would someone like, say, Kanchan Gupta accept being told what he could ask and what he couldn't? In addition to showing critics that they cannot stop him, no matter what he does, Modi's choices of people are also a statement of what behavior among supporters will get rewarded. Modi does not want independent thinking even among his supporters. Kanchan Gupta and Subramanian Swamy, two of the most independent-thinking right-wing thinkers, are conspicuously free of responsibility, even as jokes circulate about Advani in the margadarshak mandal. The three countries Ajit Doval (who had been caught with Chota Rajan's gangster) took an interest in bombed in terms of foreign policy. As we speak, freaking “Hindu” Nepal has people outraging against India. It does not seem to matter to anyone. Baba Ramdev is selling churans to cure dengue and collaborating with the Defence Research and Development Organisation, toward what purpose is anyone's guess.

Modi himself takes absurd speech to greater heights when he talks of Ganesha's head as evidence that plastic surgery was practised in ancient India. Not even transplants, mind you. Plastic surgery. This while speaking of a super-elite hospital helping improve healthcare for the masses in India, as if the people living on 32 rupees a day would be lining up to pay over a thousand rupees just to be seen as an outpatient in this miracle hospital. Let there be no doubt that not even an effort to sound rational was made.

At a time when Modi has the biggest organized support among all public figures on the internet, when he launches an average of two websites a month, and when a large part of his election victory was due to towering ethical and unethical efforts online, it is absurd to imagine that he has nobody better to be the brand ambassador for Digital India than Ankit Fadia, who is not respected by anyone other than abjectly ignorant newbies to coding. As far as appointing for incompetence goes, Ankit Fadia would rank as his second most spectacular appointment (the first being Smriti Irani, of course), because for anyone with even passable knowledge of the subjects Ankit Fadia writes about, his name has become synonymous with plagiarism. A superstar script kiddie with dubious claims to fame. But he has the one thing Rishi Majumder identified as a prerequisite. There is no evidence of Ankit Fadia even wanting to learn, as long as he can sell his books and meaningless certificates.

The Modi sarkar does not care that it reflects an idolizing of incompetence on issues crucial to the nation. It does not need to care about public opinion for another 3.5 years. In a world where policies useful to cronies must be pushed unhindered, intelligent people slow things down with their questions, even when they support. Unthinking and efficient people doing as they are told is what makes selling the country out from under people's feet possible: meticulously following the government's stand, and, unperturbed, supporting the government's opposite stand as well when criticism forces a U-turn.

 

The message to supporters is even clearer than it is to critics. I want your support, not your brain. If you want your reward, this is your key.

 

First of all, what is National Encryption Policy?

“Under Section 84A of the Information Technology Act, 2000, Rules are to be framed to prescribe modes or methods for encryption.” So DeitY has framed a draft of such rules, which will decide how encrypted services are to be used or provided to users in India. The preamble of the draft shows that they understand well enough what encryption is meant to be used for. What they fail to understand is how it secures communication between two entities. The problem lies in the strategies stated in the draft. Let us break the draft into parts and analyze how exactly they could ruin encrypted services, and how this will affect you.

  • (III Objectives i) states: “to protect privacy in information and communication infrastructure without unduly affecting public safety and National Security”. This is perfect, but they then contradict themselves in (IV Strategies 4): “On demand, the user shall be able to reproduce the same Plain text and encrypted text pairs using the software/hardware used to produce the encrypted text from the given plain text. Such plain text information shall be stored by the user/organization/agency for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country”. So what is wrong with this? Take an example. You currently use messaging services that encrypt data sent over the network. You have a sense of security that you can talk freely over the network without worrying that ISPs, private companies and the government are continuously monitoring and logging what you say. The problem arises when private companies like your Internet service provider, the government and even hackers can misuse this data. What the government has stated under “Strategies” is a version of exactly that: they do not want to get rid of encryption, but they want backdoor access to the encrypted networks. This is not acceptable. By demanding this, they put critical data and infrastructure in danger. Why? Ask yourself these questions. Can we trust the authorities to keep the keys and the data in “Plain text” safe from hackers? Hackers target government organizations every day to get their hands on information. Governments are easy targets for most hackers because they do not invest enough resources in security. Can we trust government employees with our data when they cannot prevent hacks on government websites? The cost of such security breaches would be severe.
  Think what happens if e-commerce companies are forced to keep currently encrypted data in plain text as well. Without challenging anyone's security, and knowing from experience that hackers always find a way in, I can say that I would probably never use e-commerce services again knowing that they store critical data in plain text as well. Like me, many would not want to access such services. This will affect economic growth; these services will lose users. If there is a security breach and hackers gain access to data stored in plain text, people will think twice before using such services again. At least currently the data is encrypted: even if hackers get in, there is still an extra layer of protection, and they may or may not be able to decrypt the data easily, depending of course on the methods used to encrypt it. This is one of the major problems that I personally see with the government asking services for backdoors.
  • (IV Strategies 5) states: “B/C groups (i.e. B2C, C2B Sectors) may use Encryption for storage and communication. Encryption algorithms and key sizes will be prescribed by the Government through Notification from time to time. All information shall be stored by the concerned B/C entity for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country. In case of communication with foreign entity, the primary responsibility of providing readable plain-text along with the corresponding Encrypted information shall rest on entity (B or C) located in India”. Entity B is any business or commercial body, private or public, providing encrypted services, and entity C includes every citizen. This is completely broken. They say that all information should be stored by the concerned B/C entity for 90 days from the date of transaction. How can they expect citizens to store such information? What if hackers break into anyone under the “C” entity and get access to that information? In that case, who will be held responsible? Will the government take responsibility, since it demands that users store such important information for 90 days? Moreover, they clearly say that they will dictate which encryption algorithms to use and what the key size should be. This will cause problems for any business on the technical front. What if a business wants to use a different encryption algorithm because it suits its requirements better? Now the government will decide how you do business and which technology sits behind your encrypted network? That is why this is completely broken.
  • The most absurd point, in my view, is (IV Strategies 7), which states: “Users within C group (i.e. C2C Sector) may use Encryption for storage and communication. Encryption algorithms and key sizes will be prescribed by the Government through Notification from time to time. All citizens (C), including personnel of Government/Business (G/B) performing non-official/personal functions, are required to store the plain-texts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable Plain Text to Law and Enforcement Agencies as and when required as per the provision of the laws of the country”. This is a horrible strategy to propose. The C group contains every citizen, so this clearly applies to communication between two citizens. Take an example. I encrypt most of my emails with PGP, and according to the above strategy the government can tell me to stop using PGP and use something else, or tell me to reduce the size of my key. This will only make my data more vulnerable. There is a reason why PGP exists: I use it so I can be sure that the email is read only by the person I grant access to. No matter what network it passes through, no one else will be able to read that data. I have this sense of security right now. Point 7 takes even that away from me.
  • (V Regulatory Framework 1) states: “while seeking registration, the vendors shall submit working copies of the encryption software/hardware to the Government along with professional quality documentation, test suites and execution platform environments”. This is very stupid. Why? If some organization has patented or closed-source encryption technology, the government cannot simply ask it to disclose every detail of that technology; the government would have to obtain a license from the organization to get every detail of how the encryption is implemented. Think about the cost. Secondly, and more problematic: what if such details land in the hands of competitors? Bam! That exposes your whole security infrastructure to a competing company. That can happen. How can you rule out the possibility when you know that more than one organization has all this information stored somewhere? Whom can you trust?
  • (V Regulatory Framework 3) states: “The vendors of encryption products or service providers offering encryption services shall necessarily register their products / services with Government for conducting business in the country”. So most services will probably not want to do business in India, for the reasons stated above. You decide whether that is going to affect the economy or not.
  • Lastly, (V Regulatory Framework 5) states: “Users in India are allowed to use only the products registered in India”. Well, say goodbye to VPN services. You see what they did there?

I am just an engineer. I am stating my opinion on this because I think it will affect me a lot. Your comments on this are welcome and hope we can have a healthy discussion on this. This will ultimately affect you and how you use Internet services. Hence, this is a crucial matter and everyone from tech should participate in this.

[Update - September 21]

[Image: new exemptions to the DeitY policy]

All those who say that the proposed addendum exempts social media apps, messaging apps, etc., have clearly not read point 1 of the addendum carefully. It states that “mass use encryption products” are exempted from the NEP. “Mass use encryption products” certainly does not include copyrighted crypto algorithms or proprietary encryption products owned by the respective companies. So it clarifies nothing and only adds to the problems.


Originally published by Bhavyanshu Parasher here.