#MobikwikDataLeak
We have written to @IndianCERT asking them to initiate an inquiry over the Mobikwik data breach under Sec. 70B(6) of the IT Act. We lay out 5 steps MobiKwik must take to alleviate the situation. Pls read and RT for public knowledge. 1/n internetfreedom.in/mobikwik-data-…
Over 8.2 TB of data of MobiKwik users has reportedly been put on sale over the dark web with an asking price of 1.5 Bitcoin (~ INR 65 Lakhs). The leak includes KYC, passport, address, email, phone number and Aadhaar card details of 10 Crore Indians. indianexpress.com/article/techno…
2/n
MobiKwik's denial has been countered by independent researchers who indicate that a breach has occurred. MobiKwik also reportedly sought help from Amazon last month after they discovered that someone outside the organisation downloaded their S3 data.
What should MobiKwik do instead of deflecting blame?
1. It must individually inform each affected user of the extent to which the breach has impacted them.
2. It must then move towards providing remedies, including examining if any restitution is necessary. 4/n
3. MobiKwik should provide an explanation on why such a breach took place, provide details including the number of affected users and the date and time of the breach, and issue a statement explaining steps taken to ensure that such a breach does not occur in the future.
5/n
4. An independent agency must conduct a third party forensic data security audit. We commend MobiKwik for making a public commitment to conduct it but it must be done independently through a firm of repute and its findings must be made public.
6/n
5. MobiKwik threatened legal action against the cyber security researcher who uncovered the breach. It must immediately be recalled. Policy reform is needed as cyber security researchers face threats of legal prosecution without legislative protection. 7/n internetfreedom.in/security-resea…
Given the data breach, violation of the right to privacy and the lack of a response by MobiKwik, we are hopeful that our representation to @IndianCERT will compel MobiKwik to act responsibly and provide accountability to its users.
8/n
Such breaches are rising. The Personal Data Protection Bill, 2019 contains several clauses relating to security but they are insufficient. Given that it is being reviewed by a Joint Parliamentary Committee currently, a conversation around it is the need of the hour.
9/10
We have started a public information series where we talk about the need for a data law, the bill’s provisions and loopholes, where accountability from authorities is needed, and what you can do to advocate for your rights. Follow it here. #SaveOurPrivacy
In 2018 @GoI_MeitY refused to provide us with public consultation comments on the Data Protection Bill in response to our RTI request.
After 3 years of pursuing this, the Central Information Commission has held that MeitY's denial is grossly improper. 1/n internetfreedom.in/persist-transp…
The RTI reply stated that the comments were confidential, but the CPIO did not cite any provision under section 8 of the RTI Act, 2005 to support this. Thus, the refusal was without basis and illegal. 2/n indiankanoon.org/doc/758550/
So we filed an appeal before the First Appellate Authority.
The FAA replied that the information can’t be shared under section 8(1)(i) of the RTI Act.
But this section provides exemptions for cabinet papers, and doesn’t apply to our request! 3/n indiankanoon.org/doc/93879/
Thread!
As election fever rises and #Kerala, #TamilNadu and #WestBengal go to the polls, we're bringing you an analysis of manifestos of major parties on their commitments to tech innovation, digital rights, internet access, privacy and cybersecurity. 1/n internetfreedom.in/2021assemblyel…
Despite a rising number of young voters and Indian internet users, political parties have been slow to move on digital rights. Before the 2019 general election we drafted an agenda making an appeal across party lines to prioritize digital rights. docs.google.com/document/d/1AX…
2/n
Following are our key learnings surrounding the promises made by political parties. We follow a model in which a “+” indicates a positive move, “-” a negative one, and “?” indicates one which does not present a clear foreseeable consequence or is ambiguous.
3/n
Thread: Facebook has announced a Human Rights Policy which will be applicable to all FB, WhatsApp, and Instagram users. We analyse this new policy in India's context, and call on FB to improve its practices openly and transparently for Indian users. 1/n internetfreedom.in/facebook-human…
FB outlines its commitment to the UN Guiding Principles on Businesses and Human Rights. Given that FB has been criticized for aiding human rights violations for years (scoring a mere 45/100 on the RDR index), the policy is too little, too late. 2/n rankingdigitalrights.org/index2020/
1. FB has committed to protecting privacy on WhatsApp, saying it won't give governments access to people’s data. The IT Rules, 2021 require traceability of information originators which may affect encryption so this is welcomed. But the Policy is insufficient on many fronts:
3/n
Thread on COVID-19 surveillance:
On May 28, 2020, we filed an RTI request with @BECIL_India on their tender to procure a Personnel Tracking GPS Solution and a Covid–19 Patient Tracking Tool. These surveillance measures impinge on rights of privacy, autonomy, and dignity.
1/n
We did not receive a reply. Then on October 30, 2020 we filed a first appeal against them and still did not receive a reply. Our last step in the matter was to file a second appeal with the CIC on December 12, 2020.
In 2021, BECIL has finally replied to our first appeal.
2/n
They state that procurement for the two items has not been done till date. Further, they have also stated that since this project is still at the Expression of Interest stage, a cost-benefit analysis is not required. 3/n
Breaking: Via an RTI filed with @MIB_India, we obtained 112 pages of complaints filed against Tandav. Sent 40 days before the IT Rules came into force, they triggered OTT censorship in India. Our policy analysis of grave implications on free speech. 1/n internetfreedom.in/tandav-case-st…
All of the complaints follow a template. 1. They've been filed majorly in Hindi and English. 2. Almost all were filed in the 3-day span of Jan 16 to Jan 18 2021. 3. Many include similar objections (even language) clustering around hurt religious sentiments.
Read one here: 2/n
After the complaints were filed, the creators apologized and removed controversial scenes, but multiple FIRs were filed against them.
People went on demanding that censorship and criminal penalties be imposed on OTT platforms. On Feb 25 2021, the government did exactly that.
3/n
Thread: You may have seen the bizarre headline stating that UP Police may track porn searches on the internet. We're clarifying what it's really about - because there's something more serious going on.
When we first saw this news, we became worried about violations of the right to privacy and free speech. (Remember, viewing sexually explicit material in private is not illegal in India). We filed an RTI with the PCO, Lucknow on Feb 16. UP Police responded publicly.
2/n
What we found: Under UP Police's 'Hamari Suraksha' program, people who visit websites which contain child sexual abuse material (CSAM) will be shown pop-up messages to sensitise them against viewing it. This will be done through AI and psychographics.