Two days back there was an alarming report that millions of sensitive personal records were exposed due to a security vulnerability by @CSCegov_. We sprung into action and wrote to the IT Ministry. 1/5
The report published by the website, “vpnMentor” a website that provided for on-boarding services for BHIM (a UPI payment app) contained a security vulnerability. Records made vulnerable included Aadhaar documents and caste certificates. 2/5
The vulnerability had impacted the data breach of more than 7 million records impacting those from semi-urban and rural backgrounds. Leaving them vulnerable to identity theft, fraud and viral attacks. Meanwhile digital frauds are on the rise. 3/5
While there have been blanket denials by CSCegov_, we have recommended the following actions: 4/5
✅ Admission and remedy by CSC
✅ Better response times by CERT-In
✅ Breach notifications to affected persons
✅ Safeguarding and promoting security researchers
IFF works to not only protect your privacy but also cyber security. You can help our work by funding it. This month we are running a membership drive. Donate today! 5/5 #WeNeed50
🚨 Massive Victory! 🚨
@CCI_India has imposed a historic penalty of ₹213.14 cr (approx. $25.25 M) on Meta for abusing its dominant position via WhatsApp's 2021 Privacy Policy. IFF submitted expert information as an informant. Let’s break it down 🧵👇1/10 internetfreedom.in/statement-cci-…
The 2021 policy update by WhatsApp, implemented on a 'take-it-or-leave-it' change, forcing users to accept expanded data collection & sharing within the Meta group—without any real opt-out option. 2/10
The CCI concluded that this constituted:
✅ Unfair conditions under Indian competition law
✅ A violation of user autonomy, given the lack of effective alternatives to WhatsApp
✅ An abuse of Meta’s dominant position, contravening Section 4(2)(a)(i) of the Competition Act. 3/10
Here’s how your beloved DigiYatra uses facial recognition technology (FRT) Content warning: ***DYSTOPIAN USES*** ⚠️⚠️ 1/10
Now that we have your attention, here are the recent ways in which Indian public authorities and police forces used (and abused) facial recognition systems, jeorpardising the human rights and data privacy of millions of Indian citizens without much accountability. 2/10 🧵
1️⃣ @tnpoliceoffl suffered a massive data leak in its FRT portal, making 8,00,000 lines of data vulnerable. This incl. personal data of policemen & FRT reports on thousands of accused persons. IFF called for a total ban on use of FRT by police forces. 3/10
🚨 On May 4, 2024, a massive breach in @tnpoliceoffl’s Facial Recognition (FRT) Portal exposed over 8,00,000 lines of data—which include 50,000 facial IDs, personal information of police officers, & details of crimes, police stations, & FIRs filed. 🚨🧵1/8
The FRT software, developed by CDAC-Kolkata and hosted on TNSDC, which was storing facial images alongside personal details of suspected, accused, & incarcerated persons, was compromised—and the list of data leaked from it is disturbingly long. ⬇️ 2/8
FRT is an extremely invasive & dangerous surveillance tool which poses direct threats to privacy, especially at the hands of law enforcement. Police forces are able to amass & process large volumes of sensitive facial data without any checks, consent, transparency, or procedural safeguards. 3/8
Been hearing some chatter around #DigiYatra? As scary questions about ownership, transparency, and data flow emerge, here is a quick rundown of everything we know about the service, and more importantly, everything we don’t. 😶🌫️🧵1/7
1️⃣Who owns DigiYatra?
In 2019, @MoCA_GoI passed on DigiYatra's operations & data ecosystem to a *private company* created for this very purpose – DigiYatra Foundation. DYF is a joint venture between 5 Indian airports (public-private, 74% stake) & @AAI_Official (public, 26%). 2/7
2️⃣ Such a public-private venture must be answerable to citizens?
Not exactly. Neither DYF nor its security audit agency @IndianCERT fall under the RTI Act. It cannot, technically, be forced to disclose any information on its data practices & security. 3/7 medianama.com/2023/03/223-ci…
Were you among the millions of @WhatsApp users who got a DM from ‘Viksit Bharat Sampark’? 🫠🫠
The account, seeking feedback on government initiatives, is now barred by the Election Commission from sending messages.
But several concerns persist… (1/10) internetfreedom.in/whatsapp-messa…
The message, accompanied by a letter from the PM, listed the various schemes and initiatives introduced by the incumbent government and was, in many cases, sent after the ECI released its Model Code of Conduct for upcoming elections. (2/10)
It stirred a storm and how…
First, we wonder how exactly did MeitY secure the contact information of such a large number of people and when/how did it begin using this information for outreach purposes? (3/10)
@GoI_MeitY has notified the @PIBFactCheck of the @MIB_India as the fact-checking unit (FCU) under the IT Amendment Rules, 2023.
The notified FCU will be empowered to flag online “false”, “fake”, or “misleading” information related to the Union govt. 1/9 🧵
The establishment of the FCU less than a month before the country heads for the #GeneralElections2024 could vastly affect the nature of free speech on the internet as it holds the potential to be (mis)used for proactive censorship, most importantly in the context of dissent. 2/9
This notification follows the March 13 decision of the Bombay HC, where the Bench refused to restrain the setting up of an FCU until the third Judge decides on the constitutionality of the 2023 Amendment.
This effectively allowed the Union govt to operationalise the FCU, despite its constitutionality being under deliberation before the High Court. 3/9