The Centre for Internet and Society
http://editors.cis-india.org
These are the search results for the query, showing results 1 to 15.
Surveillance Enabling Identity Systems in Africa: Tracing the Fingerprints of Aadhaar
http://editors.cis-india.org/internet-governance/blog/surveillance-enabling-identity-systems-in-africa-tracing-the-fingerprints-of-aadhaar
<b>Biometric identity systems are being introduced around the world with a focus on promoting human development and social and economic inclusion, rather than previous goals of security. As a result, these systems being encouraged in developing countries, particularly in Africa and Asia, sometimes with disastrous consequences.</b>
<p style="text-align: justify; ">In this report, we identify the different external actors that influencing this “developmental” agenda. These range from philanthropic organisations, private companies, and technology vendors, to state and international institutions. Most notable among these is the World Bank, whose influence we investigated in the form of case studies of Nigeria and Kenya. We also explored the role played by the “success” of the Aadhaar programme in India on these new ID systems. A key characteristic of the growing “digital identity for development” trend is the consolidation of different databases that record beneficiary data for government programmes into one unified platform, accessed by a unique biometric ID. This “Aadhaar model” has emerged as a default model to be adopted in developing countries, with little concern for the risks it introduces. Read and download the full report <a href="http://editors.cis-india.org/internet-governance/surveillance-enabling-identity-systems-in-africa" class="internal-link">here</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/surveillance-enabling-identity-systems-in-africa-tracing-the-fingerprints-of-aadhaar'>http://editors.cis-india.org/internet-governance/blog/surveillance-enabling-identity-systems-in-africa-tracing-the-fingerprints-of-aadhaar</a>
</p>
No publisherShruti Trikanad and Vrinda BhandariSurveillanceAadhaarInternet GovernancePrivacy2022-08-09T08:17:32ZBlog EntryAdvanced biometric technologies and new market entries tackle fraud, chase digital ID billions
http://editors.cis-india.org/internet-governance/news/biometric-update-june-26-2021-chris-burt-advanced-biometric-technologies-and-new-market-entries-tackle-fraud-chase-digital-id-billions
<b>Amid forecasts of rapid growth and huge market potential, digital ID platforms launches by Techsign and Ping Identity, new services, features and even an investment fund have been launched.</b>
<p style="text-align: justify; ">The blog post by Chris Burt was <a class="external-link" href="https://www.biometricupdate.com/202106/advanced-biometric-technologies-and-new-market-entries-tackle-fraud-chase-digital-id-billions">published by Biometric Update</a> on June 26, 2021.</p>
<p style="text-align: justify; ">A new camera solution for under-display 3D face biometrics from Infineon and partners, and IPO filings by Clear and SenseTime show parallel investment activity in biometrics, meanwhile, and experts from Veridium and Intellicheck provide insight into the shifting technology and fraud landscapes, among the most widely-read stories this week on Biometric Update.</p>
<h2 style="text-align: justify; ">Top biometrics news of the week</h2>
<p style="text-align: justify; ">Several areas of the digital identity market continued to be very active, with a new investment fund launched to support startups in digital commerce and payments, Yoti joining a regulatory sandbox, Techsign launching a digital ID platform, and Mastercard and b.well reporting positive results from a recent pilot for their biometric healthcare platform. All this activity contributes to explaining Juniper Research’s <a href="https://www.biometricupdate.com/202106/digital-identity-verification-market-forecast-to-reach-16-7b-by-2026">forecast of rapid growth</a> in the sector to $16.7 billion in 2026, driven largely by spending on remote onboarding.</p>
<p style="text-align: justify; ">Okta CEO Todd McKinnon, meanwhile, told Barron’s that the total addressable market for identity and access management providers like Okta is something like <a href="https://www.biometricupdate.com/202106/okta-ceo-says-total-addressable-identity-and-access-management-market-near-80b">$80 billion</a>, as well as that effective integration is the key to solving biometrics challenges in the space. Entrust and Yubico formed an integration partnership, LoginRadius launched a new feature, Jamf launched a biometric tool for enterprises, and a certification program for IAM professionals was launched.</p>
<p style="text-align: justify; ">A list of goods for sale on the dark web includes a listing for <a href="https://www.biometricupdate.com/202106/biometric-selfies-and-forged-passports-identities-for-sale-on-the-dark-web">selfies holding an American ID credential</a>, which in theory could be used in a biometric spoofing attack. Cybersecurity researcher Luana Pascu helps guide readers through the report, and shares insights such as on the status of faked vaccination certificates on dark web marketplaces.</p>
<p style="text-align: justify; ">Ensuring the validity of the ID document a biometric identity verification process is based on, without adding too much friction, often means adopting <a href="https://www.biometricupdate.com/202106/intellicheck-ceo-on-building-the-foundations-for-biometric-verification-and-fraud-protection">layered risk profiling</a>, Intellicheck CEO Bryan Lewis tells <em>Biometric Update</em> in a sponsored post. The company has deep roots in detecting fraudulent documents and has found that even scanning the barcode on an identity document will not necessarily catch a fake if the unique security elements are not validated as part of the scan.</p>
<p style="text-align: justify; ">Fourthline Anti-Financial Crime Head Ro Paddock writes in a Biometric Update guest post about the ever-increasing sophistication of fraud attacks, which reached the level of computer-generated <a href="https://www.biometricupdate.com/202106/the-fraudsters-new-game-face">3D masks and deepfakes</a> during the pandemic,. In response, information-sharing between organizations will be necessary to understand the scope of these new threats, and how to defend against them.</p>
<p style="text-align: justify; ">Philippines’ election commission has launched an app to allow people to preregister for the <a href="https://www.biometricupdate.com/202106/philippines-launches-app-to-fast-track-biometric-voter-registration">voter roll online</a> before enrolling their biometrics in person, as the country continues digitizing its public services. Governments in Pakistan, Haiti and Nigeria are also making moves to improve the accessibility and trustworthiness of their electoral processes.</p>
<p style="text-align: justify; ">A partnership between Research ICT Africa and the Centre for Internet and Society, supported by the Omidyar Network, to explore the development of digital ID systems for the African context is explained in a <a href="https://researchictafrica.net/2021/06/21/why-digital-id-matters/" target="_blank">blog post</a>. The project will be based on an adaptation of the Evaluation Framework for Digital Identities which the CIS used to assess India’s Aadhaar system, with rule of law, rights and risk-based tests, and presented in a series of posts.</p>
<p style="text-align: justify; ">Details of Clear’s IPO plans emerged, including its intention to raise up to <a href="https://www.biometricupdate.com/202106/clear-ipo-could-raise-up-to-396m-in-hot-biometrics-investment-market">$396 million</a> on the NYSE. The $2.2 billion valuation aligns with some comparable companies, by revenue multiple, but the lower voting power of the shares on offer could be a restraining factor.</p>
<p style="text-align: justify; ">An even bigger IPO could be held by SenseTime later this year, with the Chinese AI firm looking to raise up to $2 billion <a href="https://www.biometricupdate.com/202106/not-smarting-from-us-sanctions-sensetime-says-its-ipo-is-on-again">on the Hong Kong exchange</a>. The company has been talking about a public stock launch since before the company was hit with restrictions to U.S. trade, which it indicates have had little impact.</p>
<p style="text-align: justify; ">The latest major funding round in digital identity is the largest yet, with <a href="https://www.biometricupdate.com/202106/transmit-security-raises-543m-to-grow-biometric-passwordless-authentication">Transmit Security raising $543 million</a> at a $2.2 billion valuation to expand the market reach of its passwordless biometric authentication technology. The company claims it is the highest ever Series A funding round in cybersecurity.</p>
<p style="text-align: justify; ">Bob Eckel, Aware CEO and International Biometrics + Identity Association (IBIA) Director and Board Member, discusses why people should own their own identity, identifying things and protecting supply chains, and his background in setting up air traffic control systems used all over the world with the Requis <a href="https://requis.com/podcasts/podcast-bob-eckel-biometrics-future-secured-identities/" target="_blank">Supply Chain Next podcast</a>. In the longer term Eckel sees biometric replacing passwords, and in the shorter term being used to make processes touchless.</p>
<p style="text-align: justify; ">Veridium CTO John Callahan guides Biometric Update through recent NIST guidance on the <a href="https://www.biometricupdate.com/202106/nist-touchless-fingerprint-biometrics-guidance-confirms-interoperability">interoperable use of contactless fingerprints</a> with contact-based back-end AFIS systems. The guidance, which changes definitions within the NIST ITL biometric container standard, but advises that the associated image quality metric does not apply to contactless prints, could spark further investment in the modality.</p>
<p style="text-align: justify; ">A new time-of-flight 3D imaging solution that could be used to implement facial authentication from <a href="https://www.biometricupdate.com/202106/under-display-camera-for-3d-face-biometrics-developed-by-infineon-pmd-arcsoft">under the display of mobile devices</a> without notches or bezels has been developed by partners Infineon, pmdtechnologies and ArcSoft. Based on the REAL3 sensor and ArcSoft’s computer vision algorithms, the solution is expected to reach availability in Q3 2021.</p>
<p style="text-align: justify; "><a href="https://www.biometricupdate.com/202106/ping-identity-adds-behavioral-biometrics-and-bot-detection-with-securedtouch-acquisition">Ping Identity has acquired SecuredTouch</a> in a deal with undisclosed financial details to integrate its behavioral biometrics-based continuous user authentication with the PingOne enterprise cloud platform. Ping also launched a consumer application for reusable credentials and added unified management features to its cloud platform at its Identiverse 2021 event.</p>
<p style="text-align: justify; ">Notre Dame-IBM Technology Ethics Lab Founding Director Elizabeth Renieris joins the MIT Sloan Management Review’s <a href="https://sloanreview.mit.edu/audio/starting-now-on-technology-ethics-elizabeth-renieris/" target="_blank">Me, Myself and AI podcast</a> to discuss the role of the lab, her path past and through some of the digital identity space’s key ethical developments, and the need to take the long view on technology to understand its ethical implications. Renieris makes a pitch for process-oriented regulations, based on the best understanding we have at the time.</p>
<p style="text-align: justify; ">ProctorU’s announcement that it will no longer sell fully-automated remote proctoring services is seen as a win in the battle against “the AI shell game” by the <a href="https://www.eff.org/deeplinks/2021/06/long-overdue-reckoning-online-proctoring-companies-may-finally-be-here" target="_blank">Electronic Frontier Foundation</a>. The descriptions of the balance between the automated and human decision-making by AI proctoring providers amount to doublespeak, the EFF says, before panning their human review processes, accuracy rates, and use of facial recognition.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/biometric-update-june-26-2021-chris-burt-advanced-biometric-technologies-and-new-market-entries-tackle-fraud-chase-digital-id-billions'>http://editors.cis-india.org/internet-governance/news/biometric-update-june-26-2021-chris-burt-advanced-biometric-technologies-and-new-market-entries-tackle-fraud-chase-digital-id-billions</a>
</p>
No publisherChris BurtPrivacyInternet GovernanceUIDAIBiometricsAadhaar2021-06-28T01:13:05ZNews ItemNo such rule, but many vaccination centres are insisting on Aadhaar as proof
http://editors.cis-india.org/internet-governance/news/the-news-minute-june-4-2021-sreedevi-jayarajan-no-such-rule-but-many-vaccination-centres-are-insisting-on-aadhaar-as-proof
<b>Radhika Radhakrishnan saw three words swimming before her as she inched closer to the hospital lobby. </b>
<p>The blog post by Sreedevi Jayarajan was <a class="external-link" href="https://www.thenewsminute.com/article/no-such-rule-many-vaccination-centres-are-insisting-aadhaar-proof-covid150080">published in the News Minute</a> on June 4, 2021. Pranesh Prakash was quoted.</p>
<hr />
<p style="text-align: justify; ">The words were written on a white board inside the private hospital she had visited in Bengaluru on May 21, three weeks after the Union Government opened up COVID-19 vaccinations for the 18+ category after online registration. “I had booked a vaccine slot and visited the hospital and the words on the board read ‘Aadhaar is mandatory’, along with other dos and don’ts of the vaccination process that the hospital followed,” she tells TNM. On the morning of her vaccination date, Radhika had registered on the Union Health Ministry’s CoWin portal for a vaccine slot in the 18+ age group. She had given her PAN number when the portal asked for a government ID proof. The appointment slip on CoWin also showed her PAN, she says.</p>
<p class="_yeti_done" style="text-align: justify; ">But on the day of vaccination, authorities at the private hospital refused to accept her PAN card. Radhika says that they insisted on her Aadhaar number in order to authenticate her vaccination appointment, despite her telling them that it is illegal to demand her Aadhar card. “The hospital authorities told me that they only used Aadhaar cards to register people for vaccination or authenticate CoWin appointments. They said that if I did not want to give my Aadhaar number, I would have to wait a few more hours for them to figure out a different process,” she tells TNM. By this time, Radhika had already waited three hours in the hospital queue.</p>
<p dir="ltr" style="text-align: justify; ">Bengaluru-based journalist Biswak* too recounts a similar experience at a government run vaccination centre he had visited on May 5. The 25-year-old had registered on CoWin using his Driving License, one of five government ID proofs that the Health Ministry portal accepts for booking vaccination slots. But at the centre, Biswak says that the officials insisted on his Aadhaar number. “Thankfully I had the number despite not carrying my card. I got vaccinated and the vaccination certificate issued on my CoWin account showed the last four digits of my Aadhaar, and did not mention my driving license which was my ID proof of choice,” he says.</p>
<p dir="ltr" style="text-align: justify; ">TNM got in touch with several people from Tamil Nadu and Karnataka among other states who confirmed that their vaccination centres refused to accept any other ID proof, and insisted on Aadhaar. This despite the Union government not making Aadhaar mandatory for CoWin registration, for on-the-spot registrations, and even for authentication of appointments at vaccination centres.</p>
<h3 id="_mcePaste">Co-Win does not insist on Aadhaar</h3>
<p style="text-align: justify; ">A quick look at the CoWin portal will tell you that you can register with any of six government ID proofs other than your Aadhaar card. These are Driving License, PAN card, Passport, Pension Passbook, NPR Smart Card and Voter ID (EPIC). To the vaccine centres, registered citizens should carry the very same ID proof they have used to register on the Co-Win portal, along with a printout or screenshot of their appointment slip. This means, if a person has registered on the portal using an Aadhaar card, the vaccination centre will ask for the same for authentication.</p>
<p dir="ltr">Once vaccinated, citizens get a certificate with their vaccination status (one dose or fully vaccinated) on their phones. This certificate contains the person’s name, age, type of vaccine (Covishield or Covaxin) and the last four digits of the ID proof used for registration.</p>
<p dir="ltr" style="text-align: justify; ">While Radhika and Biswak say that their appointment slips had their PAN and Driving License numbers respectively, after they were coerced to give their Aadhaar numbers, the vaccination certificate on the Co-Win portal showed their Aadhaar number. “This means that they have forced me to give my Aadhaar number and then used this, despite me giving a different ID proof,” Radhika says. Multiple private hospitals in Chennai too currently insist on Aadhaar card for vaccinations, while Tamil Nadu government maintains that Aadhaar is not mandatory.</p>
<p style="text-align: justify; ">TNM spoke to a senior official in the Revenue and Finance Department of the Greater Chennai Corporation who confirmed that centres, both private and government, did not have the right to demand Aadhaar for vaccination. “There is no such rule that Aadhaar has to be submitted by citizens. In fact, the Co-Win portal also has a section to register those who have no ID proof, i.e homeless persons or those from marginalised sections. The portal finds another way to register these people. So insisting on an Aadhaar number is out of the question,” he says. In the neighbouring state of Kerala, the government recently announced that persons who had to travel abroad for various reasons should register on the government portal only using their passports. This, so that their vaccination certificate would generate their passport number as ID proof.</p>
<h3 style="text-align: justify; ">A matter of convenience?</h3>
<p style="text-align: justify; ">In the absence of a law which mandates Aadhaar to be used for the purpose of universal COVID-19 vaccination, there is no legal basis for hospitals and vaccination centres to insist on Aadhaar numbers to vaccinate people. “Unlike a law passed by the Union government which makes it compulsory for your PAN to be linked to your Aadhaar, there is no law which the government has passed to make Aadhaar compulsory for vaccination. The Union government does, however, have the legislative competence to pass such a law. Which means that if they want to make Aadhaar mandatory for vaccination, they can. So far they have not. And therefore, nobody has the right to demand Aadhaar to vaccinate people,” says Pranesh Prakash of the Centre for Internet and Society.</p>
<p dir="ltr" style="text-align: justify; ">However, it could be a matter of convenience for hospitals to use one type of ID proof, to be able to streamline their data entry process. “As (I believe) Aadhaar is the most widespread ID card in the country right now, when compared to other ID proofs, it makes it simple for vaccination centres to ask for Aadhaar numbers and key this in," Pranesh adds.</p>
<p dir="ltr" style="text-align: justify; ">To a query that TNM posted on Twitter, we got varied responses from people. While many said that the centres did not insist on a particular ID card, many others said they had to give their Aadhaar. The insistence for Aadhaar by vaccination centres, both private and government, seems to be random, with no proper pattern or rule in place.</p>
<h3>System does not support other ID proofs?</h3>
<p dir="ltr" style="text-align: justify; ">From Radhika’s experience, the hospital she visited for vaccination could not support any other ID proof, as they, in their own words “followed a system of using just Aadhaar cards”. This indirectly coerces unwilling citizens to part with their Aadhaar details, and offers no choice for those who registered with other ID proofs.</p>
<p dir="ltr" style="text-align: justify; ">“I had to finally give my Aadhaar number but it said that there was a mismatch. Later we found out that my name on my PAN was a bit different from the name on my Aadhaar card. Since I had used the PAN to register on Co-Win, the portal could not authenticate me with the Aadhaar number. Finally I had to re-register on the spot and give a different phone number as the phone number I had given was already linked to my Aadhaar and PAN,” she says, adding that all of this could have been avoided if the hospital had accepted her PAN in the first place.</p>
<p style="text-align: justify; ">However, a private hospital that has been doing vaccinations in many places across India told TNM that they had no instructions from the state or Union government to use only Aadhaar and claimed that they only asked for Aadhaar if the person had used it during registration. However, many people who responded to TNM named this private hospital and many others too as those insisting on Aadhaar as proof.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/the-news-minute-june-4-2021-sreedevi-jayarajan-no-such-rule-but-many-vaccination-centres-are-insisting-on-aadhaar-as-proof'>http://editors.cis-india.org/internet-governance/news/the-news-minute-june-4-2021-sreedevi-jayarajan-no-such-rule-but-many-vaccination-centres-are-insisting-on-aadhaar-as-proof</a>
</p>
No publisherSreedevi JayarajanAadhaarInternet Governance2021-06-26T04:43:13ZNews ItemAtmanirbhar Bharat Meets Digital India: An Evaluation of COVID-19 Relief for Migrants
http://editors.cis-india.org/raw/migrant-workers-solidarity-network-and-cis-ankan-barman-atmanirbhar-bharat-meets-digital-india-an-evaluation-of-covid-19-relief-for-migrants
<b>With the onset of the national lockdown on 24th March 2020 in response to the outbreak of COVID-19, the fate of millions of migrant workers was left uncertain. In addition, lack of enumeration and registration of migrant workers became a major obstacle for all State Governments and the Central Government to channelize relief and welfare measures.</b>
<p style="text-align: justify; ">A majority of workers were dependent on relief provided by NGOs, Civil Society Organizations and individuals or credit via kinship networks. With mounting domestic and international pressures, various relief and welfare schemes were rolled out but they were too little, too late and more often than not characterised by poor implementation.</p>
<p style="text-align: justify; ">The aim of this report is to qualitatively assess health conditions of migrant workers and access to welfare during the first COVID-19 lockdown. The primary focus is on the host states of Tamil Nadu, Maharashtra and Haryana. 20 in-depth interviews were conducted remotely with migrant workers working in various sectors. Their access to welfare schemes of the Central Government as well as of their host states was ascertained. Emphasis was also laid on their access to healthcare facilities in relation to COVID-19 and non-COVID-19 ailments.</p>
<p style="text-align: justify; ">The findings of the report showcase a dismal state of affairs. No one in our sample group received any kind of dry ration or cooked food in a sustained manner and, in the rare occasions when they did, it was woefully inadequate. Of the three states considered, we found that relief distribution was the best in Tamil Nadu followed by Maharashtra and then Haryana. Even the Direct Cash Transfer Scheme of the Central Government under ‘<i>Atmanirbhar Bharat</i>’ did not reach the migrant workers. Moreover, the migrant workers were apprehensive to report any COVID-19 related symptom due to the draconian treatment that followed therein and the crumbling healthcare sector made it impossible to avail facilities in non-COVID-19 related issues. Lastly, a case has been made for the creation of bottom-level infrastructures to further dialogue between various stakeholders, including associations of migrant workers, for the implementation of schemes and policies which can consolidate migrant workers as a relevant political subject. As migrant workers reel from the impact of the second wave, pushing for on-ground infrastructure and supporting community-based organisations becomes even more urgent.</p>
<hr />
<p style="text-align: justify; "><a class="external-link" href="https://cis-india.org/raw/files/atmanirbhar-bharat-meets-digital-india.pdf">Click here to read the report</a> authored by Ankan Barman and edited by Ayush Rathi. [PDF, 882 kb]</p>
<p>
For more details visit <a href='http://editors.cis-india.org/raw/migrant-workers-solidarity-network-and-cis-ankan-barman-atmanirbhar-bharat-meets-digital-india-an-evaluation-of-covid-19-relief-for-migrants'>http://editors.cis-india.org/raw/migrant-workers-solidarity-network-and-cis-ankan-barman-atmanirbhar-bharat-meets-digital-india-an-evaluation-of-covid-19-relief-for-migrants</a>
</p>
No publisherankanRAW PublicationsResearchers at WorkCovid19FeaturedLabour FuturesAadhaarHomepage2021-06-03T12:53:57ZBlog EntryLinking Aadhaar with social media or ending encryption is counterproductive
http://editors.cis-india.org/internet-governance/blog/prime-time-august-26-2019-sunil-abraham-linking-aadhaar-with-social-media-or-ending-encryption-is-counterproductive
<b>Should Aadhaar be used as KYC for social media accounts? We have recently seen a debate on this question with even the courts hearing arguments in favour and against such a move. </b>
<p style="text-align: justify; ">The article was published in <a class="external-link" href="https://theprimetime.in/linking-aadhaar-with-social-media-or-ending-encryption-is-counterproductive/">Prime Time</a> on August 26, 2019.</p>
<hr />
<p style="text-align: justify; ">The case began in Madras High Court and later Facebook moved the SC seeking transfer of the petition to the Apex court. The original petition was filed in July, 2018 and sought linking of Aadhaar numbers with user accounts to further traceability of messages.</p>
<p style="text-align: justify; ">Before we try and answer this question, we need to first understand the differences between the different types of data on social media and messaging platforms. If a crime happens on an end to end cryptographically secure channel like WhatsApp the police may request the following from the provider to help solve the case:</p>
<ol>
<li>Identity data: Phone numbers of the accused. Names and addresses of the accused.</li>
<li>Metadata: Sender, receiver(s), time, size of message, flag identifying a forwarded messages, delivery status, read status, etc.</li>
<li>Payload Data: Actual content of the text and multimedia messages.</li>
</ol>
<p style="text-align: justify; ">Different countries have taken different approaches to solving different layers of the surveillance problem. Let us start with identity data. Some like India require KYC for sale of SIM cards while others like the UK allow anonymous purchases. Corporations also have policies when it comes to anonymous speech on their platforms – Facebook for instance enforces a soft real ID policy while Twitter does not crack down on anonymous speech. The trouble with KYC the old fashioned way is that it exposes citizens to further risk. Every possessor of your identity documents is a potential attack surface. Indian regulation should not result in Indian identity documents being available in the millions to foreign corporations. Technical innovations are possible, like tokenisation, Aadhaar paperless local e-KYC or Aadhaar offline QR code along with one time passwords. These privacy protective alternatives must be mandatory for all and the Aadhaar numbers must be deleted from previously seeded databases. Countries that don’t require KYC have an alternative approach to security and law enforcement. They know that if someone like me commits a crime, it would be easy to catch me because I have been using the same telecom provider for the last fifteen years. This is true of long term customers regardless if they are pre-paid or post-paid. The security risk lies in the new numbers without this history that confirms identity. These countries use targeted big data analytics to determine risk and direct surveillance operations to target new SIM cards. My current understanding is that when it comes to basic user data – all the internet giants in India comply with what they consider as legitimate law enforcement requests. Some proprietary and free and open source [FOSS] alternatives to services offered by the giants don’t provide such direct cooperation in India.</p>
<p style="text-align: justify; ">When it comes to payload data – it is almost impossible (meaning you will need supercomputers) to access the data unless the service/software provider breaks end-to-end cryptography. It is unwise, like some policy-makers are proposing, to prohibit end-to-end cryptography or mandate back doors because our national sovereignty and our capacity for technological self-determination depends on strong cryptography. A targeted ban or prohibition against proprietary providers might have a counterproductive consequence with users migrating to FOSS alternatives like Signal which won’t even give the police identity data. As a supporter of the free software movement, I would see this as a positive development but as a citizen I am aware that the fight against crime and terror will become harder. So government must pursue other strategies to getting payload data such as a comprehensive government hacking programme.</p>
<p style="text-align: justify; ">Meta-data is critical when it comes to separating the guilty from the innocent and apportioning blame during an investigation. For example, who was the originator of a message? Who got it and read it last? WhatsApp claims that it has implemented the Signal protocol faithfully meaning that they hold no meta-data when it comes to the messages and calls. Currently there is no regulation which mandates data retention for over the top providers but such requirements do exist for telecom providers. Just like access to meta-data provides some visibility into illegal activities it also provides visibility into legal activities. Therefore those using end-to-end cryptography on platforms with comprehensive meta-data retention policies will have their privacy compromised even though the payload data remains secure. Here is a parallel example to understand why this is important. Early last year, the Internet Engineering Task Force chose a version of TLS 1.3 that revealed less meta-data over one that provided greater visibility into the communications. This hardening of global open standards, through the elimination of availability of meta-data for middle-boxes, makes it harder for foreign governments to intercept Indian military and diplomatic communications via imported telecom infrastructure. Courts and policy makers across the world have to grapple with the following question: Are meta-data retention mandates for the entire population of users a “necessary and proportionate” legal measure to combat crime and terror. For me, it should not be illegal for a provider who voluntarily wishes to retain data, provided it is within legally sanctioned limits but it should not be requirement under law.</p>
<p style="text-align: justify; ">There are technical solutions that are yet to be properly discussed and developed as an alternative to blanket meta-data retention measures. For example, Dr. V Kamakoti has made a traceability proposal at the Madras High Court. This proposal has been critiqued by Anand Venkatanarayanan as being violative in spirit of the principles of end-to-end cryptography. Other technical solutions are required for those seeking justice and for those who wish to serve as informers for terror plots. I have proposed client side metadata retention. If a person who has been subjected to financial fraud wishes to provide all the evidence from their client, it should be possible for them to create a digital signed archive of messages for the police. This could be signed by the sender, the provider and also the receiver so that technical non-repudiation raises the evidentiary quality of the digital evidence. However, there may be other legal requirements such as the provision of notice to the sender so that they know that client side data retention has been turned on.</p>
<p style="text-align: justify; ">The need of the hour is sustained research and development of privacy protecting surveillance mechanisms. These solutions need to be debated thoroughly amongst mathematicians, cryptographers, scientists, technologists, lawyers, social scientists and designers so that solutions with the least negative impact can be rolled out either voluntarily by providers or as a result of regulation.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/prime-time-august-26-2019-sunil-abraham-linking-aadhaar-with-social-media-or-ending-encryption-is-counterproductive'>http://editors.cis-india.org/internet-governance/blog/prime-time-august-26-2019-sunil-abraham-linking-aadhaar-with-social-media-or-ending-encryption-is-counterproductive</a>
</p>
No publishersunilAadhaarInternet GovernancePrivacy2019-08-28T01:39:47ZBlog EntryA judicial overreach into matters of regulation
http://editors.cis-india.org/internet-governance/blog/the-hindu-august-27-2019-a-judicial-overreach-into-matters-of-regulation
<b>A PIL on Aadhaar sheds light on some problematic trends</b>
<p style="text-align: justify; ">The article by Gurshabad Grover was <a class="external-link" href="https://www.thehindu.com/opinion/op-ed/a-judicial-overreach-into-matters-of-regulation/article29262148.ece">published in the Hindu</a> on August 27, 2019.</p>
<hr />
<p style="text-align: justify; ">The Madras High Court has been hearing a PIL petition since 2018 that initially asked the court to declare the linking of Aadhaar with a government identity proof as mandatory for registering email and social media accounts. The petitioners, victims of online bullying, went to the court because they found that law enforcement agencies were inefficient at investigating cybercrimes, especially when it came to gathering information about pseudonymous accounts on major online platforms. This case brings out some of the most odious trends in policymaking in India.</p>
<p style="text-align: justify; ">The first issue is how the courts, as Anuj Bhuwania has argued in the book <em>Courting the People</em>, have continually expanded the scope of issues considered in PILs. In this case, it is absolutely clear that the court is not pondering about any question of law. In what could be considered as abrogation of the separation of powers provision in the Constitution, the Madras High Court started to deliberate on a policy question with a wide-ranging impact: Should Aadhaar be linked with social media accounts?</p>
<p style="text-align: justify; ">After ruling out this possibility, it went on to consider a question that is even further out of its purview: Should platforms like WhatsApp that provide encrypted services allow forms of “traceability” to enable finding the originator of content? In essence, the court is now trying to regulate one particular platform on a very specific technical question, ignoring legal frameworks entirely. It is worrying that the judiciary is finding itself increasingly at ease with deliberations on policy and regulatory measures, and its recent actions remind us that the powers of the court also deserve critical questioning.</p>
<h2 style="text-align: justify; ">Government’s support</h2>
<p style="text-align: justify; ">Second, not only are governments failing to assert their own powers of regulation in response to the courts’ actions, they are on the contrary encouraging such PILs. The Attorney General, K.K. Venugopal, who is representing the State of Tamil Nadu in the case, could have argued for the case’s dismissal by referring to the fact that the Ministry of Electronics and Information Technology has already published draft regulations that aim to introduce “traceability” and to increase obligations on social media platforms. Instead, he has largely urged the court to pass regulatory orders.</p>
<p style="text-align: justify; ">Third, ‘Aadhaar linking’ is becoming increasingly a refrain whenever any matter even loosely related to identification or investigation of crime is brought up. While the Madras High Court has ruled out such linking for social media platforms, other High Courts are still hearing petitions to formulate such rules. The processes that law enforcement agencies use to get information from platforms based in foreign jurisdictions rely on international agreements. Linking Aadhaar with social media accounts will have no bearing on these processes. Hence, the proposed ‘solution’ misses the problem entirely, and comes with its own threats of infringing privacy.</p>
<h2 style="text-align: justify; ">Problems of investigation</h2>
<p style="text-align: justify; ">That said, investigating cybercrime is a serious problem for law enforcement agencies. However, the proceedings before the court indicate that the cause of the issues have not been correctly identified. While legal provisions that allow agencies to seek information from online platforms already exist in the Code of Criminal Procedure and the Information Technology Act, getting this information from platforms based in foreign jurisdictions can be a long and cumbersome process. For instance, the hurdles posed by the mutual legal assistance treaty between India and the U.S. effectively mean that it might take months to receive a response to information requests sent to U.S.-based platforms, if a response is received at all.</p>
<p style="text-align: justify; ">To make cybercrime investigation easier, the Indian government has various options. India should push for fairer executive agreements possible under instruments like the United States’ CLOUD Act, for which we need to first bring our surveillance laws in line with international human rights standards through reforms such as judicial oversight. India could use the threat of data localisation as a leverage to negotiate bilateral agreements with other countries to ensure that agencies have recourse to quicker procedures. As a first step, however, Indian courts must wash their hands of such questions. For its part, the Centre must engage in consultative policymaking around these important issues, rather than support ad-hoc regulation through court orders in PILs.</p>
<p style="text-align: justify; "><span>(</span><em>Disclosure: The CIS is a recipient of research grants from Facebook.</em><span>)</span></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/the-hindu-august-27-2019-a-judicial-overreach-into-matters-of-regulation'>http://editors.cis-india.org/internet-governance/blog/the-hindu-august-27-2019-a-judicial-overreach-into-matters-of-regulation</a>
</p>
No publishergurshabadAadhaarInternet GovernancePrivacy2019-08-28T01:28:52ZBlog Entry"Aadhaar Reduced Agency in Citizens and Empowered Those in Positions of Authority"
http://editors.cis-india.org/internet-governance/news/newsclick-martin-moore-may-20-2019-aadhaar-reduced-agency-in-citizens-and-empowered-those-in-positions-of-authority
<b>In the space of one election cycle, authoritarian governments, moneyed elites and fringe hackers figured out how to game elections, bypass democratic processes, and turn social networks into battlefields. Facebook, Google and Twitter – where our politics now takes place – have lost control and are struggling to claw it back. As our lives migrate online, we are gradually moving into a world of datafied citizens and real-time surveillance. The entire political landscape has changed, with profound consequences for democracy. </b>
<p style="text-align: justify; ">The article by Martin Moore was <a class="external-link" href="https://www.newsclick.in/aadhar-reduced-agency-citizens-and-empowered-those-positions-authority">published by NewsClick</a> on May 20, 2019. Pranesh Prakash was quoted.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; "><em>Written by Martin Moore,</em> Democracy Hacked: Political Turmoil and Information Warfare in the Digital Age,<em> is a compelling account of how democracy is being disrupted by the tech revolution, and what can be done to get us back on track. The following are excerpts from the chapter </em>"Survellaince Democracy" <em>of the book.</em></p>
<p style="text-align: justify; ">Tembhli, a remote rural village in northern Maharashtra, about 250 miles north of Mumbai, is rarely visited by high-powered politicians or prominent dignitaries. But on Wednesday, 29 September 2010, it found itself hosting not just the Indian prime minister, Manmohan Singh, but the president of Congress, Sonia Gandhi; the chief and deputy chief ministers and the governor of Maharashtra; and the head of the recently established Unique Identification Authority of India, Nandan Nilekani. It was this last figure, the least well known of the distinguished group, who was the reason behind the visit, and who would subsequently play the most important role in its aftermath. Nilekani and the politicians were there to give out the first ten ‘unique identifiers’ to residents of Tembhli. These ten people received their own twelve-digit number, a number that would, from that day forward, distinguish each of them from every other Indian citizen, and indeed – combined with their biometric data – from every other citizen in the world. “With this,” Sonia Gandhi said, “Tembhli has got a special importance in the map of India. People of Tembhli will lead the rest of the country. It is a historic step towards strengthening the people of our nation.”</p>
<p style="text-align: justify; ">Governments of all stripes are prone to exaggerated rhetoric, but in this instance, Gandhi was proved right when she proclaimed that “starting from this tiny hamlet, the scheme will reach more than a billion people of this country.” Despite the change of government in 2014, by April 2016 a billion Indians had been allocated their unique identifier. By 2018 the number had exceeded 1.1 billion, out of a total population of just over 1.3 billion. It was, in the words of a Harvard Business School report, a “hugely ambitious project”, “the largest-scale project of its kind in the world”. Aadhaar, as the project was called, was “unique in its scale and ambition”.3 Each Aadhaar identifier included not just a twelve-digit number, but all ten fingerprints, iris scans from both eyes, and a photograph of each person’s face (with the potential for facial recognition later). By combining the number with one element of biometric data, the government believed, it could ensure that every Indian citizen had a single, verifiable, machine-readable identity. With this verifiable identity a citizen could open a bank account, receive welfare or pension payments, pay tax, apply for a driving license, or receive healthcare, regardless of literacy. In a country known for its administrative torpor and tortuous bureaucracy, where – in 2013 – only forty per cent of children’s births were even registered, such a scheme had the potential to let India leapfrog other democratic countries into the digital era, and make government not just digitally enabled but digitally empowered.</p>
<p style="text-align: justify; ">Yet this, for critics of the scheme, was one of its many flaws. “Aadhaar marks a fundamental shift in citizen–state relations,” Pranesh Prakash from India’s Centre for the Internet and Society wrote in the <em>Hindustan Times</em>, “from ‘We the People’ to ‘We the Government’.” Civil society activists objected to the government’s enhanced power, and the relative unaccountability of the body running Aadhaar, headed by Nandan Nilekani until 2014. “In effect,” tech developer and activist Kiran Jonnalagadda wrote, “they are beyond the rule of law.” Others had practical objections.</p>
<p style="text-align: justify; ">Biometric identification often did not work. A database of this size and importance was bound to attract hackers. Leaks were inevitable. Indeed, the <em>Tribune</em> newspaper in January 2018 revealed that it had been able to buy a service, for 500 rupees (less than $10), that gave it access to any of up to one billion Aadhaar details. Yet such objections were written off as ‘scaremongering’ and Aadhaar critics as “activists of the upper crust, upper class, wine ’n cheese, Netflix-watching social media elite”. On top of which, despite an Indian Supreme Court judgment in August 2017 that affirmed the fundamental right of Indians to privacy, by early 2018 Aadhaar had achieved such momentum as to appear unstoppable. If the government was able to navigate the various legislative challenges to the scheme, then there was also a queue of other nations keen to adopt something similar.</p>
<p style="text-align: justify; ">[…]</p>
<p style="text-align: justify; ">As the government pushed Aadhaar towards every interaction the state had with the citizen, evidence mounted of failures in the system.</p>
<p style="text-align: justify; ">In the north-eastern state of Jharkhand, an eleven-year-old girl died of starvation after her family stopped receiving their government food ration. Their ration card, the Hindu Centre for Politics and Public Policy reported, “was not linked to Aadhaar”. The centre also reported on data, taken from the government’s websites, showing that in Rajasthan, where receiving rations was dependent on Aadhaar authentication, between a quarter and a third of people with ration cards did not receive rations between September 2016 and July 2017. In some ration shops, after having spent hours trying and failing to get their fingerprints read by the biometric machines, people lost their temper and smashed the machines on the ground.</p>
<p style="text-align: justify; ">Across India there were reports of machines not recognizing fingerprints, or only recognizing them after multiple attempts. Old people’s prints turned out to be more difficult to read, as were those of manual workers and fishermen. Since the system presumes guilt rather than innocence, the burden of proof lies with the citizen, not with the state. To claim a ration, apply for a scholarship or buy a train ticket, you have to prove who you are before receiving it. The obligation lies with the citizen to prove she is not a fraud. Even if she is not, and the failure is not with her but with the system, she pays for the system’s failure, not the government. To dispute a decision made by the machine means going to the nearest large town – often many miles away – and convincing an official that the problem is with the machine or the digital record, not with you. It is not surprising that some people wrecked Aadhaar machines in their rage.</p>
<p style="text-align: justify; ">While the system was found to reduce agency in citizens, it empowered those in positions of authority. Central government was able to make public services conditional on authentication by Aadhaar (despite repeated court rulings that Aadhaar be voluntary, not mandatory). This conditionality could then be extended to the level and type of public services available to individuals. In fact, it had to be for many services – distinguishing pensioners from non-pensioners, for example. Yet in this conditionality, there is plenty of scope for harm and abuse. In 2017 the independent media site <em>Scroll.in</em> reported a rising number of HIV-positive patients who were dropping out of treatment programmes because they were required to use their Aadhaar numbers and were fearful of their condition becoming public.</p>
<p style="text-align: justify; ">Equally, while Aadhaar itself did not provide any information about caste, ethnicity, religion or language, once it was linked to other databases, most notably the National Population Register, then it became possible to identify people by group. Formal group identification by the state has an ignominious history. During the apartheid era in South Africa, the penultimate number on the South African identity card indicated race. In the Rwandan genocide in 1994, anyone who had ‘Tutsi’ on their identification was liable to be killed. In Nazi Germany in 1938, every Jewish citizen had ‘J’ stamped on their ID cards and passports. In India, where political and religious divisions are closely intertwined, there is good reason to be anxious about new opportunities for group identification.</p>
<p style="text-align: justify; ">Thanks to Aadhaar, companies started to build services using unique identification. A series of ‘trust platforms’ emerged, built on top of Aadhaar, where employers – and others – could access and authenticate people’s identity. A company called TrustID advertised itself as “India’s first, unique and comprehensive online verification platform”. Through TrustID an employer could check whether a potential employee had any criminal or civil convictions, or whether that person had a good or bad reputation (based on a news search and social media profiling). The company even encouraged women to check up on potential husbands they had found via marriage websites. Other international companies integrated Aadhaar into existing services. This is similar to the way in which companies work with platforms like Facebook to profile, and target, individuals based on their personal information – except in this instance doing it via the government. All the same questions about trust, privacy, freedom and power arise, with even greater political potency. The state and private companies are in partnership to track citizens constantly and to gather as much data as they can on them – data that they can then use for commercial or political purposes. This opaque, asymmetrical knowledge of the citizen seems like the reverse of what was intended by democratic transparency, especially in the absence of strong privacy and data protection. “Totalitarian states often do this against the wishes of their citizens,” Pratap Bhanu Mehta, the president of the Centre for Policy Research, writes, yet “in our democracy, our consent is being mobilized to put an imprimatur over more control and arbitrariness.”</p>
<p style="text-align: justify; ">In August 2017, the Supreme Court of India came to a unanimous 9–0 decision that Article 21 of the Indian Constitution did guarantee a fundamental right to privacy. As such, it was not lawful for the government to make it mandatory for people to identify themselves using a unique identifier like Aadhaar, except in specific circumstances. To some this looked like a huge blow to the grand project. The Supreme Court decision “raises serious questions about Aadhaar”, lawyer Adarsh Ramanujan argued in India’s <em>Financial Express</em>, and appeared to send “a direction to the central government to create a regime to ensure that privacy rights are not trammelled by other private parties”. The judgment was about privacy broadly, and did not refer to specific cases like Aadhaar, but was seen as the basis from which future challenges to the scheme could be launched. The Modi government, however, appeared to carry on regardless. In October it linked Aadhaar to driving licence applications. By mid-December, the government had made Aadhaar mandatory if citizens wanted to access any of 140 government services.</p>
<p style="text-align: justify; ">Nandan Nilekani, who had stepped down as chair of Aadhaar in 2014 in order to become a candidate for the Congress party, railed against those who criticized the scheme. There was, he claimed, an “orchestrated campaign” to malign the system. “I think this so-called anti-Aadhaar lobby is really just a small bunch of liberal elites who are in some echo chamber,” he told an Indian business news channel. Anyway, Nilekani argued, it was too late for the naysayers to stop it. Too many people were now enrolled. It was too integral to the provision of services. Others saw attacks on Aadhaar as political, arguing that Congress was using it for political gain prior to the 2019 election, and that this would backfire. “Aadhaar today is not just a number,” the editor of India’s <em>Economic Times</em>wrote. “The Congress envisaged it as a means of identity but the Modi government has taken it to a different level. It has become a weapon in the hands of the poor and a powerful tool to fight entrenched black money interests. It is now a symbol of anti-corruption, anti-black money drives, a symbol of efficient allocation of welfare benefits.”</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/newsclick-martin-moore-may-20-2019-aadhaar-reduced-agency-in-citizens-and-empowered-those-in-positions-of-authority'>http://editors.cis-india.org/internet-governance/news/newsclick-martin-moore-may-20-2019-aadhaar-reduced-agency-in-citizens-and-empowered-those-in-positions-of-authority</a>
</p>
No publisherMartin MooreAadhaarInternet Governance2019-05-21T15:33:01ZNews ItemSubmitted Your Biometrics for Aadhaar? Here’s How You Can Lock/Unlock That Data
http://editors.cis-india.org/internet-governance/news/the-better-india-vidya-raja-january-24-2019-aadhaar-biometric-privacy-safety-online-india
<b>Did you know that UIDAI provides a facility that allows users to lock/unlock their Aadhaar biometric data online?</b>
<p>The blog post by Vidya Raja was <a class="external-link" href="https://www.thebetterindia.com/170550/aadhaar-biometric-privacy-safety-online-india/">published in the Better India</a> on January 24, 2019. Pranesh Prakash was quoted.</p>
<hr />
<p style="text-align: justify; ">Imagine someone hacking into your Netflix account – all you have to do is change the password. However, if there is a security <a href="https://www.thebetterindia.com/99520/aadhaar-card-right-over-our-body-privacy-government/" rel="noopener" target="_blank">breach</a> with respect to your biometric details, there is no reversing it. So think carefully about how and where you submit your details. While the Supreme Court has said that it is no longer mandatory to link Aadhaar with your bank accounts or your telecom service provider, it does not lessen the importance of Aadhaar.</p>
<p style="text-align: justify; ">Pranesh Prakash, Policy Director, The Centre for Internet & Society, in a report published in <a href="https://www.livemint.com/Money/YD7dqEVRJbrqoAs3h4PuJO/Are-biometrics-hackproof.html" rel="noopener" target="_blank">The Mint</a>, says, “Biometric devices are not hack-proof. It depends on the ease with which this can be done. In Malaysia, thieves who stole a car with a fingerprint-based ignition system simply chopped off the owner’s finger. When a biometric attendance system was introduced at the Institute of Chemical Technology (ICT) in Mumbai, students continued giving proxies by using moulds made from Fevicol.” Over the last year, there has been so much chatter about the Aadhaar number and how one can protect one’s information.</p>
<p>Did you know that UIDAI provides a facility that allows users to lock/unlock their Aadhaar biometric data online?</p>
<p><b>In this article, we explain how you can do that.</b></p>
<p><b>Locking biometrics online:</b></p>
<ol>
<li>Visit UIDAI’s <a href="https://uidai.gov.in/" rel="noopener" target="_blank">online</a> portal to lock or unlock your biometrics</li>
<li>Once there, you will need to click on ‘My Aadhaar’ and under the Aadhaar Services tab, click on Lock/Unlock Biometrics</li>
<li>You will then be redirected to a new page and prompted to enter the 12-digit Aadhaar number and the security code</li>
<li>Once the details have been entered, click on ‘Send OTP’</li>
<li>You will receive an OTP on your registered mobile number</li>
<li>Enter this and click on the Login button</li>
<li>This feature will allow you to lock your biometrics</li>
<li>Enter the 4-digit security code mentioned on the screen and click on the ‘Enable’ button</li>
<li>Your biometrics will be locked, and you will have to unlock it in case you want to access it again</li>
</ol>
<p><b>Unlocking biometrics online:</b></p>
<ol>
<li>To unlock your biometrics, click on the ‘Login’ button</li>
<li>Enter your Aadhaar number and the security code in the designated spaces</li>
<li>Now click on ‘Send OTP’</li>
<li>An OTP will be sent to your registered mobile number</li>
<li>Enter it in the space provided and click on ‘Login’</li>
<li>In case you want to temporarily unlock the biometrics, enter the security code and click on the unlock button</li>
<li>Your biometrics will be unlocked for 10 minutes</li>
<li>The locking date and time is mentioned on the screen after which biometrics will be automatically locked</li>
<li>When you do not want to lock your biometrics, you can disable the lock permanently.</li>
</ol>
<h2>Using mAadhaar to lock/unlock biometrics:</h2>
<p>mAadhaar is the official mobile application developed by the Unique Identification Authority of India (UIDAI). Presently, it is available on the <a href="https://play.google.com/store/apps/details?id=in.gov.uidai.mAadhaarPlus&hl=en_IN" rel="noopener" target="_blank">Android</a> platform.</p>
<ol>
<li>Once the mAadhaar app has been downloaded, the user must use their Aadhaar card registered mobile number to login.</li>
<li>You will then be sent an OTP that you are required to enter for authentication. Do remember to change your password once registered.</li>
<li style="text-align: justify; ">On the top right side, tap on ‘Biometric lock’, and enter your password to lock the biometrics. Once locked, it will show a small lock icon next to your profile.</li>
<li>To unlock, tap on the same icon followed by your password. The information will unlock for 10 minutes. After that, it will be locked again.</li>
<li style="text-align: justify; ">Once you lock this information, it ensures that even the Aadhaar holder will not be able to use their biometric data (iris scan and fingerprints) for authentication, until unlocked.</li>
<li>If you try to use this information without unlocking, it will show you an error code 330.</li>
</ol>
<p style="text-align: justify; ">Remember to lock and unlock your biometrics through a trusted channel. The fact that there is no fee involved in either exercise will make this easier. Also, even with the biometric locked, you can continue to use the OTP-based authentication process for transactions, where you will receive the OTP on your registered mobile number and e-mail address.</p>
<p><i>(Edited by Shruti Singhal)</i></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/the-better-india-vidya-raja-january-24-2019-aadhaar-biometric-privacy-safety-online-india'>http://editors.cis-india.org/internet-governance/news/the-better-india-vidya-raja-january-24-2019-aadhaar-biometric-privacy-safety-online-india</a>
</p>
No publisherAdminAadhaarInternet GovernancePrivacy2019-02-02T02:09:56ZNews ItemRegistering for Aadhaar in 2019
http://editors.cis-india.org/internet-governance/blog/business-standard-january-2-2019-registering-for-aadhaar-in-2019
<b>It is a lot less scary registering for Aadhaar in 2019 than it was in 2010, given how the authentication modalities have since evolved.</b>
<p style="text-align: justify; ">The article was published in <a class="external-link" href="https://www.business-standard.com/article/opinion/registering-for-aadhaar-in-2019-119010201018_1.html">Business Standard</a> on January 2, 2019.</p>
<hr />
<p style="text-align: justify; ">Last November, a global committee of lawmakers from nine countries the UK, Canada, Ireland, Brazil, Argentina, Singapore, Belgium, France and Latvia summoned Mark Zuckerberg to what they called an “international grand committee” in London. Mr. Zuckerberg was too spooked to show up, but Ashkan Soltani, former CTO of the FTC was among those who testified against Facebook. He said “in the US, a lot of the reticence to pass strong policy has been about killing the golden goose” referring to the innovative technology sector. Mr. Soltani went on to argue that “smart legislation will incentivise innovation”. This could be done either intentionally or unintentionally by governments. For example, a poorly thought through blocking of pornography can result in innovative censorship circumvention technologies. On other occasions, this can happen intentionally. I hope to use my inaugural column in these pages to provide an Indian example of such intentional regulatory innovation.<br /><br />Eight years ago, almost to this date, my colleague Elonnai Hickok wrote an open letter to the Parliamentary Finance Committee on what was then called the UID or Unique Identity. She compared Aadhaar to the digital identity project started by the National Democratic Alliance (NDA) government in 2001. Like the Vajpayee administration which was working in response to the Kargil War, she advocated a decentralised authentication architecture using smart cards based on public key cryptography. Last year, even before the five-judge constitutional bench struck down Section 57 of the Aadhaar Act, the UIDAI preemptively responded to this regulatory development by launching offline Aadhaar cards. This was to be expected especially since from the A.P. Shah Committee report, the Puttaswamy Judgment, the B.N. Srikrishna Committee consultation paper, report and bill, the principle of “privacy by design” was emerging as a key Indian regulatory principle in the domain of data protection.<br /><br />The introduction of the offline Aadhaar mechanism eliminates the need for biometrics during authentication. I have previously provided 11 reasons why biometrics is inappropriate technology for e-governance applications by democratic governments, and this comes as a massive relief for both human rights activists and security researchers. Second, it decentralises authentication, meaning that there is a no longer a central database that holds a 360-degree view of all incidents of identification and authentication. Third, it dramatically reduces the attack surface for Aadhaar numbers, since only the last four digits remain unmasked on the card. Each data controller using Aadhaar will have to generate his/her own series of unique identifiers to distinguish between residents. If those databases leak or get breached, it won’t tarnish the credibility of Aadhaar or the UIDAI to the same degree. Fourth, it increases the probability of attribution in case a data breach were to occur; if the breached or leaked data contains identifiers issued by a particular data controller, it would become easier to hold them accountable and liable for the associated harms. Fifth, unlike the previous iteration of the Aadhaar “card”, on which the QR code was easy to forge and alter, this mechanism provides for integrity and tamper detection because the demographic information contained within the QR code is digitally signed by the UIDAI. Finally, it retains the earlier benefit of being very cheap to issue, unlike smart cards.<br /><br />Thanks to the UIDAI, the private sector is also being forced to implement privacy by design. Previously, since everyone was responsible for protecting Aadhaar numbers, nobody was. Data controllers would gladly share the Aadhaar number with their contractors, that is, data processors, since nobody could be held responsible. Now, since their own unique identifiers could be used to trace liability back to them, data controllers will start using tokenisation when they outsource any work that involves processing of the collected data. Skin in the game immediately breeds more responsible behaviour in the ecosystem.<br /><br />The fintech sector has been rightfully complaining about regulatory and technological uncertainty from last year’s developments. This should be addressed by developing open standards and free software to allow for rapid yet secure implementation of these changes. The QR code standard itself should be an open standard developed by the UIDAI using some of the best practices common to international standard setting organisations like the World Wide Web Consortium, Internet Engineers Task Force and the Institute of Electrical and Electronics Engineers. While the UIDAI might still choose to take the final decision when it comes to various technological choices, it should allow stakeholders to make contributions through comments, mailing lists, wikis and face-to-face meetings. Once a standard has been approved, a reference implementation must be developed by the UIDAI under liberal licences, like the BSD licence that allows for both free software and proprietary software derivative works. For example, a software that can read the QR code as well as send and receive the OTP to authenticate the resident. This would ensure that smaller fintech companies with limited resources can develop secure systems.<br /><br />Since Justice Dhananjaya Y. Chandrachud’s excellent dissent had no other takers on the bench, holdouts like me must finally register for an Aadhaar number since we cannot delay filing taxes any further. While I would still have preferred a physical digital artefact like a smart card (built on an open standard), I must say it is a lot less scary registering for Aadhaar in 2019 than it was in 2010, given how the authentication modalities have since evolved.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/business-standard-january-2-2019-registering-for-aadhaar-in-2019'>http://editors.cis-india.org/internet-governance/blog/business-standard-january-2-2019-registering-for-aadhaar-in-2019</a>
</p>
No publishersunilAadhaarInternet GovernancePrivacy2019-01-03T14:59:04ZBlog EntryIs Aadhaar Essential To Achieve Error-Free Electoral Rolls?
http://editors.cis-india.org/internet-governance/news/bloomberg-quint-december-16-2018-is-aadhaar-essential-to-achieve-error-free-electoral-rolls
<b>The Election Commission’s plans to link Aadhaar with electoral rolls may have stirred a hornet’s nest.</b>
<p style="text-align: justify; ">The article was published in <a class="external-link" href="https://www.bloombergquint.com/politics/is-aadhaar-essential-to-achieve-error-free-electoral-rolls">Bloomberg's Quint</a> on December 16, 2018. Pranesh Prakash was quoted.</p>
<hr />
<p style="text-align: justify; ">The commission plans to undertake the exercise to clean up electoral rolls—which need to be updated frequently to avoid duplication and errors, <i>The Economic Times</i> newspaper reported citing people aware of the matter. But with privacy concerns raised against the Aadhaar, is this the best way to achieve error-free voter data?</p>
<p style="text-align: justify; ">Pranesh Prakash, policy director at the Centre for Internet and Society, doesn’t think so. Using Aadhaar data without the consent of the user poses legal problems, he told BloombergQuint in a conversation. “For the Election Commission to link Aadhaar with citizens’ voter ID would require amending the law.”</p>
<blockquote style="text-align: justify; ">It is questionable whether this will fall within the bounds that the SC has set for usage of Aadhaar.</blockquote>
<p style="text-align: justify; ">Pranesh Prakash, Policy Director, Centre for Internet and Society</p>
<p style="text-align: justify; ">The former legal advisor of the Election Commission SK Mendiratta, however, brushed aside privacy concerns relating to the process. The Election Commission, according to him, is a constitutional body and can use information with the government to ensure purity of the electoral roll.</p>
<p style="text-align: justify; ">Reetika Khera, associate professor at Indian Institute of Management-Ahmedabad, said this could be bad for voters. She cited the mass deletion of voters from electoral rolls in Telangana ahead of the recent elections, and urged that due process must be followed.</p>
<blockquote style="text-align: justify; ">There are serious problems with the use of algorithmic approaches in various spheres. Aadhaar as a tool to clean up the electoral rolls is the problem.</blockquote>
<p style="text-align: justify; ">Reetika Khera, Associate Professor, IIM Ahmedabad</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/bloomberg-quint-december-16-2018-is-aadhaar-essential-to-achieve-error-free-electoral-rolls'>http://editors.cis-india.org/internet-governance/news/bloomberg-quint-december-16-2018-is-aadhaar-essential-to-achieve-error-free-electoral-rolls</a>
</p>
No publisherpraskrishnaAadhaarInternet GovernancePrivacy2018-12-25T01:21:45ZNews ItemClarification on the Information Security Practices of Aadhaar Report
http://editors.cis-india.org/internet-governance/blog/clarification-on-the-information-security-practices-of-aadhaar-report
<b>We are issuing a second clarificatory statement on our report titled “Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar numbers with sensitive personal financial information” published on May 1, 2017. </b>
<p> </p>
<h4>The report concerned can be accessed <a href="https://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof-a-documentation-of-public-availability-of-aadhaar-numbers-with-sensitive-personal-financial-information-1">here</a>, and the first clarificatory statement (dated May 16, 2017) can be accessed <a href="https://cis-india.org/internet-governance/clarification-on-information-security-practices-of-the-aadhaar-report/">here</a>.</h4>
<hr />
<p>This clarificatory statement is being issued in response to reports that misrepresent our research. In light of repeated questions we have received, which seem to emanate from a misunderstanding of our report, we would like to make the following clarifications.</p>
<ol>
<li>Our research involved documentation and taking illustrative screenshots (included in our report) of public webpages on the four government websites listed in our report. These screenshots were taken to demonstrate that the vulnerability existed.<br /><br /></li>
<li>The figure of 130-135 million Aadhaar Numbers quoted in our Report are, as clearly stated, derived directly by adding the aggregate numbers (of beneficiaries/individuals whose data were listed in the three government websites concerned) and published by the portals themselves in the MIS reports publicly available on the portals. The numbers are as follows:<br /><br />
<ul>
<li>10,97,60,343 from NREGA,<br /><br /></li>
<li>63,95,317 from NSAP, and<br /><br /></li>
<li>2,05,60,896 from Chandranna Bima (screenshots included in the report).<br /><br /></li></ul>
<strong>We did not arrive at this number by downloading data ourselves but by adding the figures on the government websites. To our knowledge, no harm, financial or otherwise has been caused to anyone due to the public availability. Further, it must be noted that we published the report only after ascertaining that the websites in questions had masked or removed the data. Therefore our report only points to the possibility that there could be harm caused by malicious actors before the data was taken down. However, we are not aware of any such cases of exploitation, nor do we suggest so anywhere in our report.</strong></li></ol>
<p>We sincerely hope that this clarification helps with a clearer comprehension of the argument and implications of the said report. We urge those who are using our report in their research to reach out to us to prevent the future misinterpretation of the report.</p>
<p><em>— Amber Sinha and Srinivas Kodali</em></p>
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/clarification-on-the-information-security-practices-of-aadhaar-report'>http://editors.cis-india.org/internet-governance/blog/clarification-on-the-information-security-practices-of-aadhaar-report</a>
</p>
No publisherAmber Sinha and Srinivas KodaliFeaturedHomepageAadhaar2018-11-05T12:08:06ZBlog EntryAfter Supreme Court Setback, Fintech Firms Await Clarity On Aadhaar
http://editors.cis-india.org/internet-governance/news/bloomberg-quint-nishant-sharma-september-27-2018-after-sc-setback-fintech-firms-await-clarity-on-aadhaar
<b>The 12-digit Aadhaar number is now out of bounds for fintech companies in India.</b>
<p style="text-align: justify; ">The article by Nishant Sharma was <a class="external-link" href="https://www.bloombergquint.com/aadhaar/after-supreme-court-setback-fintech-firms-await-clarity-on-aadhaar">published in Bloomberg Quint</a> on September 27, 2018. Pranesh Prakash was quoted.</p>
<hr />
<h3>Video</h3>
<p><iframe frameborder="0" height="315" src="https://www.youtube.com/embed/FiEbZcL3lnY" width="560"></iframe></p>
<hr />
<p style="text-align: justify; ">With the Supreme Court on Wednesday terming Aadhaar authentication by private companies as “<a href="https://www.bloombergquint.com/law-and-policy/2018/09/26/aadhaar-a-quick-summary-of-the-supreme-court-majority-order" target="_blank">unconstitutional</a>”, companies such as online wallets and e-tailers, among others, will now have to make changes to how they onboard and verify customers, in addition to how they transact.</p>
<p style="text-align: justify; ">In a 567-page majority judgment authored by Justice Sikri and concurred upon by two other judges—Chief Justice Dipak Misra and Justice AM Khanwilkar—it said that Section 57 of the Aadhaar Act, which allows private companies to use Aadhaar for authentication services based on a contract between the corporate and an individual, would enable commercial exploitation of private data and hence is unconstitutional.</p>
<p style="text-align: justify; ">“What it essentially means is that the private bodies, such as lending platforms, wallets, or any private entity, cannot use Aadhaar for authentication,” said Anirudh Rastogi founder at Ikigai Law (formerly TRA), a law firm that specialises in representing businesses on data privacy.</p>
<p style="text-align: justify; ">The decision is set to impact private companies right from Flipkart-owned PhonePe, Paytm, Reliance Jio and Amazon, among others, which rely on Aadhaar for e-verification. Amazon recently launched cardless equated monthly installments on Amazon Pay through the digital finance platform Capital Float and asked customers to provide Aadhaar numbers or virtual ID and PAN details on the Amazon app for verification.</p>
<h3 style="text-align: justify; ">'Aadhaar Is Just Another ID'</h3>
<p style="text-align: justify; ">Pranesh Prakash, fellow, Centre for Internet and Society, said that with this judgment Aadhaar is no longer an identity infrastructure as its creators have dreamt of. “It is now just another ID.”</p>
<p style="text-align: justify; ">For those opposed to Aadhaar, on privacy and security grounds, this may be a part victory. But for the Fintech industry it stymies the use of quick Aadhaar-based e-KYC (know your customer norms) to onboard customers. “The fintech industry thrives on the instant paperless mantra, and this move will curb its rapid growth, ” Amrish Rau, co-founder of PayU, said in a text message.</p>
<p style="text-align: justify; ">The verdict is also set to push up costs for the industry. Rau said: “Conducting physical KYC would be a costly affair, with every physical KYC costing about Rs 100 per person.”</p>
<p style="text-align: justify; ">Companies like PhonePe await more clarity. “We are waiting to hear from bodies like the Reserve Bank of India, UIDAI on what KYC that will be required for wallets moving ahead," Sameer Nigam, cofounder of PhonePe, said. "Whether we go to no KYC, lower limit environment or go to the physical KYC environment."</p>
<p style="text-align: justify; ">The judgment also stated that the identification number will not be mandatory for opening bank accounts, mobile-phone connections or for admissions into educational institutions. However, Aadhaar will continue to be mandatory for the distribution of state-sponsored welfare schemes including direct benefit transfers and the public distribution system. Taxpayers will have to link their Permanent Account Numbers to the biometric database.</p>
<h3 style="text-align: justify; ">Aadhaar-Based KYC: Allowed With Consent?</h3>
<p style="text-align: justify; ">The Supreme Court has concluded that the part of section 57 which enables body corporate and individuals also to seek authentication, that too on the basis of a contract between the individual and such body corporate or person, would impinge upon the right to privacy of such individuals.</p>
<p style="text-align: justify; ">Prasanna S, a Supreme Court advocate and lawyer for one of the petitioners in the Aadhaar matter interpreted it to mean that even if a customer voluntarily wants to use Aadhaar for e-KYC, businesses cannot accept it.</p>
<blockquote style="text-align: justify; ">They have struck down the part of Section 57 that allows use of Aadhaar based on a contract. A contract, by nature is voluntary, But since the court has struck down this part, even voluntary use won’t be permitted.</blockquote>
<p style="text-align: justify; ">Prasanna S, Advocate, Supreme Court</p>
<h3 style="text-align: justify; ">Jaitley Hints At Legal Backing</h3>
<p style="text-align: justify; ">Meanwhile, Finance Minister Arun Jaitley on Wednesday hinted that the Centre is likely to examine whether separate legal backing is needed for Section 57 of the Aadhaar Act, the newswire PTI reported. “So, let us first read the judgement. There are two-three prohibited areas. Are they because they are totally prohibited or are they because they need legal backing,” Jaitley was quoted as saying.</p>
<p style="text-align: justify; ">Rastogi of Ikigai Law said that the court has left open for the government to promulgate a law to enable private parties to use Aadhaar that can withstand judicial scrutiny.</p>
<p style="text-align: justify; ">Rahul Matthan, a technology partner at law firm Trilegal differed with this view. He said that since the apex court has ruled that private entities cannot access the Aadhaar infrastructure, it means that even if the government brings a specific law to allow for that, it would be unconstitutional.</p>
<p style="text-align: justify; ">Prasanna agreed with this interpretation.</p>
<blockquote style="text-align: justify; ">The court has hinted that commercial exploitation of personal information will fail the proportionality test laid down by it in the Right to Privacy judgment. This is one of the grounds for them to conclude that Section 57 is unconstitutional. So even a law is introduced, private access will be impermissible.</blockquote>
<p style="text-align: justify; ">Prasanna S, Advocate, Supreme Court</p>
<h3 style="text-align: justify; ">Are Aadhaar-Based KYCs Tainted?</h3>
<p style="text-align: justify; ">Since the use of Aadhaar by private entities has been struck down, does it mean entities who have used it for KYC so far have to re-do that exercise? And data that was collected as part of Aadhaar-based KYC- does that need to be deleted?</p>
<p style="text-align: justify; ">The majority order hasn’t specifically addressed these questions, Matthan pointed out. But went on to explain that his reading of the judgment is that the court wants things to remain as they are.</p>
<blockquote style="text-align: justify; ">The Supreme Court has said that collection of data before the Aadhaar Act was introduced is valid. If you follow that sentiment, may be we can argue that there’s no requirement to delete the data.</blockquote>
<p style="text-align: justify; ">Rahul Matthan, Partner, Trilegal</p>
<p style="text-align: justify; "><br />Whatever has been done without the authority of law has to go, Prasanna said. But this outcome may not be practical and another hearing before the Supreme Court may be required to clear these questions, he added.</p>
<p style="text-align: justify; ">Private entities such as the online cab aggregator Ola have already removed eKYC from its e-wallet when BloombergQuint last checked. Others may follow suit.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/bloomberg-quint-nishant-sharma-september-27-2018-after-sc-setback-fintech-firms-await-clarity-on-aadhaar'>http://editors.cis-india.org/internet-governance/news/bloomberg-quint-nishant-sharma-september-27-2018-after-sc-setback-fintech-firms-await-clarity-on-aadhaar</a>
</p>
No publisherAdminAadhaarInternet GovernancePrivacy2018-10-01T23:39:42ZNews ItemNational Health Stack: Data For Data’s Sake, A Manmade Health Hazard
http://editors.cis-india.org/internet-governance/blog/bloomberg-quint-murali-neelakantan-swaraj-barooah-swagam-dasgupta-torsha-sarkar-august-14-2018-national-health-stack-data-for-datas-sake-a-manmade-health-hazard
<b>On Oct. 5, 2017, an HIV positive woman was denied admission in Hyderabad’s Osmania General Hospital even though she was entitled to free treatment under India’s National AIDS Control Organisation programme. Another incident around the same time witnessed a 24-year-old pregnant woman at Tikamgarh district hospital in Madhya Pradesh being denied treatment by hospital doctors once she tested positive for HIV. The patient reportedly delivered the twins outside the maternity ward after she was turned away by the hospital, but her newborn twin girls died soon after.</b>
<p style="text-align: justify; ">The op-ed was <a class="external-link" href="https://www.bloombergquint.com/opinion/2018/08/14/data-for-datas-sake-a-manmade-health-hazard#gs.bT20zK4">published in Bloomberg Quint</a> on August 14, 2018.</p>
<hr />
<p style="text-align: justify; ">Apart from facing the severity of their condition, patients afflicted with diseases such as HIV, tuberculosis, and mental illnesses, are often subject to social stigma, sometimes even leading to the denial of medical treatment. Given this grim reality would patients want their full medical history in a database?</p>
<p style="text-align: justify; ">The ‘National Health Stack’ as described by the NITI Aayog in its consultation paper, is an ambitious attempt to build a digital infrastructure with a “deep understanding of the incentive structures prevalent in the Indian healthcare ecosystem”. If the government is to create a database of individuals’ health records, then it should appreciate the differential impact that it could have on the patients.</p>
<blockquote>The collection of health data, without sensitisation and accountability, has the potential to deny healthcare to the vulnerable.</blockquote>
<p style="text-align: justify; ">We have innumerable instances of denial of services due to Aadhaar and there is a real risk that another database will lead to more denial of access to the most vulnerable.</p>
<p style="text-align: justify; ">Earlier, we had outlined some key aspects of the NHS, the ‘world’s largest’ government-funded national healthcare scheme. Here we discuss some of the core technical issues surrounding the question of data collection, updating, quality, and utilisation.</p>
<h3>Resting On A Flimsy Foundation: The Unique Health ID</h3>
<p style="text-align: justify; ">The National Health Stack envisages the creation of a unique ID for registered beneficiaries in the system — a ‘Digital Health ID’. Upon the submission of a ‘national identifier’ and completion of the Know Your Customer process, the patient would be registered in the system, and a unique health ID generated.</p>
<p style="text-align: justify; ">This seemingly straightforward process rests on a very flimsy foundation. The base entry in the beneficiary registry would be linked to a ‘strong foundational ID’. Extreme care needs to be taken to ensure that this is not limited to an Aadhaar number. Currently, the unavailability of Aadhaar would not be a ground for denial of treatment to a patient only for their first visit; the patient must provide Aadhaar or an Aadhaar enrolment slip to avail treatment thereafter. This suggests that the national healthcare infrastructure will be geared towards increasing Aadhaar enrollment, with the unstated implication that healthcare is a benefit or subsidy — a largess of government, and not, as the courts have confirmed, a fundamental right.</p>
<blockquote style="text-align: justify; ">Not only is this project using government-funded infrastructure to deny its citizens the fundamental right to healthcare, it is using the desperate need of the vulnerable for healthcare to push the ‘Aadhaar’ agenda.</blockquote>
<p style="text-align: justify; ">Any pretence that Aadhaar is voluntary is slowly fading with the government mandating it at every step of our lives.</p>
<p style="text-align: justify; "><img alt="Aadhaar Seva kendra. (Source: Aadhaar Official Account/Facebook)&nbsp;" class="qt-image" src="https://images.assettype.com/bloombergquint%2F2018-01%2Fd7f4b53a-b069-484d-8c28-511c516aa4d5%2F3a192ed0-8a18-4518-95be-ac5234239e94.jpg?w=480&auto=format%2Ccompress" /></p>
<div class="visualClear" style="text-align: justify; ">Aadhaar Seva kendra. (Source: Aadhaar Official Account/Facebook</div>
<div class="visualClear" style="text-align: justify; "></div>
<h3>Is The Health ID An Effective And Unique Identifier?</h3>
<p style="text-align: justify; ">Even if we choose to look past the fact that the validity of Aadhaar is still pending the test of legality before the apex court, a foundational ID would mean that the data contained within that ID is unique, accurate, incorruptible, and cannot be misused. These principles, unfortunately, have been compromised by the UIDAI in the Aadhaar project with its lack of uniqueness of identity (i.e, fake IDs and duplicity), failure to authenticate identity, numerous alleged data leaks (‘alleged’ because UIDAI maintains that there haven’t been any leaks), lack of connectivity to be able to authenticate identity and numerous instances of inaccurate information which cannot be corrected.</p>
<p>Linking something as crucial and basic as healthcare data with such a database is a potential disaster.</p>
<p>There is a real risk that incorrect linking could cause deaths or inappropriate medical care.</p>
<h3>The High Risk Of Poor Quality Data</h3>
<p style="text-align: justify; ">The NITI Aayog paper envisages several expansive databases that are capable of being updated by different entities. It includes enrollment and updating processes but seems to assume that all these extra steps will be taken by all the relevant stakeholders and does not explain the motivation for stakeholders to do so.</p>
<p style="text-align: justify; ">In a country where government doctors, hospitals, wellness centres, etc are overburdened and understaffed, this reliance is simply not credible. For instance, all attributes within the registries are to be digitally signed by an authorised updater, there must be an audit trail for all changes made to the registries, and surveyors will be tasked with visiting providers in person to validate the data. Identifying these precautions as measures to assure accurate data is a great step towards building a national health database, but this seems an impossible task.</p>
<blockquote>Who are these actors and what will incentivise them to ensure the accuracy and integrity of data?</blockquote>
<p style="text-align: justify; ">In other words, what incentive and accountability structures will ensure that data entry and updating is accurate, and not approached from a more ‘<i>jugaad</i>’ ‘let’s just get this done for the sake of it’ attitude that permeates much of the country. How will patients have access to the database to be able to check its accuracy? Is it possible for a patient (who will presumably be ill) to gain easy access to an updater to change their data? If so, how? It is worth noting that the patient’s ‘right’ to check her data assumes that they have access to a computer that is connected to the internet as well as a good level of digital literacy, which is not the case in India for a significant section of the population. Even data portability loses its potential benefits if the quality of data on these registries is not reliable. In this case, healthcare providers will need to verify their patients’ health history using physical records instead, rendering the stack redundant.</p>
<p>Who will be liable to the patient for misdiagnosis based on the database?</p>
<p><img alt="A sonographic image is displayed on a monitor as a patient undergoes an ultrasound scan in Bikaner, Rajasthan, India. (Photographer: Prashanth Vishwanathan/Bloomberg)" class="qt-image" src="https://images.assettype.com/bloombergquint%2F2018-08%2Fe1659408-49ba-4188-b57e-aef377c69eb0%2Fm1291107.jpg?w=480&auto=format%2Ccompress" /></p>
<div class="visualClear">A sonographic image is displayed on a monitor as a patient undergoes an ultrasound scan in Bikaner, Rajasthan, India. (Photographer: Prashanth Vishwanathan/Bloomberg)</div>
<p style="text-align: justify; ">Leaving the question of accountability vague opens updaters to the possibility of facing dangerous and unnecessarily punitive measures in the future. The NITI Aayog paper fails to address this key issue which arose recently. Despite being a notifiable disease, there are reports that numerous doctors from the private sector failed to notify or update TB cases to the Ministry of Health and Family Welfare ostensibly on the grounds that they did not receive consent from their patients to share their information with the government. This was met with a harsh response from the government which stated that clinical establishment that failed to notify tuberculosis patients would face jail time. According to a few doctors, the government’s new move would coerce patients to go to ‘underground clinics’ to receive treatment discreetly and hence, would not solve the issue of TB.</p>
<blockquote>The document also offers no specific recommended procedures regarding how inaccurate entries will be corrected or deleted.</blockquote>
<p style="text-align: justify; ">It is then perhaps not a stretch to imagine that these scenarios would affect the quality of the data stored; defeating NITI Aayog’s objective of researchers using the stack for high-quality medical data.</p>
<p style="text-align: justify; ">The reason why the quality and integrity of data is at the head of the table is that all the proposed applications of the NHS (analytics, fraud detection etc.) assume a high quality, accurate dataset. At the same time, the enrolment process, updating process and disclosed measures to ensure data quality will effectively lead to poor quality data. If this is the case, then applications derived from the NHS dataset should assume an imperfect data, rather than an accurate dataset, which should make one wonder if no data is better than data that is certainly inaccurate.</p>
<h3>Lack Of Data Utilisation Guidelines</h3>
<p style="text-align: justify; ">Issues with data quality are exacerbated depending on how and where it is used, and who uses it. The paper has identified some users to be health-sector stakeholders such as healthcare providers (hospitals, clinics, labs etc), beneficiaries, doctors, insurers and accredited social health activists but misses laying down utilisation guidelines. The foresight to create a dataset that can be utilised by multiple actors for numerous applications is commendable, but potentially problematic -- especially if guidelines on how this data is to be used by stakeholders (especially the private sector) are ignored.</p>
<p style="text-align: justify; ">In order to bridge this knowledge gap, India has the opportunity to learn from the legal precedent set by foreign institutions. As an example, one could examine the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Health Insurance Portability and Accountability Act (HIPAA) in the U.S. which sets out strict guidelines for how businesses are to handle sensitive health data in order to maintain the individual’s privacy and security. It goes one step further to also lay down incentive and accountability structures in order that business associates necessarily report security breaches to their respective covered entities.</p>
<blockquote>If we do not take necessary precautions now, we not only run the risk of poor security and breach of privacy but of inaccurate data that renders the national health data repository a health risk for the whole patient population.</blockquote>
<p style="text-align: justify; ">There’s also the lack of clarity on who is meant to benefit from using such a database or whether the benefits are equal to all stakeholders, but more on that in a subsequent piece.</p>
<p style="text-align: justify; "><img alt="A medical team uses a glucometer to check the blood glucose level of a patient at a mobile clinic in Pancharala, on the outskirts of Bengaluru, India. (Photographer: Dhiraj Singh/Bloomberg)" class="qt-image" src="https://images.assettype.com/bloombergquint%2F2018-08%2F5e7e7b41-1513-4161-b195-5b8a77c6e4f1%2F314780590_1_20.jpg?w=480&auto=format%2Ccompress" /></p>
<div class="visualClear" style="text-align: justify; ">A medical team uses a glucometer to check the blood glucose level of a patient at a mobile clinic in Pancharala, on the outskirts of Bengaluru, India. (Photographer: Dhiraj Singh/Bloomberg)</div>
<div class="visualClear" style="text-align: justify; "></div>
<h3>It’s Your Recipe, You Try It First!</h3>
<p style="text-align: justify; ">If the NITI Aayog and the government are sure that there is a need for a national healthcare database, perhaps they can start using the Central Government Health Scheme (which includes all current and retired government employees and their families) as a pilot scheme for this. Once the software, database and the various apps built on it are found to be good value for money and patients benefit from excellent treatment all over the country, it could be expanded to those who use the Employees’ State Insurance system, and then perhaps to the armed forces. After all, these three groups already have a unique identifier and would benefit from the portability of healthcare records since they are likely to be transferred and posted all over the country. If, and only if, it works for these groups and the claimed benefits are observed, then perhaps it can be expanded to the rest of the country’s healthcare systems.</p>
<p><i>Murali Neelakantan is an expert in healthcare laws. Swaraj Barooah is Policy Director at The Centre for Internet and Society. Swagam Dasgupta and Torsha Sarkar are interns at The Centre for Internet and Society.</i></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/bloomberg-quint-murali-neelakantan-swaraj-barooah-swagam-dasgupta-torsha-sarkar-august-14-2018-national-health-stack-data-for-datas-sake-a-manmade-health-hazard'>http://editors.cis-india.org/internet-governance/blog/bloomberg-quint-murali-neelakantan-swaraj-barooah-swagam-dasgupta-torsha-sarkar-august-14-2018-national-health-stack-data-for-datas-sake-a-manmade-health-hazard</a>
</p>
No publisherMurali Neelakantan, Swaraj Barooah, Swagam Dasgupta and Torsha SarkarPrivacyAadhaarInternet GovernanceHealthcare2018-09-16T05:01:18ZBlog EntrySpreading unhappiness equally around
http://editors.cis-india.org/internet-governance/blog/business-standard-july-31-2018-sunil-abraham-spreading-unhappiness-equally-around
<b>The section of civil society opposed to Aadhaar is unhappy because the UIDAI and all other state agencies that wish to can process data non-consensually.</b>
<p>The article was published in <a class="external-link" href="https://www.business-standard.com/article/opinion/spreading-unhappiness-equally-around-118073100008_1.html">Business Standard</a> on July 31, 2018.</p>
<hr />
<p style="text-align: justify; ">There is a joke in policy-making circles — you know you have reached a good compromise if all the relevant stakeholders are equally unhappy. By that measure, the B N Srikrishna committee has done a commendable job since there are many with complaints.</p>
<p style="text-align: justify; ">Some in the private sector are unhappy because their demonisation of the European Union’s General Data Protection Regulation (GDPR) has failed. The committee’s draft data protection Bill is closely modelled upon the GDPR in terms of rights, principles, design of the regulator and the design of the regulatory tools like impact assessments. With 4 per cent of global turnover as maximum fine, there is a clear signal that privacy infringements by transnational corporations will be reigned in by the regulator. Getting a law that has copied many elements of the European regulation is good news for us because the GDPR is recognised by leading human rights organisations as the global gold standard. But the bad news for us is that the Bill also has unnecessarily broad data localisation mandates for the private sector.</p>
<p style="text-align: justify; ">Some in the fintech sector are unhappy because the committee rejected the suggestion that privacy be regulated as a property right. This is a positive from the human rights perspective, especially because this approach has been rejected across the globe, including the European Union. Property rights are inappropriate because a natural law framing of the enclosure of the commons into private property through labour does not translate to personal data. Also in comparison to patents — or “intellectual property” — the scale of possible discreet property holdings in personal information is several orders higher, posing unimaginable complexity for regulation, possibly creating a gridlock economy.</p>
<p style="text-align: justify; ">The section of civil society opposed to Aadhaar is unhappy because the UIDAI and all other state agencies that wish to can process data non-consensually. A similar loophole exists in the GDPR. Remember the definition of processing includes “operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction”. This means the UIDAI can collect data from you without your consent and does not have to establish consent for the data it has collected in the past. There is a “necessary” test which is supposed to constrain data collection. But for the last 10 odd years, the UIDAI has deemed it “necessary” to collect biometrics to give the poor subsidised grain. Will those forms of disproportionate non-consensual data collection continue? Most probably because the report recommends that the UIDAI continue to play the role of the regulator with heightened powers. Which is like trusting the fox with<br />the henhouse.</p>
<p style="text-align: justify; ">Employees should be unhappy because the Bill has an expansive ground under which employers can nonconsensually harvest their data. The Bill allows for non-consensual processing of any data “necessary” for recruitment, termination, providing any benefit or service, verifying the attendance or any other activity related to the assessment of the performance”. This is permitted when consent is not an appropriate basis or would involve disproportionate effort on the part of the employer. This is basically a surveillance provision for employers. Either this ground should be removed like in the GDPR or a “proportionate” test should also be introduced otherwise disproportionate mechanisms like spyware on work computers will be installed by employees without providing notice.</p>
<p style="text-align: justify; ">Some free speech activists are unhappy because the law contains a “right to be forgotten” provision. They are concerned that this will be used by the rich and powerful to censor mainstream and alternative media. On the face of the “right to be forgotten” in the GDPR is a much more expansive “right to erasure”, whilst the Bill only provides for a more limited "right to restrict or prevent continuing disclosure”. However, the GDPR has a clear exception for “archiving purposes in the public interest, scientific or historical research purposes or statistical purposes”. The Bill like the GDPR does identify the two competing human rights imperatives — freedom of expression and the right to information. However, by missing the “public interest” test it does not sufficiently social power asymmetries.</p>
<p style="text-align: justify; ">Privacy and security researchers are unhappy because re-identification has been made an offence without a public interest or research exception. It is indeed a positive that the committee has made re-identification a criminal offence. This is because the de-identification standards notified by the regulator would always be catching up with the latest mathematical development. However, in order to protect the very research that the regulator needs to protect the rights of individuals, the Bill should have granted the formal and non-formal academic community immunity from liability and criminal prosecution.</p>
<p style="text-align: justify; ">Lastly but also most importantly, human rights activists are unhappy because the committee again like the GDPR did not include sufficiently specific surveillance law fixes. The European Union has historically handled this separately in the ePrivacy Regulation. Maybe that is the approach we must also follow or maybe this was a missed opportunity. Overall, the B N Srikrishna committee must be commended for producing a good data protection Bill. The task before us is to make it great and to have it enacted by Parliament at the earliest.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/business-standard-july-31-2018-sunil-abraham-spreading-unhappiness-equally-around'>http://editors.cis-india.org/internet-governance/blog/business-standard-july-31-2018-sunil-abraham-spreading-unhappiness-equally-around</a>
</p>
No publishersunilAadhaarInternet GovernancePrivacy2018-07-31T14:49:52ZBlog EntryThe Centre for Internet and Society’s Comments and Recommendations to the: Indian Privacy Code, 2018
http://editors.cis-india.org/internet-governance/blog/the-centre-for-internet-and-society2019s-comments-and-recommendations-to-the-indian-privacy-code-2018
<b>The debate surrounding privacy has in recent times gained momentum due to the Aadhaar judgement and the growing concerns around the use of personal data by corporations and governments.</b>
<p>Click to download the <a class="external-link" href="http://cis-india.org/internet-governance/files/indian-privacy-code">file here</a></p>
<hr />
<p style="text-align: justify; ">As India moves towards greater digitization, and technology becomes even more pervasive, there is a need to ensure the privacy of the individual as well as hold the private and public sector accountable for the use of personal data. Towards enabling public discourse and furthering the development a privacy framework for India, a group of lawyers and policy analysts backed by the Internet Freedom Foundation (IFF) have put together a draft a citizen's bill encompassing a citizen centric privacy code that is based on seven guiding principles.<a href="#_ftn1"><sup><sup>[1]</sup></sup></a> This draft builds on the Citizens Privacy Bill, 2013 that had been drafted by CIS on the basis of a series of roundtables conducted in India.<a href="#_ftn2"><sup><sup>[2]</sup></sup></a> Privacy is one of the key areas of research at CIS and we welcome this initiative and hope that our comments make the Act a stronger embodiment of the right to privacy.</p>
<h1 style="text-align: justify; ">Section by Section Recommendations</h1>
<h2 style="text-align: justify; ">Preamble</h2>
<p style="text-align: justify; "><b>Comment:</b> The Preamble specifies that the need for privacy has increased in the digital age, with the emergence of big data analytics.</p>
<p style="text-align: justify; "><b>Recommendation:</b> It could instead be worded as ‘with the emergence of technologies such as big data analytics’, so as to recognize the impact of multiple technologies and processes including big data analytics.</p>
<p style="text-align: justify; "><b>Comment:</b> The Preamble states that it is necessary for good governance that all interceptions of communication and surveillance be conducted in a systematic and transparent manner subservient to the rule of law.</p>
<p style="text-align: justify; ">Recommendation: The word ‘systematic’ is out of place, and can be interpreted incorrectly. It could instead be replaced with words such as ‘necessary’, ‘proportionate’, ‘specific’, and ‘narrow’, which would be more appropriate in this context.</p>
<h2 style="text-align: justify; ">Chapter 1</h2>
<h2 style="text-align: justify; ">Preliminary</h2>
<p style="text-align: justify; "><b>Section 2: </b>This Section defines the terms used in the Act.</p>
<p style="text-align: justify; "><b>Comment:</b> Some of the terms are incomplete and a few of the terms used in the Act have not been included in the list of definitions.</p>
<p style="text-align: justify; "><b>Recommendations:</b></p>
<ul style="text-align: justify; ">
<li>The term “effective consent” needs to be defined. The term is first used in the Proviso to Section 7(2), which states “Provided that effective consent can only be said to have been obtained where...:”It is crucial that the Act defines effective consent especially when it is with respect to sensitive data.</li>
<li>The term “open data” needs to be defined. The term is first used in Section 5 that states the exemptions to the right to privacy. Subsection 1 clause ii states as follows “the collection, storage, processing or dissemination by a natural person of personal data for a strictly non-commercial purposes which may be classified as open data by the Privacy Commission”. Hence the term open data needs to be defined in order to ensure that there is no ambiguity in terms of what open data means.</li>
<li>The Act does not define “erasure”, although the term erasure does come under the definition of destroy (Section 2(1)(p)). There are some provisions that use the word erasure , hence if erasure and destruction mean different acts then the term erasure needs to be defined, otherwise in order to maintain uniformity the sections where erasure is used could be substituted with the term “destroy” as defined under this Act.</li>
<li>The definition of “sensitive personal data” does not include location data and identification numbers. The definition of sensitive data must include location data as the Act also deals in depth with surveillance. With respect to identification numbers, the Act needs to consider identification numbers (eg. the Aadhaar number, PAN number etc.) as sensitive information as this number is linked to a person's identity and can reveal sensitive personal data such as name, age, location, biometrics etc. Example can be taken from Section 4(1) of the GDPR<a href="#_ftn3"><sup><sup>[3]</sup></sup></a> which identifies location data as well as identification numbers as sensitive personal data along with other identifies such as biometric data, gender race etc.</li>
<li>The Act defines consent as the “unambiguous indication of a data subject’s agreement” however, the definition does not indicate that there needs to be an informed consent. Hence the revised definition could read as follows “the informed and unambiguous indication of a data subject’s agreement”. It is also unclear how this definition of consent relates to ‘effective consent’. This relationship needs to be clarified.</li>
<li>The Act defines ‘data controller’ in Section 2(1)(l) as “ any person including appropriate government..”. In order to remove any ambiguity over the definition of the term person, the definition could specify that the term person means any natural or legal person.</li>
<li>The Act defines ‘data processor’ in Section (2(1)(m) as “means any person including appropriate government”. In order to remove any ambiguity over the definition of the term ‘any person’, the definition could specify that the term person means any natural or legal person. </li>
</ul>
<h2 style="text-align: justify; ">CHAPTER II</h2>
<h2 style="text-align: justify; ">Right to Privacy</h2>
<p style="text-align: justify; "><b>Section 5: </b>This section provides exemption to the rights to privacy<b>. </b></p>
<p style="text-align: justify; "><b>Comment: </b>Section 5(1)(ii) states that the collection, storage, processing or dissemination by a natural person of personal data for a strictly non-commercial purposes are exempted from the provisions of the right to privacy. This clause also states that this data may be classified as open data by the Privacy Commission. This section hence provides individuals the immunity from collection, storage, processing and dissemination of data of another person. However this provision fails to state what specific activities qualify as non commercial use.</p>
<p style="text-align: justify; "><b>Recommendation: </b>This provision could potentially be strengthened by specifying that the use must be in the public interest. The other issue with this subsection is that it fails to define open data. If open data was to be examined using its common definition i.e “data that can be freely used, modified, and shared by anyone for any purpose”<a href="#_ftn4"><sup><sup>[4]</sup></sup></a> then this section becomes highly problematic. As a simple interpretation would mean that any personal data that is collected, stored, processed or disseminated by a natural person can possibly become available to anyone. Beyond this, India has an existing framework governing open data. Ideally the privacy commissioner could work closely with government departments to ensure that open data practices in India are in compliance with the privacy law.</p>
<h2 style="text-align: justify; ">CHAPTER III</h2>
<h2 style="text-align: justify; ">Protection of Personal Data</h2>
<h2 style="text-align: justify; ">PART A</h2>
<p style="text-align: justify; "><b>Notice by data controller </b></p>
<p style="text-align: justify; "><b>Section 6: </b>This section specifies the obligations to be followed by data controllers in their communication, to maintain transparency and lays down provisions that all communications by Data Controllers need to be complied with.</p>
<p style="text-align: justify; "><b>Comment:</b> There seems to be a error in the <i>Proviso </i>to this section. The proviso states “Provided that all communications by the Data Controllers including but not limited to the rights of Data Subjects under this part <b>shall may be </b>refused when the Data Controller is, unable to identify or has a well founded basis for reasonable doubts as to the identity of the Data Subject or are manifestly unfounded, excessive and repetitive, with respect to the information sought by the Data Subject ”.</p>
<p style="text-align: justify; "><b>Recommendation: </b>The proviso could read as follows “The proviso states “Provided that all communications by the Data Controllers including but not limited to the rights of Data Subjects under this part <b><i>may</i></b> be refused when the Data Controller is…”. We suggest the use of the ‘may’ as this makes the provision less limiting to the rights of the data controller.</p>
<p style="text-align: justify; ">Additionally, it is not completely clear what ‘included but not limited to...’ would entail. This could be clarified further.</p>
<h2 style="text-align: justify; ">PART B</h2>
<h2 style="text-align: justify; ">CONSENT OF DATA SUBJECTS</h2>
<p style="text-align: justify; "><b>Section 10: </b>This section talks about the collection of personal data.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 10(3) lays down the information that a person must provide before collecting the personal data of an individual.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 10(3)(xi) states as follows “the time and manner in which it will be destroyed, or the criteria used to Personal data collected in pursuance of a grant of consent by the data subject to whom it pertains shall, if that consent is subsequently withdrawn for any reason, be destroyed forthwith: determine that time period;”. There seems to be a problem with the sentence construction and the rather complex sentence is difficult to understand.</p>
<p style="text-align: justify; "><b>Recommendation:</b> This section could be reworked in such as way that two conditions are clear, one - the time and manner in which the data will be destroyed and two the status of the data once consent is withdrawn.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 10(3)(xiii) states that the identity and contact details of the data controller and data processor must be provided. However it fails to state that the data controller should provide more details with regard to the process for grievance redressal. It does not provide guidance on what type of information needs to go into this notice and the process of redressal. This could lead to very broad disclosures about the existence of redress mechanisms without providing individuals an effective avenue to pursue.</p>
<p style="text-align: justify; "><b>Recommendation: </b>As part of the requirement for providing the procedure for redress, data controllers could specifically be required to provide the details of the Privacy Officers, privacy commissioner, as well as provide more information on the redressal mechanisms and the process necessary to follow.</p>
<p style="text-align: justify; "><b>Section 11:</b>This section lays out the provisions where collection of personal data without prior consent is possible.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 11 states “Personal data may be collected or received from a third party by a Data Controller the prior consent of the data subject only if it is:..”. However as the title of the section suggests the sentence could indicate the situations where it is permissible to collect personal data without prior consent from the data subject”. Hence the word “without” is missing from the sentence. Additionally the sentence could state that the personal data may be collected or received directly from an individual or from a third party as it is possible to directly collect personal data from an individual without consent.</p>
<p style="text-align: justify; "><b>Recommendation:</b>The sentence could read as “Personal data may be collected or received from an <b>individual or a third party </b>by a Data Controller <b><i>without</i></b> the prior consent of the data subject only if it is:..”.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 11(1)(i) states that the collection of personal data without prior consent when it is “necessary for the provision of an emergency medical service or essential services”. However it does not specify the kind or severity of the medical emergency.</p>
<p style="text-align: justify; "><b>Recommendation: </b>In addition to medical emergency another exception could be made for imminent threats to life.</p>
<p style="text-align: justify; "><b>Section 12: </b>This section details the Special provisions in respect of data collected prior to the commencement of this Act.</p>
<p style="text-align: justify; "><b>Comment:</b> This section states that all data collected, processed and stored by data controllers and data processors prior to the date on which this Act comes into force shall be destroyed within a period of two years from the date on which this Act comes into force. Unless consent is obtained afresh within two years or that the personal data has been anonymised in such a manner to make re-identification of the data subject absolutely impossible. However this process can be highly difficult and impractical in terms of it being time consuming, expensive particularly, in cases of analog collections of data. This is especially problematic in cases where the controller cannot seek consent of the data subject due to change in address or inavailability or death. This will also be problematic in cases of digitized government records.</p>
<p style="text-align: justify; "><b>Recommendation:</b> We suggest three ways in which the issue of data collected prior to the Act can be handled. One way is to make a distinction on the data based on whether the data controller has specified the purpose of the collection before collecting the data. If the purpose was not defined then the data can be deleted or anonymised. Hence there is no need to collect the data afresh for all the cases. The purpose of the data can also be intimated to the data subject at a later stage and the data subject can choose if they would like the controller to store or process the data.The second way is by seeking consent afresh only for the sensitive data. Lastly, the data controller could be permitted to retain records of data, but must necessarily obtain fresh consent before using them. By not having a blanket provision of retrospective data deletion the Act can address situations where deletion is complicated or might have a potential negative impact by allowing storage, deletion, or anonymisation of data based on its purpose and kind.</p>
<p style="text-align: justify; "><b>Comment:</b> Section (2)(1)(i) of the Act states that the data will not be destroyed provided that <b>effective consent</b> is obtained afresh within two years. However as stated earlier the Act does not define effective consent.</p>
<p style="text-align: justify; ">Recommendation: The term <b>effective consent </b>needs to be defined in order to bring clarity to this provision.</p>
<h2 style="text-align: justify; ">PART C</h2>
<h2 style="text-align: justify; ">FURTHER LIMITATIONS ON DATA CONTROLLERS</h2>
<p style="text-align: justify; "><b>Section 16: </b>This section deals with the security of personal data and duty of confidentiality.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 16(2) states “ Any person who collects, receives, stores, processes or otherwise handles any personal data shall be subject to a duty of confidentiality and secrecy in respect of it.” Similarly Section 16(3) states “data controllers and data processors shall be subject to a duty of confidentiality and secrecy in respect of personal data in their possession or control. However apart from the duty of confidentiality and secrecy the data collectors and processors could also have a duty to maintain the security of the data.” Though it is important for confidentiality and secrecy to be maintained, ensuring security requires adequate and effective technical controls to be in place.</p>
<p style="text-align: justify; "><b>Recommendation:</b> This section could also emphasise on the duty of the data controllers to ensure the security of the data. The breach notification could include details about data that is impacted by a breach or attach as well as the technical details of the infrastructure compromised.</p>
<p style="text-align: justify; "><b>Section 17:</b> This section details the conditions for the transfer of personal data outside the territory of India.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 17 allows a transfer of personal data outside the territory of India in 3 situations- If the Central Government issues a notification deciding that the country/international organization in question can ensure an adequate level of protection, compatible with privacy principles contained in this Act; if the transfer is pursuant to an agreement which binds the recipient of the data to similar or stronger conditions in relation to handling the data; or if there are appropriate legal instruments and safeguards in place, to the satisfaction of the data controller. However, there is no clarification for what would constitute ‘adequate’ or ‘appropriate’ protection, and it does not account for situations in which the Government has not yet notified a country/organisation as ensuring adequate protection. In comparison, the GDPR, in Chapter V<a href="#_ftn5"><sup><sup>[5]</sup></sup></a>, contains factors that must be considered when determining adequacy of protection, including relevant legislation and data protection rules, the existence of independent supervisory authorities, and international commitments or obligations of the country/organization. Additionally, the GDPR allows data transfer even in the absence of the determination of such protection in certain instances, including the use of standard data protection clauses, that have been adopted or approved by the Commission; legally binding instruments between public authorities; approved code of conduct, etc. Additionally, it allows derogations from these measures in certain situations: when the data subject expressly agrees, despite being informed of the risks; or if the transfer is necessary for conclusion of contract between data subject and controller, or controller and third party in the interest of data subject; or if the transfer is necessary for reasons of public interest, etc. No such circumstances are accounted for in Section 17.</p>
<p style="text-align: justify; "><b>Recommendation: </b>Additionally, data controllers and processors could be provided with a period to allow them to align their policies towards the new legislation. Making these provisions operational as soon as the Act is commenced might put the controllers or processors guilty of involuntary breaching the provisions of the Act.</p>
<p style="text-align: justify; "><b>Section 19: </b>This section<b> </b>states the special provisions for sensitive personal data.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 19(2) states that in addition to the requirements set out under sub-clause (1), the Privacy Commission shall set out additional protections in respect of:i.sensitive personal data relating to data subjects who are minors; ii.biometric and deoxyribonucleic acid data; and iii.financial and credit data.This however creates additional categories of sensitive data apart from the ones that have already been created.<a href="#_ftn6"><sup><sup>[6]</sup></sup></a> These additional categories can result in confusion and errors.</p>
<p style="text-align: justify; "><b>Recommendation: </b>Sensitive data must not be further categorised as this can lead to confusion and errors. Hence all sensitive data could be subject to the same level of protection.</p>
<p style="text-align: justify; "><b>Section 20:</b> This section states the special provisions for data impact assessment.</p>
<p style="text-align: justify; "><b>Comment:</b> This section states that all data impact assessment reports will be submitted periodically to the State Privacy commission. This section does not make provisions for instances of circumstances in which such records may be made public. Additionally the data impact assessment could also include a human rights impact assessment.</p>
<p style="text-align: justify; "><b>Recommendation:</b> The section could also have provisions for making the records of the impact assessment or relevant parts of the assessment public. This will ensure that the data controllers / processors are subjected to a standard of accountability and transparency. Additionally as privacy is linked to human rights the data impact assessment could also include a human rights impact assessment. The Act could further clarify the process for submission to State Privacy Commissions and potential access by the Central Privacy Commission to provide clarity in process.</p>
<p style="text-align: justify; ">Section 20 requires controllers who use new technology to assess the risks to the data protection rights that occur from processing. ‘New technology’ is defined to include pre-existing technology that is used anew. Additionally, the reports are required to be sent to the State Privacy Commission periodically. However, there is no clarification on the situations in which such an assessment becomes necessary, or whether all technology must undergo such an assessment before their use. Additionally, the differentiation between different data processing activities based on whether the data processing is incidental or a part of the functioning needs to be clarified. This differentiation is necessary as there are some data processors and controllers who need the data to function; for instance an ecommerce site would require your name and address to deliver the goods, although these sites do not process the data to make decisions. This can be compared to a credit rating agency that is using the data to make decisions as to who will be given a loan based on their creditworthiness. Example can taken from the GDPR, which in Article 35, specifies instances in which a data impact assessment is necessary: where a new technology, that is likely to result in a high risk to the rights of persons, is used; where personal aspects related to natural persons are processed automatically, including profiling; where processing of special categories of data (including data revealing ethnic/racial origin, sexual orientation etc), biometric/genetic data; where data relating to criminal convictions is processed; and with data concerning the monitoring of publicly accessible areas. Additionally, there is no requirement to publish the report, or send it to the supervising authority, but the controller is required to review the processor’s operations to ensure its compliance with the assessment report.</p>
<p style="text-align: justify; "><b>Recommendation:</b> The reports could be sent to a central authority, which according to this Act is the Privacy Commission, along with the State Privacy Commission. Additionally there needs to be a differentiation between the incidental and express use of data. The data processors must be given at least a period of one year after the commencement of the Act to present their impact assessment report. This period is required for the processors to align themselves with the provisions of the Act as well as conduct capacity building initiatives.</p>
<h2 style="text-align: justify; ">PART C</h2>
<h2 style="text-align: justify; ">RIGHTS OF A DATA SUBJECT</h2>
<p style="text-align: justify; "><b>Section 21: </b>This section explains the right of the data subject with regard to accessing her data. It states that the data subject has the right to obtain from the data controller information as to whether any personal data concerning her is collected or processed. The data controller also has to not only provide access to such information but also the personal data that has been collected or processed.</p>
<p style="text-align: justify; "><b>Comment:</b> This section does not provide the data subject the right to seek information about security breaches.</p>
<p style="text-align: justify; "><b>Recommendation: </b>This section could state that the data subject has the right to seek information about any security breaches that might have compromised her data (through theft, loss, leaks etc.). This could also include steps taken by the data controller to address the immediate breach as well as steps to minimise the occurrence of such breaches in the future.<a href="#_ftn7"><sup><sup>[7]</sup></sup></a></p>
<h2 style="text-align: justify; ">CHAPTER IV</h2>
<h2 style="text-align: justify; ">INTERCEPTION AND SURVEILLANCE</h2>
<p style="text-align: justify; "><b>Section 28: </b>This section lists out the special provisions for competent organizations.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 28(1) states ”all provisions of Chapter III shall apply to personal data collected, processed, stored, transferred or disclosed by competent organizations unless when done as per the provisions under this chapter ”.This does not make provisions for other categories of data such as sensitive data.</p>
<p style="text-align: justify; "><b>Recommendation:</b> This section needs to include not just personal data but also sensitive data, in order to ensure that all types of data are protected under this Act.</p>
<p style="text-align: justify; "><b>Section 30:</b> This section states the provisions for prior authorisation by the appropriate Surveillance and Interception Review Tribunal.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 30(5) states “any interception involving the infringement of the privacy of individuals who are not the subject of the intended interception, or where communications relate to <b>medical, journalistic, parliamentary or legally privileged material</b> may be involved, shall satisfy additional conditions including the provision of specific prior justification in writing to the Office for Surveillance Reform of the Privacy Commission as to the necessity for the interception and the safeguards providing for minimizing the material intercepted to the greatest extent possible and the destruction of all such material that is not strictly necessary to the purpose of the interception.” This section needs to state why these categories of communication are more sensitive than others. Additionally, interceptions typically target people and not topics of communication - thus medical may be part of a conversation between two construction workers and a doctor will communicate about finances.</p>
<p style="text-align: justify; "><b>Recommendation:</b> The section could instead of singling out “medical, journalistic, parliamentary or legally privileged material” state that “any interception involving the infringement of the privacy of individuals who are not the subject of the intended interception may be involved, shall satisfy additional conditions including the provision of specific prior justification in writing to the Office for Surveillance Reform of the Privacy Commission.</p>
<p style="text-align: justify; "><b>Section 37</b>: This section details the bar against surveillance.</p>
<p style="text-align: justify; "><b>Comment: </b>Section 37(1) states that “no person shall order or carry out, or cause or assist the ordering or carrying out of, any surveillance of another person”. The section also prohibits indiscriminate monitoring, or mass surveillance, unless it is necessary and proportionate to the stated purpose. However, it is unclear whether this prohibits surveillance by a resident of their own residential property, which is allowed in Section 5, as the same could also fall within ‘indiscriminate monitoring/mass surveillance’. For instance, in the case of a camera installed in a residential property, which is outward facing, and therefore captures footage of the road/public space.</p>
<p style="text-align: justify; "><b>Recommendation:</b> The Act needs to bring more clarity with regard to surveillance especially with respect to CCTV cameras that are installed in private places, but record public spaces such as public roads. The Act could have provisions that clearly define the use of CCTV cameras in order to ensure that cameras installed in private spaces are not used for carrying out mass surveillance. Further, the Act could address the use of emerging techniques and technology such as facial recognition technologies, that often rely on publicly available data.</p>
<h2 style="text-align: justify; ">CHAPTER V</h2>
<h2 style="text-align: justify; ">THE PRIVACY COMMISSION</h2>
<p style="text-align: justify; "><b>Section 53:</b> This section details the powers and functions of the Privacy Commission.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 53(2)(xiv) states that the Privacy Commission shall publish periodic reports “providing description of performance, findings, conclusions or recommendations of any or all of the functions assigned to the Privacy Commission”. However this Section does not make provisions for such reporting to happen annually and to make them publicly available, as well as contain details including financial aspects of matters contained within the Act.</p>
<p style="text-align: justify; "><b>Recommendation: </b>The functions could include a duty to disclose the information regarding the functioning and financial aspects of matters contained within the Act. Categories that could be included in such reports include: the number of data controllers, number of data processors, number of breaches detected and mitigated etc.</p>
<h2 style="text-align: justify; ">CHAPTER IX</h2>
<h2 style="text-align: justify; ">OFFENCES AND PENALTIES</h2>
<p style="text-align: justify; "><b> Sections 73 to 80:</b> These sections lay out the different punishments for controlling and processing data in contravention to the provisions of this Act.</p>
<p style="text-align: justify; "><b>Comment:</b> These sections, while laying out different punishments for controlling and processing data in contravention to the provisions of this Act, mets out a fine extending upto Rs. 10 crore. This is problematic as it does not base these penalties on the finer aspects of proportionality, such as offences that are not as serious as the others.<br /> <br /> <b>Recommendation:</b> There could be a graded approach to the penalties based on the degree of severity of the offence.This could be in the form of name and shame, warnings and penalties that can be graded based on the degree of the offence. <br /> ----------------------------------------------------------------------</p>
<p style="text-align: justify; ">Additional thoughts: As India moves to a digital future there is a need for laws to be in place to ensure that individual's rights are not violated. By riding on the push to digitization, and emerging technologies such as AI, a strong all encompassing privacy legislation can allow India to leapfrog and use these emerging technologies for the benefit of the citizens without violating their privacy. A robust legislation can also ensure a level playing field for data driven enterprises within a framework of openness, fairness, accountability and transparency.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; "><a href="#_ftnref1"><sup><sup>[1]</sup></sup></a> These seven principles include: Right to Access, Right to Rectification, Right to Erasure And Destruction of Personal Data,Right to Restriction Of Processing, Right to Object, Right to Portability of Personal Data,Right to Seek Exemption from Automated Decision-Making.</p>
<p style="text-align: justify; "><a href="#_ftnref2"><sup><sup>[2]</sup></sup></a>The Privacy (Protection) Bill 2013: A Citizen’s Draft, Bhairav Acharya, Centre for Internet & Society, https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-citizens-draft</p>
<p style="text-align: justify; "><a href="#_ftnref3"><sup><sup>[3]</sup></sup></a>General Data Protection Regulation, available at https://gdpr-info.eu/art-4-gdpr/.</p>
<p style="text-align: justify; "><a href="#_ftnref4"><sup><sup>[4]</sup></sup></a> Antonio Vetro, Open Data Quality Measurement Framework: Definition and Application to Open Government Data, available at https://www.sciencedirect.com/science/article/pii/S0740624X16300132</p>
<p style="text-align: justify; "><a href="#_ftnref5"><sup><sup>[5]</sup></sup></a> General Data Protection Regulation, available at https://gdpr-info.eu/chapter-5/.</p>
<p style="text-align: justify; "><a href="#_ftnref6"><sup><sup>[6]</sup></sup></a> Sensitive personal data under Section 2(bb) includes, biometric data; deoxyribonucleic acid data;<br /> sexual preferences and practices;medical history and health information;political affiliation;<br /> membership of a political, cultural, social organisations including but not limited to a trade union as defined under Section 2(h) of the Trade Union Act, 1926;ethnicity, religion, race or caste; and<br /> financial and credit information, including financial history and transactions.</p>
<p style="text-align: justify; "><a href="#_ftnref7"><sup><sup>[7]</sup></sup></a> Submission to the Committee of Experts on a Data Protection Framework for India, Amber Sinha, Centre for Internet & Society, available at https://cis-india.org/internet-governance/files/data-protection-submission</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/the-centre-for-internet-and-society2019s-comments-and-recommendations-to-the-indian-privacy-code-2018'>http://editors.cis-india.org/internet-governance/blog/the-centre-for-internet-and-society2019s-comments-and-recommendations-to-the-indian-privacy-code-2018</a>
</p>
No publisherShweta Mohandas, Elonnai Hickok, Amber Sinha and Shruti TrikanandAadhaarInternet GovernancePrivacy2018-07-20T13:55:46ZBlog Entry