The Centre for Internet and Society
http://editors.cis-india.org
Govt narrative on Aadhaar has not changed in the last six years: Sunil Abraham
http://editors.cis-india.org/internet-governance/news/livemint-march-8-2016-shreeja-sen-govt-narrative-on-aadhaar-has-not-changed-in-last-six-years-sunil-abraham
<b>The bill is basically the same as the UPA version, with some cosmetic changes, and some tokenism towards the right to privacy, says Abraham.</b>
<table class="listing">
<tbody>
<tr>
<td>Shreeja Sen interviewed Sunil Abraham. The article was <a class="external-link" href="http://www.livemint.com/Politics/l0H1RQZEM8EmPlRFwRc26H/Govt-narrative-on-Aadhaar-has-not-changed-in-the-last-six-ye.html">published in Livemint</a> on March 8, 2016.</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">The government’s bid to push financial inclusiveness and access to government services has received a fresh boost, with finance minister Arun Jaitley introducing a proposed law to give legislative backing to Aadhaar, being implemented by the Unique Identification Authority of India (UIDAI).</p>
<p style="text-align: justify; ">This project, which uses a person’s biometric data like fingerprints and iris scans to authenticate identity of people receiving subsidies and other state benefits, will move India towards a cashless economy and help digital initiatives such as biometric attendance, Pradhan Mantri Jan Dhan Yojana, digital certificates, pension payments and the proposed introduction of payments banks.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Sunil Abraham, 42</p>
<p style="text-align: justify; ">Abraham is executive director of Centre for Internet and Society, a Bengaluru-based think tank focusing on accessibility, access to knowledge, telecom and Internet governance. He has written extensively on the UID scheme, and the intersection of privacy and security. He founded Mahiti—an enterprise that aims to reduce the cost and complexity of information and communications technology for the voluntary sector by using free software.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The Aadhaar project has faced its share of roadblocks with cases challenging it pending before the Supreme Court. A constitution bench of the court will decide whether the right to privacy is a fundamental right and if Aadhaar violates it.</p>
<p style="text-align: justify; ">Sunil Abraham, the executive director of Centre for Internet and Society, a Bengaluru-based policy research institute, is a critic of Aadhaar for several reasons. He explained his concerns in an interview. Edited excerpts:</p>
<p style="text-align: justify; "><strong>Have any of the concerns regarding the Aadhaar project since its inception in 2009 been addressed?</strong></p>
<p style="text-align: justify; ">Whatever we complained about six or seven years ago, whatever complaints were made by the civil society...all of those complaints remain in the exact same situation.</p>
<p style="text-align: justify; ">Nothing has changed.</p>
<p style="text-align: justify; "><strong>What kind of concerns?</strong></p>
<p style="text-align: justify; ">The first thing to remember is that privacy and security are just two sides of the same coin. You cannot have one without the other.</p>
<p style="text-align: justify; ">Our first concern with the project is centralization. Whenever you build an information system, and you create a central point of failure, then it will fail because the possibility of failure exists. The Internet has no central point of failure. That is why it is so difficult for you to bring the Internet down. Complaint number 2 is the opaque technology.</p>
<p style="text-align: justify; ">UIDAI keeps saying that “we have built a technology using a free software and open standard stack”. The first is a de-duplication software and the second one is the authentication software—those are the most important pieces of software.</p>
<p style="text-align: justify; ">This software is proprietary and nobody knows how they work and nobody can independently audit them.</p>
<p style="text-align: justify; ">The third complaint is the use of an irrevocable and non-consensual authentication factor. In the UID scheme, the biometrics serve two purposes: it can be used to identify a citizen and it can be used to authenticate a transaction. Authentication factors, commonly known as passwords, should always be revocable. That means if the password is compromised, you should be able to change the password or at least say that this password is no longer valid. The use of biometrics eliminates those two important requirements.</p>
<p style="text-align: justify; ">Further, in most other authentication, the process of authentication ensures that you are consenting. For example, PIN (personal identity number) authentications. But suppose I am authenticating you through your irises, then as long as your eyes are open, the machine will think you’re authenticating. There’s no way of saying I don’t want to authenticate. Or if you’re sleeping, somebody can hold your fingers over a biometric reader and open your iPhone. So that’s complaint number three.</p>
<p style="text-align: justify; ">The fourth complaint from the privacy perspective is: there is a very important database that they don’t talk about. I call it the transactions database. Suppose there is somebody who is using the UIDAI service to authenticate a transaction, then UIDAI should keep a record of that successful or unsuccessful transaction authentication. That means you have been registered into the database.</p>
<p style="text-align: justify; ">You go to a fair price shop to purchase subsidized grain and at that fair price shop or ration shop, you use your finger on the biometric reader, and then the UIDAI system says “yes you are indeed who you say you are”.</p>
<p style="text-align: justify; ">So, at that point, later the shop should not be able to say X never came here, or X came twice. So, in order for them to not say all those things, a record should be made on the UID database, that on this day, from this geographical location, this particular biometric reader sent us X’s biometric template and asked if the template matched against X’s UID number...the transaction database can be used for profiling. They never talk about it.</p>
<p style="text-align: justify; ">They never tell us what that database holds and how long they’re keeping all those records. None of that is clear.</p>
<p style="text-align: justify; "><strong>Does Aadhaar bill help assuage your doubts about the project?</strong></p>
<p style="text-align: justify; ">The government narrative has not changed in the last six years; the bill is basically the same as the UPA (United Progressive Alliance) version, with some cosmetic changes, and some tokenism towards the right to privacy. The proof that the technology is fallible is in the bill.</p>
<p style="text-align: justify; ">If the technology was infallible, as the UIDAI would like us to believe, then the bill would not criminalize the following: (1) impersonation at the time of enrolment; (2) unauthorized access to the Central Identities Data Repository.</p>
<p style="text-align: justify; ">Imagine that the bill admits that every Indian’s biometric can be stolen from one single centralized database. Now why don’t we have a similar offence for stealing all private keys from the Internet—we don’t because that is technical impossibility thanks to decentralization.</p>
<p style="text-align: justify; ">Therefore we don’t need a law to make (it) illegal. We’ve suggested changes to both the technology and the law. We’ve written seven open letters to the UIDAI, and we’ve never gotten any response. Very few of our concerns have been addressed. We’ve seen dogs getting UID, various other things getting UID, so there’s a lot of evidence that the system does not work. From Kerala we have stories of one person getting several UIDs, so we have no idea about technological feasibility of the project.</p>
<p style="text-align: justify; ">One of our distinguished fellows, Hans Varghese Mathews, has published an academic paper in the latest <i>EPW</i> (<i>Economic and Political Weekly</i>), by extrapolating UIDAI field trial data to national scale. He predicts that by the time the number crosses 1 billion, every time UIDAI tries to register someone new, they will match with about 850 people already in the database positively. So, the unique identification capability of the UIDAI will not scale above the billion. The consequence of the technology failing is not trivial. If someone replaces your biometrics in the central database, then the onus is on you to prove that you are a resident of India.</p>
<p style="text-align: justify; ">Previously, human beings determined the answer to this question, and they had to find proof that you were not a resident. Now, a fallible technology will be asked to answer this important question.</p>
<p style="text-align: justify; "><strong>Isn’t the basic function of the Aadhaar project to ensure that benefits reach the person they are meant for, and it’s easier for people to get an identity proof for those who have no other ID, like migrant workers?</strong></p>
<p style="text-align: justify; ">Two responses: is it good anti-corruption technology? Unfortunately not, because it is intended at retail fraud. The person under surveillance is very poor. But the person responsible for corruption is not poor. So, I believe you should be surveilling those responsible for corruption.</p>
<p style="text-align: justify; ">What I had said is UID should be first given to every single bureaucrat and every single politician in the country. From Delhi till the Panchayat office, till the ration shop in the village, that supply chain must be monitored and documented using cryptography, so that nobody can deny anything. We need non-repudiatable audit trail from New Delhi to the village because according to all analyses, that is where the theft is happening—in the supply chain. The villager who is taking false benefits, that is called retail fraud.</p>
<p style="text-align: justify; ">The bulk of the fraud is actually wholesale fraud. Please tackle wholesale fraud using non-repudiatable public audit trail from New Delhi to the village first, before you start surveilling the poor.</p>
<p style="text-align: justify; ">The second point is that people find it easy to get the UID. That is fine, but there is a problem; that it’s not uniquely identifying anybody. So, people will keep registering and the UID system will keep giving them more and more UIDs because there are no human checks and balances. Because you’ve gone with a pure technological solution, it’s very easy to fool (the system).</p>
<p style="text-align: justify; ">So, the ease of registration has not served the purpose.</p>
No publisher | praskrishna | Aadhaar, Internet Governance, Privacy | 2016-03-16T16:37:19Z | News Item
Aadhaar is actually surveillance tech: Sunil Abraham
http://editors.cis-india.org/internet-governance/news/business-standard-sahil-makkar-march-12-2016-aadhaar-is-actually-surveillance-tech-sunil-abraham
<b>On March 12, the Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016, paving the way for giving legal status to Aadhaar, a 12-digit unique identification number generated after collecting biometric and other details of an Indian resident.</b>
<p style="text-align: justify; ">Sahil Makkar on behalf of Business Standard interviewed Sunil Abraham. The <a class="external-link" href="http://www.business-standard.com/article/opinion/aadhaar-is-actually-surveillance-tech-sunil-abraham-116031200790_1.html">article was published</a> on March 12, 2016.</p>
<hr />
<p style="text-align: justify; ">The government intends to use Aadhaar to roll out more subsidy schemes and allay privacy concerns. However, activists are not convinced. <strong>Sunil Abraham</strong>, executive director of Bengaluru-based research organisation The Centre for Internet &amp; Society, tells <em>Sahil Makkar</em> that the concept of Aadhaar is principally flawed and it doesn't substantially help in plugging leakages in government schemes. Edited excerpts:</p>
<p style="text-align: justify; "><strong>What is your position on Aadhaar and the UIDAI Bill?<br /><br /></strong> What technology has broken cannot be fixed by the law. Aadhaar is a broken technology; it is surveillance technology disguised as developmental intervention that identifies people without their consent and authenticates transactions on their behalf. The architecture is a disaster from the security perspective and there is no recourse in law for citizens whose rights have been infringed. The other objection should be to the subtitle of the Bill that mentions "services": it is unclear whether Aadhaar is to be provided to the residents or the citizens. A bulk of the government services is meant for citizens.<br /><br /><strong>What are the repercussions of this "broken technology"?</strong><br /><br /> Consent happens without conscious cooperation during the authentication process of getting access to a subsidy or a service. Also, the person providing the service is holding a biometric reader and he may say the device is not working and hence, refuse the subsidy. Yet the database will reflect that the subsidy has been availed of because authentication has already been completed. So you have to accept what the person is saying because only that person and the UIDAI have access to the information. Aadhaar makes the citizen transparent to the state but makes the state completely opaque and unaccountable to its citizens.<br /><br /><strong>Will the beneficiary not receive a message about the transaction?</strong><br /><br /> That will only happen when the banks are involved. At the subsidised ration shop the beneficiary will get nothing. The world over security professionals don't trust biometric-based authentication, relying rather on other revocable authentication factors. It is irrevocable if the biometric details are compromised. 
Instead, writable smart cards could be used to record details of government officers on the cards of beneficiaries and make both the state and the resident transparent to each other.<br /><br /><strong>Hasn't the National Population Register under the Ministry of Home Affairs been advocating the use of smart cards?</strong><br /><br /> In this case biometrics should be used only to link the individual to the smart card. Biometric information should be stored on smart cards and under no circumstances should there be a central repository of biometrics at one place. Maintaining a central database is akin to getting the keys of every house in Delhi and storing them at a central police station. The chances of getting a central database compromised depend on the nature of information stored in it. For the sake of security one can't create a honey pot to be attacked by many. The internet is secure because it doesn't have a central database. The other difference is that faking biometrics is much easier than faking smart cards.<br /><br /><strong>So your principal opposition is to the setting up of a central repository of biometrics?</strong><br /><br /> I am also opposed to the use of biometrics for identification and authentication; this is nothing but surveillance. It is very easy to capture iris data of any individual with the use of next generation cameras. Imagine a situation when the police is secretly capturing the iris data of protesters and then identifying them through their biometric records.<br /><br /><strong>But if the security agencies are able to identify those who create law and order problems, what is the hitch?</strong><br /><br /> It is exactly the same argument that Apple is giving while refusing back-door entry to intelligence and investigating agencies. Once you build surveillance capacity for good governance, it may be misused by a repressive government, a rogue corporation or by criminals. 
Fear of this type of surveillance will deter people from holding any protest.<br /><br /><strong>Doesn't the Aadhaar or the UIDAI conform to safety and security provisions in the IT Act?</strong><br /><br /> The standards in our IT Act are woefully inadequate in comparison to European regulators and courts. If it adhered to the highest standards, the European privacy commissioner and data protection authorities would have given India adequacy status. The second problem is that the current IT Act doesn't apply to the government. If the government holds your data, it is under no obligation to protect your rights.<br /><br /><strong>You have been part of the Justice A P Shah Committee on privacy. How important is it to have a separate privacy law in the present context?</strong><br /><br /> It is not only important for the purpose of safeguarding human rights, but also to protect the competitiveness of our BPO, ITeS and KPO sectors. We need a data protection law that is compliant with European Data Protection Regulation.<br /><br /><strong>How will such a law help a common man whose data have been compromised?</strong><br /><br /> It will provide clarity to an individual about where he or she stands with regard to privacy. It is strange that the government took diametrically opposite stands in two cases related to privacy in the Supreme Court. When some activists demanded that the UIDAI be scrapped, the government argued before the court that there was no Constitutional right to privacy. When the police asked for the biometric records from the UIDAI, the same government argued there was a right to privacy and that it couldn't divulge the details to the police. The government is not speaking in the same voice; even courts are not speaking in the same voice, because there have been conflicting judgements. 
So the proposed law will provide clarity on privacy and people will be able to seek compensation under it.<br /><br /><strong>At the same time it cannot be denied that Aadhaar can plug leakages and save hundreds and thousands of rupees for the exchequer....</strong><br /><br /> Aadhaar is only answering two questions: Is this particular biometric unique (enrolment) and does it match the template in the database? If you bring a Bangladeshi into the system, it will answer both the questions in the affirmative. The Aadhaar only eliminates the possibility of one person receiving the benefits twice. At the same time it is very easy to put a ghost beneficiary back into the system. If Aadhaar has to work, we need a publicly visible auditable trail of subsidy moving from Delhi to the villages. That will eliminate corruption in the supply chain.<br /><br /><strong>Isn't it difficult for a large number of ghost beneficiaries to get into the system?</strong><br /><br /> There is no way to check whether a genuine or a ghost beneficiary has been removed from the list. It is not a foolproof system because no one is vouching for anybody. In the current system it is difficult to find out who created this ghost beneficiary. Nobody loses a job for creating a ghost; in fact, here everyone has an incentive.<br /><br /><strong>If there are problems with the UIDAI system, why is the government upbeat about it?</strong><br /><br /> As techno-utopians our government wants technology to answer everything and solve all our problems. If anything goes wrong, it can easily be blamed on technology.</p>
No publisher | praskrishna | Aadhaar, Internet Governance, Privacy | 2016-03-16T17:07:39Z | News Item
Forget privacy, Aadhaar Bill gives too much power to the executive
http://editors.cis-india.org/internet-governance/news/hindustan-times-march-17-2016-aloke-tikku-forget-privacy-aadhaar-bill-gives-too-much-power-to-the-executive
<b>The government promotes the Aadhaar programme because it believes the 12-digit unique identification number will let them track every penny spent from the exchequer. But money is not all that the Aadhaar number can track.</b>
<p style="text-align: justify; ">The article by Aloke Tikku was <a class="external-link" href="http://www.hindustantimes.com/india/forget-privacy-aadhaar-bill-gives-too-much-power-to-the-executive/story-ZZjsWwMypqyw7Q5nIFWXcJ.html">published in the Hindustan Times</a> on March 17, 2016. Sunil Abraham gave inputs.</p>
<hr />
<p style="text-align: justify; ">It can help track people too with amazing efficiency. This is at the centre of the controversy around the programme, and the Aadhaar bill that requires every resident to get the number to access government subsidies and services.</p>
<p style="text-align: justify; ">Finance minister Arun Jaitley put up a spirited defence of the bill in the Rajya Sabha on Wednesday when the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 came up for passage. And he was right.</p>
<p style="text-align: justify; ">As far as privacy is concerned, the NDA government’s version is much more stringent than the creaky draft proposed by the UPA in 2010.</p>
<p style="text-align: justify; ">Jaitley said there were only two circumstances in which personal data collected by UIDAI could be shared under this bill.</p>
<p style="text-align: justify; ">One, if the Aadhaar number holder consents to his details being shared. Second, if a government agency wants to access this data on grounds of national security.</p>
<p style="text-align: justify; ">But the debate around privacy concerns – that neither the NDA nor the UPA governments addressed – and the new bill is much more fundamental.</p>
<p style="text-align: justify; ">The Aadhaar bill gives the executive too much power to decide how to administer the law.</p>
<p style="text-align: justify; ">Every law requires the government to frame rules to specify the nitty-gritty of its implementation.</p>
<p style="text-align: justify; ">But the Aadhaar bill passed by Parliament gives the Unique Identification Authority of India (UIDAI) the power to prescribe regulations for nearly every provision, right down to what biometric or biological attributes need to be captured.</p>
<p style="text-align: justify; ">“The law leaves too much power in the hands of the executive,” said Sunil Abraham, executive director of the Bengaluru-headquartered research advocacy group, Centre for Internet and Society.</p>
<p style="text-align: justify; ">For instance, the bill gives the Unique Identification Authority of India (UIDAI) powers to determine if it should collect any biological attribute of people too. This means the government could at a later date mandate that the DNA of all Aadhaar number holders be collected too.</p>
<p style="text-align: justify; ">The example echoed in the Rajya Sabha on Wednesday as well.</p>
<p style="text-align: justify; ">“No power should be delegated to the UID Authority because then the UID Authority will decide tomorrow that DNA is required, and they will then have the powers to take DNA information as well,” Congress MP Jairam Ramesh said.</p>
<p style="text-align: justify; ">The minister tried to explain the reliance on regulations issued by UIDAI – the word ‘regulations’ does appear some 50 times through the legislation – as compared to less than 10 in, say, the right to information law or the 2010 version of the bill.</p>
<p style="text-align: justify; ">He said MPs could still review notifications issued by UIDAI when they are placed for parliamentary approval.</p>
No publisher | praskrishna | Aadhaar, Internet Governance, Privacy | 2016-03-17T14:44:12Z | News Item
India's billion-member biometric database raises privacy fears
http://editors.cis-india.org/internet-governance/news/reuters-march-16-2016-sanjeev-miglani-and-manoj-kumar-indias-billion-member-biometric-database-raises-privacy-fears
<b>India's parliament is set to pass legislation that gives federal agencies access to the world's biggest biometric database in the interests of national security, raising fears the privacy of a billion people could be compromised.</b>
<p style="text-align: justify; ">The article by Sanjeev Miglani and Manoj Kumar was <a class="external-link" href="http://www.reuters.com/article/us-india-biometrics-idUSKCN0WI14E">published by Reuters</a> on March 16, 2016. Sunil Abraham was quoted.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The move comes as the ruling Bharatiya Janata Party (BJP) cracks down on student protests and pushes a Hindu nationalist agenda in state elections, steps that some say erode India's traditions of tolerance and free speech.</p>
<p style="text-align: justify; ">It could also usher in surveillance far more intrusive than the U.S. telephone and Internet spying revealed by former National Security Agency (NSA) contractor Edward Snowden in 2013, some privacy advocates said.</p>
<p style="text-align: justify; ">The Aadhaar database scheme, started seven years ago, was set up to streamline payment of benefits and cut down on massive wastage and fraud, and already nearly a billion people have registered their fingerprints and iris signatures.</p>
<p style="text-align: justify; ">Now the BJP, which inherited the scheme, wants to pass new provisions including those on national security, using a loophole to bypass the opposition in parliament.</p>
<p style="text-align: justify; ">"It has been showcased as a tool exclusively meant for disbursement of subsidies and we do not realize that it can also be used for mass surveillance," said Tathagata Satpathy, a lawmaker from the eastern state of Odisha.</p>
<p style="text-align: justify; ">"Can the government ... assure us that this Aadhaar card and the data that will be collected under it – biometric, biological, iris scan, finger print, everything put together – will not be misused as has been done by the NSA in the U.S.?"</p>
<p style="text-align: justify; ">Finance Minister Arun Jaitley has defended the legislation in parliament, saying Aadhaar saved the government an estimated 150 billion rupees ($2.2 billion) in the 2014-15 financial year alone.</p>
<p style="text-align: justify; ">A finance ministry spokesman added that the government had taken steps to ensure citizens' privacy would be respected and the authority to access data was exercised only in rare cases.<br /> <br />According to another government official, the new law is in fact more limited in scope than the decades-old Indian Telegraph Act, which permits national security agencies and tax authorities to intercept telephone conversations of individuals in the interest of public safety.</p>
<p style="text-align: justify; ">"POLICE STATE"</p>
<p style="text-align: justify; ">Those assurances have not satisfied political opponents and people from religious minorities, including India's sizeable Muslim community, who say the database could be used as a tool to silence them.</p>
<p style="text-align: justify; ">"We are midwifing a police state," said Asaduddin Owaisi, an opposition MP.</p>
<p style="text-align: justify; ">Raman Jit Singh Chima, global policy director at Access, an international digital rights organization, said the proposed Indian law lacked the transparency and oversight safeguards found in Europe or the United States, which last year reformed its bulk telephone surveillance program.</p>
<p style="text-align: justify; ">He pointed to the U.S. Foreign Intelligence Surveillance Court, which must approve many surveillance requests made by intelligence agencies, and European data protection authorities as oversight mechanisms not present in the Indian proposal.</p>
<p style="text-align: justify; ">The Indian government brought the Aadhaar legislation to the upper house of parliament on Wednesday in a bid to secure passage before lawmakers go into recess.</p>
<p style="text-align: justify; ">To get around its lack of a majority there, the BJP is presenting it as a financial bill, which the upper chamber cannot reject. It can return it to the lower house, where the ruling party has a majority.</p>
<p style="text-align: justify; ">In its assessment of the measure, New Delhi-based PRS Legislative Research said law enforcement agencies could use someone's Aadhaar number as a link across various datasets such as telephone and air travel records.</p>
<p style="text-align: justify; ">That would allow them to recognize patterns of behavior and detect potential illegal activities.</p>
<p style="text-align: justify; ">But it could also lead to harassment of individuals who are identified incorrectly as potential security threats, PRS said.</p>
<p style="text-align: justify; ">Sunil Abraham, executive director of the Bengaluru-based Centre for Internet and Society, said Aadhaar created a central repository of biometrics for almost every citizen of the world's most populous democracy that could be compromised.</p>
<p style="text-align: justify; ">"Maintaining a central database is akin to getting the keys of every house in Delhi and storing them at a central police station," he said.</p>
<p style="text-align: justify; ">"It is very easy to capture iris data of any individual with the use of next generation cameras. Imagine a situation where the police is secretly capturing the iris data of protesters and then identifying them through their biometric records."</p>
No publisher | praskrishna | Aadhaar, Internet Governance, Privacy | 2016-03-17T15:25:45Z | News Item
Privacy Concerns Overshadow Monetary Benefits of Aadhaar Scheme
http://editors.cis-india.org/internet-governance/blog/hindustan-times-amber-sinha-pranesh-prakash-march-12-2016-privacy-concerns-overshadow-monetary-benefits-of-aadhaar-scheme
<b>Since its inception in 2009, the Aadhaar system has been shrouded in controversy over issues of privacy, security and viability. It has been implemented without a legislative mandate and has resulted in a PIL in the Supreme Court, which referred it to a Constitution bench. On Friday, it kicked up more dust when the Lok Sabha passed a Bill to give statutory backing to the unique identity number scheme.</b>
<p style="text-align: justify; ">The article was published in the <a class="external-link" href="http://www.hindustantimes.com/india/privacy-concerns-overshadow-monetary-benefits-of-aadhaar-scheme/story-E3o0HRwc6XOdlgjqgmmyAM.html">Hindustan Times </a>on March 12, 2016.</p>
<hr />
<p style="text-align: justify; ">There was an earlier attempt to give legislative backing to this project by the UPA government, but a parliamentary standing committee, led by BJP leader Yashwant Sinha, had rejected the bill in 2011 on multiple grounds. In an about-turn, the BJP-led NDA government decided to continue with Aadhaar despite most of those grounds still remaining.</p>
<p style="text-align: justify; ">Separately, there have been orders passed by the Supreme Court that prohibit the government from making Aadhaar mandatory for availing government services whereas this Bill seeks to do precisely that, contrary to the government’s argument that Aadhaar is voluntary.</p>
<p style="text-align: justify; ">In some respects, the new Aadhaar Bill is a significant improvement over the previous version. It places stringent restrictions on when and how the UID Authority (UIDAI) can share the data, noting that biometric information — fingerprint and iris scans — will not be shared with anyone. It seeks prior consent for sharing data with a third party. These are very welcome provisions.</p>
<p style="text-align: justify; ">But a second reading reveals the loopholes.</p>
<p style="text-align: justify; ">The government will get sweeping power to access the data collected, ostensibly for “efficient, transparent, and targeted delivery of subsidies, benefits and services” as it pleases “in the interests of national security”, thus confirming the suspicions that the UID database is a surveillance programme masquerading as a project to aid service delivery.</p>
<p style="text-align: justify; ">The safeguards related to accessing the identification information can be overridden by a district judge. Even the core biometric information may be disclosed in the interest of national security on directions of a joint secretary-level officer. Such loopholes nullify the privacy-protecting provisions.</p>
<p style="text-align: justify; ">Amongst the privacy concerns raised by the Aadhaar system are the powers it provides private third parties to use one’s UID number. This concern, which wouldn’t exist without a national ID, squarely relates to Aadhaar and needs a more comprehensive data protection law to fix it. The supposed data protection under the Information Technology Act is laughable and inadequate.</p>
<p style="text-align: justify; ">The Bill was introduced as a Money Bill, normally reserved for matters related to taxation, borrowing and the Consolidated Fund of India (CFI), and it would be fair to question whether this was done to circumvent the Rajya Sabha.</p>
<p style="text-align: justify; ">None of the above arguments even get to the question of implementation.</p>
<p style="text-align: justify; ">Aadhaar hasn’t been working. When looking into reasons why 22% of PDS cardholders in Andhra Pradesh didn’t collect their rations it was found that there was fingerprint authentication failure in 290 of the 790 cardholders, and in 93 instances there was an ID mismatch. A recent paper in the Economic and Political Weekly by Hans Mathews, a mathematician with the CIS, shows the programme would fail to uniquely identify individuals in a country of 1.2 billion.</p>
<p style="text-align: justify; ">The debate shouldn’t be only about the Aadhaar Bill being passed off as a Money Bill and about the robustness of its privacy provisions, but about whether the Aadhaar project can actually meet its stated goals.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/hindustan-times-amber-sinha-pranesh-prakash-march-12-2016-privacy-concerns-overshadow-monetary-benefits-of-aadhaar-scheme'>http://editors.cis-india.org/internet-governance/blog/hindustan-times-amber-sinha-pranesh-prakash-march-12-2016-privacy-concerns-overshadow-monetary-benefits-of-aadhaar-scheme</a>
</p>
No publisher | Pranesh Prakash and Amber Sinha | Aadhaar, Internet Governance, Privacy | 2016-03-17T16:12:26Z | Blog Entry
Analysis of Aadhaar Act in the Context of A.P. Shah Committee Principles
http://editors.cis-india.org/internet-governance/blog/analysis-of-aadhaar-act-in-context-of-shah-committee-principles
<b>Whilst there are a number of controversies relating to the Aadhaar Act, including the fact that it was introduced in a manner so as to circumvent the majority of the opposition in the upper house of the Parliament and that it was rushed through the Lok Sabha in a mere eight days, in this paper we shall discuss the substantial aspects of the Act in relation to privacy concerns which have been raised by a number of experts. In October 2012, the Group of Experts on Privacy constituted by the Planning Commission under the chairmanship of Justice AP Shah submitted its report, which listed nine principles of privacy which all legislations, especially those dealing with personal information, should adhere to. In this paper, we shall discuss how the Aadhaar Act fares vis-à-vis these nine principles.</b>
<p> </p>
<h2>Introduction</h2>
<p>The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (the “Aadhaar Act”) was introduced in the Lok Sabha (lower house of the Parliament) by Minister of Finance, Mr. Arun Jaitley, on March 3, 2016, and was passed by the Lok Sabha on March 11, 2016. It was sent back by the Rajya Sabha with suggestions but the Lok Sabha rejected those suggestions, which means that the Act is now deemed to have been passed by both houses as it was originally introduced as a Money Bill. Whilst there are a number of controversies relating to the Aadhaar Act, including the fact that it was introduced in a manner so as to circumvent the majority of the opposition in the upper house of the Parliament and that it was rushed through the Lok Sabha in a mere eight days, in this paper we shall discuss the substantial aspects of the Act in relation to privacy concerns which have been raised by a number of experts. In October 2012, the Group of Experts on Privacy constituted by the Planning Commission under the chairmanship of Justice AP Shah submitted its report, which listed nine principles of privacy which all legislations, especially those dealing with personal information, should adhere to. In this paper, we shall discuss how the Aadhaar Act fares vis-à-vis these nine principles.</p>
<p>In order for the reader to better understand the frame of reference on which we shall analyse the Aadhaar Act, the nine principles contained in the report of the Group of Experts on Privacy are explained in brief below:</p>
<ul><li><strong>Principle 1: Notice</strong> - Does the legislation/regulation require that entities governed by the Act give simple to understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them.</li>
<li><strong>Principle 2: Choice and Consent</strong> - Does the legislation/regulation require that entities governed under the Act provide the individual with the option to opt in/opt out of providing their personal information.</li>
<li><strong>Principle 3: Collection Limitation</strong> - Does the legislation/regulation require that entities governed under the Act collect personal information from individuals only as is necessary for a purpose identified.</li>
<li><strong>Principle 4: Purpose Limitation</strong> - Does the legislation/regulation require that personal data collected and processed by entities governed by the Act be adequate and relevant to the purposes for which they are processed.</li>
<li><strong>Principle 5: Access and Correction</strong> - Does the legislation/regulation allow individuals: access to personal information about them held by an entity governed by the Act; the ability to seek correction, amendments, or deletion of such information where it is inaccurate, etc.</li>
<li><strong>Principle 6: Disclosure</strong> - Does the legislation ensure that information is only disclosed to third parties after notice and informed consent is obtained. Is disclosure allowed for law enforcement purposes done in accordance with laws in force.</li>
<li><strong>Principle 7: Security</strong> - Does the legislation/regulation ensure that information that is collected and processed under that Act, is done so in a manner that protects against loss, unauthorized access, destruction, etc.</li>
<li><strong>Principle 8: Openness</strong> - Does the legislation/regulation require that any entity processing data take all necessary steps to implement practices, procedures, policies and systems in a manner proportional to the scale, scope, and sensitivity to the data that is collected and processed and is this information made available to all individuals in an intelligible form, using clear and plain language?</li>
<li><strong>Principle 9: Accountability</strong> - Does the legislation/regulation provide for measures that ensure compliance of the privacy principles? This would include measures such as mechanisms to implement privacy policies; including tools, training, and education; and external and internal audits.</li></ul>
<p> </p>
<h2>Analysis of the Aadhaar Act</h2>
<p>The Aadhaar Act has been brought about to give legislative backing to the most ambitious individual identity programme in the world which aims to provide a unique identity number to the entire population of India. The rationale behind this scheme is to correctly identify the beneficiaries of government schemes and subsidies so that leakages in government subsidies may be reduced. In furtherance of this rationale the Aadhaar Act gives the Unique Identification Authority of India (“UIDAI”) the power to enroll individuals by collecting their demographic and biometric information and issuing an Aadhaar number to them. Below is an analysis of the Act based on the privacy principles enumerated in the A.P. Shah Committee Report.</p>
<h3>Collection Limitation</h3>
<p><strong>Collection of Biometric and Demographic Information:</strong> The Aadhaar Act entitles every “resident”
<strong>[1]</strong> to obtain an Aadhaar number by submitting his/her biometric (photograph, fingerprint, iris scan) and demographic information (name, date of birth, address <strong>[2]</strong>) <strong>[3]</strong>. It must be noted that the Act leaves scope for further information to be included in the collection process if so specified by regulations. Moreover, although the Act specifically provides what information can be collected, it does not specifically prohibit the collection of further information. This becomes relevant because it makes it possible for enrolling agencies to collect extra information relating to individuals without any legal implications for such an act.</p>
<p><strong>Authentication Records:</strong> The UIDAI is mandated to maintain authentication records for a period which is yet to be specified (and shall be specified in the regulations) but it cannot collect or keep any information regarding the purpose for which the authentication request was made <strong>[4]</strong>.</p>
<p><strong>Unauthorized Collection:</strong> Any person who is not authorized to collect information under the Act, and pretends that he is authorized to do so, shall be punishable with imprisonment for a term which may extend to three years or with a fine which may extend to Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/- <strong>[5]</strong>. It must be noted that the section, as it is currently worded, seems to criminalize the act of impersonation of authorized individuals, and the actual collection of information is not required to complete this offence. It is not clear if this section will apply if a person who is authorized to collect information under the Act in general collects some information that he/she is not authorized to collect.</p>
<h3>Notice</h3>
<p><strong>Notice during Collection:</strong> The Aadhaar Act requires that the agencies enrolling people for distribution of Aadhaar numbers should give people notice regarding: (a) the manner in which the information shall be used; (b) the nature of recipients with whom the information is intended to be shared during authentication; and (c) the existence of a right to access information, the procedure for making requests for such access, and details of the person or department in-charge to whom such requests can be made <strong>[6]</strong>. A failure to comply with this requirement will make the agency liable for imprisonment of up to 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/- <strong>[7]</strong>. It must be noted that the Act leaves the manner of giving such notice in the realm of regulations and does not specify how this notice is to be provided, which leaves important specifics to the realm of the executive.</p>
<p><strong>Notice during Authentication:</strong> The Aadhaar Act requires that authenticating agencies shall give information to the individuals whose information is to be authenticated regarding (a) the nature of information that may be shared upon authentication; (b) the uses to which the information received during authentication may be put by the requesting entity; and (c) alternatives to submission of identity information to the requesting entity <strong>[8]</strong>. A failure to comply with this requirement will make the agency liable for imprisonment of up to 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/- <strong>[9]</strong>. Just as in the case of notice during collection, the manner in which the notice is required to be given is left to regulations, leaving an unclear picture as to how comprehensive, accessible, and frequent this notice must be.</p>
<h3>Access and Correction</h3>
<p><strong>Updating Information:</strong> The Aadhaar Act gives the UIDAI the power to require residents to update their demographic and biometric information from time to time so as to maintain its accuracy <strong>[10]</strong>.</p>
<p><strong>Access to Information:</strong> The Aadhaar Act provides that Aadhaar number holders may request the UIDAI to provide access to their identity information except their core biometric information <strong>[11]</strong>. It is not clear why access to the core biometric information <strong>[12]</strong> is not provided to an individual. Further, since section 6 seems to place the responsibility of updation and accuracy of biometric information on the individual, it is not clear how a person is supposed to know that the biometric information contained in the database has changed if he/she does not have access to the same. It may also be noted that the Aadhaar Act provides only for a request to the UIDAI for access to the information and does not make access to the information a right of the individual; this would mean that it would be entirely upon the discretion of the UIDAI to refuse to grant access to the information once a request has been made.</p>
<p><strong>Alteration of Information:</strong> The Aadhaar Act gives individuals the right to request the UIDAI to alter their demographic information if the same is incorrect or has changed, and their biometric information if it is lost or has changed. Upon receipt of such a request, if the UIDAI is satisfied, then it may make the necessary alteration and inform the individual accordingly. The Act also provides that no identity information in the Central database shall be altered except as provided in the regulations <strong>[13]</strong>. This section provides for alteration of identity information but only in the circumstances given in the section; for example, demographic information cannot be changed if it has been lost, and similarly biometric information cannot be changed if it is inaccurate. Further, the section does not give a right to the individual to get the information altered but only entitles him/her to request the UIDAI to make a change, and the final decision is left to the “satisfaction” of the UIDAI.</p>
<p><strong>Access to Authentication Record:</strong> Every individual is given the right to obtain his/her authentication record in a manner to be specified by regulations <strong>[14]</strong>.</p>
<h3>Disclosure</h3>
<p><strong>Sharing during Authentication:</strong> The UIDAI is entitled to reply to any authentication query with a positive, negative or any other response which may be appropriate and may share identity information except core biometric information with the requesting entity <strong>[15]</strong>. The language in this provision is ambiguous and it is unclear what 'identity information' may be shared and why it would be necessary to share such information as Aadhaar is meant to be only a means of authentication so as to remove duplication.</p>
<p><strong>Potential Disclosure during Maintenance of CIDR:</strong> The UIDAI has been given the power to appoint any one or more entities to establish and maintain the Central Identities Data Repository (CIDR) <strong>[16]</strong>. If a private entity is involved in the maintenance and establishment of the CIDR it can be presumed that there is the possibility that they would, to some degree, have access to the information stored in the CIDR, yet there are no clear standards in the Act regarding this potential access or the process for appointing such entities. The fact that the UIDAI has been given the freedom to appoint an outside entity to maintain a sensitive asset such as the CIDR raises security concerns.</p>
<p><strong>Restriction on Sharing Information:</strong> The Aadhaar Act creates a blanket prohibition on the usage of core biometric information for any purpose other than generation of Aadhaar numbers and also prohibits its sharing for any reason whatsoever <strong>[17]</strong>. Other identity information is allowed to be shared in the manner specified under the Act or as may be specified in the regulations <strong>[18]</strong>. The Act further provides that the requesting entities shall not disclose the identity information except with the prior consent of the individual to whom the information relates <strong>[19]</strong>. There is also a prohibition on publicly displaying Aadhaar number or core biometric information except as specified by regulations <strong>[20]</strong>. Officers of the UIDAI or the employees of the agencies employed to maintain the CIDR are prohibited from revealing the information stored in the CIDR or authentication record to anyone <strong>[21]</strong>. It is not clear why an exception has been carved out and what circumstances would require publicly displaying Aadhaar numbers and core biometric information, especially since the reasons for which such important information may be displayed have been left up to regulations which have relatively less oversight. The section also provides the requesting entities with an option to further disclose information if they take consent of the individuals. This may lead to a situation where a requesting entity, perhaps the provider of an essential service, may take the consent of the individual to disclose his/her information in a standard form contract, without the option of saying no to such a request. It may lead to situations where the option is between giving consent to disclosure or denial of service altogether. For this reason it is necessary that there should be an opt in and opt out provision wherever a requesting entity has the power to ask for disclosure of information, so that people are not coerced into giving consent.</p>
<p><strong>Disclosure in Specific Cases:</strong> The prohibition on disclosure of information (except for core biometric information) does not apply in case of any disclosure made pursuant to an order of a court not below that of a District Judge <strong>[22]</strong>. There is another exception to the prohibition on disclosure of information (including core biometric information) in the interest of national security if so directed by an officer not below the rank of a Joint Secretary to the Government of India specially authorised in this behalf by an order of the Central Government. Before any such direction can take effect, it will be reviewed by an oversight committee consisting of the Cabinet Secretary and the Secretaries to the Government of India in the Department of Legal Affairs and the Department of Electronics and Information Technology. Any such direction shall be valid for a period of three months and may be extended by another three months after the review by the Oversight Committee <strong>[23]</strong>. Although this provision has been criticized, and rightly so, for the lack of accountability since the entire process is being handled within the executive and there is no independent oversight, it must be mentioned that the level of oversight provided here is similar to that provided to interception requests, which involve a much graver if not the same level of invasion of privacy.</p>
<p><strong>Penalty for Disclosure:</strong> Any person who intentionally and in an unauthorized manner discloses, transmits, copies or otherwise disseminates any identity information collected in the course of enrolment or authentication shall be punishable with imprisonment of up to 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/- <strong>[24]</strong>. Further, any person who intentionally and in an unauthorised manner accesses information in the CIDR <strong>[25]</strong>, downloads, copies or extracts any data from the CIDR <strong>[26]</strong>, or reveals or shares or distributes any identity information, shall be punishable with imprisonment of up to 3 years and a fine of not less than Rs. 10,00,000/-.</p>
<h3>Consent</h3>
<p><strong>Consent for Authentication:</strong> A requesting entity has to take the consent of the individual before collecting his/her identity information for the purposes of authentication and also has to inform the individual of the alternatives to submission of the identity information <strong>[27]</strong>. Although this provision requires entities to take consent from the individuals before collecting information for authentication, how useful this requirement of consent would be still remains to be seen. There may be instances where a requesting entity may take the consent of the individual in a standard form contract, without the individual realizing what he/she is consenting to.</p>
<p><strong>Note:</strong> The Aadhaar Act provides no requirement or standard for the form of consent that must be taken during enrollment. This is significant as it is the point at which individuals are providing raw biometric material and, during previous enrollment, it has been a point of weakness, as the consent taken is an enabler to function creep: it allows the UIDAI to share information with agencies engaged in delivery of welfare services <strong>[28]</strong>.</p>
<h3>Purpose</h3>
<p><strong>Use of Information:</strong> The authenticating entities are allowed to use the identity information only for the purpose of submission to the CIDR for authentication <strong>[29]</strong>. Further, the Act specifies that identity information available with a requesting entity shall not be used for any purpose other than that specified to the individual at the time of submitting the information for authentication <strong>[30]</strong>. The Act also provides that any authentication entity which uses the information for any purpose not already specified will be liable to punishment of imprisonment of up to 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/- <strong>[31]</strong>.</p>
<h3>Security</h3>
<p><strong>Security and Confidentiality of Information:</strong> It is the responsibility of the UIDAI to ensure the security and confidentiality of the identity and authentication information and it is required to take all necessary action to ensure that the information in the CIDR is protected against unauthorized access, use or disclosure and against accidental or intentional destruction, loss or damage <strong>[32]</strong>. The UIDAI is required to adopt and implement appropriate technical and organisational security measures and also ensure that its contractors do the same <strong>[33]</strong>. It is also required to ensure that the agreements entered into with its contractors impose the same conditions as are imposed on the UIDAI under the Act and that they shall act only upon the instructions of the UIDAI <strong>[34]</strong>.</p>
<p><strong>Biometric Information to be Electronic Record:</strong> The biometric information collected by the UIDAI has been deemed to be an “electronic record” as well as “sensitive personal data or information”, which would mean that in addition to the provisions of the Aadhaar Act, the provisions contained in the Information Technology Act, 2000 will also apply to such information <strong>[35]</strong>. It must be noted that while the Act lays down the principle that UIDAI is required to ensure the security of the information, it does not lay down any guidelines as to the minimum security standards to be implemented by the Authority. However, through this section the legislature has linked the security standards contained in the IT Act to the information contained in this Act. While this is a clean way of dealing with the issue, some people may argue that the extremely sensitive nature of the information contained in the CIDR requires the standards for security to be much stricter than those provided in the IT Act. However, a perusal of Rule 8 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 shows that the Rules themselves provide that the standard of security must be commensurate with the information assets being protected. It would thus seem that the Act provides enough room to protect such important information, but perhaps leaves too much room for interpretation for such an important issue.</p>
<p><strong>Penalty for Unauthorised Access:</strong> Apart from the security provisions included in the legislation, the Aadhaar Act also provides for punishment of imprisonment of up to 3 years and a fine which shall not be less than Rs. 10,00,000/-, in case of the following offences:</p>
<ol><li>introduction of any virus or other computer contaminant in the CIDR <strong>[36]</strong>;</li>
<li>causing damage to the data in the CIDR <strong>[37]</strong>;</li>
<li>disruption of access to the CIDR <strong>[38]</strong>;</li>
<li>denial of access to any person who is authorised to access the CIDR <strong>[39]</strong>;</li>
<li>destruction, deletion or alteration of any information stored in any removable storage media or in the CIDR or diminishing its value or utility or affecting it injuriously by any means <strong>[40]</strong>;</li>
<li>stealing, concealing, destroying or altering any computer source code used by the Authority with an intention to cause damage <strong>[41]</strong>.</li></ol>
<p>Further, unauthorized usage or tampering with the data in the CIDR or in any removable storage medium with the intent of modifying information relating to Aadhaar number holder or discovering any information thereof, is also punishable with imprisonment for a term which may extend to 3 years and also a fine which may extend to Rs. 10,000/- <strong>[42]</strong>.</p>
<h3>Accountability</h3>
<p><strong>Inspections and Audits:</strong> One of the functions listed in the powers and functions of the UIDAI is the power to call for information and records, conduct inspections, inquiries and audit of the operations of the CIDR, Registrars, enrolling agencies and other agencies appointed under the Aadhaar Act <strong>[43]</strong>.</p>
<p><strong>Grievance Redressal:</strong> Another function of the UIDAI is to set up facilitation centres and grievance redressal mechanisms for redressal of grievances of individuals, Registrars, enrolling agencies and other service providers <strong>[44]</strong>. It must be said here that considering the importance that the government has given to and intends to give to Aadhaar in the future, an essential task such as grievance redressal should not be left entirely to the discretion of the UIDAI and some grievance redressal mechanism should be incorporated into the Act itself.</p>
<h3>Openness</h3>
<p>There does not seem to be any provision in the Aadhaar Act which requires the UIDAI to make its privacy policies and procedures available to the public in general even though the UIDAI has the responsibility to maintain the security and confidentiality of the information.</p>
<p> </p>
<h2>Endnotes</h2>
<p><strong>[1]</strong> A resident is defined as any person who has resided in India for a period of at least 182 days in the previous 12 months.</p>
<p><strong>[2]</strong> It has been specified that demographic information will not include race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history.</p>
<p><strong>[3]</strong> Section 3(1) of the Aadhaar Act.</p>
<p><strong>[4]</strong> Section 32(1) and 32(3) of the Aadhaar Act.</p>
<p><strong>[5]</strong> Section 36 of the Aadhaar Act.</p>
<p><strong>[6]</strong> Section 3(2) of the Aadhaar Act.</p>
<p><strong>[7]</strong> Section 41 of the Aadhaar Act.</p>
<p><strong>[8]</strong> Section 8(3) of the Aadhaar Act.</p>
<p><strong>[9]</strong> Section 41 of the Aadhaar Act.</p>
<p><strong>[10]</strong> Section 6 of the Aadhaar Act.</p>
<p><strong>[11]</strong> Section 28, <em>proviso</em> of the Aadhaar Act.</p>
<p><strong>[12]</strong> Core biometric information is defined as fingerprints, iris scan or other biological attributes which may be specified by regulations.</p>
<p><strong>[13]</strong> Section 31 of the Aadhaar Act.</p>
<p><strong>[14]</strong> Section 32(2) of the Aadhaar Act.</p>
<p><strong>[15]</strong> Section 8(4) of the Aadhaar Act.</p>
<p><strong>[16]</strong> Section 10 of the Aadhaar Act.</p>
<p><strong>[17]</strong> Section 29(1) of the Aadhaar Act.</p>
<p><strong>[18]</strong> Section 29(2) of the Aadhaar Act.</p>
<p><strong>[19]</strong> Section 29(3)(b) of the Aadhaar Act.</p>
<p><strong>[20]</strong> Section 29(4) of the Aadhaar Act.</p>
<p><strong>[21]</strong> Section 28(5) of the Aadhaar Act.</p>
<p><strong>[22]</strong> Section 33(1) of the Aadhaar Act.</p>
<p><strong>[23]</strong> Section 33(2) of the Aadhaar Act.</p>
<p><strong>[24]</strong> Section 37 of the Aadhaar Act.</p>
<p><strong>[25]</strong> Section 38(a) of the Aadhaar Act.</p>
<p><strong>[26]</strong> Section 38(b) of the Aadhaar Act.</p>
<p><strong>[27]</strong> Section 8(2)(a) and (c) of the Aadhaar Act.</p>
<p><strong>[28]</strong> For example, see: <a href="http://www.karnataka.gov.in/aadhaar/Downloads/Application%20form%20-%20English.pdf">http://www.karnataka.gov.in/aadhaar/Downloads/Application%20form%20-%20English.pdf</a>.</p>
<p><strong>[29]</strong> Section 8(2)(b) of the Aadhaar Act.</p>
<p><strong>[30]</strong> Section 29(3)(a) of the Aadhaar Act.</p>
<p><strong>[31]</strong> Section 37 of the Aadhaar Act.</p>
<p><strong>[32]</strong> Section 28(1), (2) and (3) of the Aadhaar Act.</p>
<p><strong>[33]</strong> Section 28(4)(a) and (b) of the Aadhaar Act.</p>
<p><strong>[34]</strong> Section 28(4)(c) of the Aadhaar Act.</p>
<p><strong>[35]</strong> Section 30 of the Aadhaar Act.</p>
<p><strong>[36]</strong> Section 38(c) of the Aadhaar Act.</p>
<p><strong>[37]</strong> Section 38(d) of the Aadhaar Act.</p>
<p><strong>[38]</strong> Section 38(e) of the Aadhaar Act.</p>
<p><strong>[39]</strong> Section 38(f) of the Aadhaar Act.</p>
<p><strong>[40]</strong> Section 38(h) of the Aadhaar Act.</p>
<p><strong>[41]</strong> Section 38(i) of the Aadhaar Act.</p>
<p><strong>[42]</strong> Section 39 of the Aadhaar Act.</p>
<p><strong>[43]</strong> Section 23(2)(l) of the Aadhaar Act.</p>
<p><strong>[44]</strong> Section 23(2)(s) of the Aadhaar Act.</p>
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/analysis-of-aadhaar-act-in-context-of-shah-committee-principles'>http://editors.cis-india.org/internet-governance/blog/analysis-of-aadhaar-act-in-context-of-shah-committee-principles</a>
</p>
No publisher | Vipul Kharbanda | Big Data, Privacy, Internet Governance, Featured, Digital India, Aadhaar, Biometrics, Homepage | 2016-03-17T19:43:53Z | Blog Entry
Salient Points in the Aadhaar Bill and Concerns
http://editors.cis-india.org/internet-governance/salient-points-in-the-aadhaar-bill-and-concerns
<b>Since the release of the Aadhaar Bill, the Centre for Internet and Society has been writing a number of posts analyzing the Bill and calling out problematic areas and the implications of the same. This post is meant to contribute to this growing body of writing and call out our major concerns with the Bill. </b>
<p id="docs-internal-guid-7301bf10-976a-ed8c-7f3d-7dde76418a24" dir="ltr"><strong>Use of Aadhaar Number</strong></p>
<p dir="ltr"><em>What the Bill says:</em></p>
<ul id="docs-internal-guid-7301bf10-9771-2472-c5e8-991b7fefebd0"><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Used to establish identity: The Aadhaar number can be used by any government or private agency to validate a person’s identity for any lawful purpose, but it cannot be used as a proof of citizenship. (Sections 4, 6, and 57)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Mandatory for access to government services: The government can make it mandatory for a person to authenticate her/his identity using Aadhaar number before receiving any government subsidy, benefit, or service whose expenditure is incurred from the Consolidated Fund of India.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Those without a number, must apply for one: If someone attempting to access an applicable service does not have an Aadhaar number, he/she should make an application for enrolment, and will be allowed to use an alternative method of identification in the meantime. (Section 7)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Open to use by public and private bodies: The Bill does not prevent the use of Aadhaar number to establish identity for other lawful purposes by the State or other private bodies. (Section 57)</p>
</li></ul>
<em>Concerns:</em>
<ul id="docs-internal-guid-7301bf10-9773-5f01-28d6-bc08ffea2788"><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Aadhaar is not voluntary: Section 7 makes it mandatory to have an Aadhaar number to access services, subsidies and benefits, and stipulates that anyone who does not have an Aadhaar number must apply for one. This runs counter to the repeated claims about Aadhaar being purely voluntary, and to the Supreme Court order dated August 11, 2015, which prevents making Aadhaar mandatory, barring a few specified services. The Bill does not limit mandatory use of Aadhaar to those services, and leaves the door open for the government to route more benefits, subsidies and services through the Consolidated Fund of India and expand the scope of Aadhaar.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">There are limited and unclear alternatives: While there is a proviso in the Act which speaks for “viable and alternative” means of identification where Aadhaar number is not issued, the language is not clear and speaks of cases where Aadhaar “is not assigned” rather than simply stating that it is applicable to anyone who does not have an Aadhaar number.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">There is a conflict in the objects and actual scope of the Bill: There is a conflict between the objects of the Bill, which are stated as identification of individuals for targeted delivery of entitlements, and Section 57, which allows all entities, public or private, to use the Aadhaar number for authentication.</p>
</li></ul>
<p dir="ltr"><strong><br /></strong></p>
<p dir="ltr"><strong>Enrollment Process</strong></p>
<p dir="ltr"><em>What the Bill says:</em></p>
<ul id="docs-internal-guid-7301bf10-9772-9fda-b2a1-8587dbdd816b"><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Enrolling agencies must provide notice: At the time of enrollment, the enrolling agency will inform the individual of the following details— i) how their information will be used; ii) what type of entities the information will be shared with; and iii) that they have a right to access their information, and also tell them how they can access their information. (Section 3)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Biometrics and demographics will be collected: Biometric information and demographic information will be collected at enrollment. Biometric information means photograph, fingerprint, iris scan, or any other biological attributes specified by regulations. Demographic information includes information relating to the name, date of birth, address and other relevant information as specified by regulations. (Section 2)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Special measures to ensure enrollment for all: The UIDAI will take special measures to issue Aadhaar number to women, children, senior citizens, persons with disability, unskilled and unorganised workers, nomadic tribes or to such other persons who do not have any permanent residence and similar categories of individuals as specified by the regulations. (Section 5)</p>
</li></ul>
<p dir="ltr"><em>Concerns:</em></p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">The Bill fails to address implementation issues: The Bill does not address issues that have arisen during enrolment processes that have already been implemented. These include: the collection of additional and unnecessary information; unclear retention, storage, and destruction standards for data collected by enrollment agencies; abuse of methods used to ensure all have access to the enrollment process; and inaccuracy in the collection of data. A detailed procedure and chain of custody for the enrollment process need to be addressed through provisions in the Bill, particularly as this process is undertaken by contracted third party registrars and enrolling agencies.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Definition of “Biometric Information” is broad and ambiguous: The Bill defines “biometric information” as “photograph, fingerprint, iris scan, or other such biological attributes of an individual.” This definition is broad and gives sweeping discretionary power to the UIDAI / Central Government to determine “other such biological attributes of an individual”. The definition should be precise and exhaustive in its scope. Any modification to this, and other terms in the Bill, should take place only through a legislative act.</p>
</li></ul>
<p> </p>
<p dir="ltr"><strong>Authentication Process</strong></p>
<p dir="ltr"><em>What the Bill says:</em></p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Consent and use limitation during authentication: The Bill states that any requesting entity will— (a) take consent from the individual before collecting his/her Aadhaar information; (b) use the information only for authentication with the CIDR.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Notice during authentication: Further, the entity requesting authentication will also inform the individual of the following— (a) what type of information will be shared for authentication; (b) what will the information be used for; and (c) whether there is any alternative to submitting the Aadhaar information to the requesting entity. (Section 8)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Retention of authentication records: The UIDAI will maintain the authentication records in the manner and for as long as specified by regulations. (Section 32) The UIDAI will not collect, keep or maintain any information about the purpose of authentication. (Section 32)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Ability to obtain authentication records: Every Aadhaar number holder may obtain his authentication record as specified by regulations. (Section 32)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Requirement to update information: The UIDAI has the power to require residents to update their demographic and biometric information from time to time. (Section 6)</p>
</li></ul>
<p dir="ltr"><em>Concerns:</em></p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Lack of strong consent mechanism: While the Bill does provide for seeking consent for collecting and using an Aadhaar number for authentication, it does not specify that this must be informed consent with an ‘opt out’ mechanism, nor does it specify the manner in which such consent should be sought. This leaves it in the hands of the UIDAI and possibly the third requesting entity to determine the form of consent that is to be taken. This could result in ambiguous, misleading, or inconsistent consent mechanisms being used.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Lack of strong notice mechanism: While the Bill does provide that individuals should be given notice of the type of information to be shared, what the information will be used for, and any alternative identity that will be accepted during the authentication process, this is a minimal notice and does not meet the standards in the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, which require individuals to be notified of a) the fact that the information is being collected; b) the purposes for which the information is being collected; c) the intended recipients of the information; and d) the name and address of the agency collecting the information and the agency that will retain the information. Furthermore, the Bill does not require the UIDAI, contracted bodies, or requesting entities to notify individuals of any changes in organizational privacy policies.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">“Obtaining” rather than the right to access: Instead of providing the individual with a clear right to access the information that the UIDAI holds about him or her, the Bill waters down this safeguard by giving the individual the ability to obtain only his authentication record. What ‘obtaining’ will entail and how one will go about it is delegated to regulations. </p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Lack of ability to opt out, withdraw consent and/or ‘exit’ Aadhaar: There are no opt-out mechanisms in the Aadhaar Act. This means that individuals cannot:</p>
</li>
<ul><li style="list-style-type: circle;" dir="ltr">
<p dir="ltr">Opt out and leave the Aadhaar ‘ecosystem’ once enrolled and their information is not deleted.</p>
</li><li style="list-style-type: circle;" dir="ltr">
<p dir="ltr">Opt out of sharing of information at the enrollment stage or authentication stage.</p>
</li><li style="list-style-type: circle;" dir="ltr">
<p dir="ltr">Opt out of any use, disclosure, or retention of their information prescribed by the Act.</p>
</li></ul>
</ul>
<p> </p>
<p dir="ltr"><strong>Security</strong></p>
<p dir="ltr"><em>What the Bill says:</em></p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Security measures for information with UIDAI: The UIDAI will take measures to ensure that all information with the UIDAI, including CIDR records is secured and protected against access, use or disclosure and against destruction, loss or damage. (Section 28)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Security measures through contract: The UIDAI will adopt and implement appropriate technical and organisational security measures, and ensure the same are imposed through agreements/arrangements with its agents, consultants, advisors or other persons. (Section 28)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Security protocol via regulations: The UIDAI has the power to prescribe via regulation various processes relating to data management, security protocol and other technology safeguards. (Section 54)</p>
</li></ul>
<p dir="ltr"><em>Concerns:</em></p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Undefined security measures: The Bill specifies that appropriate technical and organisational security measures shall be put in place without elaborating upon what those measures should be or defining any standards that they will adhere to. The Bill gives the Authority the power to define broad regulations pertaining to security protocol.</p>
</li></ul>
<p> </p>
<p dir="ltr"><strong>Confidentiality</strong></p>
<p dir="ltr"><em>What the Bill says:</em></p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Restriction on Sharing, Disclosure, and Use: Unless otherwise provided, the UIDAI or its agents will not reveal any information in the CIDR to anyone. (Section 28) The core biometric information collected will not be a) shared with anyone for any reason, and b) used for any purpose other than generation of Aadhaar numbers and authentication. (Section 29) Identity information, other than core biometric information, may be shared as per this Act and regulations specified under it. (Section 29) Identity information available with a requesting entity will not be used for any purpose other than what is specified to the individual, nor will it be shared further without the individual’s consent. (Section 29) Aadhaar numbers or core biometric information will not be made public except as specified by regulations. (Section 30)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Application of Information Technology Act: All biometric information collected and stored in electronic form will be deemed to be “electronic record” and “sensitive personal data or information” under Information Technology Act, 2000 and its provisions and rules will apply to it in addition to this Act. (Section 30)</p>
</li></ul>
<p dir="ltr"><em>Concerns:</em></p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Aadhaar numbers and biometric information to be made public: It is unclear for what purposes it would be necessary for Aadhaar numbers and core biometric information to be made public and it is concerning that such circumstances are left to be defined by regulation. This is different from the Telegraph Act and the IT Act which define the circumstances for interception in the Act and define the procedure for carrying out interception orders in associated Rules. Defining circumstances for such information to be made public is against the disclosure standards in the 43A Rules - which would be applicable to the UIDAI and the disclosure of core biometric information.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Unclear application of Section 43A Rules: The Bill characterises biometric information collected as ‘sensitive personal data or information’ under the Information Technology Act, 2000 and Section 43A Rules and states that the Act and Rules would be applicable to biometric information. If this is the case, then any body corporate (including the UIDAI) collecting, processing, or storing biometric information would need to follow the standards established in the Rules - including standards for collection, consent, disclosure, sharing, retention, and security. Yet, the Bill allows the UIDAI to make regulations for collection, disclosure, security etc.</p>
</li></ul>
<p> </p>
<p dir="ltr"><strong>Disclosure</strong></p>
<p dir="ltr"><em>What the Bill says:</em></p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Disclosure during authentication: During authentication, the UIDAI will respond to the authentication request with yes, no, or other appropriate response and share identity information about the Aadhaar number holder, but not share any biometric information. (Section 8)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Exceptions to confidentiality provisions: The UIDAI may reveal identity information, authentication records or any information in the CIDR following a court order by a District Judge or higher. Any such order may only be made after UIDAI is allowed to appear in a hearing. (Section 33) The confidentiality provisions in Sections 28 and 29 will not apply with respect to disclosure made in the interest of national security following directions by a Joint Secretary to the Government of India, or an officer of a higher rank, authorised for this purpose. (Section 33)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Oversight Committee: An Oversight Committee comprising Cabinet Secretary, and Secretaries of two departments — Department of Legal Affairs and DeitY— will review every direction under 33 B above. Any directions in the interest of national security above are valid for 3 months, after which they may be extended following a review by the Oversight Committee. (Section 33) </p>
</li></ul>
<p dir="ltr"><em>Concerns:</em></p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Unnecessary disclosure during authentication: Usually authentication would be a binary process leading to a yes or no result; however, Section 8 also allows sharing of identity information in certain cases. It is unclear why any additional information would need to be shared in the authentication process.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Lack of opportunity to data subject: In case of a court order, identity information and authentication records of an individual can be revealed without any notice or opportunity of hearing to the individual affected. Aside from allowing the UIDAI a right to be heard, the Bill does not provide any means by which an individual can contest such an order or challenge it after it has been passed.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Lack of defined functions and responsibilities of oversight mechanisms: Section 33 currently specifies a procedure for oversight by a committee; however, there are no substantive provisions laid down as the guiding principles establishing the responsibilities and powers of the oversight mechanism.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Low standards for disclosure order: Though a court order from a District Judge is required to authorize disclosure of information, the Bill fails to define important standards that such an order must meet, including that the order is necessary and proportionate.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Sweeping exception of National Security: Disclosures that are made ‘in the interest of national security’ do not require authorization by a judge and instead can be authorized by the Joint Secretary of the Government of India - a standard lower than that established in the Telegraph Act and IT Act for the interception of communications.</p>
</li></ul>
<p> </p>
<p dir="ltr"><strong>Power of UIDAI to make rules and regulations</strong></p>
<p dir="ltr"><em>What the Bill says:</em></p>
<p dir="ltr">The matters on which the UIDAI may frame rules include:</p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">The process of collecting information,</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Verification of information,</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Individual access to information,</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Sharing and disclosure of information,</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Alteration of information,</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Request and response for authentication,</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Defining use of Aadhaar numbers,</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Defining privacy and security processes,</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Specifying processes relating to data management, security protocols and other technology safeguards under this Act</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Establishing redressal mechanisms.</p>
</li></ul>
<p dir="ltr"><em>Concerns</em>:</p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Over delegation of powers to the UIDAI: This Bill follows in the tradition of laws like the Information Technology Act, which allows the executive a very high degree of discretionary power. As mentioned above, a number of important powers which should ideally be within the purview of the legislature are delegated to the UIDAI. The UIDAI has been administering the project since its inception, and a number of problems have already been documented in processes such as collection, verification, sharing of information, privacy and security processes. Rather than addressing these problems, the Bill allows the UIDAI to continue to have similar powers.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Lack of independence of grievance redressal mechanism: Within the text of the Bill, no grievance redressal mechanism is created. The power to set up such a mechanism is delegated to the UIDAI under Section 23 (2) (s) of the Bill. However, making the entity administering a project also responsible for providing the frameworks to address the grievances arising from the project severely compromises the independence of the grievance redressal body.</p>
</li></ul>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/salient-points-in-the-aadhaar-bill-and-concerns'>http://editors.cis-india.org/internet-governance/salient-points-in-the-aadhaar-bill-and-concerns</a>
</p>
No publisher | Amber Sinha and Elonnai Hickok | UID, Privacy, Internet Governance, Aadhaar, Biometrics | 2016-03-21T04:37:48Z | Blog Entry
Aadhaar Bill 2016 Evaluated against the National Privacy Principles
http://editors.cis-india.org/internet-governance/aadhaar-bill-2016-evaluated-against-the-national-privacy-principles
<b>In this infographic, we evaluate the privacy provisions of the Aadhaar Bill 2016 against the national privacy principles developed by the Group of Experts on Privacy led by the Former Chief Justice A.P. Shah in 2012. The infographic is based on Vipul Kharbanda’s article 'Analysis of Aadhaar Act in the Context of A.P. Shah Committee Principles,' and is designed by Pooja Saxena, with inputs from Amber Sinha.</b>
<p> </p>
<h4>Download the infographic: <a href="https://github.com/cis-india/website/raw/master/infographics/CIS_Aadhaar-2016-Vs-Privacy-Principles_v.1.0.pdf">PDF</a> and <a href="https://github.com/cis-india/website/raw/master/infographics/CIS_Aadhaar-2016-Vs-Privacy-Principles_v.1.0.png">PNG</a>.</h4>
<p> </p>
<p><strong>License:</strong> It is shared under Creative Commons <a href="https://creativecommons.org/licenses/by/4.0/">Attribution 4.0 International</a> License.</p>
<p> </p>
<img src="https://github.com/cis-india/website/raw/master/infographics/CIS_Aadhaar-2016-Vs-Privacy-Principles_v.1.0.png" alt="Aadhaar Bill 2016 Evaluated against the National Privacy Principles" />
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/aadhaar-bill-2016-evaluated-against-the-national-privacy-principles'>http://editors.cis-india.org/internet-governance/aadhaar-bill-2016-evaluated-against-the-national-privacy-principles</a>
</p>
No publisher | Pooja Saxena and Amber Sinha | UID, Big Data, Privacy, Internet Governance, Infographic, Digital India, Aadhaar, Biometrics | 2016-03-21T08:38:34Z | Blog Entry
In India, Biometric Data Storage Sparks Demands for Privacy Laws
http://editors.cis-india.org/internet-governance/news/voice-of-america-anjana-pasricha-march-18-2016-in-india-biometric-data-storage-sparks-demands-for-privacy-laws
<b>In India, calls for strict privacy laws are growing after this week's passage of a measure that allows federal agencies access to biometric data of the nation's citizens, the world's largest such repository.</b>
<p style="text-align: justify; ">The article by Anjana Pasricha was <a class="external-link" href="http://www.voanews.com/content/india-biometrics-privacy/3243744.html">published in Voice of America</a> on March 18, 2016. Pranesh Prakash gave inputs.</p>
<hr />
<p style="text-align: justify; ">The government says the use of biometrics will help cut rampant graft in the distribution of subsidies, but activists and opposition lawmakers warn it could usher in an era of increased state surveillance.</p>
<p style="text-align: justify; ">Raghubir Gaur, who works as an electrician in the capital, New Delhi, says he has never collected subsidized rations such as wheat and rice, because “somebody else has been taking the rations I should have gotten.” Now, with a national proof of identity, or "Aadhaar" card in his hands, Gaur says he is confident he will be able to access his designated subsidies.</p>
<p style="text-align: justify; ">The Aadhaar card is being used to give welfare benefits to the poor, who often cannot provide any proof of identity, allowing corrupt officials to siphon entitlements.</p>
<p style="text-align: justify; ">The government says it has saved nearly $2 billion by preventing misuse of the subsidies in the last fiscal year alone.</p>
<h3 style="text-align: justify; ">Critics fear ‘police state’</h3>
<p style="text-align: justify; ">Civil activists and research groups, however, have dubbed the Aadhaar program “surveillance technology” that constitutes a serious breach of privacy. They point to identity-verification systems in other countries, where cards or identification numbers are used for verification without creating a gigantic central database that documents every last transaction.</p>
<p style="text-align: justify; ">Indeed, the Aadhaar database also stores fingerprints and iris scans of every account holder, labeling each with a 12-digit identification number.</p>
<p style="text-align: justify; ">Concerns that this could lead to a massive invasion of privacy have been heightened because the new law allows the data to be used “in the interest of national security.”</p>
<p style="text-align: justify; ">“From verifying yourself to the ticket conductor on a train to someone who is delivering something at your house, all the way to opening a new bank account, all these transactions get logged against the centralized data base," says Pranesh Prakash of the Center for Internet and Society in Bangalore. "So this invades your life completely and thoroughly.”</p>
<p style="text-align: justify; ">Some lawyers and privacy advocates say this has made it even more important to support a strong privacy law to ensure the huge government database isn't misused.</p>
<p style="text-align: justify; ">Finance Minister Arun Jaitley has defended the biometrics legislation, saying the data will be accessed only in rare cases that require authorization by a senior official.</p>
<p style="text-align: justify; ">“You mark my words, you are midwifing a police state,” said lawmaker Asaduddin Owaisi, just one parliamentarian who opposed passage of the legislation and found no comfort in Jaitley's assurances.</p>
<h3 style="text-align: justify; ">Fraud concerns</h3>
<p style="text-align: justify; ">Despite objections, the bill was passed by legislators who argued that such a move is critical to ensuring subsidies reach intended beneficiaries in a country where millions are poor and illiterate.</p>
<p style="text-align: justify; ">Attempts to draft a right to privacy bill to protect individuals against misuse of data by government or private agencies date back to 2010, but have made little headway. The latest push started in 2014.</p>
<p style="text-align: justify; ">Citing a cyberattack targeting the U.S. government, in which a hacker gained access to the information of millions of people, research groups have also flagged security concerns around India’s ambitious Aadhaar program.</p>
<p style="text-align: justify; ">“If this database gets leaked, the entire identification system collapses because people will be able to authenticate themselves as anyone else. So identity fraud is a great concern,” said Prakash of the Center for Internet and Society.</p>
<p style="text-align: justify; ">Nearly one billion biometric identity cards have been issued in India in the last six years.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/voice-of-america-anjana-pasricha-march-18-2016-in-india-biometric-data-storage-sparks-demands-for-privacy-laws'>http://editors.cis-india.org/internet-governance/news/voice-of-america-anjana-pasricha-march-18-2016-in-india-biometric-data-storage-sparks-demands-for-privacy-laws</a>
</p>
No publisher | praskrishna | Aadhaar, Internet Governance, Privacy | 2016-03-23T02:27:05Z | News Item
Seven reasons why Parliament should debate the Aadhaar bill (and not pass it in a rush)
http://editors.cis-india.org/internet-governance/news/scroll.in-anumeha-yadav-march-24-2016-seven-reasons-why-parliament-should-debate-the-aadhaar-bill-and-not-pass-it-in-a-rush
<b>Critics say the Aadhaar Bill does not address concerns over privacy, even as government is rushing the Bill without adequate parliamentary scrutiny.</b>
<p style="text-align: justify; ">The blog post by Anumeha Yadav was published in <a class="external-link" href="http://scroll.in/article/804922/seven-reasons-why-parliament-should-debate-the-aadhaar-bill-and-not-pass-it-in-a-rush">Scroll.in</a> on March 11, 2016. Pranesh Prakash was quoted.</p>
<hr />
<p style="text-align: justify; ">Since it was launched by the United Progressive Alliance government in 2009, the Unique Identification project called Aadhaar has functioned without a legal framework. The project, which aims to assign a biometric-based number to every Indian resident, has been run under an executive order, which means Parliament has no oversight over it.</p>
<p style="text-align: justify; ">An Aadhaar Bill was introduced in 2010 but it was rejected by a parliamentary committee over legislative, security, and privacy concerns.</p>
<p style="text-align: justify; ">For long, critics have expressed concerns over collecting and centralising citizens' biometric data ‒ such as fingerprints and retina scans ‒ on a mass scale in the absence of a privacy law. The Supreme Court in several orders in 2014 and 2015 affirmed that the government cannot require people to register for an Aadhaar number and no one can be deprived of a government service for not having an Aadhaar number. The Supreme Court is now set to form a constitution bench to examine the contours of the right to privacy flowing from the government's arguments in the Aadhaar case.</p>
<p style="text-align: justify; ">Before the bench begins its work, however, the Modi government has introduced a new Bill on Aadhaar, which could override the court's orders.</p>
<p style="text-align: justify; ">The <a class="link-external" rel="nofollow" href="http://www.prsindia.org/administrator/uploads/media/AADHAAR/Aadhaar%20Bill,%202016.pdf" target="_blank"><span>Aadhaar </span></a>(Target Delivery of Financial and Other Subsidies, Benefits and Services) Bill was introduced on March 3 in Lok Sabha. Finance minister Arun Jaitley said the new Bill addresses concerns over privacy and the security and confidentiality of information.</p>
<p style="text-align: justify; ">But a close examination of the Bill shows several questions remain.</p>
<p style="text-align: justify; "><strong>1. Does the Bill make it mandatory for you to get an Aadhaar number?<br /></strong>Yes, you may have to compulsorily enrol under Aadhaar, despite the privacy concerns explained in the sections below.</p>
<p style="text-align: justify; ">Four-time member of the Lok Sabha, Bhartruhari Mahtab of the Biju Janata Dal, was on the parliamentary committee on finance that examined the previous Aadhaar Bill introduced in 2010. He said the new Aadhaar Bill does not specify that it will <em>not</em> be made mandatory.</p>
<p style="text-align: justify; ">“There is duplicity over this issue,” said Mahtab. “Nandan Nilekani [the former chairperson of the Unique Identification Authority of India] repeatedly told us in the parliamentary committee that Aadhaar is not mandatory. The Supreme Court also said, 'You cannot make it mandatory.'”</p>
<p style="text-align: justify; ">But if a service agent asks for Aadhaar mandatorily, then as a beneficiary, citizens have no option but to get an Aadhaar number, Mahtab explained. “The government, or a private company, cannot force me to get an Aadhaar number," he said. "The government should bring a law that clearly says Aadhaar is not mandatory.”</p>
<p style="text-align: justify; ">A committee of experts on privacy, chaired by Justice AP Shah, had <a class="link-external" rel="nofollow" href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf" target="_blank"><span>recommended</span></a> in 2012 that the Bill should specify that individuals have the choice to opt-in or out-of providing their Aadhaar number, and a service should not be denied to individuals who do not provide their number. The Unique Identification Authority of India had then stated to the committee that the enrolment in Aadhaar is voluntary.</p>
<p style="text-align: justify; ">But the new Aadhaar Bill does not incorporate a categorical clause on opt-in and opt-out. Instead, it broadens the scope of Aadhaar. Jaitley said the Bill will allow the government to ask a citizen to produce an Aadhaar number to avail of any government subsidy. But section 7 of the Bill is phrased more broadly, and refers to not just subsidies but any “subsidy, benefit or service” for which expense is incurred on the Consolidated Fund of India, or the government treasury.</p>
<blockquote class="cms-block-quote cms-block" style="text-align: justify; ">
<p>7. The Central Government or, as the case may be, the State Government may, for the purpose of establishing identity of an individual as a condition for receipt of a subsidy, benefit or service for which the expenditure is incurred from, or the receipt therefrom forms part of, the Consolidated Fund of India, require that such individual undergo authentication, or furnish proof of possession of Aadhaar number or in the case of an individual to whom no Aadhaar number has been assigned, such individual makes an application for enrolment: Provided that if an Aadhaar number is not assigned to an individual, the individual shall be offered alternate and viable means of identification for delivery of the subsidy, benefit or service.</p>
</blockquote>
<p style="text-align: justify; ">As noted above, the proviso in section 7 is premised on the phrase: “if an Aadhaar number is not assigned”. This, along with language preceding in the section, indicates that a citizen may be compulsorily required to apply for enrolment.</p>
<p style="text-align: justify; ">Section 8 permits a “requesting entity” to utilise identity information for authentication with the Central Identities Data Repository. A “requesting entity” is defined under Section 2(u), and will include private entities.</p>
<p style="text-align: justify; "><strong>2. Does the Bill allow Aadhaar authorities to share your personal data?<br /></strong>Yes, in the "interest of national security", a term that remains undefined.</p>
<p style="text-align: justify; ">Both legal experts and members of Parliament have flagged the provisions in the Bill on the circumstances in which users' data, including core biometrics information, can be shared.</p>
<p style="text-align: justify; ">The debate centres over the interception provisions in section 33.</p>
<p style="text-align: justify; ">In a <a class="link-external" rel="nofollow" href="http://indianexpress.com/article/opinion/columns/aadhaar-bill-lpg-subsidy-mgnrega-paperless-govt-basis-of-a-revolution/#sthash.FJeqBNmJ.dpuf" target="_blank"><span>piece</span></a> in <em>The Indian Express</em>, Nandan Nilekani, the former chairperson of the issuing authority, stated that the Aadhaar Bill provides that no core biometric information can be shared, a principle without exception. “...Clause 29(1) is not overridden by Clause 33(2),” he noted.</p>
<p style="text-align: justify; ">However, a closer reading of the Bill shows this is not the case. Clause 33(2), in fact, does provide an exception to clause 29(1)(b):</p>
<blockquote class="cms-block-quote cms-block" style="text-align: justify; ">
<p>33(2) Nothing contained in sub-section (2) or sub-section (5) of section 28 and <strong>clause (b) of </strong><strong>sub-section (1), </strong>sub-section (2) or sub-section (3) <strong>of section 29</strong> shall apply in respect of any disclosure of information, including identity information or authentication records, made in the interest of national security in pursuance of a direction of an officer not below the rank of Joint Secretary to the Government of India specially authorised in this behalf by an order of the Central Government</p>
</blockquote>
<p style="text-align: justify; ">where, Section 29(1)(b) states:</p>
<blockquote class="cms-block-quote cms-block" style="text-align: justify; ">
<p>29. (1) No core biometric information, collected or created under this Act, shall be — (b) used for any purpose other than generation of Aadhaar numbers and authentication under this Act.</p>
</blockquote>
<p style="text-align: justify; ">Pranesh Prakash, a lawyer and policy director of the Centre for Internet and Society said: “This implies that the core biometric information, collected or created under the Aadhaar Act, may be used for purposes other than the generation of Aadhaar numbers and authentication <em>'in the interest of national security.</em>'"</p>
<p style="text-align: justify; ">Legal experts point out that the phrase “national security” is undefined in the present bill, as well as the General Clauses Act, and thus the circumstances in which an individual's information may be disclosed remains open to interpretation.</p>
<p style="text-align: justify; ">Section 33(1) permits the disclosure of an individual's demographic information (but not biometrics) following an order by a district judge. It says that no such order shall be made without giving an opportunity of hearing to the UIDAI, but <em>not to the person whose data is being disclosed</em>.</p>
<p style="text-align: justify; "><strong>3. Does the Bill protect you from interception and surveillance?<br /></strong>No, the Bill does not provide for transparency concerning covert surveillance.</p>
<p style="text-align: justify; ">Section 33(2), which permits disclosure of demographic and biometric information pursuant to directions of the joint secretary in the interest of national security, says such disclosures will be for three months initially, and a fresh renewal can be granted for another three months, without a limitation on the number of such renewals.</p>
<p style="text-align: justify; ">This can lead to a user being under continuous surveillance, and without any notification to the user even after the surveillance ceases, violating one of the <a class="link-external" rel="nofollow" href="http://www.ohchr.org/Documents/Issues/Privacy/ElectronicFrontierFoundation.pdf" target="_blank"><span>necessary and proportionate principles on communications surveillance</span></a> related to user notification and right to effective remedy. In some countries, this principle has been incorporated in law. For example, in Canada, the law limits the time of wiretapping surveillance, and imposes an obligation to notify the person under surveillance within 90 days of the end of the surveillance, extendable to a maximum of three years at a time.</p>
<p style="text-align: justify; ">“The interception provisions are severely problematic," said Apar Gupta, a technology lawyer. "They are not open to independent scrutiny and even derogate from the already deficient practices which relate to phone tapping (Rule 419-A of the Telegraph Rules) and interception of data (Interception Rules, 2011).”</p>
<p style="text-align: justify; ">Legal scholar Usha Ramanathan pointed out that the Bill lacks provisions on giving notice to a person in case of breach of information, in case of third party use of data, or change in purpose of use of data – which were among provisions recommended by the Justice Shah Committee on Privacy in 2012.</p>
<p style="text-align: justify; "><strong>4. Does the Bill allow you to seek redress in case of breach of information?<br /></strong>Yes, but the provisions are weak.</p>
<p style="text-align: justify; ">Government officials overseeing the project said that the 2016 Bill is an improvement over the 2010 Bill as it safeguards the information of those enrolled as per sections of the Information Technology Act, 2000.</p>
<p style="text-align: justify; ">But technology law experts say the adjudicatory system for disclosure of sensitive personal data under the IT Act has structural flaws and is not functional.</p>
<p style="text-align: justify; ">“Initial complaints against the disclosure of sensitive personal data go to an adjudicating officer who is usually the IT Secretary of the state government and may not be trained in law,” said Gupta, the technology lawyer. “There is no court infrastructure and no permanent seat for such cases. The appellate body, the Cyber Appellate Tribunal, has not been made operational in the last three years. Hence, the civil remedies offered [in the Aadhaar Bill] are at best illusionary and unenforceable.”</p>
<p style="text-align: justify; "><strong>5. Does the Bill give you the right to alter your information?<br /></strong>No, it leaves you to the mercy of the Unique Identification Authority of India.</p>
<p style="text-align: justify; ">Imagine a situation where a user simply wants to change their first or last name, or say, not use their caste name. Under Section 31 of the Bill, individuals can only request the UID authority, which may do so “if it is satisfied”. There is no penalty on the authority if it fails to respond. The Bill does not provide for a user to even be able to approach a court to ask for their information relating to Aadhaar to be corrected.</p>
<p style="text-align: justify; ">International norms for data protection give individuals the right to correct and alter information, if their demographic data changes. They <a class="link-external" rel="nofollow" href="https://ico.org.uk/for-organisations/guide-to-data-protection/principle-6-rights/correcting-inaccurate-personal-data/" target="_blank"><span>provide</span></a> for individuals to have a copy of their information, and to approach courts for an order to rectify, block, erase inaccurate information.</p>
<p style="text-align: justify; ">In an <a class="link-external" rel="nofollow" href="http://www.livemint.com/Politics/l0H1RQZEM8EmPlRFwRc26H/Govt-narrative-on-Aadhaar-has-not-changed-in-the-last-six-ye.html" target="_blank"><span>interview</span></a> to <em>Mint</em>, Sunil Abraham, director of the Centre for Internet and Society, compared the rights of Aadhaar users to the rights we now take for granted as internet users. “Authentication factors [biometrics in the case of Aadhaar], commonly known as passwords, should always be revocable,” noted Abraham. “That means if the password is compromised, you should be able to change the password or at least say that this password is no longer valid.” In its current form, the Aadhaar Bill gives users no such rights.</p>
<p style="text-align: justify; "><strong>6. Is the current Bill an improvement over the previous one?<br /></strong>Not really.</p>
<p style="text-align: justify; ">The Aadhaar Bill 2016 provides that the renewals of requests for disclosure of data will be reviewed by an oversight committee consisting of the cabinet secretary and the secretaries in the department of legal affairs and the department of electronics and information technology.</p>
<p style="text-align: justify; ">This is a watered down version of the provisions in the previous Unique Identification Authority of India <a class="link-external" rel="nofollow" href="http://www.prsindia.org/uploads/media/UID/The%20National%20Identification%20Authority%20of%20India%20Bill,%202010." target="_blank"><span>2010 Bill</span></a>, said Chinmayi Arun, executive director, Centre for Communication Governance at the National Law University Delhi.</p>
<p style="text-align: justify; ">“The previous version or the 2010 Bill provided for a three-member review committee, consisting of the nominees of the prime minister, the leader of the opposition, and a third nominee of a union cabinet minister, with the restriction that these nominees could not be a member of parliament or a member of a political party,” Arun said. “This would be a more independent committee than the one proposed now, wherein there will be executive oversight for executive orders."</p>
<p style="text-align: justify; ">Regarding penalties, the previous 2010 Bill made copying, deleting, stealing, or altering information in the Central Identities Data Repository punishable with a jail term of up to three years and a fine not less than Rs 1 crore.</p>
<p style="text-align: justify; ">Section 38 of the new Aadhaar Bill now makes the same offence punishable with a jail term of up to three years and reduces the upper limit of the fine to “not less than ten lakh rupees”.</p>
<p style="text-align: justify; "><strong>7. Finally, does the Aadhaar Bill have enough parliamentary scrutiny?<br /></strong>The government has introduced the legislation on Aadhaar in the form of a Money Bill, which means the power of the Rajya Sabha to review and amend the Bill is curtailed ‒ if the Speaker Sumitra Mahajan certifies that this is a Money Bill.</p>
<p style="text-align: justify; ">The parliamentary committee on finance under Bharatiya Janata Party MP Yashwant Sinha had rejected the previous Bill in December 2011 citing legislative, security, and privacy concerns. Despite this, two successive Prime Ministers – Manmohan Singh and Narendra Modi – have pushed ahead with the Aadhaar project.</p>
<p style="text-align: justify; ">A common refrain has been that the unique biometric identity will resolve the problem of the poor in India to prove identity and overcome "one of the biggest barriers <a class="link-external" rel="nofollow" href="https://uidai.gov.in/UID_PDF/Front_Page_Articles/Documents/Strategy_Overveiw-001.pdf" target="_blank"><span>preventing the poor</span></a> from accessing benefits and subsidies." But last April, the UIDAI in <a class="link-external" rel="nofollow" href="http://i1.wp.com/128.199.141.55/wp-content/uploads/2015/06/Enrolment-through-introducer.jpg" target="_blank"><span>response</span></a> to an RTI application revealed that of 83.5 crore Aadhaar numbers issued till then, 99.97% were issued to people who already had at least two existing identification documents, only 0.21 million (<a class="link-external" rel="nofollow" href="http://thewire.in/2015/06/03/most-aadhar-cards-issued-to-those-who-already-have-ids-3108/" target="_blank"><span>0.03%</span></a>) used the "introducer system" that provides an exception to those lacking identity proof.</p>
<p style="text-align: justify; ">More recently, there has been no public consultation by the government over the latest Bill.</p>
No publisher | praskrishna | Aadhaar, Internet Governance, Privacy | 2016-03-24T02:25:24Z | News Item
Making Aadhaar Mandatory: Gamechanger For Governance?
http://editors.cis-india.org/internet-governance/news/ndtv-march-20-2016-making-aadhaar-mandatory-gamechanger-for-governance
<b>Why has a programme that both the Congress and the BJP have hailed as transformational divided Parliament this week? The Aadhaar Bill, which was passed this week, aims at facilitating government benefits and subsidies to citizens, said Finance Minister Arun Jaitley.</b>
<p style="text-align: justify; ">Yet it became a reason for the Rajya Sabha to raise key questions. On the panel - Chandan Mitra, Rajya Sabha MP, BJP; Ajoy Kumar, Spokesperson, Congress; Tathagat Sathapathy, Lok Sabha MP, Biju Janata Dal; Rajeev Chandrashekhar, Rajya Sabha MP; Sunil Abraham, Executive Director, Centre for Internet & Society; and Shekhar Gupta, Senior Journalist.</p>
<h3 style="text-align: justify; ">Video</h3>
<p><iframe width="420" src="https://www.youtube.com/embed/BY_OPw2ErmM" frameborder="0" height="315"></iframe></p>
<hr />
<p style="text-align: justify; "><a class="external-link" href="http://www.ndtv.com/video/player/the-ndtv-dialogues/making-aadhaar-mandatory-gamechanger-for-governance/408648">Link to NDTV website</a></p>
No publisher | praskrishna | Aadhaar, Internet Governance, Privacy | 2016-03-24T06:50:10Z | News Item
Aadhaar data of over 89 lakh MNREGA workers in Andhra Pradesh leaked online
http://editors.cis-india.org/internet-governance/news/new-indian-express-april-26-2018-aadhaar-data-over-89-lakh-mnrega-workers-in-andhra-pradesh-leaked-online
<b>Independent security researcher Kodali Srinivas tweeted screenshots of Aadhaar data of 89,38,138 MNREGA workers available on the Andhra Pradesh Benefit Disbursement Portal.</b>
<p style="text-align: justify; ">The article was <a class="external-link" href="http://www.newindianexpress.com/states/andhra-pradesh/2018/apr/26/aadhaar-data-of-over-89-lakh-mnrega-workers-in-andhra-pradesh-leaked-online-1806717.html">published in New Indian Express</a> on April 27, 2018.</p>
<hr />
<p style="text-align: justify; ">Independent security researcher Kodali Srinivas, who exposed the leakage of Aadhaar and other personal data of 1.34 lakh beneficiaries on the State Housing Corporation website, on Thursday tweeted screenshots of Aadhaar data of 89,38,138 MNREGA workers available on the Andhra Pradesh Benefit Disbursement Portal, which is maintained by APOnline, a joint venture between the Tata Consultancy Services (TCS) and the State government.</p>
<p style="text-align: justify; ">Hours after he blew the whistle, the website administrators began masking the data. In May 2017, Srinivas had co-authored a report for the Centre for Internet and Society, exposing how the Aadhaar data of 13.5 crore card holders was leaked online. The data was then leaked by four government portals, National Social Assistance Programme, National Rural Employment Guarantee Scheme, Chandranna Bima Scheme of the Government of Andhra Pradesh and Daily Online Payment Reports of NREGA of the Government of Andhra Pradesh.</p>
<p style="text-align: justify; ">It appears that almost a year later, nothing much has changed. Srinivas told TNIE he had sent a mail to the chief operating officer, APOnline and Universal Identification Authority of India, the National Critical Information Infrastructure Protection Centre, and CERT-In, the Centre's cyber response wing. When contacted, Balasubramanyam, Joint Secretary (NREGS) told TNIE, "I have seen it. It is Benefit Disbursement Portal... not maintained by us. We have been very careful ever since that massive leak of data last year."</p>
<p style="text-align: justify; ">Executive (operations), APOnline, S Chandramouleeswara Reddy refused comment saying that he was not the competent authority to speak on the issue. APOnline developed ICT solution for MGNREGA scheme, a framework involving Department of Posts, for disbursement of entitlements after accurate authentication of the entitlements through finger print authentication. TCS implements the ICT solution for MGNREGA in the State.</p>
No publisher | Admin | Aadhaar, Internet Governance, Privacy | 2018-05-05T08:43:53Z | News Item
Aadhaar Remains an Unending Security Nightmare for a Billion Indians
http://editors.cis-india.org/internet-governance/news/the-wire-karan-saini-may-11-2018-aadhaar-remains-an-unending-security-nightmare-for-a-billion-indians
<b>Yesterday was the 38th and last day of hearings in the Supreme Court case challenging the constitutional validity of India’s biometric authentication programme. After weeks of arguments from both sides, the Supreme Court has now reserved the matter for judgement.</b>
<p style="text-align: justify; ">The article by Karan Saini was published in the <a class="external-link" href="https://thewire.in/government/aadhaar-remains-an-unending-security-nightmare-for-a-billion-indians">Wire</a> on May 11, 2018.</p>
<hr />
<p style="text-align: justify; ">Since its inception, the Aadhaar project has lurched from controversy to scandal. In the last two years, the debate has heavily centred around issues of data security, privacy and government overreach. This debate, unfortunately, like with most things Aadhaar, has been obfuscated in no small part due to the manner in which the Unique Identification Authority of India (UIDAI) reacts to critical public discussion.</p>
<p style="text-align: justify; ">As India waits for the apex court’s judgement, this is as good a time as any to take stock of the security and privacy flaws underpinning the Aadhaar ecosystem.</p>
<h3 style="text-align: justify; ">Poor security standards</h3>
<p style="text-align: justify; ">Let’s start with the lackadaisical attitude towards information security. As has become evident in the <a href="https://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof/view" target="_blank">past</a>, harvesting and collecting Aadhaar numbers – or acquiring scans and prints of valid Aadhaar cards – has become a trivial matter.</p>
<p style="text-align: justify; ">There are several government websites which implement Aadhaar authentication while at the same time lack in basic security practices such as the use of SSL to encrypt user traffic and/or the use of captchas to protect against brute-force or scraping attacks. This includes the biometric attendance website of the <a href="http://dgftbct.attendance.gov.in/register/myemp" rel="noopener" target="_blank">Director General of Foreign Trade</a>, the website for the <a href="http://nfsm.gov.in/dbt/aadhaarverification.aspx" rel="noopener" target="_blank">National Food Security Mission</a> and the <a href="http://medleaprhry.gov.in/PvtAddRecord.aspx" rel="noopener" target="_blank">Medleapr website</a>.</p>
<p style="text-align: justify; ">With numerous government websites being susceptible, problematic issues such as the use of open directories to store sensitive data gives us a look into how even the bare minimum – when it comes to adhering to security best practices – isn’t enforced across the gamut of websites which interface with Aadhaar.</p>
<p style="text-align: justify; ">It should not be acceptable practice to have government websites with open web directories containing PDF scans of dozens of Aadhaar cards available for just about anyone to view and/or download. Yet, over the past year and even before, many government websites have been found to either inadvertently or knowingly publish this information without much regard for the potential consequences it could have.</p>
<p style="text-align: justify; ">The UIDAI has repeatedly shown an attitude of hostility and dismissiveness when it comes to fixing security and privacy issues which are present in the Aadhaar ecosystem. It has also shown no signs of how it plans to tackle this problem.</p>
<p style="text-align: justify; ">In my personal experience as a security researcher, I have found and reported a cache of more than 40,000 scanned Aadhaar cards being available through an unsecured database managed by a private company, which relied on those scans for the purposes of verifying and maintaining records of their customers.</p>
<p style="text-align: justify; ">What’s worse is that the media reports regarding Aadhaar information being exposed may only be scratching the surface of the issue as more data may actually be susceptible to access and theft, and simply yet to be found and publicly reported. For example, data could be leaking through publicly available data stores of third-party companies interfacing with Aadhaar, or through inadequately secured API and sensitive portals without proper access controls.</p>
<p style="text-align: justify; ">Not all security incidents become a matter of public knowledge, so what we know at any given point about the illegal exposure of Aadhaar information may just be a glimpse of what is actually out there.</p>
<p style="text-align: justify; ">It should be acknowledged that the possession of these 12-digit numbers and their corresponding demographic information can open up room for potential fraud – or at the very least make it easier for criminals to carry out identity theft and SIM and banking fraud.</p>
<p style="text-align: justify; ">A <a href="https://thewire.in/economy/aadhaar-fraud-uidai" target="_blank">detailed analysis</a> of all publicly-reported Aadhaar-related or Aadhaar-enabled fraud over the last few years shows that the problem is not only real but deserves far more attention than what it has received so far.</p>
<h3 style="text-align: justify; ">Threat level infinity</h3>
<p style="text-align: justify; ">Taking a step back, it’s clear that the Aadhaar project snowballed into an ecosystem that it now struggles to control.</p>
<p style="text-align: justify; ">For instance, demographic information – as is stated in the draft for the <a href="https://www.uidai.gov.in/images/the_aadhaar_act_2016.pdf" rel="noopener" target="_blank">Aadhaar Act</a> (NIDAI Bill 2010) – was originally considered confidential information, meaning no entity could request your demographic information such as name, address, phone number etc. for purposes of eKYC.</p>
<p style="text-align: justify; ">However, as the ecosystem has progressed, the implementation and usage of eKYC have also changed and grown significantly with companies like PayTM utilising eKYC for the purposes of requesting and verifying customer information. It should be considered that data which has been collected by any of these companies through Aadhaar can be accessed by them in the future for an indefinite period of time depending on their own policies regarding storage and retention of the data.</p>
<p style="text-align: justify; ">If there ever is a breach of the CIDR or a mirrored silo containing a significant amount of Aadhaar-related data, it would directly affect more than one billion people. To put this in perspective, it would easily be the single largest breach of data in terms of the sheer number of people affected <i>and</i> it would have far-reaching consequences for everyone affected which might be very hard to offset.</p>
<p style="text-align: justify; ">On a comparatively smaller scale – although just as serious, if not more in terms of potential implications – would be a breach of any given state’s resident data hub (SRDH) repository. In some cases, SRDHs <a href="https://www.thenewsminute.com/article/13-lakh-aadhaar-numbers-leaked-andhra-govt-website-linked-personal-details-80178" rel="noopener" target="_blank">have been known to integrate data</a> acquired from other sources containing information regarding parameters such as caste, banking details, religion, employment status, salaries, and <a href="https://webcache.googleusercontent.com/search?q=cache:-HMXusc-Nm4J:https://mpsrdh.gov.in/aboutUsCitizen.html+&cd=2&hl=en&ct=clnk&gl=in&client=firefox-b-ab" rel="noopener" target="_blank">then linking the same</a> to residents’ corresponding Aadhaar data.</p>
<p style="text-align: justify; ">Damage control would be costly and painstaking due to the number of people enrolled. What adds to the disastrous consequences is that one cannot just deactivate their Aadhaar or opt-out of the programme the way they would with say a compromised Facebook or Twitter account. You can always deactivate Facebook. You cannot deactivate your Aadhaar. It should be noted that even with biometrics set to ‘disabled’, Aadhaar verification transactions can be verified through OTP.</p>
<p style="text-align: justify; ">Additionally, the Aadhaar ecosystem is such that information about individuals can be accessed not just from UIDAI servers but also from other third-party databases where Aadhaar numbers are linked with their own respective datasets. Due to this aspect – multiple points of failure are introduced for possible compromise of data, especially because third-party databases are almost certainly not as secure as the CIDR.</p>
<p style="text-align: justify; ">Recently, after taking a closer look at the ecosystem of websites which incorporate the use of Aadhaar based authentication, I <a href="https://www.karansaini.com/extracting-aadhaar-linked-phone-numbers/" rel="noopener" target="_blank">discovered that it was possible</a> to extract the phone number linked to any given Aadhaar through the use of websites which poorly implemented Aadhaar text-based (OTP) authentication.</p>
<p style="text-align: justify; ">This process worked by first retrieving the last four digits of the phone number linked to an Aadhaar using any website which reveals this information (this includes DigiLocker, NFSM.gov.in and seems to be standard practice which seems to be enforced by UIDAI) and then performing an enumeration attack on the first six digits using websites which allow the user to provide both their Aadhaar number and the verified phone number linked to it.</p>
<p style="text-align: justify; ">This again highlights that while secure practices might be followed by the UIDAI, the errors in implementation and other flaws are introduced nevertheless by third parties who interface with Aadhaar, posing a risk to the privacy and security of its data.</p>
<h3 style="text-align: justify; ">The bank mapper rabbit hole</h3>
<p style="text-align: justify; ">As of February 24, 2017, it <a href="https://thewire.in/government/india-inc-needs-to-fix-numerous-basic-%20information-security-flaws-quickly)" target="_blank">was possible</a> to retrieve bank linking status information directly from UIDAI’s website without any prior verification.</p>
<p style="text-align: justify; ">However, after this information was reported, the ‘<a href="https://uidai.gov.in/" rel="noopener" target="_blank">uidai.gov.in</a>’ website was updated to first require requesters to prove their identity before retrieving Aadhaar bank-linking data from the endpoint on their website.</p>
<p style="text-align: justify; ">A year later – when business technology news site <i>ZDNet </i>published their report regarding a flawed API on the website of a state-owned utility company (later revealed to be Indane) – part of the data revealed included bank linking status information which was identical to what was previously revealed on UIDAI’s website without proper authentication.</p>
<p style="text-align: justify; ">This suggests that both the Indane API and UIDAI website utilised the National Payments Corporation of India (NPCI) to retrieve bank-linking data – but as of now, this remains conjecture since Indane never put out a statement or gave a public comment regarding the flawed API on their website.</p>
<p style="text-align: justify; ">More importantly, what this also suggests is that the NPCI never placed any controls or security mechanisms (such as request throttling or access controls) on the lookup requests it processed for the UIDAI (and seemingly for Indane as well).</p>
<p style="text-align: justify; ">This means that while the UIDAI may have fixed their website to not reveal bank linking data without proper verification – the issue was not rectified at its core by the NPCI – allowing the same to happen a year later in Indane’s case. This practice also classifies as a case of security through obscurity, <a href="http://users.softlab.ntua.gr/~taver/security/secur3.html" rel="noopener" target="_blank">which</a> “is the belief that a system of any sort can be secure so long as nobody outside of its implementation group is allowed to find out anything about its internal mechanisms”.</p>
<h3 style="text-align: justify; ">Who is on the hook?</h3>
<p style="text-align: justify; ">There is a lack of needed accountability when it comes to data breaches. Have any of the organisations against whom allegations of data breach have been made been investigated and acted on? Have fines been imposed on those responsible for allowing access/theft of user data? Have there been reports published by any of the affected organisations in which they investigate any alleged breaches to either provide insight regarding the breach and its impact, the scale of data accessed, logs of access and other crucial evidence or dismiss the allegations by proving that there was no intrusion which took place?</p>
<p style="text-align: justify; ">Most of the time, organisations do not even accept that a breach has taken place, let alone take responsibility for the same and strive to better protect user data in the future.</p>
<p style="text-align: justify; ">Switching to ‘PR spin mode’ should never be the answer when dealing with the data of billion-plus Indian citizens and residents. This can be observed in almost all cases where a breach or security lapse was alleged.</p>
<p style="text-align: justify; ">The UIDAI has also acquired the dubious reputation of sending legal notices and slapping cases on journalists and security researchers who seek to highlight the security and privacy problems ailing the Aadhaar infrastructure.</p>
<p style="text-align: justify; ">In March 2017, a case against Sameer Kochhar – chairman of the Skoch Group – was filed on the basis of a complaint from Yashwant Kumar of the UIDAI allegedly for “spreading rumours on the internet about vulnerability of the Aadhaar system”. Kochhar had written an article in February 2017 titled “Is a Deep State at Work to Steal Digital India?” in which a request replay attack on biometric Aadhaar authentication was demonstrated.</p>
<p style="text-align: justify; ">Two months later, The Centre for Internet and Society published a report regarding several government websites which were inadvertently leaking millions of Aadhaar card numbers. A few days after this report was published, the UIDAI <a href="https://in.reuters.com/article/india-aadhaar-breach/critics-of-aadhaar-project-say-they-have-%20been-harassed-put-under-surveillance-idINKCN1FX1SS" rel="noopener" target="_blank">sent a legal notice to the organisation</a>, stating that the people involved with the report had to be “brought to justice”.</p>
<p style="text-align: justify; ">In January 2018, an investigative story was published by Rachna Khaira of <em>The Tribune</em> newspaper – in which she reported that access to an Aadhaar portal was being sold by “agents” for as cheap as Rs 500. In response to this story – the UIDAI first sought to discredit the investigative work by calling it a ‘case of misreporting’ – after which they attempted to downplay the magnitude of the report by citing that biometrics were safe and had not been breached.</p>
<p style="text-align: justify; ">Following this, the Delhi crime branch registered an FIR against the reporter and others named in the article on the basis of a complaint by a UIDAI official, with charges ranging from forgery, cheating by impersonation and unauthorised access of a computer system.</p>
<p style="text-align: justify; ">In March 2018, <em>ZDNet</em> published a report about Aadhaar-related data leaking from an unsecured API on a utility provider’s website. This was the result of days of testing to first confirm the existence of the issue and its scope. It was preceded by more than a month of attempted communication through several channels – email, phone, even direct messages via Twitter – with both Indane and the UIDAI (and even the Indian Consulate in New York).</p>
<p style="text-align: justify; ">But still, when the report was published after a lack of acknowledgement/response from affected parties, the UIDAI was quick to deny the report as well as any possibility of such a thing occurring. The Aadhaar agency then released a statement in which they said they were ‘contemplating legal action’ against the publication of their report.</p>
<p style="text-align: justify; ">Data security and privacy laws won’t do much to affect the dismissive and hostile attitude the UIDAI seems to have regarding the people that investigate and report on security and privacy issues relating to Aadhaar.</p>
<h3 style="text-align: justify; ">Hide and seek</h3>
<p style="text-align: justify; ">In general, when it comes to reports of security breaches and security incidents, many authorities in India prefer playing the blame-game. This was seen most recently in response to an internal letter (ironically marked as ‘SECRET’) that was circulated on social media – which mentioned that data was stolen from the Aadhaar Seeding portal of the EPFO by hackers exploiting a known vulnerability in the Apache Struts framework.</p>
<p style="text-align: justify; ">Following this – the EPFO <a href="https://economictimes.indiatimes.com/wealth/personal-finance-news/epfo-slams-aadhaar-data-theft-reports-on-social-media/articleshow/63999631.cms?utm_source=WAPusers&utm_medium=whatsappshare&utm_campaign=socialsharebutton&from=mdr" rel="noopener" target="_blank">quickly switched to PR mode</a> and publicly issued a statement through their official Twitter account (@socialepfo) denying the breach – saying that “There is no leak from EPFO database. We have already shut down the alleged Aadhaar seeding site run by Common Service Centres on 22.03.2018.”</p>
<p style="text-align: justify; ">Every time reports of a potential breach or leak of data circulate, Indian government agencies are quick to come out and announce that no breach has taken place. However, this is always to be taken just on the basis of their saying so, as opposed to the reports they are arguing against, which (in some cases) contain verifiable evidence that is the result of arduous investigative work.</p>
<p style="text-align: justify; ">Regardless, passing around the blame and in cases completely denying security incidents is not something authorities should be doing when it concerns the data of more than a billion people.</p>
<p style="text-align: justify; ">In response to a recent story by <em>Asia Times</em> <a href="https://www.thewire.in/government/cracked-aadhaar-enrolment-software-being-sold" rel="noopener" target="_blank">regarding Aadhaar enrolment software being cracked and sold</a>, the UIDAI sought to discredit and discount the report through messages shared on their social media profiles – where they stated that the report was “baseless, false, misleading and irresponsible”.</p>
<p style="text-align: justify; ">The UIDAI should have an interest in protecting any and all data which stems from or relates to Aadhaar as it has to do with a project they are ultimately responsible for. It should not matter whether the leak occurred from a portal on EPFO’s website, an API without proper access controls on Indane’s website, a website of the Andhra Pradesh state government, through biometric request replay attacks, through sold access to admin portals and cracked software, or however else. It should ultimately be the UIDAI’s responsibility to not only be reactive about these issues when they’re brought to light but to do so in such a way which does not hinder reporters from continuing their work.</p>
<p style="text-align: justify; ">Additionally, if the UIDAI wishes to keep its systems as secure as they could be – they should proactively seek such reports about flaws or vulnerabilities in critical infrastructure pertaining to their project.</p>
<h3 style="text-align: justify; ">The way forward</h3>
<p style="text-align: justify; ">In April 2018, the head of the Indian Computer Emergency Response Team (CERT-In), <a href="https://factordaily.com/vulnerability-reported-cert/" rel="noopener" target="_blank">rather defensively noted</a> that “not a single person had reported any incident” to the organisation.</p>
<p style="text-align: justify; ">CERT-In, a part of the IT ministry, is the central agency responsible for dealing with security issues and incidents. To put it bluntly, it has not done a very great job of outreach when it comes to the people it ultimately relies on: security researchers and hackers.</p>
<p style="text-align: justify; ">In India, there is an abundance of skills and talent when it comes to IT security and this could be of immense help to organisations responsible for managing critical infrastructure – but only if they cared enough to utilise it to the fullest extent.</p>
<p style="text-align: justify; ">Ajay Bhushan Pandey, the CEO of UIDAI, promised a secure and legal bug reporting environment for the Aadhaar ecosystem sometime in 2017. However, almost a year later, there are no tangible signs of any steps being taken to ensure the same. In fact, the UIDAI would already be straying from their usual course of action if they stopped harassing people reporting on issues of security and privacy with regard to Aadhaar.</p>
<p style="text-align: justify; ">It has been suggested that the UIDAI employ a bug bounty programme – which involves rewarding hackers with monetary compensation or through means such as an addition to a ‘Security Hall of Fame’ as an incentive.</p>
<p style="text-align: justify; ">I personally believe that there is no need for a bug bounty programme in its traditional sense – meaning that UIDAI should not have to provide material incentives to attract hackers to report valid issues to them. Simply acknowledging the work of those that discover and report valid issues should more than likely be incentive enough to get talent on-board.</p>
<p style="text-align: justify; ">The US Department of Defense (DoD) employs a similar approach <a href="https://www.hackerone.com/sites/default/files/2018-03/Distributed%20Defense-How%20Governments%20Deploy%20Hacker-Powered%20Security.pdf" rel="noopener" target="_blank">where they invite hackers from the world</a> over to test their systems for security vulnerabilities/bugs and then report them in a responsible manner. What the hackers get in return is the acknowledgement of their skill and devotion to ensuring the security of DoD’s platform. Something similar needs to be set up with regard to critical information infrastructures in India so that issues can be reported by anyone who wishes to do so – without hassle and/or fear of persecution hanging over the heads of hackers.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/the-wire-karan-saini-may-11-2018-aadhaar-remains-an-unending-security-nightmare-for-a-billion-indians'>http://editors.cis-india.org/internet-governance/news/the-wire-karan-saini-may-11-2018-aadhaar-remains-an-unending-security-nightmare-for-a-billion-indians</a>
</p>
No publisher | Admin | Aadhaar, Internet Governance, Privacy | 2018-05-13T16:28:40Z | News Item
Indian Cricket Board Exposes Personal Data of Thousands of Players
http://editors.cis-india.org/internet-governance/news/hack-read-waqas-may-15-2018-indian-cricket-board-exposes-personal-data-of-thousands-of-players
<b>The IT security researchers at Kromtech Security Center discovered a trove of personal and sensitive data belonging to around 15,000 to 20,000 Indian applicants participating in cricket seasons 2015-2018.</b>
<p style="text-align: justify; ">The blog post was published on <a class="external-link" href="https://www.hackread.com/indian-cricket-board-exposes-data-of-cricketers/">Hack Read</a> on May 15, 2018.</p>
<hr />
<p style="text-align: justify; ">The authority responsible for protecting this data was The Board of Control for Cricket in India (BCCI) but it was left exposed to the public in two misconfigured AWS (Amazon Web Services) S3 cloud storage buckets.</p>
<p style="text-align: justify; "><a href="https://mackeepersecurity.com/post/bcci-exposed-players-personal-sensitive-data" rel="noopener" target="_blank">According to the analysis</a> from Kromtech researchers, the data was divided into different categories of players including those under 19 years old. The data was accessible to anyone with an Internet connection and basic knowledge of using AWS cloud storage.</p>
<p style="text-align: justify; ">The data was discovered earlier this month and included names, date of birth, place of birth, permanent addresses, email IDs, proficiency details, medical records, birth certificate number, passport number, SSC certificate number, PAN card number, mobile number, landline and phone number of the person who can be contacted in case of emergency.</p>
<p style="text-align: justify; "><img alt="Indian Cricket Board Exposes Personal Data of Thousands of Players" src="https://www.hackread.com/wp-content/uploads/2018/05/indian-cricket-board-exposes-personal-data-of-thousands-of-players-1.png?x62286" /></p>
<p>Screenshot of one of the files that were exposed (Image credit: Kromtech)</p>
<p style="text-align: justify; ">At the time of publishing this article, the BCCI was informed by Kromtech researchers and both misconfigured buckets were secured. However, this is not the first time that such sensitive information was leaked online. In 2017, Bangalore-based Centre for Internet and Society (CIS) <a href="https://www.hackread.com/indian-biometric-system-data-leaked/" rel="noopener" target="_blank">found that</a> names, addresses, date of birth, PAN card details, Aadhaar card numbers and other relevant details of millions of Indian citizens could be found with just a simple Google search.</p>
<p style="text-align: justify; ">On the other hand, lately, AWS buckets have been <a href="https://www.hackread.com/localblox-exposes-millions-of-facebook-linkedin-data/" rel="noopener" target="_blank">making headlines for the wrong reasons</a>. Until now, there have been tons of cases in which misconfigured AWS buckets have been found carrying highly sensitive and confidential data <a href="https://www.hackread.com/unprotected-s3-cloud-bucket-exposed-100gb-of-classified-nsa-data/" rel="noopener" target="_blank">such as classified NSA documents</a> or details about <a href="https://www.hackread.com/misconfigured-amazon-s3-buckets-exposed-us-militarys-social-media-spying-campaign/" rel="noopener" target="_blank">US Military’s social media spying campaign</a>.</p>
<p style="text-align: justify; ">In two such cases, malicious hackers were able to compromise AWS buckets belonging to <a href="https://www.hackread.com/hackers-compromise-tesla-cloud-server-to-mine-cryptocurrency/" rel="noopener" target="_blank">Tesla Motors</a> and <a href="https://www.hackread.com/la-times-website-hacked-mine-monero-cryptocurrency/" rel="noopener" target="_blank">LA Times</a> to secretly mine cryptocurrency. Therefore, if you are an AWS user make sure your cloud server is properly secured.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/hack-read-waqas-may-15-2018-indian-cricket-board-exposes-personal-data-of-thousands-of-players'>http://editors.cis-india.org/internet-governance/news/hack-read-waqas-may-15-2018-indian-cricket-board-exposes-personal-data-of-thousands-of-players</a>
</p>
No publisher | Admin | Aadhaar, Internet Governance, Privacy | 2018-05-18T05:01:50Z | News Item
Digital Native: Cause an Effect
http://editors.cis-india.org/raw/indian-express-nishant-shah-june-17-2018-digital-native-cause-an-effect
<b>Aadhaar is a self-contained safe system, its interaction with other data and information systems is also equally safe and benign.</b>
<p style="text-align: justify; ">The article was published in the <a class="external-link" href="https://indianexpress.com/article/technology/social/digital-native-cause-an-effect-5219977/">Indian Express</a> on June 17, 2018.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Statistically, it has been proven that the consumption of ice cream in the country increases significantly in the summer months. In the same months, the number of housebreak incidents also increases. It might be possible, though ridiculous, to now make an argument that eating ice cream leads to increased frequencies of housebreakings, and, hence, sale and consumption of ice cream should be regulated more rigorously. The humour in this situation arises out of the fact that we know, at a very human level, that correlation is not the same as causation.</p>
<p style="text-align: justify; ">We know that just because two things happen in temporal or spatial proximity with each other doesn’t necessarily mean they are connected or responsible in a chain of events. This is because human communication is designed to make a distinction between cause-and-effect relationship and happened-together relationship between two sets of information.</p>
<p style="text-align: justify; ">However, when it comes to computation, things turn slightly different. Within the database logics of computation, two sets of data, occurring in the same instance, are subjected to a simple scrutiny: Either one of them is linked with the other, or, one of the two is noise, and, hence, needs to be removed from the system. Computation systems are foundationally anchored on logic. Within logical systems, all the events and elements described in the system are interlinked and have a causal relationship with each other. Computational learning systems, thus, do not have the capacity to make a distinction between causal and correlative phenomena.</p>
<p style="text-align: justify; ">This is why computation systems of data mining and profiling are so much more efficient than human cognition. Not only are these systems able to compute a huge range of data, but they are also able to make unprecedented, unforeseen, unexpected, and often unimagined connections between seemingly disparate and separate information streams. I present to you this simplified notion of computer logic because it is at the heart of the biometric identity-based debates around <a href="https://indianexpress.com/article/what-is/what-is-aadhaar-card-and-where-is-it-mandatory-4587547/">Aadhaar</a> right now. Recently, Ajay Bhushan Pandey, CEO, UIDAI, wrote an opinion piece that insisted that the data collective mechanisms of Aadhaar are not only safe but also benign. His opinion is backed by Bill Gates, who also famously suggested that “Aadhaar in itself” is not dangerous.</p>
<p style="text-align: justify; ">And, in many ways, Gates is right, even if Pandey’s willful mischaracterisation of Gates’s statement is not. For Gates, a computer scientist looking at the closed architecture of the Aadhaar system, it might appear, that in as much as any digital system could be safe, Aadhaar is indeed safe. In essence, Gates’s description was, that as a logical system of computational architecture, Aadhaar is safe, and the data within it, in their correlation with each other, does not form any sinister networks that we need to worry about.</p>
<p style="text-align: justify; ">However, Pandey takes this “safe in itself” argument to extend it to the applications and implementations of Aadhaar. He argues that because Aadhaar is a self-contained safe system, its interaction with other data and information systems is also equally safe and benign. In this, Pandey, either out of ignorance or willful mischaracterisation, confuses correlation with causality. He refuses to admit that Aadhaar and the biometrics within that are the central focal point around which a variety of data transactions happen which produce causal links between disconnected subjects.</p>
<p style="text-align: justify; ">Thus, the presence of a digital biometric data set might not in itself be a problem, but when it becomes the central verification system that connects your cellphone with your geolocation data, your presence and movement with your bank account and your income tax returns, your food and lifestyle consumption with your medical records, it starts a causal link between information which was hitherto unconnected, and, hence, considered trivial.</p>
<p style="text-align: justify; ">The alarm that the critics of Aadhaar have been raising is not about whether the data on Aadhaar is safe or not, but, how, in the hands of unregulated authorities, the correlations that Aadhaar generates and translates into causal profiles have dire consequences on the privacy and liberty of the individuals who carry the trace of Aadhaar in all facets of life. Pandey and his team of governors need to explain not the safety of Aadhaar but what happens when the verification information of Aadhaar is exploited to create non-human correlations of human lives, informing policy, penalisation and pathologisation through these processes.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/raw/indian-express-nishant-shah-june-17-2018-digital-native-cause-an-effect'>http://editors.cis-india.org/raw/indian-express-nishant-shah-june-17-2018-digital-native-cause-an-effect</a>
</p>
No publisher | nishant | Researchers at Work, Aadhaar, Digital Natives | 2018-06-26T15:21:01Z | Blog Entry