<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Open+Sans%3A400italic%2C700italic%2C400%2C700">Internet privacy Archives « Aam JanataSkip to content

In a rather bewildering tweet today, Madhu Kishwar asked, "Do champions of #RightToPrivacy realise that if 2 women hadn't complained, #babaRamRahim doings in his "Gufa"covered under right to privacy?" The tweet was so absurd that she was met with a barrage of retorts and taunts by people she was taunting.

I guess if we are a country just growing into our rights, there will be a lot of debates of this sort needed, where clear talking will help more than sarcasm at someone's ignorance. It also isn't an alien concept. We have a right to privacy already. Whether it was stated or not, we had protection against someone violating our space. That is how stalking or spy cams or leaking passwords and such is already illegal, even though the right itself was explicitly stated just recently. The world has not changed all that much in terms of what is "right" and "wrong". Privacy cannot make criminal things legit all of a sudden. That was just propaganda to influence the case into denying our right. Even the government now agrees we have a right to privacy. What has changed is for those whose privacy gets invaded by powerful players like big companies or the government (this judgment emerged directly from a constitutional challenge to Aadhaar on the grounds of privacy), who have the power to fudge an unstated right and interpret it to convenience. Now that it is explicit, they will no longer be able to fudge easily.

What the right to privacy will actually entail and exclude as per law will soon be determined, but the general meaning of the term endorses the right of a person to withhold or reveal information about themselves. There is also an implicit requirement that information revealed in confidence must not be shared beyond the purpose it was explicitly authorized for. This is the rock Aadhaar will flounder on - a mandatory and unaccountable database of private information on citizens cannot coexist with even the most shoddily defined privacy. And this 9 judge bench has given a most excellent verdict. But I digress.

Publicly available information is not covered by the right to privacy. For example, board results (because there seem to be a lot of jokes about keeping marksheets private from parents). You may refuse to reveal, but if the information is public, they will have access to it anyway. Certifications (no, the Prime Minister and Smriti Irani's degrees don't get covered by privacy either - they have stated the information themselves, what they are refusing to do is provide proofs for officially filed documents). This also goes for information submitted as proofs, etc. For example, if you have to provide proof of address to start a bank account, your right to privacy does not include starting a bank account without proof of residence. But yes, it definitely includes an obligation on the bank to not share it with third parties or use it for purposes other than verifying your address (for example, sending credit card spam).

As a fundamental right, Ram Rahim still has the right to privacy. Just because he is a convicted rapist does not mean you can make personal and confidential information about him public without his consent (public functions are public). The access to personal information can also be mandated for various reasons - This is where the grey areas lie. You have a right to withhold your bank balance and what you spend your money on from me, but do you have the right to withhold it from the income tax department? The standard understanding is no, because tax is your duty as a citizen. Others, more extreme argue that we voluntarily provide our information to the tax authorities and others don't and choose to be raided instead. The government will, no doubt soon be launching some form of propaganda to create a way to impose Aadhaar in spite of the recent clobbering in court through such grey areas. But it won't be easy, because there really is no way to prove that the information is necessary in the manner knowing income would be directly necessary to assess income tax. It is still not arbitrary or unlimited. you need warrants, to enter and search premises, for example. You can't randomly check whoever you suspect.You have to prove the need for it and get a warrant.

Similarly, your right to privacy is about you having the right to reveal at your discretion what personal information you choose to share. To apply that to sex and rape, it would protect homosexuals, for example. That is why they got all excited about the clarity of the wording. Or at least those who are not engaging in "unnatural sex" in a situation that could be called "public", unless one of them revealed their "crime". Short of homosexuality explicitly being legal, this is considerably better than their previous precarious position of not knowing what boundaries and personal rights they could count on. However, it doesn't protect Ram Rahim from his two victims who complained, because as their personal experience, the victims were perfectly entitled to reveal it to anyone they wished - even if it were consensual. And it wasn't, which makes it a flat out crime. Crimes are mostly private. But if there is enough evidence of it or a complaint, an investigation will attempt to access all relevant information. The most robustly defined right to privacy in the world cannot protect a rapist from conviction if his crime is proved and it cannot prevent an investigation against an accused either. It is a thin edge of what is a legit investigation or ethical whistleblowing and what is a breach of privacy - which is why exposes are so often accompanied by defamation suits.

Right to privacy is a right of persons, not organizations. If it were not the victims and a third party who came to know about the rapes and complained, the action being illegal would make it count as whistleblowing.

Organizations too can have requirements of confidentiality, but they don't have a right to information about them requiring consent to be shared - because they aren't people. Confidentiality requirements of organizations are usually explicit. There are things you can talk about (work timings, coffee maker sucks) and things you can't (trade secrets, business strategies). If the organization was willing to own the rapes as official business of the organization and not a crime that could not be revealed without breaching confidentiality agreements, they are free to sue the whistleblower or the complainants, but a crime that gets exposed remains a crime. An organization that claims it to be its official business would be a criminal organization.

This is also why you have (and need better) whistleblower protection laws - so that confidentiality cannot be used as an excuse to cover up crimes and persecute whistleblowers.

Hope all is clear now.

After false Aadhaar benefits claims perjury to deny citizens right to privacy in case, R S Prasad claims govt always saw privacy as a fundamental right after landmark defeat in judgment by 9 judge bench.

R S Prasad makes another Aadhaar and privacy related false claim.

The Supreme Court gave a landmark 9 judge bench judgment upholding privacy as a fundamental right of citizens. The government was among the defendants and had vigorously stated that privacy was not a fundamental right.

Today, after the judgment, R. S. Prasad, Union Minister holding Law and Justice and Ministry of Information Technology portfolio in the Government of India tweeted:

Govt was of the view that #RightToPrivacy should be a fundamental right.

This is complete nonsense, of course. If the government was of the view that privacy was a fundamental right, why was the case in court at all and fought vigorously all through to the top till a 9 judge bench provided a judgment on a matter of crucial importance to the rights of citizens that the government was violating?

Attorney General Mukul Rohtagi, who represents the Union Government presented the government's stand in the Supreme Court as privacy was not a fundamental right of Indian citizens and that the Constitution makers would have put it there if they had intended it to be. The government's stand was that privacy is a right, but not a fundamental right (normal rights can be overruled by the government in various circumstances, while fundamental rights cannot).

Constitution makers did not intend to make right to privacy a fundamental right.

~ Attorney General Mukul Rohtagi while representing the Union government in Supreme Court before a 9 judge bench.

The government wants to be able to overrule a citizen's right to privacy in order to force them to enroll for Aadhaar or lose their right to essential services, subsidies, and documents. Aadhaar, imposed by the government on citizens was being challenged in court in this landmark case by citizens against their government. What R S Prasad is claiming is a flat out lie.

The Union Government actually made the ridiculous claim that citizens don't have absolute right over their bodies, sparking massive outrage on social media with hashtags like #MyBodyMyRight #RightToPrivacy starting to trend and remaining popular from then to now.

Advocate General Mukul Rohtagi cited two cases that supported this view. Rohtagi additionally falsely claimed in court that Aadhaar was foolproof and that the court should balance the right of the petitioners against those of the 700 million people it allegedly serves (which was also a false claim, because having an Aadhaar does not entitle you to anything, but in fact a lack of Aadhaar can prevent you from availing rights and services you already had access to). This outrageous falsehood has also been robustly challenged.

So the Attorney General committed perjury to defend the government's obsession with surveillance of citizens and when they got soundly defeated anyway, now R S Prasad is claiming that they supported the peititoners who fought against them? This is so absurd as to make no sense. If the government respects privacy as a fundamental right, why does Aadhaar exist at all? Why are people being forced to get an Aadhaar if they want to use essential services like the subsidies they are entitled to or to pay tax or to hold a bank account or even a phone?

Conclusion: R S Prasad is lying. It is the beginning of the usual jumble of words you see around this government and particularly around Aadhaar cover ups that turns their actual meanings into their opposites.

Since the last few weeks, there has been a sudden uptick of anonymous accounts supporting Aadhaar and dismissing concerns and news of information leaks, security and privacy issues. These accounts were all either created in may or scrubbed of all content and began tweeting afresh in May. Some of them are propaganda accounts that tweet only positives about Aadhaar and/or gloss over issues raised on grounds of law, constitutionality, fundamental rights, privacy, ethics, security, national security and so on.

Here are some of the accounts.

Out of these the @supportaadhaar has been separately claimed by Rashmi Ranjan so far

But there were more serious handles that were created in May, anonymous and interacted specifically with critics of Aadhaar in various ways that ranged from defamation to threats of legal action. For example, these handles.

It did not take us long to figure out what was going on. Prominent handles that had criticized Aadhaar on technical grounds (not lawyers, or political or ethical grounds) were the main targets. It was rapidly obvious that these were fronts for people from the tech community. Likely people profiting from Aadhaar, because it is really not plausible that the abundantly detailed flaws revealed in Aadhaar could not be understood by them.

When one of these handles, @confident_india tangled with Kiran Jonnalgadda, he was able to make an educated guess at its identity and proved it by verifying the troll account against a real phone number. That phone number belonged to the co-founder, governing body member and director of iSPIRIT - Sharad Sharma. The director of iSPIRIT was going around using a fake handle and planting allegations of profiting from criticism of Aadhaar against critics. Planting allegations about them working for foreign intelligence agencies (ironically, MongoDB that Aadhaar uses is funded by the CIA).

Allegations of foreign intelligence affiliations
Who is funded by the CIA Allegations of foreign intelligence affiliations

On a stray note, after these allegations started happening, Nandan Nilekani ("mentor" to this circus) too referred to critics of Aadhaar with vested interests from his real account while promoting that childish data free article asking personal questions related to motivations of aadhaar critics that is replied to here.

Kiran informed several of us about his investigation into this troll (aka director of iSPIRIT, Sharad Sharma) and we independently verified that his number was indeed attached to the fake account, because he knew that once he exposed Sharad Sharma in public, the phone number would immediately be removed and perhaps the anonymous account as well.

He made this video public in a tweet and later blogged about it. Thiyagarajan M, a fellow at iSPIRIT blogged a reply on medium.com as well stating that Sharad had denied the allegations and they would be investigated, while he admits that the presentation Kiran mentions exists and is just a strategy document that does not recommend anonymous trolling. He states that they were aware that some of them had created an anonymous campaign and claims it is not an official campaign by iSPIRIT. As though an official campaign would be put in writing formally.

We are aware that some volunteers and their friends have created an anonymous campaign to Support Aadhaar. This is not a troll campaign, but an informational one. It is also not an iSPIRT campaign.

I am not sure what remains to investigate. If it is about investigating how Sharad can possibly be taken off the hook, it shouldn't need an organization existing because of an authentication based product too long to realize that there really is no sane way.

No official handle related with iSPIRIT has so far published any statement to the best of my knowledge. Sharad Sharma and the troll have both promptly denied to it, of course. Except, in the process of denying that he was @confident_india, Sharad seems to have proved himself to be @indiaforward2 as well! He accidentally tweeted his denial of being @confident_india from the @indiaforward2 handle as well as his real handle, before tweeting the new tweets with his real handle. He deleted the tweets that went from both handles of course, but not before someone quick made a timely screenshot. So here we are.

 

Sharad tweeting as @indiaforward2

The denial from his main handle was read by many, but I don't have a screenshot of it... yet. However, he didn't delete it fast enough. Factordaily updated their reporting of the Sharad Sharma controversy with his denial

Sharad Sharma woke to tweetstorm in Atlanta
Sharad Sharma woke to tweetstorm in Atlanta just like @indiaforward2
Sharad tweeting as himself.
Sharad's denial of trolling from his real account
Sharad's denial of trolling from his real account

My immediate thought about it wasn't even so much that people in power use sneaky, unethical methods to get their way and undermine obstacles, but that the director of a company that is a collective of software developers and who were all defending Aadhaar on grounds of security and privacy were so ignorant about securing something as elementary as an anonymous account!

Once this expose was public, several people independently verified that they too had been able to authenticate access to the troll account with Sharad Sharma's personal number. For example:

 

Rohin Dharmakumar went a step ahead and showed how a mobile phone can't simply be attached to a Twitter account without actually verifying the number.

 

There are also a lot of people unaware of the developments in that country called Digital India who are aghast at what they are discovering. This is what you get for being gullible. Here. Educational. Video published from official iSPIRIT handle. Watch Pramod Varma, Sanjay Jain ex-UIDAI now "volunteer" at the ISpirt that "donates" to Govt and how this serves to avoid oversight by CAG, RTI.

In other words, what you have here is a bunch of private people who are creating products off big data collected from all citizens in a manner that allows them to evade accountability to the citizens for it. They also fund the government, push the expansion of Aadhaar in spite of extensive risks and violations of citizens rights being documented. In spite of the fact that Aadhaar effectively allows any infiltrator to become a "citizen" of the country by facilitating the creation of all documents that a citizen would have. And when the concerns raised get too alarming and there is no coherent defense of them possible, they make fake accounts to go around undermining dissenters so that the imposition of Aadhaar that puts citizens and country at risk may not be challenged.

If you do not speak up for your rights, they will be trampled on by profiteers out to exploit them at any cost.

First of all, what is National Encryption Policy?

“Under Section 84A of Information Technology Act, 2000 Rules are to be framed to prescribe modes or methods for encryption”. So DeitY has framed a draft of such rules which will decide the future of how encrypted services are to be used or provided to users in India. The preamble in the draft clearly shows that they very well understand what encryption is meant to be used for. What they fail to understand is how it helps secure communication between two entities. The problem lies in the strategies stated in the draft. Let us break the draft into parts and try to analyze how exactly they can possibly ruin encrypted services and also how it will affect you.

  • (III Objectives i)) states “to protect privacy in information and communication infrastructure without unduly affecting public safety and National Security”. This is perfect but then they contradict themselves by saying (IV Strategies 4), “On demand, the user shall be able to reproduce the same Plain text and encrypted text pairs using the software/hardware used to produce the encrypted text from the given plain text. Such plain text information shall be stored by the user/organization/agency for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country”. Yeah, so what is wrong with this? Well, to answer this, let us take an example. You are currently using messaging services that encrypt data sent over network. You still have a sense of security that you can freely talk about things over the network without worrying that ISPs, private companies and the government are continuously monitoring/logging what you say. The problem arises when the private companies like your Internet service provider, government and even notorious hackers can misuse this data. What government has stated under “Strategies” is not exactly that but a different version of this. They don’t want to get rid of the encryption but want a backdoor access to the encrypted networks. This is not acceptable. By demanding this, they are putting critical data and infrastructure in danger. Why? Ask these questions to yourself. Can we trust the authorities to keep the keys and the data in “Plain text” safe from hackers? It is common that hackers target government organizations everyday to get their hands on information. Governments are easy targets for most hackers because they don’t invest enough resources in security. Can we trust the government employees with our data who can’t prevent hacks on government websites? The cost of such security breaches would be severe. Think if e-commerce companies are forced to keep currently encrypted data in plain text as well. Not challenging anyone’s security but knowing that hackers always find a way in, from experience, I can tell that I would probably never use e-commerce services again knowing they are storing critical data in plain text as well. Like me, many would not want to access such services ever. This will affect the economic growth. These services will lose users. If there is a security breach and hackers have access to data stored in “plain text”, people will think twice before using such services ever again. At least currently the data is encrypted. Even if hackers get in, there is still an extra layer of protection. They may or may not be able to decrypt the data easily. Of course it all depends on the methods used to encrypt such data. This is one of the major problems that I personally see with government asking services for back-doors.
  • (IV Strategies 5) states that “B/C groups (i.e. B2C, C2B Sectors) may use Encryption for storage and communication. Encryption algorithms and key sizes will be prescribed by the Government through Notification from time to time. All information shall be stored by the concerned B/C entity for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country. In case of communication with foreign entity, the primary responsibility of providing readable plain-text along with the corresponding Encrypted information shall rest on entity (B or C) located in India”. The entity B is any business and commercial private or public bodies providing encrypted services and entity C includes every citizen. This is completely broken. They say that all information should be stored by concerned B/C entity for 90 days from the date of transaction. How can they expect citizens to store such information? What if the hackers hack into anyone under “C” entity and gets access to that information. In that case, who will be held responsible? Will the government take responsibility because they demand users to store such important information for 90 days? Moreover, they are clearly saying that they will be the ones to dictate what encryption algorithms to use and what should be the size of the key. This will cause problems to any business on the technical front. What if their business wants to use a different encryption algorithm because it suits their requirements better? Now the government will decide how you should do business and the technology used behind your encrypted network? That’s why this is completely broken.
  • The most absurd point, according to me, (IV Strategies 7), states that “Users within C group (i.e. C2C Sector) may use Encryption for storage and communication. Encryption algorithms and key sizes will be prescribed by the Government through Notification from time to time. All citizens (C), including personnel of Government/Business (G/B) performing non-official/personal functions, are required to store the plain-texts of the corresponding encrypted information for 90 days from the date of transaction and provide the verifiable Plain Text to Law and Enforcement Agencies as and when required as per the provision of the laws of the country”. This is a horrible strategy to propose. See, C group contains every citizen. So this clearly applies to communication between two citizens. Now let us take an example. I encrypt most of my emails with PGP and now according to the above stated strategy, the government can tell me to stop using PGP and use something else or they can also tell me to reduce the size of the key. This will only make my data more vulnerable. There is a reason why PGP exists. I use it so I can be sure that the email is only read by the person whom I grant access to. No matter what network it passes through, no one else will be able to read that data. I have this sense of security right now. The point 7 even takes away that from me.
  • (V Regulatory Framework 1), states that “while seeking registration, the vendors shall submit working copies of the encryption software/hardware to the Government along with professional quality documentation, test suites and execution platform environments”. This is very stupid. Why? See, if some xyz organization has some patented or closed source encryption technology, the government cannot just ask them disclose every detail of the encryption technology. The government will have to get a license from the organization to get each and every detail of how the encryption is implemented. Think about the cost. Secondly, the more problematic situation is that what if such details land up in the hands of competitors? Bam! that will expose your whole security infrastructure to competing company. That can happen. How can you rule out such possibility when you know more than one organization has all this information stored somewhere? Whom can you trust?
  • (V Regulator Framework 3), states that “The vendors of encryption products or service providers offering encryption services shall necessarily register their products / services with Government for conducting business in the country”. So most of the services will probably not wanna do business in India because of above stated reasons. Now you only decide if it’s going to affect the economy or not.
  • Lastly, (V Regulator Framework 5), states “Users in India are allowed to use only the products registered in India”. Well, say goodbye to VPN services. You see what they did there?

I am just an engineer. I am stating my opinion on this because I think it will affect me a lot. Your comments on this are welcome and hope we can have a healthy discussion on this. This will ultimately affect you and how you use Internet services. Hence, this is a crucial matter and everyone from tech should participate in this.

[Update - September 21]

New exemptions to DeitY policy
New exemptions to DeitY policy

All those who are saying that the proposed addendum exempts social media apps, messaging apps, etc., have clearly not read the addendum point 1 carefully. It states that “mass use encryption products” are exempted from the NEP. The “mass use encryption products” definitely does not include copyright crypto algorithms/proprietary encryption products owned by respective companies. So it does not clarify anything but only adds to the problems.

I am just an engineer. I am stating my opinion on this because I think it will affect me a lot. Your comments on this are welcome and hope we can have a healthy discussion on this. This will ultimately affect you and how you use Internet services. Hence, this is a crucial matter and everyone from tech should participate in this.

Originally published by Bhavyanshu Parasher here.

 

2

Zuck: Yeah so if you ever need info about anyone at Harvard
Just ask.
I have over 4,000 emails, pictures, addresses, SNS†

Friend: What? How'd you manage that one?

Zuck: People just submitted it.
I don't know why.
They "trust me"
Dumb *ucks.

The Zuck in the above conversation is Mark Zuckerberg. And they are
talking about
Facebook.

It is a fact universally acknowledged and admitted by Facebook itself
that it sells data
of and about its users. In the movie Matrix, the machines use humans as
their power source feeding into their brains a computer-generated
dreamworld to keep them under control. Facebook's product is its users.
To keep them occupied with frivolous stories Facebook makes up
algorithms, creates filter bubbles, digs up stories from the past, makes
deleting the account extremely hard, sends SMS notifications when they
remain logged out for a while, and even influences their emotions by
manipulating what they see.

Despite all the evil sins of modern day spying networks, the control
they exert on the Web has grown to dictatorial extends that saying "No"
to their terms is becoming impossible for everyone. Yet, that is exactly
what the members of a fast growing community of diaspora* users are
telling them.

Diaspora is a free software that powers the diaspora* social network - a
nonprofit, user-owned, distributed social network. Its three main tenets
are decentralization, freedom, and privacy. Anyone can install Diaspora
on their own server (diaspora pod) and have complete control over their
data. All such pods can communicate with each other, just like email. By
nature the network is resistant to take-downs and censorship.

Diaspora and other privacy aware software like Cryptocat, TextSecure,
GPG, are real alternatives to the insecure, proprietary communication
software in the market today. But unfortunately, the number of people
who are aware of these and make use of these is incredibly small. That
is why a team of Indian diaspora users started "Diaspora Yatra", a
campaign which aims to promote diaspora* and good privacy practices.

Diaspora Yatra has completed 3 weeks in Kerala visiting schools,
colleges, libraries, and other public spaces. Pirate Praveen and
others
are holding discussions, debates, and workshops to engage
people - students, teachers, workers, advocates, all who turn up - and
to make them think about privacy.

People welcome their initiative and some do stop doing what is
convenient and start doing what is right. Diaspora yatra team are
frequently asked questions like "what happens to security if
communications cannot be intercepted by the government?" They are ready
with answers like "Does giving up privacy guarantee security?". Curious
school students wonder who gets to see their photos and who does not,
and more importantly how they can control it. Lawyers talk about whether
pod admins should be moderating the content on their pod, whether
that'll be equivalent to censorship.

These are signs for hope. People are slowly beginning to ask important
questions about privacy, security, freedom, etc. It will soon be
impossible for corporate entities to wield unfair control over what one
does on the Web. Assuming we all say "no" to unsavory practices and
stand up for an open Web.

***

Diaspora Yatra is scheduled to continue till March 6. To know more about
it, visit the Diaspora
Yatra website
or follow the #diasporayatra tag in
Diaspora.