The Centre for Internet and Society
http://editors.cis-india.org
These are the search results for the query, showing results 201 to 215.
India's Aadhaar with biometric details of its billion citizens is making experts uncomfortable
http://editors.cis-india.org/internet-governance/news/mashable-india-february-14-2017-india-aadhaar-uidai-privacy-security-debate
<b>"Indians in general have yet to understand the meaning and essence of privacy," says Member of Parliament, Tathagata Satpathy. </b>
<p style="text-align: justify; ">The blog post was published by <a class="external-link" href="http://mashable.com/2017/02/14/india-aadhaar-uidai-privacy-security-debate/#RYHiC8REkmqz">Mashable India</a> on February 14, 2017. Sunil Abraham was quoted.</p>
<hr />
<p style="text-align: justify; ">But on Feb. 3, privacy was the hot topic of debate among many in India, thanks to a <a href="https://twitter.com/beastoftraal/status/827387794045571072" target="_blank">tweet</a> that showed random people being identified on the street via Aadhaar, India's ubiquitous database that has biometric information of more than a billion Indians.</p>
<p style="text-align: justify; ">That's how India Stack, the infrastructure built by the Unique Identification Authority of India (UIDAI), welcomed OnGrid, a privately owned company that is going to tap on the world's largest biometrics system, conjuring images of <i>Minority Report</i> style surveillance.</p>
<p style="text-align: justify; ">But how did India get here?</p>
<div class="fb_iframe_widget fb-quote" style="text-align: justify; "><span> </span></div>
<h2 style="text-align: justify; ">Aadhaar's foundation</h2>
<p style="text-align: justify; ">Not long ago, there were more people in India without a birth or school certificate <a href="http://unstats.un.org/unsd/vitalstatkb/Attachment480.aspx?AttachmentType=1" target="_blank">than those with one</a> (PDF). They had no means to prove their identity. This also contributed to what is more popularly known as “leakage” in the government subsidy fundings. The funds weren’t reaching the right people, in some instances, and much of it was being siphoned off by middlemen.</p>
<p style="text-align: justify; ">Nearly a decade ago, the government began scrambling for ways to tackle these issues. Could technology come to the rescue? The government dialled techies, people like Nandan Nilekani, a founder of India's mammoth IT firm Infosys, for help.</p>
<p style="text-align: justify; ">In 2008, they <a href="https://uidai.gov.in/images/notification_28_jan_2009.pdf" target="_blank">formulated</a> Aadhaar, an audacious project "destined" to change the prospects of Indians. It was similar to Social Security number that US residents are assigned, but its implications were further reaching.</p>
<p style="text-align: justify; ">At the time, the government <a href="http://blogs.wsj.com/indiarealtime/2012/11/28/india-prepares-for-launch-of-worlds-biggest-cash-to-the-poor-program/" target="_blank">said</a> it will primarily use this optional program to help the poor who are in need of services such as grocery and other household items at subsidized rates.</p>
<div class="fb_iframe_widget fb-quote" style="text-align: justify; "><span> </span></div>
<p style="text-align: justify; ">Eight years later, Aadhar, which stores identity information such as a photo, name, address, fingerprints and iris scans of its citizens and also assigns them with a unique 12-digit number, has become the world's largest biometrics based identity system.</p>
<p style="text-align: justify; ">According to the Indian government, over 1.11 billion people of the country's roughly 1.3 billion citizens have enrolled themselves in the biometrics system. About 99 percent of all adults in India have an Aadhaar card, it <a href="http://pib.nic.in/newsite/PrintRelease.aspx?relid=157709" target="_blank">said last month</a>.</p>
<p style="text-align: justify; ">Today, the significance of Aadhaar, which on paper remains an optional program, is undeniable in the country. The government says Aadhaar has already saved it <a href="http://www.economist.com/news/business/21712160-nearly-all-indias-13bn-citizens-are-now-enrolled-indian-business-prepares-tap" target="_blank">as much as $5 billion</a>.</p>
<p style="text-align: justify; ">But that's not it.</p>
<h2 style="text-align: justify; ">There's a bit of Aadhaar in everyone's life
<div class="fb_iframe_widget fb-quote"><span> </span></div>
</h2>
<p style="text-align: justify; ">Aadhaar (Hindi for foundation) has long moved beyond helping the poor. The UPI (Unified Payment Interface), another project by the Indian government that uses Aadhaar, is helping the<a href="http://mashable.com/2016/08/30/india-upi-payments-system/"><ins> country's much unbanked population to avail financial services</ins></a> for the first time. Nilekani calls it a "<a href="http://indianexpress.com/article/opinion/columns/the-coming-revolution-in-indian-banking-2924534/" target="_blank">WhatsApp moment</a>" in the Indian financial sector.</p>
<p style="text-align: justify; ">In December last year, Prime Minister Narendra Modi <a href="http://mashable.com/2016/12/30/bhim-app-india-narendra-modi/">launched BHIM</a>, a UPI-based payments app that aims to get millions of Indians to do online money transactions for the first time, irrespective of which bank they had their accounts with. With BHIM, transferring money is as simple as sending a text message. People can also scan QR codes and pay merchants for their purchases.</p>
<p style="text-align: justify; ">"This app is destined to replace all cash transactions," Modi said at the launch event. "BHIM app will revolutionize India and force people worldwide to take notice," he added.</p>
<p style="text-align: justify; ">The next phase, called Aadhaar Enabled Payments System will <a href="http://www.businesstoday.in/current/economy-politics/govt-to-roll-out-aadhar-pay-for-cashless-transactions/story/245059.html" target="_blank">do away</a> with smartphones. People will be able to make payments by swiping their finger on special terminals equipped with fingerprint sensors rather than swiping cards.</p>
<p style="text-align: justify; ">Last year, the government said people could <a href="http://mashable.com/2017/02/14/india-aadhaar-uidai-privacy-security-debate/mashable.com/2016/09/07/driver-license-india-digilocker-smartphone-app/#s3eNxAzZLjqB">store their driver license documents in an app called DigiLocker</a>, should they want to be relieved from the burden of carrying paper documents. DigiLocker is a digital cloud service that any citizen in India can avail using their Aadhaar information.</p>
<p style="text-align: justify; ">The government also plans to <a href="http://mashable.com/2017/02/01/aadhaar-smart-health-card-senior-citizen-india/">hand out "health cards" to senior citizens</a>, mapped to their Aadhaar number, which will store their medical records, which doctors will be able to access.</p>
<p style="text-align: justify; ">“Aadhaar is an instrument for good governance. Aadhaar is the mode to reach the poor without the middlemen,” Ravi Shankar Prasad, India’s IT minister said in a press conference last year.</p>
<p style="text-align: justify; ">But despite all the ways Aadhaar is making meaningful impact in millions of lives, some people are very skeptical about it. And for them, the scale at which Aadhaar operates now is only making things worse.</p>
<h2 style="text-align: justify; ">A security nightmare</h2>
<p style="text-align: justify; ">There have been multiple reports suggesting bogus and fake entries in Aadhaar database. Instances of animals such as dogs and cows having their own Aadhaar identification numbers have been widely reported. In one instance, even Hindu god Hanuman <a href="http://www.thehindu.com/news/national/lord-hanuman-gets-aadhaar-card/article6401288.ece" target="_blank">was found to have an Aadhaar card</a>.</p>
<p style="text-align: justify; ">The problem, it appears, is Aadhaar database has never been verified or audited, according to multiple security experts, privacy advocates, lawyers, and politicians who spoke to <i>Mashable India</i> this month.</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/aadhaar.jpg" alt="Aadhaar" class="image-inline" title="Aadhaar" /></p>
<p style="text-align: justify; ">“There are two fundamental flaws in Aadhaar: it is poorly designed, and it is being poorly verified,” Member of Parliament and privacy advocate, Rajeev Chandrasekhar told <i>Mashable India</i>. “Aadhaar isn’t foolproof, and this has resulted in fake data get into the system. This in turn opens new gateways for money launderers,” he added.</p>
<div class="fb_iframe_widget fb-quote" style="text-align: justify; "><span> </span></div>
<p style="text-align: justify; ">Another issue with Aadhaar is, Chandrasekhar explains, there is no firm legislation to safeguard the privacy and rights of the billion people who have enrolled into the system. There’s little a person whose Aadhaar data has been compromised could do. “Citizens who have voluntarily given their data to Aadhaar authority, as of result of this, are at risk,” he added.</p>
<p style="text-align: justify; ">Rahul Narayan, a lawyer who is counselling several petitioners challenging the Aadhaar project, echoed similar sentiments. “There’s no concrete regulation in place,” he told <i>Mashable India</i>. “The scope for abuses in Aadhaar is very vast,” he added.</p>
<p style="text-align: justify; ">But regulation — or its lack thereof — is only one of the many challenges, experts say. Sunil Abraham, the executive director of Bangalore-based research organisation the Centre for Internet and Society (CIS), says the security concerns around Aadhaar are alarming.</p>
<p style="text-align: justify; ">“Aadhaar is remote, covert, and non-consensual,” he told <i>Mashable India</i>, adding the existence of a central database of any kind, but especially in the context of the Aadhaar, and at the scale it is working is appalling.</p>
<p style="text-align: justify; ">Abraham said fingerprint and iris data of a person can be stolen with little effort — a “gummy bear” which sells for a few cents, can store one’s fingerprint, while a high resolution camera can capture one’s iris data.</p>
<p style="text-align: justify; "><a name="aadhaar-doesnt-use-basic"></a></p>
<blockquote class="pullquote microcontent-wrapper" style="text-align: justify; ">
<div class="microcontent-shares"></div>
<span class="microcontent"> Aadhaar doesn’t use basic principles of cryptography, and much of its security is not known. </span></blockquote>
<p style="text-align: justify; ">Aadhaar is also irrevocable, which strands a person, whose data has been compromised, with no choice but to get on with life, Abraham said, adding that these vulnerabilities could have been averted had the government chosen smart cards instead of biometrics.</p>
<p style="text-align: justify; ">On top of this, he added, that Aadhaar doesn’t use basic principles of cryptography, and much of the security defences it uses are not known.</p>
<p style="text-align: justify; ">Had the government open sourced Aadhaar code to the public (a common practice in the tech community), security analysts could have evaluated the strengths of Aadhaar. But this too isn’t happening.</p>
<p style="text-align: justify; ">At CIS, Sunil and his colleagues have <a href="http://cis-india.org/internet-governance/front-page/blog/privacy/letter-to-finance-committee" target="_blank">written</a> over half-a-dozen open letters to the UIDAI (the authority that governs Aadhaar project) raising questions and pointing holes in the system. But much of their feedback has not returned any response, Abraham told <i>Mashable India</i>.</p>
<h2 style="text-align: justify; ">India Stack: A goldmine for everyone</h2>
<p style="text-align: justify; ">As part of its push to make Aadhaar more useful, the UIDAI created what is called India Stack, an infrastructure through which government bodies as well as private entities could leverage Aadhaar's database of individual identities. This is what sparked the initial debate about privacy when India Stack tweeted the controversial photo.</p>
<p style="text-align: justify; ">Speaking to <i>Mashable India</i>, Piyush Peshwani, a founder of OnGrid, however dismissed the concerns, clarifying that the picture was for representation purposes only. He said OnGrid is building a trust platform, through which it aims to make it easier for recruiters to do background check on their potential employees after getting their consent.</p>
<p style="text-align: justify; ">India Stack and OnGrid have since taken down the picture from their Twitter accounts. "OnGrid, much like other 200 companies working with UIDAI, can only retrieve information of users after receiving their prior consent," he said.</p>
<p style="text-align: justify; ">The lack of information from the UIDAI and India Stack is becoming a real challenge for citizens, many feel. There also appears to be a conflict of interest between the privately held companies and those who helped design the framework of Aadhaar.</p>
<p style="text-align: justify; ">As Rohin Dharmakumar, a Bangalore-based journalist <a href="https://twitter.com/r0h1n/status/827407936980783104" target="_blank">pointed out</a>, Peshwani was part of the core team member of Aadhaar project. A lawyer, who requested to be not identified, told <i>Mashable India</i> that there is a chance that these people could be familiar with Aadhaar’s roadmap and use the information for business advantage, to say the least.</p>
<p style="text-align: justify; ">Most people <i>Mashable India</i> spoke to are questioning the way these third-party companies are handling Aadhaar data. There is no regulation in place to prevent these companies from storing people’s data or even creating a parallel database of their own — a view echoed by Abraham, Narayan, and Chandrasekhar.</p>
<h2 style="text-align: justify; ">Not mandatory only on paper</h2>
<p style="text-align: justify; ">But for many, the biggest concern with Aadhaar remains just how aggressively it is being implemented into various systems. For instance, in the past one month alone, students in most Indians states who want to apply for NEET, a national level medical entrance test, were told by the education board CBSE that they will have to<a href="http://www.ndtv.com/india-news/10-point-guide-to-neet-controversy-1655351" target="_blank"><ins> provide their Aadhaar number</ins></a>.</p>
<div class="fb_iframe_widget fb-quote" style="text-align: justify; "><span> </span></div>
<p style="text-align: justify; ">A few months ago, Aadhaar was also <a href="http://www.hindustantimes.com/mumbai-news/aadhaar-card-will-be-a-must-for-iit-jee-from-2017/story-iRwu40hEKn9ol21h1FGn9K.html" target="_blank">made mandatory</a> for students who wanted to appear in JEE, an all India common engineering entrance examination conducted for admission to various engineering colleges in the country.</p>
<p style="text-align: justify; ">The apex Supreme Court of India recently <a href="http://www.bgr.in/news/supreme-court-asks-centre-to-register-id-details-of-all-mobile-subscribers/" target="_blank">asked</a> the central government to register the phone number of all mobile subscribers in India (there are about one billion of those in India) to their respective Aadhaar cards. Telecom carriers are already enabling new connections to get activated by verifying users with Aadhaar database.</p>
<p style="text-align: justify; ">A prominent journalist who focuses on privacy and laws in India questioned the motive. “When they kickstarted UIDAI, people were told that this an optional biometrics system. But since then the government has been rather tight-lipped on why it is aggressively pushing Aadhaar into so many areas,” he told <i>Mashable India</i>, requesting not to be identified.</p>
<p style="text-align: justify; "><a name="it-is-especially-difficult"></a></p>
<blockquote class="pullquote microcontent-wrapper" style="text-align: justify; ">
<div class="microcontent-shares"></div>
<span class="microcontent"> "It is especially difficult to explain why privacy is necessary for a society to advance when taken in the context of Aadhaar." </span></blockquote>
<p style="text-align: justify; ">“It is especially difficult to explain why privacy is necessary for a society to advance when taken in the context of Aadhaar. The Aadhaar card is being offered to people in need, especially the poor, by making them believe that services and subsidies provided by the government will be held back from them unless they register,” Satpathy told <i>Mashable India</i>.</p>
<p style="text-align: justify; ">The central government said last week Aadhaar number would be mandatory for availing food grains through the Public Distribution System under the National Food Security Act. In October last year, the government <a href="http://timesofindia.indiatimes.com/india/Aadhaar-card-must-for-LPG-subsidy-after-November/articleshow/54680322.cms" target="_blank">made Aadhaar mandatory</a> for those who wanted to avail cooking gas at subsidized prices.</p>
<p style="text-align: justify; ">“No matter how many laws are made about not making Aadhaar mandatory, ultimately it depends on the last mile person who is offering any service to inform citizens about their rights,” Satpathy added.</p>
<p style="text-align: justify; ">“These last-mile service providers are companies who would benefit from collecting and bartering big data for profit. They would be least interested to inform citizens about their rights and about the not mandatory status of Aadhaar.</p>
<p style="text-align: justify; ">“As Aadhaar percolates more and is used by more government and private services, the citizen will start assuming it's a part of their life. This card is already being misunderstood as if it is essential like a passport,” he added.</p>
<p style="text-align: justify; ">“My worry is that this data will be used by government for mass surveillance, ethnic cleansing and other insidious purposes,” Satpathy said. “Once you have information about every citizen, the powerful will not refrain from misusing it and for retention of power. The use of big data for psycho-profiling is not unknown to the world anymore.”</p>
<p style="text-align: justify; "><i>Mashable India</i> reached out to UIDAI on Feb. 8 for comment on the privacy and security concerns made in this report. At the time of publication, the authority hadn't responded to our queries.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/mashable-india-february-14-2017-india-aadhaar-uidai-privacy-security-debate'>http://editors.cis-india.org/internet-governance/news/mashable-india-february-14-2017-india-aadhaar-uidai-privacy-security-debate</a>
</p>
No publisherpraskrishnaAadhaarInternet GovernancePrivacy2017-02-14T14:57:33ZNews ItemWill Aadhaar Act Address India’s Dire Need For a Privacy Law?
http://editors.cis-india.org/internet-governance/blog/the-quint-march-31-2016-nehaa-chaudhari-will-aadhaar-act-address-indias-dire-need-for-a-privacy-law
<b></b>
<p>The article was published by <a class="external-link" href="http://www.thequint.com/opinion/2016/03/30/will-aadhaar-act-address-indias-dire-need-for-a-privacy-law">Quint </a>on March 31, 2016.</p>
<hr />
<table class="plain">
<tbody>
<tr>
<th><img src="http://editors.cis-india.org/home-images/Snapshot.jpg" alt="Snapshot" class="image-inline" title="Snapshot" /></th>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">The passage of the <i>Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016</i> (will hereby be referred to as “the Act”) has led to flak for the government from <a href="http://cis-india.org/internet-governance/blog/aadhaar-bill-fails-to-incorporate-suggestions-by-the-standing-committee" rel="external"><span>privacy advocates</span></a>, academia and <a href="http://cis-india.org/internet-governance/blog/list-of-recommendations-on-the-aadhaar-bill-2016" rel="external"><span>civil society</span></a>, to name a few.</p>
<p style="text-align: justify; ">To my mind, the opposition deserves its fair share of criticism (lacking so far), for its absolute failure to engage with and act as a check on the government in the passage of the Act, and the events leading up to it.</p>
<p style="text-align: justify; ">The government’s introduction of the Act as a ‘money bill’ under Article 110 of the <a href="http://indiacode.nic.in/coiweb/welcome.html" rel="external"><span>Constitution of India</span></a> (“this/the Article”) is a mockery of the constitutional process. It renders redundant, the role of the Rajya Sabha as a check on the functioning of the Lower House.</p>
<blockquote class="quoted">Article 110 limits a ‘money bill’ only to six specific instances: covering tax, the government’s financial obligations and, receipts and payments to and from the Consolidated Fund of India, and, connected matters.</blockquote>
<p>The Act lies well outside the confines of the Article; the government’s action may attract the attention of the courts.</p>
<h2>Political One-Upmanship</h2>
<table class="plain">
<tbody>
<tr>
<th><img src="http://editors.cis-india.org/home-images/copy_of_Arun.jpg/@@images/93b5fc12-dc62-419d-8ef1-e0b188a12db9.jpeg" alt="Arun Jaitely" class="image-inline" title="Arun Jaitely" /></th>
</tr>
<tr>
<td>Finance Minister Arun Jaitley (left) listens to Reserve Bank of India (RBI) Governor Raghuram Rajan. (Photo: Reuters)</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">In the past, the Supreme Court (“the Court”) has stepped into the domain of the Parliament or the Executive when there was a complete and utter disregard for India’s constitutional scheme. In recent constitutional history, this is perhaps most noticeable in the anti-defection cases, (beginning with Kihoto Hollohan in 1992); and, in the SR Bommai case in 1994, on the imposition of the President’s rule in states.</p>
<p style="text-align: justify; ">In hindsight, although India has benefited from the Court’s action in the <i>Bommai </i>and <i>Hollohan </i>cases, it is unlikely that the passage of the Aadhaar Act as a ‘money bill’, reprehensible as it is, meets the threshold required for the Court’s intervention in Parliamentary procedure.</p>
<p>Besides, the manner of its passage, the Act warrants</p>
<ul>
<li>Censure for its <a href="http://cis-india.org/internet-governance/blog/epw-27-february-2016-hans-varghese-mathews-flaws-in-uidai-process" rel="external"><span>process</span></a></li>
<li>Its (in)<a href="http://www.thehindu.com/opinion/lead/lead-article-on-aadhaar-bill-by-chinmayi-arun-privacy-is-a-fundamental-right/article8366413.ece" rel="external"><span>compatibility with fundamental rights</span></a></li>
<li>The<a href="http://thewire.in/2016/03/10/aadhaar-bill-fails-to-incorporate-standing-committees-suggestions-24433/" rel="external"><span> failure to incorporate the suggestions</span></a> of the Yashwant Sinha-led Standing Committee to UPA’s NIDAI Bill</li>
<li>The <a href="http://economictimes.indiatimes.com/news/politics-and-nation/aadhaar-more-intrusive-than-us-surveillance-exposed-by-snowden-say-privacy-advocates/articleshow/51425678.cms" rel="external"><span>possibility of surveillance</span></a> that it presents</li>
<li>The lack of measures to protect personal information</li>
<li>Its inadequate privacy safeguards</li>
<li>The <a href="http://www.business-standard.com/article/economy-policy/aadhaar-linked-lpg-govt-says-rs-15-000-cr-saved-survey-says-only-rs-14-cr-in-fy15-116031800039_1.html" rel="external"><span>questions</span></a> around the realisation of its <a href="http://www.business-standard.com/article/economy-policy/aadhaar-enabled-e-kyc-can-save-rs-10-000-cr-over-next-5-yrs-survey-116031800760_1.html" rel="external"><span>stated purpose</span></a>.</li>
</ul>
<p>Instead, a part of the Aadhaar debate has involved political one-upmanship between the Congress and the BJP, <a href="http://www.businesstoday.in/current/policy/nda-aadhaar-is-a-far-cry-from-what-upa-proposed/story/230403.html" rel="external"><span>pitting the former’s NIDAI Bill against the latter’s Aadhaar Act</span></a>.</p>
<p>While an academic <a href="http://cis-india.org/internet-governance/blog/a-comparison-of-the-2016-aadhaar-bill-and-the-2010-nidai-bill" rel="external"><span>comparison </span></a>between the two is welcome, its use as a tool for political supremacy would be laughable, were it not deeply problematic, given the many serious concerns highlighted above.</p>
<h2>Better Than UPA Bill?</h2>
<table class="plain">
<tbody>
<tr>
<th><img src="http://editors.cis-india.org/home-images/copy2_of_PrivacyLaw.jpg/@@images/ce543cf9-a4aa-4bcd-8483-98e0c3a58148.jpeg" alt="Privacy" class="image-inline" title="Privacy" /></th>
</tr>
<tr>
<td style="text-align: center; ">The Act may have more privacy safeguards than the earlier UPA Bill. (Photo: iStockphoto)</td>
</tr>
</tbody>
</table>
<div>
<p>And while the Act may have more privacy safeguards than the earlier UPA Bill, <a href="http://economictimes.indiatimes.com/news/politics-and-nation/aadhaar-more-intrusive-than-us-surveillance-exposed-by-snowden-say-privacy-advocates/articleshow/51425678.cms" rel="external"><span>critics have argued</span></a> that they not up to the international standard, and instead, that they are plagued by opacity.</p>
<p>Additionally, despite claims that the Act is a <a href="http://scroll.in/article/805348/corex-correction-the-real-problem-with-the-recent-ban-of-344-drugs-in-india" rel="external"><span>significant improvement over the UPA Bill</span></a>, it fails to address concerns, including around the centralised storage of information, that were<a href="http://www.livemint.com/Politics/l0H1RQZEM8EmPlRFwRc26H/Govt-narrative-on-Aadhaar-has-not-changed-in-the-last-six-ye.html" rel="external"><span> raised by civil society members</span></a> and others.</p>
<p style="text-align: justify; ">Perhaps most problematically, however, the Act takes away an individual’s control of her own information. Subsidies, government benefits and services are linked to the mandatory possession of an Aadhar number (Section 7 of the Act), effectively <a href="http://www.firstpost.com/india/no-aadhaar-for-invading-privacy-uid-is-mandatory-even-though-govt-wants-you-to-believe-its-not-2681214.html" rel="external"><span>negating the ‘freedom’ </span></a>of voluntary enrollment (Section 3 of the Act). This directly contradicts the recommendations of the Justice AP Shah Committee, before whom the Unique Identification Authority of India <a href="http://scroll.in/article/804922/seven-reasons-why-parliament-should-debate-the-aadhaar-bill-and-not-pass-it-in-a-rush" rel="external"><span>had earlier stated that </span></a>enrollment in Aadhaar was voluntary.</p>
<p>To make matters worse, the individual does not have the authority to correct, modify or alter her information; this lies, instead, with the UIDAI alone (Section 31 of the Act). And the sharing of such personal information does not require a court order in all cases.</p>
<table class="plain">
<tbody>
<tr>
<th><img src="http://editors.cis-india.org/home-images/Students.jpg/@@images/af2356b9-df1f-45b9-8a7b-8fb3321769f7.jpeg" alt="Students" class="image-inline" title="Students" /></th>
</tr>
<tr>
<td style="text-align: center; ">Kanhaiya Kumar speaking in JNU on 3 March 2016. (Photo: PTI)</td>
</tr>
</tbody>
</table>
</div>
<p> </p>
<div>It may be authorised by Executive authorities under the vague, ill-understood concept of ‘national security’, (Section 33(2) of the Act) which the Act does not define. We would do well to learn the dangers of leaving ‘national security’ open to interpretation, in the aftermath of the recent events at JNU.</div>
<div></div>
<p><br />These recent events around Aadhaar have only underscored the dire urgency for comprehensive privacy legislation in India and, the need to overhaul our data protection laws to meet our constitutional commitments along with international standards.</p>
<div style="text-align: justify; ">Meanwhile, constitutional challenges to the Aadhaar scheme are currently pending in the Supreme Court. The Court’s verdict may well decide the future of the Aadhaar Act, with the stage already set for a constitutional challenge to the legislation. The BJP’s victory in this case may be short-lived.</div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/the-quint-march-31-2016-nehaa-chaudhari-will-aadhaar-act-address-indias-dire-need-for-a-privacy-law'>http://editors.cis-india.org/internet-governance/blog/the-quint-march-31-2016-nehaa-chaudhari-will-aadhaar-act-address-indias-dire-need-for-a-privacy-law</a>
</p>
No publishernehaaAadhaarInternet GovernancePrivacy2016-04-05T16:01:06ZBlog EntryIndia's biometric database crosses billion-member mark
http://editors.cis-india.org/internet-governance/news/daily-mail-april-4-2016-afp-india-biometric-database-crosses-billion-member-mark
<b>India's biometric database notched up one billion members on Monday, as the government sought to allay concerns about privacy breaches in the world's biggest such scheme.</b>
<p style="text-align: justify; ">The <a class="external-link" href="http://www.dailymail.co.uk/wires/afp/article-3522960/Indias-biometric-database-crosses-billion-member-mark.html">news by AFP was published by Daily Mail, UK</a> on April 4, 2016. Sunil Abraham gave inputs.</p>
<hr />
<p style="text-align: justify; ">The database was set up seven years ago to streamline benefit payments to millions of poor people as well as to cut fraud and wastage. Under the scheme, called Aadhaar, almost 93 percent of India's adult population have now registered their fingerprints and iris signatures and been given a biometric ID, according to the government.</p>
<p style="text-align: justify; ">IT minister Ravi Shankar Prasad hailed it as "an instrument of good governance" at a ceremony in New Delhi marking the crossing of the one-billion member mark.</p>
<p style="text-align: justify; ">Prasad said the initiative, inherited from the previous left-leaning Congress government, had enabled millions to receive cash benefits directly rather than dealing with middlemen.</p>
<p style="text-align: justify; ">He said the government had saved 150 billion rupees ($2.27 billion) on its gas subsidy scheme alone -- by paying cash directly to biometric card holders instead of providing cylinders at subsidised rates.</p>
<p style="text-align: justify; ">He also said all adequate safeguards were in place to ensure the personal details of card holders could not be stolen or misused by authorities given access to the database.</p>
<p style="text-align: justify; ">"We have taken all measures to ensure privacy. The data will not be shared with anyone except in cases of national security," Prasad said.</p>
<p style="text-align: justify; ">His comments come after parliament passed legislation last month giving government agencies access to the database in the interests of national security.</p>
<p style="text-align: justify; ">It was passed using a loophole to circumvent the opposition in parliament, where the ruling Bharatiya Janata Party (BJP) lacks a majority in the upper house.</p>
<p style="text-align: justify; ">The way it was passed, as well as the legislation itself, raised concerns about government agencies accessing private citizens' details.</p>
<p style="text-align: justify; ">Internet experts have also raised fears about the safety of such a massive database, including hacking and theft of details.</p>
<p style="text-align: justify; ">"It was as if Indian lawmakers wrote an open letter to criminals and foreign states saying, 'we are going to collect data to non-consensually identify all Indians and we are going to store it in a central repository. Come and get it!'," Sunil Abraham, executive director of the Centre for Internet and Society, wrote in India's Frontline news magazine.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/daily-mail-april-4-2016-afp-india-biometric-database-crosses-billion-member-mark'>http://editors.cis-india.org/internet-governance/news/daily-mail-april-4-2016-afp-india-biometric-database-crosses-billion-member-mark</a>
</p>
No publisherpraskrishnaAadhaarInternet GovernancePrivacy2016-04-07T02:54:08ZNews ItemFAQ on the Aadhaar Project and the Bill
http://editors.cis-india.org/internet-governance/blog/aadhaar-project-and-bill-faq
<b>This FAQ attempts to address the key questions regarding the Aadhaar/UIDAI project and the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 (henceforth, Bill). This is neither a comprehensive list of questions, nor does it contain fully developed answers. We will continue to add questions to this list, and edit/expand the answers, based on our ongoing research. We will be grateful to receive your comments, criticisms, evidences, edits, suggestions for new answers, and any other responses. These can either be shared as comments in the document hosted on Google Drive, or via tweets sent to the information policy team at @CIS_InfoPolicy. </b>
<p> </p>
<h4>To comment on and/or download the file, click <a href="https://docs.google.com/document/d/1ib5bQUgZZ7PABurMHlzmfwZK6932DFQI6hUlad-vwfI/edit?usp=sharing" target="_blank">here</a>.</h4>
<hr />
<iframe src="https://docs.google.com/document/d/1ib5bQUgZZ7PABurMHlzmfwZK6932DFQI6hUlad-vwfI/pub?embedded=true" height="500" width="100%"></iframe>
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/aadhaar-project-and-bill-faq'>http://editors.cis-india.org/internet-governance/blog/aadhaar-project-and-bill-faq</a>
</p>
No publisherElonnai Hickok, Vanya Rakesh, and Vipul KharbandaUIDPrivacyInternet GovernanceFeaturedDigital IndiaAadhaarBiometricsHomepage2016-04-13T14:06:43ZBlog EntryIndia's National ID Project Brings Pain to Those it Aims to Help
http://editors.cis-india.org/internet-governance/news/ozy-aayush-soni-may-11-2018-indias-national-id-project-brings-pain-to-those-it-aims-to-help
<b>Poor management, corruption and fraud are threatening to derail the world’s largest national identity project. </b>
<p style="text-align: justify; ">The blog post by Aayush Soni was <a class="external-link" href="https://www.ozy.com/fast-forward/indias-national-id-project-brings-pain-to-those-it-aims-to-help/86381">published in Ozy.com</a> on May 11, 2018.</p>
<hr />
<p style="text-align: justify; ">For Phoolmati, a resident of the Kusumpur Pahari slum in south <a href="https://www.ozy.com/good-sht/how-delhi-went-hipster/69430" target="_blank">Delhi</a>, standing every month in a queue at the neighborhood fair-price shop was a trusted routine. When her turn came up, she would place her thumb on a scanning machine that confirmed her identity. But on a biting-cold morning this past January, she had to return home empty-handed because, the shopkeeper told her, the “server was down.”</p>
<p style="text-align: justify; ">The next day, it happened again. On her third try, Phoolmati thought she had gotten lucky when the machine scanned her thumb successfully. But she was in for a shock. “The shopkeeper told me that, according to the computer records, I’ve already taken my quota of wheat flour for the month,” she says. When she protested and showed her ration card, another form of identification, the shopkeeper wouldn’t accept it.</p>
<p style="text-align: justify; ">Left with no choice, Phoolmati had to buy wheat flour from the open market at 25 rupees per kilogram — more than 12 times the amount she usually paid at fair-price shops. She wasn’t alone. At a weekly meeting of slum residents in a temple courtyard in April, many women complained about the difficulty of buying subsidized food grains to the Satark Nagrik Sangathan (Alert Citizens Organization), a nonprofit that seeks accountability from government agencies. Nanno Devi, a 67-year-old homemaker whose fingers are wrinkled with age, said that she didn’t receive her quota of wheat flour for January because a fingerprint-scanning machine couldn’t detect her thumb impression.</p>
<p style="text-align: justify; ">Nor are the urban poor, like Phoolmati, the only ones with such complaints. Students with government scholarships, senior citizens with pensions, farmers entitled to subsidies, religious minorities and backward castes eligible for benefits, patients at public hospitals, young couples trying to get married and professionals updating their bank details are all on the front line of an unparalleled experiment that was meant to help them but is hurting them instead.</p>
<p style="text-align: justify; ">Theirs is the lived experience of <a href="https://www.ozy.com/fast-forward/whos-ready-for-the-biometric-id-revolution/30972" target="_blank">Aadhaar</a>, a unique 12-digit identity system that includes an individual’s biometrics and demographic data — and that must verify an individual’s identity for the government, increasingly, to even recognize their existence. First rolled out in 2010, it is modeled on America’s Social Security number system, with the aim that government subsidies and welfare programs reach the intended beneficiaries and aren’t siphoned off by middlemen.</p>
<p style="text-align: justify; ">But over the past three years, India’s Narendra Modi government has cajoled, pressured and often effectively forced people into enrolling for this ID, even though it isn’t required by law. Today, a person’s bank account risks being frozen if it isn’t linked to her Aadhaar number. Her PAN (permanent account number) card, used to file income tax, could be declared invalid. Mobile phone companies can disconnect her number if it isn’t authenticated through biometrics. An Aadhaar number (or an enrollment number, in case someone has already applied for it) is mandatory to open a new bank account, get a new passport, invest in mutual funds or register a marriage. A joke making the rounds on Twitter is that very soon, Aadhaar will be mandatory for a person to swipe right on Tinder.</p>
<p style="text-align: justify; ">In the absence of any privacy law, much of the concern within sections of India’s educated middle class has focused on questions about personal freedom, data security and mass surveillance. But a parallel tide of complaints is rising from those the program was meant to help, rooted in complications it has instead imposed upon them. This growing frustration is threatening to derail the initiative in a manner privacy can’t, in a nation where millions live in cramped city apartments with strangers, and the distinction between personal and public is often blurred.</p>
<p style="text-align: justify; ">Cases of fraud, mismanagement and corruption hurting Aadhaar beneficiaries are tumbling out into the public domain almost every week. In late March, hackers used weaknesses in the Aadhaar database to steal data from a government organization that manages more than $120 billion in the pensions and savings of millions of Indians. In January, a 10-year-old girl from the Dalit community — historically at the bottom of India’s caste ladder — was denied a school scholarship because officials had misnamed her on her Aadhaar card. Last October, a farm loan waiver program in Maharashtra state ran into trouble after officials discovered that 100 farmers had the same Aadhaar identity number.</p>
<p style="text-align: justify; ">The Modi government maintains that it takes both the security of personal data and the concerns of Aadhaar beneficiaries seriously. But it is reluctant to answer any questions about identity theft, corruption, privacy or misappropriated benefits. Neither Ajay Bhushan Pandey, the current CEO of the Unique Identification Authority of India (UIDAI), which runs Aadhaar, nor Vikas Shukla, its spokesperson, responded to multiple requests for comment.</p>
<p style="text-align: justify; ">At a public rally in early May, Modi — who had himself opposed the program before he came to power in 2014 — called critics of Aadhaar “opponents of technology” unwilling to evolve with the times. Increasingly, though, many are questioning whether it’s Aadhaar’s own identity that has changed the most from when the idea first came up. “From a project of inclusion, it has become a project of exclusion,” says Usha Ramanathan, a lawyer who focuses on issues of development and poverty. Just ask Phoolmati.</p>
<p style="text-align: justify; ">Aadhaar was the brainchild of Nandan Nilekani, a former CEO of tech giant Infosys, who in a 2009 book argued that multiple forms of identification made it “difficult” to establish a “definitive identity” for India’s citizens.</p>
<p style="text-align: justify; ">A single identity linked to passports, PAN cards and other national databases, Nilekani argued, would not only solve this problem but also help eliminate the exasperating processes that India’s bureaucracy is notorious for — mountains of paper, proof of identity in triplicate and a glacial pace of work. It would help citizens avail government benefits that are rightfully theirs. Such a system would reduce a citizen’s dependence on distribution mechanisms susceptible to leakages and make “the moral scruples of our bureaucrats redundant,” Nilekani wrote. “An IT-enabled, accessible national <a href="https://www.ozy.com/fast-forward/should-you-carry-a-municipal-id-card/31240" target="_blank">ID system</a> would be nothing less than revolutionary in how we distribute state benefits and welfare handouts.”</p>
<p style="text-align: justify; ">That same year, the Congress Party–led United Progressive Alliance government offered Nilekani a chance to translate his idea into reality, appointing him UIDAI chairman. Under Nilekani the UIDAI hired people from within the Indian bureaucracy as well as those outside it. The initial team of 50 included software engineers, designers and entrepreneurs from Silicon Valley as well as lawyers and policy wonks who worked at the head office in New Delhi. Each of the eight regional offices had a staff of 20.</p>
<p style="text-align: justify; ">In its early-stage avatar, the team had thought out solutions to problems such as the ones the residents of Kusumpur Pahari faced, says a policy consultant who worked with the UIDAI in 2010 and spoke on condition of anonymity. “You can use old methods and physically verify a person’s name and address [by going to their house] if biometrics aren’t working,” the consultant says. “It’s built into the architecture [of Aadhaar].” In his view, the current government under <a href="https://www.ozy.com/provocateurs/the-man-busting-narendra-modis-tall-tales/83435" target="_blank">Modi</a> — whose Bharatiya Janata Party defeated the Congress Party and came to power in 2014 — and the UIDAI setup have made a “mess” of the program. He also believes that the goal has shifted from inclusion to mass enrollment. Nilekani did not respond to a request for comment.</p>
<p style="text-align: justify; ">For sure, Aadhaar has staunch supporters too, who argue that it has helped reduce the misuse of government subsidies. In July 2017, India’s junior minister for consumer affairs, food and public distribution, C.R. Chaudhary, told the country’s Parliament that Aadhaar had helped the government delete nearly 25 million fake ration cards that the poor use to access subsidized food ingredients.</p>
<div class="pagebreak" style="text-align: justify; "></div>
<div class="ozy-advert-wrapper" style="text-align: justify; ">
<div id="sas_86381_2"></div>
</div>
<p style="text-align: justify; ">“This unnecessary fearmongering around Aadhaar is uncalled for,” says Sanjay Anandaram of iSpirit, a software industry think tank. In his view, it’s “last-mile deployment challenges” like fingerprint authentication, one-time-password systems and server glitches that need to be fixed, not Aadhaar. He juxtaposes anecdotal examples of people struggling to gain benefits with the “larger purpose” he believes Aadhaar serves. “It is a revolutionary system to ensure governance improves — especially for centrally administered programs,” he says.</p>
<p style="text-align: justify; ">The UIDAI has made some efforts too, if not to improve security of personal data then at least to allow citizens to check whether their Aadhaar identity has been misused. They can go online and view any occasions when their Aadhaar identity was used to access benefits.</p>
<p style="text-align: justify; ">But for millions of Indians dependent on subsidies, pensions, scholarships and other benefits, the concerns go well beyond privacy. Getting an Aadhaar identity can be a struggle. Earlier this year, the Punjab government conceded that it can’t process nearly 200,000 farm loan waiver claims either because intended beneficiaries don’t have Aadhaar cards or because the UIDAI is still processing their applications. At the same time, not signing on to Aadhaar is increasingly not an option. In February 2017, Chaudhary’s ministry made it mandatory for individuals to have an Aadhaar card to access subsidized food grains. Then, in October, an 11-year-old girl died of starvation in the central state of Jharkhand because the local ration dealer refused to give her family food grains for six months, as they had not linked their ration cards to Aadhaar. Facing criticism, the government asked states not to deny the poor the food grains they are entitled to, but the incident underscored how the Aadhaar initiative is cutting the needy off from subsidy access, rather than helping them, suggests Ramanathan, the lawyer. “People are dying because of Aadhaar,” she says.</p>
<p style="text-align: justify; ">But the <a href="https://www.ozy.com/rising-stars/can-modis-new-nemesis-take-down-the-prime-minister/85152" target="_blank">Modi government</a> has shown no signs of rethinking either the ways in which Aadhaar appears to hurt the poorest in Indian society or its data security protocols. Instead, it has appeared keener to target whistle-blowers pointing out weaknesses in the initiative.</p>
<p style="text-align: justify; ">It cost Rachna Khaira, a reporter, only 500 rupees ($7.50) to access the entire Aadhaar database — the names, addresses, fingerprint scans, iris scans, mobile phone numbers, email addresses, postal index numbers (PINs) and Aadhaar numbers of 830 million Indians. She “purchased” the service offered by anonymous sellers on WhatsApp and transferred the money via Paytm, a popular digital wallet company, to an “agent,” who created a “gateway” for Khaira. He then gave her a log-in ID and a password to that gateway, which allowed Khaira unrestricted access to the Aadhaar database. Her report, published in January in <em>The Tribune</em>, one of India’s oldest English dailies, created a national stir. Instead of trying to plug the holes the report had revealed, the UIDAI filed criminal cases against Khaira and the newspaper, accusing them of breaching privacy.</p>
<p style="text-align: justify; ">Khaira’s wasn’t the first piece of evidence to expose the vulnerability of the Aadhaar database. In May 2017, a report by the Centre for Internet and Society, a nonprofit organization, claimed that 130 million to 135 million Aadhaar numbers were published on four websites: the National Social Assistance Programme, the National Rural Employment Guarantee Scheme and two projects run by Andhra Pradesh state. “This is the largest exercise in the world of the conversion of public information into an asset and then its privatization,” says Nikhil Pahwa, editor of MediaNama and a critic of Aadhaar.</p>
<p style="text-align: justify; ">These breaches of security highlight corruption and mismanagement that belie claims the government continues to peddle. In April 2017, Ravi Shankar Prasad, India’s minister of information and technology, told Parliament that “Aadhaar is robust. Aadhaar is safe. Aadhaar is secure, and totally accountable.” The government hasn’t appeared too perturbed by privacy concerns. On July 22, 2015, Mukul Rohatgi, the then attorney general, argued before the country’s Supreme Court that “the right of privacy is not a guaranteed right under our constitution.” That set off a two-year-long hearing before a nine-judge bench of the court, which unanimously ruled in 2017 that the right to privacy was indeed a fundamental right.</p>
<p style="text-align: justify; ">The criticism from social groups Aadhaar was meant to benefit, though, has left the Modi administration on the defensive. Since the passage of the 2016 Aadhaar law, civil society activists have filed 12 petitions in the <a href="https://www.ozy.com/provocateurs/why-this-rohingya-refugee-is-taking-on-indias-government/82487" target="_blank">Supreme Court</a> challenging its legality. In January, the All India Kisan Sabha, one of India’s largest farmer organizations with millions of members, petitioned the top court against government moves to link subsidies to Aadhaar identities. Some leaders from Modi’s party, the BJP, have also started questioning their own government in Parliament about cases of beneficiaries denied their due because of the Aadhaar program. The Supreme Court, which is holding regular hearings on the case, has extended indefinitely the date by which citizens must link all identity documents to their Aadhaar number, until it rules on the validity of the legislation. At stake is the trust the Indian people can place in their government.</p>
<p style="text-align: justify; ">Back in Kusumpur Pahari, much of that trust has already eroded. In his 2014 election campaign, Modi had promised to stand guard as a <em>chaukidaar</em> (watchman) over the country’s resources, to prevent corruption. But when someone illegally withdrew Phoolmati’s grains by using her Aadhaar identity, the watchman wasn’t able to stop the theft.</p>
<p style="text-align: justify; ">For Phoolmati and other residents of Kusumpur Pahari, their ration cards guaranteed them food, and were a rare pillar of certainty in an unstable life. The Aadhaar-linked fingerprint authentication system is a source of frustration, and they don’t want it, they make clear at their weekly meeting. They now get their ration some months, and other months they don’t. Life on the fringes of society was already tough. Aadhaar, they say, has made it harder still.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/ozy-aayush-soni-may-11-2018-indias-national-id-project-brings-pain-to-those-it-aims-to-help'>http://editors.cis-india.org/internet-governance/news/ozy-aayush-soni-may-11-2018-indias-national-id-project-brings-pain-to-those-it-aims-to-help</a>
</p>
No publisherAdminAadhaarInternet GovernancePrivacy2018-05-12T00:53:39ZNews ItemFrom 1 March, only registered devices to be used to authenticate Aadhaar
http://editors.cis-india.org/internet-governance/news/livemint-komal-gupta-february-8-2018-from-march-1-only-registered-devices-to-be-used-to-authenticate-aadhaar
<b>UIDAI directive to Aadhaar authentication agencies aims to avoid putting citizens’ biometric data at risk</b>
<p style="text-align: justify; ">The article by Komal Gupta was <a class="external-link" href="http://www.livemint.com/Politics/FgXy2gorgyXaGVvpkl4yKN/From-1-Mar-only-registered-devices-to-be-used-to-authentica.html">published in Livemint</a> on February 8, 2018.</p>
<hr />
<p style="text-align: justify; ">The Unique Identification Authority of India (UIDAI) has directed all Aadhaar authentication agencies to use only registered biometric devices from 1 March to avoid putting residents’ data at risk.</p>
<p style="text-align: justify; "><span>The initial deadline to upgrade these devices was 1 June 2017, but it has been extended several times. The latest is the sixth extension.</span></p>
<p style="text-align: justify; ">The UIDAI wants the biometric devices registered with the Aadhaar system for encryption key management. The Aadhaar authentication server can individually identify and validate these devices and manage encryption keys on each registered device.</p>
<p style="text-align: justify; ">“It is reiterated that to ensure encryption of biometrics of residents at time of capture, it is absolutely essential to use only the registered devices. Any further use of non-registered devices will be putting residents’ privacy at risk,” a UIDAI circular dated 2 February said.</p>
<p style="text-align: justify; ">In January last year, UIDAI had instructed all the authentication user agencies (AUAs) and authentication service agencies (ASAs) to adhere to its new encryption standards and accordingly upgrade the devices to the new norms.</p>
<p style="text-align: justify; ">The AUA is an entity engaged in providing Aadhaar-enabled services. It may be a government, public or a private legal agency registered in India which uses Aadhaar authentication services provided by UIDAI.</p>
<p style="text-align: justify; ">The ASA is any entity that transmits authentication requests to the Central Identities Data Repository (CIDR) on behalf of one or more AUAs.</p>
<p style="text-align: justify; ">Requests from AUAs to extend the timeline has been cited as the reason for delay by UIDAI. The last deadline was 31 January.</p>
<p style="text-align: justify; ">Still, UIDAI claims most of the entities have migrated to registered devices and “no further extension will be given in this regard.” Failure to meet the February-end deadline will lead to loss or disruption of services, the circular added.</p>
<p style="text-align: justify; ">A privacy expert called for better security in the Aadhaar system.</p>
<p style="text-align: justify; ">“The UIDAI should have gone in for smart cards, which are inherently more secure and would have proven a better basis for a national ID system. Given its choice of biometrics, UIDAI should have required hardware-level encryption — the yet-to-be-specified (Level 1) security standard— from 2010,” said Pranesh Prakash, policy director at think tank Centre for Internet and Society.</p>
<p style="text-align: justify; ">“Making the much-delayed Level 1 mandatory is what UIDAI should be focusing on; sadly, even basic registration and easily-defeated software-level encryption (Level 0) is yet to be made mandatory,” he said.</p>
<p style="text-align: justify; ">UIDAI has been under the scanner over the past few months over charges that random entities have been accessing personal information without the consent of individual Aadhaar number holders.</p>
<p style="text-align: justify; ">Last month, UIDAI put in place a two-layer security to reinforce privacy protections for Aadhaar holders—it introduced a virtual identification so that the actual number need not be shared to authenticate their identity. Simultaneously, it further regulated the storage of the Aadhaar numbers within various databases.<br />There are more than 1.2 billion Aadhaar holders in the country.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/livemint-komal-gupta-february-8-2018-from-march-1-only-registered-devices-to-be-used-to-authenticate-aadhaar'>http://editors.cis-india.org/internet-governance/news/livemint-komal-gupta-february-8-2018-from-march-1-only-registered-devices-to-be-used-to-authenticate-aadhaar</a>
</p>
No publisherAdminAadhaarInternet GovernancePrivacy2018-02-24T07:59:39ZNews ItemAadhaar unique IDs in India: a qualified success?
http://editors.cis-india.org/internet-governance/news/the-paypers-march-16-2018-aadhaar-unique-ids-in-india-a-qualified-success
<b>Anshuman Jaswal form Kapronasia shares insights into the security and privacy concerns related to Aadhaar, which are often overlooked</b>
<p style="text-align: justify; "><em>This editorial was first published in our <a href="https://www.thepaypers.com/reports/web-fraud-prevention-and-online-authentication-market-guide-2017-2018/r770429" target="_blank">Web Fraud Prevention and Online Authentication Market Guide 2017/2018</a>. The Guide is a complete overview of the fraud management, digital identity verification and authentication ecosystem provided by thought leaders in the industry from leading solution providers (both established and new players) to associations and experts.</em></p>
<p style="text-align: justify; ">The Digital India project initiated by the Government of India has made significant headway in the last few years. As part of this project, the Unique Identification Authority of India (UIDAI) has presided over the allotment of unique identification numbers to all Indian residents since 2009. Currently, more than 1.1 billion Indian citizens and residents have Aadhaar IDs, making this the largest exercise of this kind the world has ever seen. There are many potential benefits of such a scheme, but there are also concerns and pitfalls. Besides the advantages, this article also focuses on some of the security and privacy concerns related to Aadhaar, which are often overlooked.</p>
<p style="text-align: justify; "><strong>Benefits of Aadhaar</strong></p>
<p style="text-align: justify; ">India is the second most populous nation on earth, with more than 1.3 billion people. Having a unique identification system in place would be a fillip for the government, as it would allow government schemes for poverty alleviation and improvement in health and educational well-being to be better targeted. For example, if a needy person’s bank account is linked to their Aadhaar biometric ID, then it would be easier for the government to provide funds to the individual without using any intermediary. In a country struggling with corruption throughout the government machinery, being able to reach the target audience directly is a significant benefit. Similarly, if both the bank accounts and the tax IDs of individuals are linked to the Aadhaar ID, then the government can trace the income and expenditure of its citizens, thereby obtaining vital information that would allow it to counter money-laundering and the shadow economy.</p>
<p style="text-align: justify; "><strong>Security challenges are paramount</strong></p>
<p style="text-align: justify; ">Creating a monumental technology infrastructure to meet the requirements of a population of more than 1.3 billion people does not come without its problems. Many people have questioned the wisdom of concentrating so much critical personal information in a government platform that is not known for having a robust security framework. There have been two prominent instances in which the Aadhaar database has been compromised.</p>
<p style="text-align: justify; "><a href="https://www.ndtv.com/india-news/aadhaar-issuing-authority-uidai-asks-research-firm-cis-to-justify-data-leak-claim-1695574" target="_blank">In May 2017</a>, the Bengaluru-based Centre for Internet and Society (CIS) alleged that there had been an illegal breach of the database, and Aadhaar identity numbers of more than 130 million people had been leaked online, along with their dates of birth, addresses, and tax IDs (PAN). It is believed that the revealed information did not include the biometric identification of the people affected, but the breach was significant nonetheless as it exposed millions of people to possible fraud.</p>
<p style="text-align: justify; ">The response of the UIDAI was also insightful, because it asked the CIS to reveal on which servers the data was stored, and who might have been responsible for the breach. The UIDAI response quoted the relevant laws, namely sections of the Information Technology Act, 2000 and the Aadhaar Act, underlining the liability under law. The aggressive approach of the UIDAI forced the CIS to retract some of its claims, but then the focus of the discussion was shifted from the loss of critical information to the semantics of the claims of CIS. Instead of calling the breach a “leak”, after receiving the letter from UIDAI, CIS stated that it was merely an “illegal disclosure”.</p>
<p style="text-align: justify; ">The second instance of a breach occurred between <a href="https://www.medianama.com/2017/08/223-ola-ekyc-aadhaar-police-bangalore/" target="_blank">January to July 2017</a>, when an IT expert hacked into the Aadhaar-enabled e-hospital system created under the Digital India project of the Government of India. His intention was to access the central identities data repository of UIDAI for verification of Aadhaar numbers, to be used for an ‘eKYC Verification’ app created by him. The UIDAI database gave him access considering that it was the e-hospital system that was requesting the Aadhaar identity verification. The hack shows that the security protocols of the UIDAI require significant overhaul before it can be trusted to protect the hundreds of millions of digital identities in its database.</p>
<p style="text-align: justify; "><strong>Aadhaar and the right to privacy</strong></p>
<p style="text-align: justify; ">The Indian constitution does not mention a right to privacy. This has been raised as a serious concern by the critics of Aadhaar, since there is no related privacy framework that outlines how the government can use the Aadhaar information. However, the Supreme Court of India addressed some of these concerns when it stated, in August 2017, that privacy is a fundamental right under the Constitution with reasonable restrictions. It was a landmark decision in the Indian context, since it could affect the way in which the unique identification data is collected, and especially the means for which it is used. For example, in the past, the government has mandated that Aadhaar data to be linked to citizens’ information from bank accounts, tax filings, medical records and phone numbers. Once this is achieved, the government would have unregulated access to such information. There is currently no statute or legal precedent to guard against abuse or to allow an individual to file a complaint.</p>
<p style="text-align: justify; ">The Supreme Court decision gives encouragement to citizens and institutions that are concerned about the rights of ordinary individuals, while also laying the groundwork for further work that needs to be done to create a robust legal framework in this field.</p>
<hr />
<p style="text-align: justify; ">Read the original blog post published by the <a class="external-link" href="https://www.thepaypers.com/expert-opinion/aadhaar-unique-ids-in-india-a-qualified-success-/772349">Paypers here</a></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/the-paypers-march-16-2018-aadhaar-unique-ids-in-india-a-qualified-success'>http://editors.cis-india.org/internet-governance/news/the-paypers-march-16-2018-aadhaar-unique-ids-in-india-a-qualified-success</a>
</p>
No publisherAdminAadhaarInternet GovernancePrivacy2018-03-17T12:49:51ZNews ItemAadhaar safety
http://editors.cis-india.org/internet-governance/news/asian-age-march-25-2018-aadhaar-safety
<b>We get experts to give their take on a current issue each week and lend their perspective to a much-discussed topic.</b>
<p style="text-align: justify; ">The article was published in <a class="external-link" href="http://www.asianage.com/life/more-features/250318/aadhaar-safety.html">Asian Age</a> on March 25, 2018.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Attorney General K. K. Venugopal claiming before a five-judge constitutional Bench of the Supreme Court that Aadhaar data remains safe and secure behind a complex with 13-ft high and 5-ft thick walls has resulted in a series of trolls and hilarious responses. We ask tech experts if this is the proper way to ensure safety of digital data and their opinions on alternatives, if any, to keep public data safe.</p>
<p style="text-align: justify; "><strong>‘Safety claims are bogus’<br /><em>Hrishikesh Bhaskaran, Privacy Activist</em></strong><br />Aadhaar safety claims are bogus. It is vulnerable and its vulnerabilities were pointed out by many information security experts in the past. If someone says that a 13-ft high 5-ft thick wall complex is protecting your digital data (which is well connected to the outside network) be sure that a village is missing its idiot. Digital data leak almost always happens through the network. Multiple cases were reported about the Aadhaar data leak (The Tribune report for example). Many government sites are leaking Aadhaar details of citizens and are available publicly through a simple Google search. (Read as the data are already in public without anyone hacking into it).</p>
<p style="text-align: justify; ">The system is defective by design and is maintained by mediocre talents and technology. I feel that their claims about the huge walled protection are a tactic to divert discussion on the human rights angle because otherwise, the government will have no choice but to scrap the whole Aadhaar idea. The only way to protect the personal data of citizens is to start afresh.</p>
<p style="text-align: justify; "><strong>‘Multi-level security assumes added significance’<br /><em>Jaideep Mehta, CEO of VCCircle.com</em></strong><br />Physical security is an important component in the overall security architecture. In addition there is a need to protect the data with multiple levels of cyber security including data encryption, bio-metric driven access, protection against malware and so on. Multi-dimensional security assumes added significance as this is a nationally important database.</p>
<p style="text-align: justify; "><strong>‘Tightening system, or line of human command more important’<br /><em>Ershad Kaleebullah, Technology Editor</em></strong><br />There are right ways to secure digital data. I know of solutions at the individual user level. But for something of Aadhaar’s size the security of digital data will obviously happen at a much, much larger scale. All the resident data and raw biometrics are stored in UIDAI’s datacentre and even fortifying it with the world’s thickest and tallest wall is not going to protect them. I’m really not sure of any foolproof data security systems in the world at that scale. Tightening the system or the line of human command is more important. If Snowden can walk out of NSA with highly confidential information on a lowly thumb drive, Aadhaar data can be easily hacked. If I have to be blunt here, Indians can’t keep a secret to save their lives.</p>
<p style="text-align: justify; "><strong>‘Your data security is in your hands, always be cautious’<br /><em>Viraj Kumar Pratapwant, Senior Software Design Engineer</em></strong><br />First off, no hacker is going to run into a data center and rob data disks. The idea to construct high and thick walls will make anyone chuckle. Speaking about alternatives, let's talk about data. Basically there are two types of data: Data in Motion and Data at Rest. With the right set of firewalls guarding these two kinds will ensure some amount of security. Sensitive and vital information should always be encrypted and kept out of reach for any external source to access this data. Having multiple steps of verification could help the user safeguard his authenticity. Your data and privacy are the most important factor, they should only be shared with trusted sources and with your consent. A lot of data are going digital and soon our lives will completely rely on digital data. The government should enforce strict vigilance to public data. They should make sure that the consumers should follow all the security guidelines and must prove that the data will be saved responsibly. Any compromise caused by any sources should be penalised by law. Lastly, your data security is in your hands, always be cautious about who and where you are giving the data.</p>
<p style="text-align: justify; "><em><strong>Sunil Abraham, Executive Director at Centre for Internet and Society</strong></em><br />Encryption, regardless of the key length, is only useful when citizens have absolute control of the private key. If the UIDAI had gone with smart cards my private key would have only been stored on my smart card. Even though the data in encrypted in the CIDR - the deduplication software needs to compare the bio metric of the person getting enrolled with the unencrypted bio metric of others already in the database. This means that the engineer who controls the software has access to the whole bio metric database. If a foreign state installs a Trojan on the engineer's system it can get into the CIDR. The deduplication software is a proprietary black box software which is owned by a foreign corporation. We don't know what hidden capabilities are there in this software.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/asian-age-march-25-2018-aadhaar-safety'>http://editors.cis-india.org/internet-governance/news/asian-age-march-25-2018-aadhaar-safety</a>
</p>
No publisherAdminAadhaarInternet GovernancePrivacy2018-03-26T17:09:26ZNews ItemSecurity experts say need to secure Aadhaar ecosystem, warn about third party leaks
http://editors.cis-india.org/internet-governance/news/economic-times-march-26-2018-nilesh-christopher-security-experts-say-need-to-secure-aadhaar-ecosystem-warn-about-third-party-leaks
<b>The public reckoning of data leaks in India’s national ID database, Aadhaar is still on hold while reports of data leakage through third-parties keep coming. </b>
<p style="text-align: justify; ">The article by Nilesh Christopher was published in <a class="external-link" href="https://economictimes.indiatimes.com/news/politics-and-nation/there-is-a-need-to-secure-full-aadhaar-ecosystem-experts/articleshow/63459367.cms">Economic Times</a> on March 26, 2018. Sunil Abraham was quoted.</p>
<hr />
<p style="text-align: justify; ">While the Unique Identification Authority of India (UIDAI) has maintained that its database is secure and there are no breaches of <a class="external-link" href="https://economictimes.indiatimes.com/topic/Aadhaar">Aadhaar</a> data from its system, security researchers warn that leaks are happening in third-party sites and it is important for the agency to ensure that its ecosystem adopts measures to keep data safe.</p>
<p style="text-align: justify; ">While the Unique Identification Authority of India (<a class="external-link" href="https://economictimes.indiatimes.com/topic/UIDAI">UIDAI</a>) has maintained that its database is secure and there are no breaches of Aadhaar data from its system, security researchers warn that leaks are happening in third-party sites and it is important for the agency to ensure that its ecosystem adopts measures to keep data safe.</p>
<p style="text-align: justify; ">“Securing an entire ecosystem is more important than secure individual databases,” said security researcher Srinivas Kodali. Over the weekend, technology publication <a class="external-link" href="https://economictimes.indiatimes.com/topic/ZDnet">ZDnet </a>citing an Indian security researcher said that it identified Aadhaar data leaks on a system run by a state-owned utility company <a class="external-link" href="https://economictimes.indiatimes.com/topic/Indane">Indane</a> that allowed anyone to access sensitive information like a name, Aadhar number, bank details. The leak was plugged soon after the report appeared.</p>
<p style="text-align: justify; ">UIDAI came out with a strong statement denying the breach. “There is no truth in the story as there has been absolutely no breach of UIDAI’s Aadhaar database. Aadhaar remains safe and secure,” the government agency said.</p>
<p style="text-align: justify; ">There have been no reports of any breach in the core database so far. However, it is the third-parties that have acted as weak links.</p>
<p style="text-align: justify; ">“The simple parallel that can be drawn is, though Facebook’s core database of users information was secure, the data leak happened through third-party developers and organisation like Cambridge Analytica that have allegedly misused it,” Kodali said.</p>
<p style="text-align: justify; ">In case of Aadhar too, the allegations of breaches have not been on ‘Aadhaar database’ but rather at insecure government websites and third-parties with API access to the database. “In this aspect, the issue in Facebook and Aadhaar is similar. In both the cases there was no breach of database, but it was third parties that acted as the weakest link. In both cases, it was a legitimate means of access through API that was open for abuse,” said Sunil Abraham, executive director, Center for Internet and Society.</p>
<p style="text-align: justify; ">UIDAI could take a leaf from Indian Space Research Organisation while handling <a class="external-link" href="https://economictimes.indiatimes.com/topic/data-breach">data breach</a> reports. The state-run space agency put out a note appreciating security researches for their efforts. An email ID to report flaws is more important than summoning people regarding data breaches.</p>
<p style="text-align: justify; ">“The fear of criminal prosecution hanging over the heads of ethical hackers would not help us develop a robust and strong security architecture,” said Karan Saini, a Delhi-based security researcher who first highlighted the Aadhaar leak at Indane.</p>
<p style="text-align: justify; ">“UIDAI is working on a policy to enable security experts to report issues in a legal and safe manner,” tweeted Ajay Bhushan Pandey, chief executive of India's Unique Identification Authority (UIDAI), the government department that administers the Aadhaar database. Seven months after the tweet, Pandey’s promise of a bug-reporting mechanism has still has not fructified.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/economic-times-march-26-2018-nilesh-christopher-security-experts-say-need-to-secure-aadhaar-ecosystem-warn-about-third-party-leaks'>http://editors.cis-india.org/internet-governance/news/economic-times-march-26-2018-nilesh-christopher-security-experts-say-need-to-secure-aadhaar-ecosystem-warn-about-third-party-leaks</a>
</p>
No publisherAdminAadhaarInternet GovernancePrivacy2018-03-26T22:37:30ZNews ItemUIDAI servers or third parties, Aadhaar leaks are dangerous: Experts
http://editors.cis-india.org/internet-governance/news/business-standard-mayank-jain-march-27-2018-uidai-servers-or-third-parties-aadhaar-leaks-are-dangerous-experts
<b>Even though the UIDAI has denied these reports, its arguments rest on shaky grounds, according to experts.</b>
<p style="text-align: justify; ">The article by Mayank Jain was published in <a class="external-link" href="http://www.business-standard.com/article/current-affairs/uidai-servers-or-third-parties-aadhaar-leaks-are-dangerous-experts-118032601008_1.html">Business Standard</a> on March 27, 2018. Pranesh Prakash was quoted.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The government has told the Supreme Court that the Aadhaar data “remains safely behind 13-feet high walls” and it will take “the age of the universe” to break one key in the Unique Identification Authority of India’s (UIDAI’s) encryption.</p>
<p style="text-align: justify; ">Even if this claim is taken at face value, experts suggest leaks from third-party databases seeded with Aadhaar numbers are equally dangerous and the UIDAI is responsible for the damage. <span>The most recent case came from a report published online and it said random numbers could provide access to the Aadhaar data, which also includes people’s financial information, from a state-owned company’s database. </span><span>Even though the UIDAI has denied these reports, its arguments rest on shaky grounds, according to experts.“There is no truth in this story as there has been absolutely no breach of the UIDAI’s Aadhaar database.</span></p>
<p style="text-align: justify; ">Aadhaar remains safe and secure,” the UIDAI said on Twitter shortly after the story broke on ZDNet.The authority added even if the report was taken to be true, “it would raise security concerns on the database of that Utility Company and has nothing to do with the security of the UIDAI’s Aadhaar database”.This has been the authority’s defence in several such cases but those in the know of things say it doesn’t hold water simply because the Aadhaar data is not concentrated in the UIDAI’s complexes anymore and has spread across various databases.“Publishing this by the state entities is a violation under the Aadhaar Act.</p>
<p style="text-align: justify; ">Even if you publish your Aadhaar number, it is a violation of the law,” said Pranesh Prakash, policy director at the Centre for Internet and Society.“Saying that the UIDAI has not been compromised is thoroughly insufficient because for customers, it doesn’t matter if the leak comes from servers operated by the UIDAI or from others holding copies of the UIDAI database.”Prakash said it should be the authority’s responsibility to help others comply with the law and prevent data leaks.</p>
<p style="text-align: justify; ">He gave the example of biometric leaks from Gujarat government servers and how criminals used them to forge fingerprints.The possibility of data leaks was demonstrated when Robert Baptiste, purportedly a French app developer, announced on Twitter how he got access to thousands of scanned Aadhaar card copies through simple Google searches.In an interview to Business Standard, Baptiste said the major threat was data handling by third parties, which could lead to identity theft.Even the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, has provisions that debar making public citizens’ Aadhaar-related information public unless required for certain purposes.</p>
<p style="text-align: justify; ">“Whoever intentionally discloses, transmits, copies or otherwise disseminates any identity information collected in the course of enrolment or authentication to any person not authorised under this Act” can be in jail for three years and pay a fine of ~10,000 under the Act.A lawyer appearing on the petitioners’ side in the ongoing Supreme Court case on the constitutional validity of Aadhaar said only the UIDAI had the powers to file cases against people who published Aadhaar information. Hence everyone else is helpless despite the leaks.</p>
<p style="text-align: justify; ">The UIDAI’s argument that Aadhaar information can’t be misused is duplicitous because the regulations under the Aadhaar Act assure individuals that if biometric authentication fails, they should have other means of identifying themselves, says Kiran Jonnalagadda, founder of HasGeek.“So the regulations guarantee that anyone in possession of stolen identity information will be able to misuse it without biometric authentication,” he said.Prakash agreed with this. He said demographic authentication, which is an acceptable authentication method under the Aadhaar Act, was prone to misuse as long as Aadhaar numbers remained public.“Aadhaar is used as just a piece of paper, unlike security features embedded in passports or even permanent account number cards. Thus, demographic authentication merely involves providing Aadhaar numbers and details like addresses, which can be used even for things like getting entry into an airport by just printing a ticket and having a fake Aadhaar,” he said.</p>
<p style="text-align: justify; "><em>Queries sent to the UIDAI were not answered till the time of going to press</em></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/business-standard-mayank-jain-march-27-2018-uidai-servers-or-third-parties-aadhaar-leaks-are-dangerous-experts'>http://editors.cis-india.org/internet-governance/news/business-standard-mayank-jain-march-27-2018-uidai-servers-or-third-parties-aadhaar-leaks-are-dangerous-experts</a>
</p>
No publisherAdminAadhaarInternet GovernancePrivacy2018-03-27T02:16:55ZNews ItemPension won’t be denied for want of Aadhaar, says EPFO
http://editors.cis-india.org/internet-governance/news/livemint-prashant-k-nanda-and-komal-gupta-pension-wont-be-denied-for-want-of-aadhaar-epfo
<b>The move is aimed at ensuring that no retired government employee is deprived of pension for want of Aadhaar or failure of fingerprint authentication.</b>
<p style="text-align: justify; ">The article by Prashant K. Nanda and Komal Gupta published by <a class="external-link" href="https://www.livemint.com/Politics/J0wTnWuLVVNsejAcJygdRO/Dont-delay-pension-disbursal-in-pretext-of-Aadhaar-linking.html">Livemint</a> on April 11, 2018 quoted Pranesh Prakash.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Tens of thousands of pensioners under the employees pension scheme will not be denied their monthly pension if their Aadhaar authentication fails or they do not have the 12-digit unique ID, the Employees Provident Fund Organisation (EPFO) has indicated.</p>
<p style="text-align: justify; ">The retirement fund manager has asked banks and post offices to facilitate pension disbursement without making senior citizens do the rounds.</p>
<p style="text-align: justify; ">The move comes after EPFO received several complaints of denial of pension by banks.</p>
<p style="text-align: justify; "><span>For paying pension to those whose fingerprint authentication fails, “banks may make provisions for iris scanner, along with the fingerprint scanner in bank branches. It has been observed that in many cases, iris authentication is successful even though fingerprint authentication may have failed. This is particularly true for many senior citizens. In such cases, digital life certificate may be generated on the basis of iris authentication and pension may be given,” the EPFO said in a circular on Monday.</span></p>
<p style="text-align: justify; ">And when both iris and fingerprint authentication are not feasible, “an entry should be made in the exception register with reasons and pension may be provided on the basis of paper life certificate and physical Aadhaar card or E-Aadhaar card of the pensioner after due verification as deemed fit by the bank,” the circular said.</p>
<p style="text-align: justify; ">The move is aimed at ensuring that no senior citizen is deprived of pension for want of Aadhaar or failure of fingerprint authentication.</p>
<p style="text-align: justify; "><span>Banks have been advised to ensure that benefits of the pension scheme reach the citizens and a proper mechanism for “handling exceptions” is put in place.</span></p>
<p style="text-align: justify; ">“Banks should make special arrangements for the bed-ridden, differently abled, or senior citizens who are unable to visit the Aadhaar enrolment centre,” the circular said.</p>
<p style="text-align: justify; ">EPFO has also instructed pension disbursing banks and post offices to make necessary arrangements for enrolling pensioners for Aadhaar and to carry out authentication through iris, especially for those who cannot be verified through fingerprints.</p>
<p style="text-align: justify; "><span>The Unique Identification Authority of India (UIDAI) has been under the scanner over the past few months over allegations of access to pension being denied as the fingerprints of the elderly do not match biometrics in the Aadhaar database.</span></p>
<p style="text-align: justify; ">So far, pensioners had to furnish a life certificate and needed to authenticate it using biometrics.</p>
<p style="text-align: justify; ">“The fact that it is coming now means that the Unique Identification Authority of India’s claim in the Supreme Court about no person having been denied any benefit due to the lack of Aadhaar is simply untrue,” said Bengaluru-based Pranesh Prakash, an affiliated fellow with the Yale Law School’s Information Society Project that works on issues related to the intersection of law, technology and society.</p>
<p style="text-align: justify; "><span>Prakash, however, welcomed EPFO’s move laying down “a procedure both for those who don’t have an Aadhaar number, as well as those whose biometrics fail for any reason”.</span></p>
<p style="text-align: justify; ">Prakash further said that “as per the UIDAI’s own data, failure rates for iris authentication are higher (8.54%) than for fingerprints (6%). So the utility of pushing for iris authentication is unclear.”</p>
<p style="text-align: justify; ">There are more than 1.2 billion Aadhaar holders in the country.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/livemint-prashant-k-nanda-and-komal-gupta-pension-wont-be-denied-for-want-of-aadhaar-epfo'>http://editors.cis-india.org/internet-governance/news/livemint-prashant-k-nanda-and-komal-gupta-pension-wont-be-denied-for-want-of-aadhaar-epfo</a>
</p>
No publisherAdminAadhaarInternet Governance2018-04-10T22:33:39ZNews ItemShould Aadhaar be mandatory?
http://editors.cis-india.org/internet-governance/blog/should-aadhaar-be-mandatory
<b>This week, a constitutional bench of the Supreme Court will adjudicate on limited questions of stay orders in the Aadhaar case. After numerous attempts by the petitioners in the Aadhaar case, the court has agreed to hear this matter, just shy of the looming deadline of December 31 for the linking of Aadhaar numbers to avail government services and benefits. </b>
<p style="text-align: justify; ">The article was published in <a class="external-link" href="http://www.deccanherald.com/content/647320/should-aadhaar-mandatory.html">Deccan Herald</a> on December 9, 2017.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Getting their day in the court to hear interim matters is but a small victory in what has been a long and frustrating fight for the petitioners. In 2012, Justice K S Puttaswamy, a former Karnataka High Court judge, filed a petition before the Supreme Court questioning the validity of the Aadhaar project due its lack of legislative basis (the Aadhaar Act was passed by Parliament in 2016) and its transgressions on our fundamental rights.</p>
<p style="text-align: justify; ">Over time, a number of other petitions also made their way to the apex court challenging different aspects of the Aadhaar project. Since then, five different interim orders of the Supreme Court have stated that no person should suffer because they do not have an Aadhaar number.<br /><br />Aadhaar, according to the Supreme Court, could not be made mandatory to avail benefits and services from government schemes. Further, the court has limited the use of Aadhaar to only specific schemes, namely LPG, PDS, MNREGA, National Social Assistance Program, the Pradhan Mantri Jan Dhan Yojna and EPFO.<br /><br />The then Attorney General, Mukul Rohatgi, in a hearing before the court in July 2015 stated that there is no constitutionally guaranteed right to privacy. But the judgement by the nine-judge bench earlier this year was an emphatic endorsement of the constitutional right to privacy.<br /><br />In the course of a 547-page judgement, the bench affirmed the fundamental nature of the right to privacy, reading it into the values of dignity and liberty.<br /><br />Yet months after the judgement, the Supreme Court has failed to hear arguments in the Aadhaar matter. The reference to a larger bench and subsequent deferrals have since delayed the entire matter, even as the government has moved to make Aadhaar mandatory for a number of government schemes.<br /><br />At this point, up to 140 government services have made linking with Aadhaar mandatory to avail these services. Chief Justice of India Dipak Misra has promised a constitution bench this week, likely to look only into interim matters of stay on the deadline of Aadhaar-linking. It is likely that the hearings for the final arguments are still some months away. The refusal of the court to adjudicate on this issue has been extremely disappointing, and a grave disservice to the court's intended role as the champion of individual rights.<br /><br />It is worth noting that the interim orders by the Supreme Court that no person should suffer because they do not have an Aadhaar number, and limiting its use only to specified schemes, still stand.<br /><br />However, since the passage of the Aadhaar Act, which allows the use of Aadhaar by both private and public parties, permits making it mandatory for availing any benefits, subsidies and services funded by the Consolidated Fund of India, the spate of services for which Aadhaar has been made mandatory suggests that as per the government, the Aadhaar Act has, in effect, nullified the orders by the Supreme Court.<br /><br />This was stated in so many words by Union Law Minister Ravi Shankar Prasad in the Rajya Sabha in April. This view is an erroneous one. While acts of Parliament can supersede previous judicial orders, they must do so either through an express statement in the objects of the Act, or implied when the two are mutually incompatible. In this case, the Aadhaar Act, while permitting the government authorities to make Aadhaar mandatory, does not impose a clear duty to do so.<br /><br />Therefore, reading the orders and the legislation together leads one to the conclusion that all instances of Aadhaar being made mandatory under the Aadhaar Act are void.<br /><br />The question may be more complicated for cases where Aadhaar has been made mandatory through other legislations, such as Prevention of Money Laundering Act, as they clearly mandate the linking of Aadhaar numbers, rather than merely allowing it. However, despite repeated appeals of the petitioners, the court has so far refused to engage with the question of the legality of such instances. <br /><br />How may the issues finally be resolved? When the court deigns to hear final arguments, the Aadhaar case will be instructive in how the court defines the contours of the right to privacy. The right to privacy judgement, while instructive in its exposition of the different aspects of privacy, does not delve deeply into the question of what may be legitimate limitations on this right.<br /><br />In one of the passages of the judgement, "ensuring that scarce public resources are not dissipated by the diversion of resources to persons who do not qualify as recipients" is mentioned as an example of a legitimate incursion into the right to privacy. However, it must be remembered that none of the opinions in the privacy judgement were majority judgements.<br /><br />Therefore, in future cases, lawyers and judges must parse through the various opinions to arrive at an understanding of the majority opinion, supported by five or more judges. While the privacy judgement was a landmark one, its actual impact on the rights discourse and on matters like Aadhaar will depend extensively on the how the judges choose to interpret it.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/should-aadhaar-be-mandatory'>http://editors.cis-india.org/internet-governance/blog/should-aadhaar-be-mandatory</a>
</p>
No publisheramberAadhaarInternet GovernancePrivacy2017-12-18T15:54:39ZBlog EntryAadhaar linking deadline approaches: Here are all the myths and facts
http://editors.cis-india.org/internet-governance/news/aadhaar-linking-deadline-approaches-here-are-all-the-myths-and-facts
<b>Love it or hate it, you just can't escape it. We're talking about Aadhaar, which is a bigger buzzword than usual in the face of the looming end-December deadline for linkages with bank accounts, PPF, insurance policies, ration card and perhaps even PAN. As India rushes to comply, there are a number of myths and half-truth making the rounds. </b>
<p style="text-align: justify; ">The article was published by <a class="external-link" href="http://www.businesstoday.in/current/policy/aadhar-linking-deadline-last-day-uidai-bank-account/story/265465.html">Business Today</a> on December 7, 2017.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The official website of the Unique Identification Authority of India (UIDAI), the body issuing the biometrics-based Aadhaar number, helpfully lists out some of them, while others came to light when activists took up cudgels on behalf of Aadhaar-harassed citizens. But, either ways, you need to know the hard truth behind them.</p>
<p style="text-align: justify; "><strong>Myth:</strong> Aadhaar-linkage is not only mandatory for every Indian citizen but also every person residing in the country.<br /><strong>Fact:</strong> In a notification dated May 11, 2017, the Central Board of Direct Taxes exempted the following categories from mandatory Aadhaar enrolment: <br />Those who are not citizens of India, non-resident Indians as per Income Tax Laws, those aged over 80 years at any time during the tax year, and the residents of Assam, Meghalaya and Jammu & Kashmir.</p>
<p style="text-align: justify; ">The UIDAI has also made it clear that NRIs and those holding the Overseas Citizen of India (OCI) card are not eligible to obtain Aadhaar as per the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016. "NRI/OCI need not verify their bank account or SIM or PAN with Aadhaar. If required, they may inform the service provider(s) that they being NRI/OCI are exempted from Aadhaar verification," the UIDAI had said on Twitter way back in October, and followed it up with a circular in mid-November.</p>
<p style="text-align: justify; ">As per the Aadhaar Act, only a "resident" is entitled to obtain Aadhaar, which refers to an individual, irrespective of nationality, who has resided in India for a period aggregating 182 days or more in the year immediately preceding the date of application for enrolment. So, this means that even NRIs and expats fulfilling the above criteria can apply for Aadhaar, but they cannot be forced to link their Indian bank accounts with it.<br /><strong><br />Myth:</strong> I had to give my fingerprints to get a SIM card and now the telecom company will keep my biometrics for future use<br /><strong><br />Fact:</strong> According to UIDAI, a telecom company cannot store your biometrics at its end. All the biometrics collected should be encrypted by the service provider and sent to UIDAI at that instant itself. Any storage of biometric by any agency is a serious crime punishable with up to three years of imprisonment under the Aadhaar Act.</p>
<p style="text-align: justify; "><strong>Myth:</strong> Aadhaar is prone to data breaches and leaks<strong><br />Fact: </strong>Yes, there have been at least two serious leaks reported in the media, but the UIDAI has denied both of them.</p>
<p style="text-align: justify; ">In May 2017, The Centre for Internet and Society, a Bangalore-based non-profit research organisation, had reportedly investigated three government portals linked with social welfare schemes that together leaked Aadhaar information of around 1.3 crore people. Then, two months later, came news about over 200 government websites Aadhaar information public. This raised a lot of concerns and detractors cried themselves hoarse.</p>
<p style="text-align: justify; ">According to the UIDAI, some agencies of central or state governments had been proactively putting up details of their beneficiaries as required under the RTI Act. While the said information was promptly removed from the offending websites, the authority points out that no biometrics were displaced.</p>
<p style="text-align: justify; ">"Therefore to say that Aadhaar has been breached, data has been leaked, is completely incorrect and misleading," it says.</p>
<p style="text-align: justify; ">Moreover, the Aadhaar Act and IT Act are now in place, which impose restrictions on publication of Aadhaar numbers, bank account, and other personal details.</p>
<p style="text-align: justify; "><strong>Myth:</strong> Aadhaar has a poorly verified database.<br /><strong>Fact:</strong> Several security measures are in place to ensure that Aadhaar enrolment system is secure. It is done through registrars-credible institutions like state government, banks, Common Service Centres which employ enrolment agencies empanelled by UIDAI. The latter, in turn, employ operators certified by the authority. Aadhaar enrolments are done only through customized software developed and provided by UIDAI. Every day, the operators have to log into the enrolment machine through their Aadhaar number and fingerprints. Once an enrolment is done, the operator is required to sign through his/ her biometrics. Moreover, at the time of enrolment itself, the captured data is encrypted and can't be read by anyone other than the UIDAI server.</p>
<p style="text-align: justify; "><strong>Myth:</strong> People are being denied benefits and rations because they don't have Aadhaar or because of biometrics issues<strong><br />Fact:</strong> UIDAI CEO Ajay Bhushan Pandey has clarified to the media that though Section 7 of the Aadhaar Act stipulates that benefits and subsidies from the Consolidated Fund of India shall be given on the basis of Aadhaar or proof of possession of an Aadhaar number, the lack of it cannot be grounds for denial. "Section 7 specifies that till Aadhaar number is prescribed, the benefits should be given through alternate means of identification," Pandey said to The Hindu.</p>
<p style="text-align: justify; ">The Act also provides for statutory protection to those who are unable to authenticate because of worn-out fingerprints, medical conditions like leprosy or other reasons such as technical faults. "The field agencies have been accordingly instructed through the notifications issued by the government. In spite of this, if a person is denied because he does not have Aadhaar or he is unable to biometrically authenticate, it is undisputedly a violation of instructions issued by the government and such violators have to be punished," added Pandey.</p>
<p style="text-align: justify; "><strong>Myth:</strong> Publicly sharing the Aadhaar number, to track a lost Amazon package, for instance, makes one susceptible to identity fraud<br /><strong>Fact:</strong> Your Aadhaar number, just like your mobile phone number or bank account number, is not a secret though it is certainly sensitive personal information. Just as no one can hack into your bank account using just the account number, identity theft is impossible using the Aadhaar number alone.</p>
<p style="text-align: justify; ">What you need to assiduously protect are things like passwords, including OTPs, and PINs. A prudent practice would be to never put up any sensitive personal information on websites or social media platforms.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/aadhaar-linking-deadline-approaches-here-are-all-the-myths-and-facts'>http://editors.cis-india.org/internet-governance/news/aadhaar-linking-deadline-approaches-here-are-all-the-myths-and-facts</a>
</p>
No publisherAdminAadhaarInternet GovernancePrivacy2018-01-01T16:04:25ZNews ItemIndia’s Data Protection Regime Must Be Built Through an Inclusive and Truly Co-Regulatory Approach
http://editors.cis-india.org/internet-governance/blog/the-wire-amber-sinha-december-1-2017-inclusive-co-regulatory-approach-possible-building-indias-data-protection-regime
<b>We must move India past its existing consultative processes for rule-making, which often prompts stakeholders to take adversarial and extremely one-sided positions.
</b>
<p style="text-align: justify; ">The article was published in the <a class="external-link" href="https://thewire.in/201123/inclusive-co-regulatory-approach-possible-building-indias-data-protection-regime/">Wire</a> on December 1, 2017.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Earlier this week, the Ministry of Electronics and Information Technology released <a title="a white paper" href="http://meity.gov.in/white-paper-data-protection-framework-india-public-comments-invited" target="_blank"><span style="text-decoration: underline;">a white paper</span></a> by a “committee of experts” appointed a few months back led by former Supreme Court judge, Justice B.N. Srikrishna, on a data protection framework for India. The other members of the committee are Aruna Sundararajan, Ajay Bhushan Pandey, Ajay Kumar, Rajat Moona, Gulshan Rai, Rishikesha Krishnan, Arghya Sengupta and Rama Vedashree.</p>
<p style="text-align: justify; ">With the exception of Justice Srikrishna and Krishnan, the rest of the committee members are either part of the government or part of organisations that have worked closely with the government on separate issues relating to technology, with some of them also having taken positions against the fundamental right to privacy.</p>
<p style="text-align: justify; ">Refreshingly, the committee and the ministry has opted for a consultative process outlining the issues they felt relevant to a data protection law, and espousing provisional views on each of the issues and seeking public responses on them. The paper states that on the basis of the response received, the committee will conduct public consultations with citizens and stakeholders. Legitimate concerns <a title="were raised earlier" href="http://indianexpress.com/article/india/citizens-group-questions-data-privacy-panel-composition-aadhaar-4924220/" target="_blank"><span style="text-decoration: underline;">were raised earlier</span></a> about the constitution of the committee and the lack of inclusion of different voices on it. However, if the committee follows an inclusive, transparent and consultative process in the drafting of the data protection legislation, it would go a long way in addressing these concerns.</p>
<p style="text-align: justify; ">The paper seeks response to as many as 231 questions covering a broad spectrum of issues relating to data protection – including definitions of terms such as personal data, sensitive personal data, processing, data controller and processor – the purposes for which exemptions should be available, cross border flow of data, data localisation and the right to be forgotten.</p>
<p style="text-align: justify; ">While a thorough analysis of all the issues up for discussion would require a more detailed evaluation, at this point, the process of rule-making and the kind of governance model envisaged in this paper are extremely important issues to consider.</p>
<p style="text-align: justify; ">In part IV of the paper on ‘Regulation and Enforcement’, there is a discussion on a co-regulatory approach for the governance of data protection in India. The paper goes so far as to provisionally take a view that it may be appropriate to pursue a co-regulatory approach which involves “a spectrum of frameworks involving varying levels of government involvement and industry participation”.</p>
<p style="text-align: justify; ">However, the discussion on co-regulation in the white paper is limited to the section on regulation and enforcement. A truly inclusive and co-regulatory approach ought to involve active participation from non-governmental stakeholders in the rule-making process itself. In India, unfortunately, we lack a strong tradition of lawmakers engaging in public consultations and participation of other stakeholders in the process of drafting laws and regulation. One notable exception has been the Telecom Regulatory Authority of India (TRAI), which periodically seeks public responses on consultation papers it releases and also holds open houses occasionally. It is heartening to see the committee of experts and the ministry follow a similar process in this case.</p>
<p style="text-align: justify; ">However, these are essentially examples of ‘notice and comment’ rulemaking where the government actors stand as neutral arbiters who must decide on written briefs submitted to it in response to consultation papers or draft regulations that it notifies to the public.</p>
<p style="text-align: justify; ">This process is, by its very nature, adversarial, and often means that different stakeholders do not reveal their true priorities but must take extreme one-sided positions, as parties tend to at the beginning of a negotiation.This also prevents the stakeholders from sharing an honest assessment of the actual regulatory challenge they may face, lest it undermine their position.</p>
<p style="text-align: justify; ">This often pits industry and public interest proponents against each other, sometimes also leading to different kinds of industry actors in adversarial positions. An excellent example of this kind of posturing, also relevant to this paper, is visible in the responses submitted to the TRAI on the its recent consultation paper on ‘Privacy, Security and Ownership of data in Telecom Sector’. One of the more contentious issue raised by the TRAI was about the adequacy of the existing data protection framework under the license agreement with telecom companies, and if there was a need to bring about greater parity in regulation between telecom companies and over-the-top (OTT) service providers. Rather than facilitating an actual discussion on what is a complex regulatory issues, and the real practical challenges it poses for the stakeholders, this form of consultation simply led to the telecom companies and OTT services providers submitting contrasting extreme positions without much scope for engagement between two polar arguments.</p>
<p style="text-align: justify; ">A truly co-regulatory approach which also extends to rulemaking would involve collaborative processes which are far less adversarial in their design and facilitate joint problem solving through multiple face to face meetings. Such processes are also more likely to lead to better rule making by using the more specialised knowledge of the different stakeholders about technology, domain-specific issues, industry realities and low cost solutions. Further, by bringing the regulated parties into the rulemaking process, the ownership of the policy is shared, often leading to better compliance.</p>
<p style="text-align: justify; ">Within the domain of data protection law itself, we have a few existing models of robust co-regulation which entail the involvement of stakeholders not just at the level of enforcement but also at the level of drafting. The oldest and most developed form of this kind of privacy governance can be seen in the study of the Dutch privacy statute. It involved a central privacy legislations with broad principles, sectoral industry-drafted “codes of conduct”, government evaluations and certifications of these codes; and a legal safe harbour for those companies that follow the approved code for their sector. Over a period of 20 years, the Dutch experience saw the approval of 20 sectoral codes across a variety of sectors such as banking, insurance, pharmaceuticals, recruitment and medical research.</p>
<p style="text-align: justify; ">Other examples of policies espousing this approach include two documents from the US – first, a draft bill titled ‘Commercial Privacy Bill of Rights Act of 2011’ introduced before the Congress by John McCain and John Kerry, and second, a White House Paper titled ‘Consumer Data Privacy In A Networked World: A Framework For Protecting Privacy And Promoting Innovation In The Global Digital Economy’ released by the Obama administration. Neither of these documents have so far led to a concrete policy. Both of these policies envisioned broadly worded privacy requirements to be passed by the Congress, followed by the detailed rules to be<span> drafted</span>. The Obama administration white paper is more inclusive in mandating that ‘multi-stakeholder groups’ draft the codes that include not only industry representatives but also privacy advocates, consumer groups, crime victims, academics, international partners, federal and state civil and criminal law enforcement representatives and other relevant groups.</p>
<p style="text-align: justify; ">The principles that emerge out this consultative process are likely to guide the data protection law in India for a long time to come. Among democratic regimes with a significant data-driven market, India is extremely late in arriving at a data protection law. The least that it can do at this point is to learn from the international experience and scholarship which has shown that merits of a co-regulatory approach which entails active participation of the government, industry, civil society and academia in the drafting and enforcement of a robust data protection law.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/the-wire-amber-sinha-december-1-2017-inclusive-co-regulatory-approach-possible-building-indias-data-protection-regime'>http://editors.cis-india.org/internet-governance/blog/the-wire-amber-sinha-december-1-2017-inclusive-co-regulatory-approach-possible-building-indias-data-protection-regime</a>
</p>
No publisheramberAadhaarInternet GovernancePrivacy2018-01-01T16:18:54ZBlog EntryAttempted data breach of UIDAI, RBI, ISRO and Flipkart is worrisome
http://editors.cis-india.org/internet-governance/news/daily-o-october-4-2017-attempted-data-breach-of-uidai-rbi-isro-and-flipkart
<b>Perhaps, we got lucky this time, but the ongoing problem of massive cyber-security breaches wouldn't stop at one thwarted attempt to steal sensitive information from the biggest and most important databases. </b>
<p style="text-align: justify; ">This was published by <a class="external-link" href="https://www.dailyo.in/variety/uidai-rbi-isro-flipkart-hack-cyber-security-data-breach-dark-net/story/1/19893.html">DailyO</a> on October 4, 2017.</p>
<hr />
<p style="text-align: justify; "><span>An</span><span> <a href="http://www.moneycontrol.com/news/trends/current-affairs-trends/uidai-bse-among-6000-indian-organisations-reportedly-affected-by-data-breach-2404223.html/amp" rel="nofollow" target="_blank">alarming report </a></span><span>on a potential data breach impacting almost 6,000 Indian organisations — including the Unique Identification Authority of India (UIDAI) that hosts Aadhaar numbers, Reserve Bank of India, Bombay Stock Exchange and Flipkart — has surfaced and supposedly been contained.</span></p>
<p style="text-align: justify; ">A cyber security firm in Pune, Seqrite, had found in its Cyber Intelligence Labs that India's national internet registry, IRINN (Indian Registry for Internet Names and Numbers), which comes under NIXI (National Internet Exchange of India), was compromised, though the issue has reportedly been "addressed".</p>
<p style="text-align: justify; ">Sequite tracked an advertisement on the "dark net" — the digital underworld — offering access to servers and database dump of more than 6,000 Indian businesses and public assets, including the big ones such as UIDAI, RBI, BSE and Flipkart.</p>
<p style="text-align: justify; ">The report states that the "dealer could have had access to usernames, email ids, passwords, organisation name, invoices and billing documents, and few more important fields, and could have potentially shut down an entire organisation".</p>
<p style="text-align: justify; ">The UIDAI has <span><a href="https://twitter.com/UIDAI/status/915528090230517761" rel="nofollow" target="_blank">denied</a></span> the security breach of Aadhaar data in the IRINN attacks, in an expected move. "UIDAI reiterated that its existing security controls and protocols are robust and capable of countering any such attempts or malicious designs of data breach or hacking," said the report, which is basically a rebuttal from the powerful organisation at the heart of centralising all digital information of all Indians.</p>
<p style="text-align: justify; ">Though the aggrieved parties have been notified, and the NCIIPC (National Critical Information Infrastructure Protection Centre) is looking at the issue, what this means is that digital information is a minefield susceptible to all kinds of threats from criminals as well as foreign adversaries, along with being commercially exploited by major conglomerates.</p>
<p style="text-align: justify; ">Till August 2017 alone, around <span><a href="https://www.medianama.com/2017/08/223-ransomware-india-wannacry-petya/" rel="nofollow" target="_blank">37 incidents</a></span> of ransomware attacks have been reported, including the notorious WannaCry attacks. But what makes the attacks very, very threatening is the government's insistence — illegal at that — to link Aadhaar with every service, and create a centralised nodal, superior network of all networks.</p>
<p style="text-align: justify; ">This "map of maps" has been rightly called out as a potential <span><a href="https://thewire.in/118541/national-security-case-aadhaar/" rel="nofollow" target="_blank">national security threat</a></span>, as it makes a huge reservoir of data vulnerable to cyberthreats from mercenaries, the digital underworld and foreign adversaries.</p>
<p style="text-align: justify; "><img alt="A widely circulated report prepared by the Centre for Internet and Society (CIS) underlined the major flaws in the 2016 Aadhaar Act, that makes it vulnerable to several digital threats. Photo: Reuters" src="https://smedia2.intoday.in/dailyo//story/embed/201710/data-inside_100417083834.jpg" title="data-inside_100417083834.jpg" /></p>
<p style="text-align: justify; "><span><strong>A widely circulated report prepared by the Centre for Internet and Society (CIS) underlined the major flaws in the 2016 Aadhaar Act, that makes it vulnerable to several digital threats. Photo: Reuters</strong></span></p>
<p style="text-align: justify; ">That the data dump in the digital black market provides access to entire servers for a meagre sum of Rs 42 lakh, as mentioned in the report, is a sign of how insecure our personal information could be on the servers of the biggest government organisations and commercial/online retail giants. This includes the likes of Flipkart, which store our passwords, emails, phone numbers and other important information linked to our bank details and more.</p>
<p style="text-align: justify; ">Whilst UIDAI was declared a <span><a href="http://meity.gov.in/writereaddata/files/UIDAI%20CII%20notification%20Dec15.pdf" rel="nofollow" target="_blank">"protected system"</a></span> under Section 70 of the Information Technology Act, and a critical information infrastructure, in practice, there are way too many breaches and leaks of Aadhaar data to merit that tag.</p>
<p style="text-align: justify; ">Because the current (officially thwarted) attempt to hack into these nodal databases involved the data of hundreds of millions of Indians, the matter has been dealt with the required seriousness. However, as the report states, "among the companies whose emails they found were Tata Consultancy Services, Wipro, Indian Space Research Organisation, Mastercard/Visa, Spectranet, Hathway, IDBI Bank and EY".</p>
<p style="text-align: justify; ">This is a laundry list of the biggest and most significant organisations, with massive digital footprints, which are sitting on enormous databanks. Hacking into ISRO, for example, could pose a formidable risk to India's space programmes as well as jeopardise information safety of crucial space projects that are jointly conducted with friendly countries such as Russia, China and the US.</p>
<p style="text-align: justify; ">A widely circulated report prepared by the Centre for Internet and Society (CIS) on the Aadhaar Act and <span><a href="https://cis-india.org/internet-governance/blog/aadhaar-act-and-its-non-compliance-with-data-protection-law-in-india" rel="nofollow" target="_blank">its non-compliance with data protection law</a></span> in India underlined the major flaws in the 2016 Aadhaar Act, that makes it vulnerable to several digital threats.</p>
<p style="text-align: justify; ">Moreover, CIS also reported how government websites, especially "those run by National Social Assistance Programme under Ministry of Rural Development, National Rural Employment Guarantee Act (NREGA) run by Ministry of Rural Development, Daily Online Payment Reports under NREGA (Governemnt of Andhra Pradesh) and Chandranna Bima Scheme (also run by Government of Andhra Pradesh) combined were responsible for<a href="http://m.thehindubusinessline.com/info-tech/aadhaar-data-leak-exposes-cyber-security-flaws/article9677360.ece" rel="nofollow" target="_blank"><span> publicly exposing</span> </a>personal and Aadhaar details of over 13 crore citizens".</p>
<p style="text-align: justify; ">The government has been rather lackadaisical about the grave security threats posed by India's shaky digital infrastructure, saying it's robust when it's not: the UIDAI itself has been brushing the allegations of exclusion, data breach and leaking of data from various government and private operators' servers and there have been several documentations of the security threat as well as the human rights violations that the digital breaches pose for India's institutions and its citizens.</p>
<p style="text-align: justify; ">As noted welfare economist Jean Dreze <span><a href="http://indianexpress.com/article/opinion/columns/dissent-and-aadhaar-4645231/" rel="nofollow" target="_blank">says</a></span>, "With Aadhaar immensely reinforcing the government's power to reward loyalty and marginalise dissenters, the embers of democracy are likely to be further smothered."</p>
<p style="text-align: justify; ">Even as India's jurisprudence held privacy and autonomy as supreme, Indians remain vulnerable to institutional failures and an abject lack of awareness on the gravity of digital destabilisation.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/daily-o-october-4-2017-attempted-data-breach-of-uidai-rbi-isro-and-flipkart'>http://editors.cis-india.org/internet-governance/news/daily-o-october-4-2017-attempted-data-breach-of-uidai-rbi-isro-and-flipkart</a>
</p>
No publisherAdminAadhaarInternet GovernancePrivacy2018-01-02T16:20:58ZNews Item