The Centre for Internet and Society
http://editors.cis-india.org
These are the search results for the query, showing results 21 to 35.
UIDAI remains silent on #Aadhaarleaks of 13 crore users through government portals
http://editors.cis-india.org/internet-governance/news/newslaundry-shruti-menon-may-2-2017-uidai-remains-silent-on-aadhaar-leaks-of-users-through-govt-portals
<b>As the arguments for making Aadhaar mandatory go on, is there any way to stem the leaks and identify who exactly has all this information?</b>
<p style="text-align: justify; ">The blog post by Shruti Menon was <a class="external-link" href="https://www.newslaundry.com/2017/05/02/uidai-remains-silent-on-aadhaarleaks-of-13-crore-users-through-government-portals">published by Newslaundry</a> on May 2, 2017.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The verdict on linking Aadhaar with Permanent Account Number (PAN) and making it mandatory for filing income tax returns (ITRs) will be out soon. Attorney General Mukul Rohatgi had a tough challenge ahead of him in the Supreme Court as the state presented its argument today. Rohatgi defended the <a href="http://www.livemint.com/Politics/3FcQ9lHm7TWX5B0Hn7ZXiO/Aadhaar-to-be-mandatory-for-income-tax-returns-getting-PAN.html" target="_blank">amendment in income tax law</a> allowing this after senior lawyer Shyam Divan made a <a href="http://www.livemint.com/Politics/sN0S5mYYx641tgrctGf03H/Shyam-Divan-concludes-arguments-in-Aadhaar-case-in-Supreme-C.html" target="_blank">strong case</a> against it on April 26 and 27. Divan became a hero to many overnight after he presented compelling arguments against the amendment citing facets of right to privacy - informational self-determination, personal autonomy, and bodily integrity - as he did so. Though the court has <a href="https://www.thequint.com/opinion/2017/05/01/aadhaar-case-privacy-and-bodily-integrity" target="_blank">refused to entertain</a> arguments pertaining to privacy, he managed to argue these concerns without couching them under right to privacy laws.</p>
<p style="text-align: justify; ">Advocate Gautam Bhatia posted <a href="https://barandbench.com/aadhar-hearing-number-tagging-nazi-concentration-camps/" target="_blank">minute-by-minute developments from the courtroom</a>, and soon, #ThankYouMrDivan became one of the top trends on Twitter.</p>
<p style="text-align: justify; ">A day before the state presented its arguments, the Centre for Internet and Society (CIS) published a <a href="http://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof-a-documentation-of-public-availability-of-aadhaar-numbers-with-sensitive-personal-financial-information-1" target="_blank">report</a> titled “Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar numbers with sensitive personal financial information” late on Monday. Authored by Amber Sinha and Srinivas Kodali, the report documents the leaks of over 13 crore Aadhaar numbers and resulting information of beneficiaries through four government portals: two at the centre and two at the state. “We are primarily talking of lack of standards and data fact-checking, storage and how all of this information- account numbers, phone numbers plus, Aadhaar numbers- in public domain increases the nature of risk of the backbone of digital payments,” Kodali told <i>Newslaundry</i>.</p>
<p style="text-align: justify; ">The four portals studied by the two are National Social Assistance Programme (NSAP), National Rural Employment Guarantee Act (NREGA) and two databases of Andhra Pradesh- NREGA and their scheme called Chandranna Bima. The report claims that the aforementioned public portals compromised personally identifiable information (PII) including “Aadhaar numbers and financial details such as bank account numbers” of 13 crore people due to a lack of security controls.</p>
<p style="text-align: justify; ">“While the details were masked for public view, someone with login access could get the details,” the report read. “When one of the url query parameters of the website showing the masked personal details was modified from ‘nologin’ to ‘login’, that is, control access to login based pages were allowed providing unmasked details without the need for a password.” What this essentially means is that these portals allow people to explore lists organised by states, districts, area, sub-district, and municipalities which contain the personal information of the people who are enrolled into the schemes.</p>
<p style="text-align: justify; ">The report also cites legal framework under the Aadhaar Act that allows the government or private entities to store Aadhaar numbers on the grounds that they won’t be used for purposes other than those listed in the act. CIS’s study, however, reveals that information pertaining to religion, caste, race, tribe or even income is sometimes collected and published on such portals with little in the way of security checks.</p>
<p style="text-align: justify; ">Speaking to <i>Newslaundry,</i> Anupam Saraph, professor and former governance and IT advisor to Goa’s Chief Minister, Manohar Parrikar, said that the data exposed could be significantly more than what the report shows. “Many more Aadhaar numbers have been exposed on websites relating to Pension Schemes, PDS, Ministry of Water and Sanitation, Ministry of Human Resource Development, Scholarships, Schools, Colleges, Universities, Kendriya Sainik board, PM Avas Yojana to name a few,” he said. “Besides this Registrars to the UIDAI (State Governments and various ministries of the Central government, some Public Sector undertakings) were allowed to retain the Aadhaar number, demographic and biometric data (associated with the Aadhaar number). While this may not be exposed on websites, it is unsecured and possibly accessible to data brokers within and outside government,” said Saraph who has designed delivery channels and ID schemes for better governance.</p>
<p style="text-align: justify; ">What’s worth noting is that the people whose data has been breached are unaware that their information is available on public platforms and vulnerable to data theft. “It is UIDAI’s [Unique Identification Authority of India] job to investigate and inform them,” Kodali told <i>Newslaundry</i>. “At some point of time, everybody is going to have everybody’s information,” he added.</p>
<p style="text-align: justify; ">Currently, the government has an <a href="https://data.gov.in/" target="_blank">open data portal</a>. It describes itself as a platform “intended to be used by Government Ministries/Departments and their organisation to publish datasets, documents, services, tools and applications collected by them for public use”.</p>
<p style="text-align: justify; ">So is it feasible to have open data portals for transparency and accountability? “Having certain government data being publicly accessible is certainly desirable,” Saraph said. He added that the problem is that data on public expenditure should ideally be openly accessible, but it is also where the most leakage occurs. “Making Aadhaar mandatory is meaningless,” he said, as India does not have a policy on open data portals yet, which can subject Aadhaar data to “misuse”.</p>
<p style="text-align: justify; ">Given that the UIDAI is responsible for investigating and making people aware of any data breach or theft, they have remained silent for an oddly long time. It is unclear whether the UIDAI is itself aware of who has accessed the data that is insecurely published on these government portals. “They’re letting everybody collect this information but they were not aware themselves that who had access to this information, that’s the main problem,” Kodali said. While the Aadhaar ecosystem was to ensure social inclusion and transparency, in its current form, the system looks so opaque that the people who are running it may not be aware themselves of what is going on.</p>
<p style="text-align: justify; "><b>What does it mean to have access to someone else’s Aadhaar?</b></p>
<p style="text-align: justify; ">With an increasing number of social welfare schemes being linked to Aadhaar, it was touted as an attempt to remove the middlemen, frauds and corruption with the government. According to the report, "A cumulative amount of Rs 1,78,694.75 has been transferred using DBT for 138 schemes under 27 ministries since 2013. Various financial frameworks like Aadhaar Payments Bridge (APB) and Aadhaar Enabled Payment Systems (AePS) have been built by National Payment Corporation of India to support DBT and also to allow individuals use Aadhaar for payments."</p>
<p style="text-align: justify; ">Given that such systems are in place to ensure easier and accessible banking, research shows that the Aadhaar seeding process led to government portals putting personal information of so many people under various schemes in the "absence of information security practices to handle so much PII", as per the research. This is not only a breach of privacy but also makes a person vulnerable to financial fraud in cases where their bank details are public. "One of the prime examples is individuals receiving phone calls from someone claiming to be from the bank. Aadhaar data makes this process much easier for fraud and increases the risk around transactions," the report reads.</p>
<p style="text-align: justify; "><b>UIDAI on silent mode</b></p>
<p style="text-align: justify; ">Unfortunately, UIDAI has not addressed this concern, let alone acknowledged it. It has been cracking down on people by filing first information reports (FIRs) against those tracking and exposing the vulnerabilities of the Aadhaar system. Recently, UIDAI’s Chief Executive Officer (CEO), ABP Pandey, was accused of blocking Twitter handles of prominent security researchers and analysts who have been extensively reporting about vulnerabilities in the Aadhaar system.</p>
<p style="text-align: justify; ">One of the handles blocked was Saraph’s. “I do not know why they blocked me. I have been vocal about the problems associated with the UID and its use,” he said. He added that he served several <a href="http://www.moneylife.in/article/resisting-violations-of-the-supreme-court-orders-on-aadhaar/49121.html," target="_blank">notices</a> of contempt of court to the CEO of UIDAI and has been questioning the verification and audit of UID database. “Perhaps [he] was annoyed with my efforts to make them accountable and responsible,” he said.</p>
<p style="text-align: justify; ">On April 18, however, in a response to a Right to Information (RTI) query filed by Sushil Kambampati, UIDAI denied having blocked any Twitter handles. Almost immediately, it was called out on Twitter for ‘lying’ in the RTI response as many users claimed it had.</p>
<p style="text-align: justify; ">Saraph declared that such a move, the blocking of users asking questions, was indicative of UIDAI’s cluelessness. Apar Gupta, a Delhi-based lawyer working on cyber security, had told <i>Newslaundry </i>that it was unethical and unconstitutional of government bodies (such as the UIDAI) to block people. He reiterated that in one of his tweets recently.</p>
<p style="text-align: justify; ">Today, however, Pandey’s individual Twitter profile no longer exists. It has now been changed to “ceo_office”. CIS’s report states that the UIDAI has been pushing for more databases to get in sync with Aadhaar, but with little or no accountability. “While the UIDAI has been involved in proactively pushing for other databases to get seeded with Aadhaar numbers, they take a little responsibility in ensuring the security and privacy of such data,” the report reads. Kodali, however, told <i>Newslaundry </i>that the report was not aimed at questioning the security of such seeding. “We’re not saying it is not really secure but we’re just saying it increases the risk factors,” he said.</p>
<p style="text-align: justify; ">UIDAI has also not responded to several queries filed by vulnerability testers.</p>
<p style="text-align: justify; "><i>Newslaundry </i>reached out to the UIDAI with the following questions:</p>
<ol style="text-align: justify; ">
<li><i>According to the report published, four government portals have personally identifiable information of about 13 crore people including their Aadhaar numbers and bank account details. What is being done about this?</i></li>
<li><i>If a person's privacy has been breached, what are the steps UIDAI would take for redressal?</i></li>
<li><i>Is UIDAI investigating the 13 crore Aadhaar leaks?</i></li>
<li><i>The report states "When one of the url query parameters of website showing the masked personal details was modified from “nologin” to “login”, that is control access to login based pages were allowed providing unmasked details without the need for a password." Is this true, and if so, what is your statement?</i></li>
<li><i>How do you ensure data security on open data portals?</i></li>
</ol>
<p style="text-align: justify; ">This piece will be updated if and when they respond.</p>
<p style="text-align: justify; ">While UIDAI remains silent, A-G Rohatgi argued today that close to 10 lakh PAN cards were found to be fake. "Are they propagating a general public interest or propagating the fraud (fake PANs) which is going in," he said at the court today while suggesting that Aadhaar was the only way of preventing fake or duplicate cards.</p>
<p style="text-align: justify; ">Senior advocate Arvind Datar, who is also appearing for one of the three petitioners in the case, said that the government could not take away his right to choose whether or not to have an Aadhaar. "The Supreme Court had directed them that they cannot make it mandatory. The mandate of the Supreme Court can not be undone. My right of not to have an Aadhaar can not be taken away indirectly."</p>
<p style="text-align: justify; ">Though there are problems with the Aadhaar system and apparently very little redressal at the citizen’s end, Aadhaar is here to stay. As Divan and Rohatgi argue the constitutionality of making Aadhaar mandatory at the Supreme Court, the pertinent question that only the UIDAI can answer is whether they are technologically capable of keeping data secure given how aggressively Aadhaar linkage is being promoted.</p>
<p style="text-align: justify; ">However, Rohatgi's argument in court today, according to a Business Standard report was that the government cannot destroy the Aadhaar cards of people even after their death. Instead of being reassuring, this only seems to increase the possibilities for identity theft, as if there is little in the way of redressal mechanisms in life, what choices do the dead have?</p>
<p style="text-align: justify; "><b>The author can be contacted on Twitter <a href="https://twitter.com/shrutimenon10" target="_blank">@shrutimenon10</a>.</b></p>
No publisher | praskrishna | Aadhaar | Internet Governance | Privacy | 2017-05-20T11:06:16Z | News Item
UIDAI puts posers to CIS over Aadhaar data leak claim
http://editors.cis-india.org/internet-governance/news/financial-express-may-19-2017-pti-uidai-puts-posers-to-cis-over-aadhaar-data-leak-claim
<b>Aadhaar-issuing authority UIDAI has asked research firm Centre for Internet and Society (CIS) to explain its sensational claim that 13 crore Aadhaar numbers were "leaked" and provide details of servers where they are stored.</b>
<p style="text-align: justify; ">The article originally published by PTI was also <a class="external-link" href="http://www.financialexpress.com/economy/uidai-puts-posers-to-cis-over-aadhaar-data-leak-claim/675814/">published by the Financial Express</a> on May 19, 2017.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Aadhaar-issuing authority UIDAI has asked research firm Centre for Internet and Society (CIS) to explain its sensational claim that 13 crore Aadhaar numbers were “leaked” and provide details of servers where they are stored. In a precursor to initiating a probe into the matter, the Unique Identification Authority of India (UIDAI) also wants CIS to clarify just how much of such “sensitive data” are still with it or anyone else. The UIDAI — which has vehemently denied any breach of its database — shot off a letter to CIS yesterday asking for the details, including the servers where the downloaded “sensitive data” are residing and information about usage or sharing of such data.</p>
<p style="text-align: justify; ">Underscoring the importance of bringing to justice those involved in “hacking such sensitive information”, the UIDAI sought CIS’ “assistance” in this regard and has given it time till May 30 to revert on the issue. “Your report mentions 13 crore people’s data have been leaked. Please specify how much (of) this data have been downloaded by you or are in your possession, or in the possession of any other persons that you know,” the UIDAI said in its communication to CIS.</p>
<p style="text-align: justify; ">Interestingly, in what market watchers described as an apparent flip-flop, CIS has now clarified that there was no ‘leak’ or ‘breach’ of Aadhaar numbers, but rather ‘public disclosure’. Meanwhile, the UIDAI has quoted sections of the Information Technology Act, 2000, and the Aadhaar Act to emphasise that violation of the clauses is punishable with rigorous imprisonment of up to 10 years. “While your report suggests that there is a need to strengthen IT security of the government websites, it is also important that persons involved in hacking such sensitive information are brought to justice for which your assistance is required under the law,” it said.</p>
<p style="text-align: justify; ">The UIDAI has also sought technical details on how access was gained for the National Social Assistance Programme (NSAP) site — one of the four portals where the alleged leak happened. When contacted, UIDAI CEO Ajay Bhushan Pandey said, “We do not comment on individual matters.” The UIDAI has also asked for details of systems that were involved in downloading and storing of the sensitive data so that forensic examination of such machines can be conducted to assess the quantum and extent of damage to privacy of data.</p>
<p style="text-align: justify; ">The UIDAI letter comes after a CIS report early this month which claimed that Aadhaar numbers and personal information of as many as 135 million Indians could have been leaked from four government portals due to lack of IT security practices. “Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million,” the report had said.</p>
<p style="text-align: justify; ">However, in an apparent course correction on May 16, a day before the UIDAI’s letter went out, CIS updated its report and clarified that although the term ‘leak’ was originally used 22 times in its report, it is “best characterised as an illegal data disclosure or publication and not a breach or a leak”. CIS has also claimed that some of its findings were “misunderstood or misinterpreted” by the media, and that it never suggested that the biometric database had been breached. “We completely agree with both Dr Pandey (UIDAI CEO) and Sharma (Trai Chairman R S Sharma) that CIDR (Aadhaar central repository) has not been breached, nor is it suggested anywhere in the report,” CIS said in its latest update.</p>
No publisher | praskrishna | UIDAI | Aadhaar | Internet Governance | Privacy | 2017-05-19T09:28:33Z | News Item
UIDAI introduces new two-layer security system to improve Aadhaar privacy
http://editors.cis-india.org/internet-governance/news/economic-times-january-11-2018-uidai-introduces-new-two-layer-security-system-to-improve-aadhaar-privacy
<b>The Unique Identification Authority of India (UIDAI) has introduced a system of virtual authentication for citizens enrolled on its database and limited the access available to service providers in a move aimed at allaying widespread concern over security breaches that have dogged the world's largest repository of citizen data. </b>
<p style="text-align: justify; ">The article was published in <a class="external-link" href="https://economictimes.indiatimes.com/news/economy/policy/uidai-introduces-new-two-layer-security-system-to-improve-aadhaar-privacy/articleshow/62442873.cms">Economic Times</a> on January 11, 2018.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">In one of the most significant security upgrades by the eight-year-old agency, the UIDAI announced the creation of a "virtual ID" which can be used in lieu of the 12-digit Aadhaar number at the time of authentication for any service.</p>
<p style="text-align: justify; ">The UIDAI has also limited access to stored personal information and mandated the use of unique tokens through which authenticating agencies can access required data. It claims that the measures will strengthen privacy and also prevent combining of databases linked to Aadhaar.</p>
<p style="text-align: justify; ">ET was the first to report about the UIDAI plan to introduce virtual numbers to address security concerns in its November 20 edition last year.</p>
<p style="text-align: justify; ">A top government official told ET that UIDAI has been working on this technology since July of 2016. "This is going to be one of the biggest innovations ever, people can change their virtual ID whenever they want or after every authentication or every 10 seconds." He added that this will silence most critics of Aadhaar.</p>
<p id="_mcePaste" style="text-align: justify; ">"The Aadhaar number being the permanent ID for life, there is need to provide a mechanism to ensure its continued use while optimally protecting the collection and storage in many databases," the UIDAI said in a notification on Wednesday while announcing the new measures.</p>
<h3 style="text-align: justify; ">More Needed to be Done: Experts</h3>
<p style="text-align: justify; ">"The collection and storage of Aadhaar number by various entities has heightened privacy concerns," it stated.</p>
<p style="text-align: justify; ">Under the new regime, for every Aadhaar number, the authority will issue a 16-digit virtual identity number which will be "temporary and revocable at any time."</p>
<p style="text-align: justify; ">This virtual ID can be generated only by the individual Aadhaar holder and can be replaced by a new one after a minimum validity period.</p>
<p style="text-align: justify; ">In addition, while some Authentication User Agencies (AUA) — categorised by the UIDAI as 'Global' — will have access to all the details or the e-KYC of a specific Aadhaar number, all other agencies will only have access to limited data through the virtual identity number.</p>
<p style="text-align: justify; ">"So this is a very very significant thing and I think this is a great step forward," said Nandan Nilekani, former chairman of UIDAI, in an interview to television channel ET Now on Wednesday.</p>
<p style="text-align: justify; ">Nilekani, widely regarded as the architect of Aadhaar, said that through these new security measures the possibility of the Aadhaar number being stored in many databases also goes away.</p>
<p style="text-align: justify; ">It will make a huge difference in allaying the concerns and it really "eliminates all the arguments against Aadhaar," he told ET Now.</p>
<p style="text-align: justify; ">Last week, Chandigarh-based daily The Tribune reported that demographic data from the Aadhaar database could be accessed for as little as Rs 500. The expose led to the UIDAI barring over 5,000 officials from accessing its portal through login ids and passwords. It also introduced biometric authentication for future access, as reported by ET on Tuesday.</p>
<p style="text-align: justify; ">The widespread fear of misuse of demographic data is heightened by the fact that India still does not have a data protection legislation. The country's apex court is scheduled to resume its hearing on the validity of the Aadhaar scheme next week on January 17.</p>
<p style="text-align: justify; ">Kamlesh Bajaj, former CEO of the Data Security Council of India, said that by limiting access to only those agencies mandated by law, the UIDAI has ensured that "someone will not be able to combine database. It's a positive development in my view and technologically feasible," he said.</p>
<h3 style="text-align: justify; ">Expert Views</h3>
<p style="text-align: justify; ">Privacy experts and activists were of the view that more needs to be done to ensure foolproof security for critical personal information.</p>
<p style="text-align: justify; ">The Bengaluru-based research organisation Centre for Internet and Society has suggested that all the Aadhaar seeding with all the existing databases should be revoked. "Until then, it is one step ahead but not enough," said Sunil Abraham, executive director of CIS.</p>
<p style="text-align: justify; ">To enable a speedy rollout of the new safety standards, the UIDAI plans to release the required technical updates by March 1, 2018 and all the Authentication agencies using the Aadhaar database will need to upgrade their systems latest by June 1, 2018.</p>
<p style="text-align: justify; ">In its circular, UIDAI has also said that agencies not allowed to use or store the Aadhaar number should make changes inside their systems to replace Aadhaar number within their databases with UID Token.</p>
<p style="text-align: justify; ">"Unless there is complete revocation, some database with Aadhaar numbers will still float around and secondly there is no reason why some data controllers should be trusted, the tokenisation should be implemented for everyone," said CIS's Abraham.</p>
<p style="text-align: justify; ">The circular said that authentication using virtual ID will be performed in the same manner as the Aadhaar number and people can generate or retrieve their virtual numbers (in case they forget) at the UIDAI's resident portal, Aadhaar Enrolment Centers, or through the Aadhaar mobile application.</p>
<p style="text-align: justify; ">In addition to the virtual numbers, UIDAI will also provide "unique tokens" to each agency against an Aadhaar number to ensure that they are able to establish the uniqueness of beneficiaries in their database, such as for distributing government subsidies under cooking gas or scholarships.</p>
<p style="text-align: justify; ">Activists argue that most service providers — even digital ones — work with a paper ID card system. "They don't cross-check it with the UIDAI database. UIDAI is not issuing virtual ids for paper cards, and a new category of so called Global AUAs are exempted from using the virtual ids, so citizens are not protected almost anywhere that they need to use Aadhaar," said Kiran Jonnalagadda, co-founder of the Internet Freedom Foundation, who said the change doesn't help enough to secure the ecosystem.</p>
No publisher | Admin | Aadhaar | Internet Governance | Privacy | 2018-01-16T23:08:34Z | News Item
UIDAI goes after org that disclosed government departments were releasing Aadhaar data
http://editors.cis-india.org/internet-governance/news/medianama-nikhil-pahwa-may-19-2017-uidai-cis-india-aadhaar
<b>If there was ever a case of shoot the messenger, it is this. </b>
<p style="text-align: justify; ">The blog post by Nikhil Pahwa was published by <a class="external-link" href="http://www.medianama.com/2017/05/223-uidai-cis-india-aadhaar/">Medianama</a> on May 19, 2017. Pranesh Prakash was quoted.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The UIDAI, the body which runs the Aadhaar project in India, has written to the Centre for Internet & Society suggesting that <a href="http://www.medianama.com/2017/05/223-aadhaar-numbers-data-leak/">their disclosure of the fact that the data of 130 million Aadhaar users is being publicly disclosed on the Internet</a> is owed to a hack-attack, <a href="http://timesofindia.indiatimes.com/india/provide-hacker-details-outfit-that-claimed-data-leak-told/articleshow/58725132.cms?from=mdr" rel="noopener noreferrer">reports the Times of India</a>. On being contacted by MediaNama, Pranesh Prakash, Policy Director at CIS told MediaNama that “We are waiting for an official copy of the letter, and once we receive it we will decide on our future course of action.” The UIDAI told MediaNama that they’ll get back to us, and declined to share a copy of the letter with MediaNama.</p>
<p><a class="external-link" href="http://www.medianama.com/2017/05/223-uidai-cis-india-aadhaar/">Read the full story on Medianama</a></p>
No publisher | Nikhil Pahwa | UIDAI | Aadhaar | Internet Governance | Privacy | 2017-05-20T10:46:36Z | News Item
UIDAI denies any breach of Aadhaar database
http://editors.cis-india.org/internet-governance/news/livemint-komal-gupta-january-7-2018-uidai-denies-any-breach-of-aadhaar-database
<b>Personal data, including biometric information, of citizens safe and secure, says UIDAI on Aadhaar data breach.
</b>
<p style="text-align: justify; ">The article by Komal Gupta was published by <a class="external-link" href="http://www.livemint.com/Politics/bw5gRWcZoFYOjixGVVSqiP/UIDAI-says-Aadhaar-misuse-traceable-system-secure.html">Livemint</a> on January 7, 2018.</p>
<hr />
<p style="text-align: justify; ">The Unique Identification Authority of India (UIDAI) on Thursday clarified that there has not been any breach in the Aadhaar database and the personal data of citizens, including biometric information, is safe and secure.</p>
<p style="text-align: justify; ">The clarification comes in response to a news report titled ‘Rs 500, 10 minutes, and you have access to a billion Aadhaar details’ published in The Tribune on Thursday. The report claims that a WhatsApp group sold all Aadhaar data available with UIDAI for a sum of Rs. 500.</p>
<p id="_mcePaste" style="text-align: justify; ">UIDAI maintained that the reported case appeared to be an instance of misuse of the grievance redressal search facility. As UIDAI maintains complete logs and traceability of the facility, legal action including lodging of FIR against the persons involved in the case is being undertaken.</p>
<p style="text-align: justify; ">UIDAI clarified in a press statement that displayed demographic information cannot be misused; it would need to be paired with an individual’s biometrics.</p>
<p style="text-align: justify; ">There are more than 1.19 billion Aadhaar card holders in the country.</p>
<p style="text-align: justify; "><span>“If it is not a data breach, then this means that some people who have legitimate access to the data are selling it illegitimately. This poses a greater problem,” said Pranesh Prakash, policy director at the Centre for Internet and Society, a Bengaluru-based think tank.</span></p>
No publisher; Admin; Aadhaar, Internet Governance, Privacy; 2018-01-07T12:03:13Z; News Item
UIDAI declining multiple requests by police to share Indian citizens’ biometrics
http://editors.cis-india.org/internet-governance/news/biometric-update-july-4-2017-justin-lee-uidai-declining-multiple-requests-by-police-to-share-indian-citizens-biometrics
<b>The Unique Identification Authority of India (UIDAI), the governing agency in charge of Aadhaar, has declined multiple requests from all law enforcement agencies, including the Delhi Police, for biometrics of citizens for criminal investigations, according to a report by The Indian Express.</b>
<p style="text-align: justify; ">The blog post by Justin Lee was <a class="external-link" href="http://www.biometricupdate.com/201707/uidai-declining-multiple-requests-by-police-to-share-indian-citizens-biometrics">published by Biometric Update</a> on July 4, 2017.</p>
<hr />
<p style="text-align: justify; ">Investigating agencies such as CBI and NIA have been repeatedly requesting the details of Aadhaar cardholders including their biometrics, UIDAI said.</p>
<p style="text-align: justify; ">UIDAI Deputy Director General Rajesh Kumar Singh has written to the heads of each agency, ordering them to stop asking for such details.</p>
<p style="text-align: justify; ">“This is regarding requests frequently received by the UIDAI from police and other law enforcement agencies, seeking demographic and biometric information of residents for facilitating identification of individuals in different cases,” Singh said in his letter. “In this regard, I would like to draw your kind attention to provisions under Sections 28 and 29 of the Aadhaar (Targeted delivery of financial and other subsidies, benefits and services) Act, 2016, which prohibits sharing of core biometric and identity related information with other authorities.”</p>
<p style="text-align: justify; ">Rather than asking forensic labs to match fingerprints, state police and investigating agencies are requesting biometrics data from UIDAI.</p>
<p style="text-align: justify; ">“Identity information cannot be shared by UIDAI,” Singh said. “The requests received from law enforcement agencies lead to avoidable delays in investigation by the police authorities and unnecessary increase in the workload of subordinate authorities.”</p>
<p style="text-align: justify; ">UIDAI is also concerned about data potentially leaking as the central government has confirmed that identities of individuals, including Aadhaar numbers and other private information, have been leaked to the public.</p>
<p style="text-align: justify; "><a href="http://www.biometricupdate.com/201705/report-claims-millions-of-aadhaar-registration-and-bank-numbers-compromised">In May</a>, the Centre for Internet and Society published a report that claimed between 130 and 135 million numbers in India’s Aadhaar biometric registry system, and around 100 million bank numbers of pensioners and rural jobs-for-work beneficiaries, have been leaked online by four key government programs.</p>
No publisher; praskrishna; Aadhaar, Internet Governance, Privacy; 2017-07-06T15:25:32Z; News Item
UIDAI asks Centre for Internet & Society to provide hacker details
http://editors.cis-india.org/internet-governance/news/economic-times-may-18-2017-mahendra-singh-uidai-asks-centre-for-internet-and-society-to-provide-hacker-details
<b>The Unique Identification Authority of India (UIDAI), the regulatory authority for Aadhaar, has written to a Bengaluru-based research organisation, Centre for Internet & Society (CIS), seeking details about a suspected hack attack on government websites that led to the leak of information about 13 crore users.</b>
<p style="text-align: justify; ">The article by Mahendra Singh was published in the <a class="external-link" href="http://tech.economictimes.indiatimes.com/news/technology/uidai-asks-centre-for-internet-society-to-provide-hacker-details/58731336">Times of India</a> on May 18, 2017.</p>
<hr />
<p style="text-align: justify; ">The Unique Identification Authority of India (UIDAI), the regulatory authority for Aadhaar, has written to a Bengaluru-based research organisation, Centre for Internet & Society (CIS), seeking details about a suspected hack attack on government websites that led to the leak of information about 13 crore users.<br /><br />In a recent report, CIS had highlighted that websites run by various government departments, owing to a poor security framework, had publicly displayed sensitive personal financial information and Aadhaar numbers of beneficiaries of certain projects.<br /><br />In its letter, UIDAI argued that the data downloaded from one of the websites could not have been accessed unless the website was hacked. As hacking is a grave offence under the law, the UIDAI has asked CIS to provide details of the persons involved in the data theft.<br /><br />According to a source, the UIDAI said that access to data on the website for the 'National Social Assistance Program' was only possible for someone in possession of authorised login details, or if the site (http://nsap.nic.in) was hacked or breached. The UIDAI said in its letter that such illegal access was against the provisions of the Aadhaar Act, 2016, and the IT Act, 2000, and that the persons involved had committed a grave offence.<br /><br />Asking the CIS to reply before May 30, the UIDAI also said, "Aadhaar system is a protected system under Section 70 of the IT Act, 2000, the violation of which is punishable with rigorous imprisonment for a period up to 10 years." 
It added that the penalty clauses for violations are also provided in Section 36, Section 38 and Section 39 of the Aadhaar Act.<br />The UIDAI, however, maintained that even if the Aadhaar details were known to someone it did not pose a real threat to the people whose information was publicly available because the Aadhaar number could not be misused without biometrics.<br /><br />The UIDAI letter said, "While, as your report suggests, there is a need to strengthen IT security of government websites, it is also important that the persons involved in hacking such sensitive information are brought to justice for which your assistance is required under the law."<br /><br />"Your report mentions 13 crore people's data has been 'leaked'. Please specify how much of this data had been downloaded by you or are in your possession or in the possession of any other persons that you know. Please provide the details," the UIDAI added in its letter. The UIDAI also urged CIS to provide the details of the persons/organisations with whom it shared the data, if it did.</p>
No publisher; praskrishna; Aadhaar, Internet Governance, Privacy; 2017-06-07T12:21:47Z; News Item
UIDAI and Welfare Services: Exclusion and Countermeasures (Bangalore, August 27)
http://editors.cis-india.org/internet-governance/events/uidai-and-welfare-services-exclusion-and-countermeasures-aug-27
<b>The Centre for Internet and Society (CIS) invites you to a one day workshop, on Saturday, August 27, 2016, to discuss, raise awareness of, and devise countermeasures to exclusion due to implementation of UID-based verification for and distribution of welfare services. We look forward to making this a forum for knowledge exchange and a learning opportunity for our friends and colleagues.</b>
<p> </p>
<h3>Invitation</h3>
<p><a href="http://cis-india.org/internet-governance/files/uidai-and-welfare-services-exclusion-and-countermeasures/at_download/file">Download</a> (PDF)</p>
<p> </p>
<h3>Venue</h3>
<p>Institution of Agricultural Technologists, No. 15, Queen’s Road, Bangalore, 560 052.</p>
<p>Location on Google Map: <a href="https://www.google.com/maps/place/Institution+of+Agricultural+Technologists/" target="_blank">https://www.google.com/maps/place/Institution+of+Agricultural+Technologists/</a>.</p>
<p> </p>
<h3>Agenda</h3>
<p><strong>10:00-10:30</strong> Tea and Coffee</p>
<p><strong>10:30-11:00</strong> Introductions and Updates from Delhi Workshop</p>
<p><strong>11:00-12:45</strong> Reconfiguration of Welfare Governance by UIDAI</p>
<p><strong>12:45-14:00</strong> Lunch</p>
<p><strong>14:00-15:00</strong> Updates on Ongoing Cases against UIDAI</p>
<p><strong>15:00-15:15</strong> Tea and Coffee</p>
<p><strong>15:15-16:45</strong> Open Discussion on Countering Welfare Exclusion</p>
<p><strong>16:45-17:00</strong> Tea and Coffee</p>
No publisher; sumandro; Exclusion, Digital Governance, Privacy, Internet Governance, Digital India, Aadhaar, Welfare Governance, UID; 2016-08-22T13:25:03Z; Event
UIDAI admits 210 government websites made Aadhaar details public
http://editors.cis-india.org/internet-governance/news/financial-express-november-20-2017-government-websites-made-aadhaar-details-public
<b>The Unique Identification Authority of India (UIDAI) has admitted that Aadhaar details were leaked on over 200 central and state government websites.</b>
<p style="text-align: justify; ">The article was <a class="external-link" href="http://www.financialexpress.com/economy/uidai-admits-210-government-websites-made-aadhaar-details-public/940545/">published in the Financial Express</a> on November 20, 2017.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The Unique Identification Authority of India (UIDAI) has admitted that Aadhaar details were made public on over 200 central and state government websites. According to an RTI reply, these websites publicly displayed name, address and other details of Aadhaar beneficiaries, which were removed when the breach was identified.</p>
<p style="text-align: justify; ">However, UIDAI does not have information about the time of the breach. It also said that Aadhaar details have never been made public by UIDAI. “However, it was found that approximately 210 websites of the central government, state government departments including educational institutes were displaying the list of beneficiaries along with their name, address, other details and Aadhaar numbers for information of the general public,” it said.</p>
<p style="text-align: justify; ">UIDAI issues Aadhaar — a 12-digit unique identification number — which acts as a proof of identity and address anywhere in the country. Lately, Aadhaar has been creating a furore for security and privacy reasons, especially after the <a href="http://www.financialexpress.com/tag/narendra-modi/" target="_blank">Narendra Modi</a> government began aggressively pushing the identification number to be linked with social benefits, banks, PAN, mobile number et al. In a landmark judgement this August, the Supreme Court ruled that privacy was a fundamental right of citizens, weakening the case for pushing Aadhaar.</p>
<p style="text-align: justify; ">Currently, cases are being heard in the apex court on linking Aadhaar to banks and mobile numbers. In May, the Centre for Internet and Society had claimed that as many as 135 million Aadhaar numbers could have been leaked. “Based on the numbers available on the websites looked at, the estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million,” the report by CIS had said. Further, as many as 100 million bank account numbers could have been “leaked” from the four portals, it had added.</p>
<p style="text-align: justify; ">UIDAI and the government had been vehemently denying that Aadhaar details can be leaked despite apprehension from different sections of society. Soon after the RTI reply appeared in media, UIDAI refuted the news of leaks, calling it a “skewed presentation of facts”. “Such report is a skewed presentation of the facts and poses as if the Aadhaar data is breached or leaked which is not the true presentation. Aadhaar data is fully safe and secure and there has been no data leak or breach at UIDAI,” a press release by PIB said.</p>
<p style="text-align: justify; ">It said that the data on these websites was placed in public domain as a measure of proactive disclosure under the RTI Act.</p>
No publisher; Admin; Aadhaar, Internet Governance, Privacy; 2017-11-21T16:03:29Z; News Item
UID and NPR: Towards Common Ground
http://editors.cis-india.org/internet-governance/blog/uid-npr-towards-common-ground
<b>The UID (Unique Identification) and NPR (National Population Register) are both government identity schemes that aggregate personal data, including biometric data for the provision of an identification factor, and aim to link them with the delivery of public utility services.</b>
<p style="text-align: justify; ">The differences between the two exist in terms of collection of data, the type of identification factor issued, authorities involved and the outcome.</p>
<p style="text-align: justify; ">Despite the differences, there has been talk of combining the two schemes because of the overlap.<a href="#_ftn1" name="_ftnref1">[1]</a> In the same breath, it has been argued that the two schemes are incompatible. <a href="#_ftn2" name="_ftnref2">[2]</a></p>
<p style="text-align: justify; ">One of the UIDAI’s (Unique Identification Authority of India) functions is to harmonize the two schemes. <a href="#_ftn3" name="_ftnref3">[3]</a></p>
<p style="text-align: justify; ">As it stands, the schemes are distinct. Enrolment for a UID does not lead to automatic enrolment in the NPR. The NPR website expressly states that even if a data subject has undergone census or has been granted a UID Number, it is necessary to visit a data collection centre to provide biometric data for the NPR.<a href="#_ftn4" name="_ftnref4">[4]</a></p>
<h2 style="text-align: justify; ">UID and NPR: The Differences</h2>
<h3 style="text-align: justify; ">The Basis of identity/ Unit of Survey</h3>
<p style="text-align: justify; ">The most striking difference between the UID and NPR Schemes is their notion of identity. The UID is individual based, whereas the NPR scheme focuses on the household or the family as a composite unit. Thus, the UID seeks to enroll individuals while the NPR seeks to gather data of the members of a household or family as a composite unit during the census and later register each person for an NPR Card, on the basis of the census data. To this extent, analysis of the data gathered from the two schemes will be different and will require differing analytical tools. The definition of the data subject and the population is different. In one scheme, the unit is an individual; in the other it is the household/family. Though the family is the composite unit in the NPR, when the data is finally extracted it is unpaired to provide individuals with NPR cards. The family-based association is not lost, however, and it is argued that this household association of NPR should be used to calculate and provide subsidies. Some states have put on hold transfer of cooking gas subsidy, which is calculated for each household, through Aadhaar-linked bank accounts.<a href="#_ftn5" name="_ftnref5">[5]</a> If both schemes were merged, the basis for determining entitlement to subsidies would be non-uniform.</p>
<h3 style="text-align: justify; ">Differences in Information Collection</h3>
<p style="text-align: justify; ">The UID and NPR have different procedures for collection of information. In the UID scheme, all data is collected in data collection centres whereas NPR data is collected door to door in part and in collection centres for the other part.</p>
<p style="text-align: justify; ">UID data is collected by the UIDAI themselves or by private parties, under contract. These contractors are private parties: often, online marketing service providers.<a href="#_ftn6" name="_ftnref6">[6]</a> The data subjects were initially allowed registration through an introducer and without any documentation. This was replaced with the verification system where documents were to be produced for registration for UID.</p>
<p style="text-align: justify; ">The NPR involves a dual collection process. The first stage is the door-to-door collection of data as part of the Census. This information is collected through a questionnaire. No supporting documents or proof are produced to verify this data. The verification happens at a later stage, through public display of the information. This data is digitized. The data subjects are then to give their biometric data at the data collection centres, on the production of the census slip. The biometric data collectors are parties who are empanelled by the UIDAI and are eligible to collect data under the UID Scheme. A subject’s data is aggregated and then de-duplicated by the UIDAI. <a href="#_ftn7" name="_ftnref7">[7]</a></p>
<p style="text-align: justify; ">This shows two points of merger. It can be suggested that when data is collected for the UID number, then the subject should not have to give their biometrics for the NPR Scheme again. The sharing of biometrics across the schemes will reduce cost and redundancy. While sharing of UID data with NPR is feasible, the reverse is not true, since UID is optional and NPR is not. If NPR data is to be shared with UID, then the subject has the right to refuse. However, the consent for using NPR data for the UID is a default YES in the UID form. <a href="#_ftn8" name="_ftnref8">[8]</a> Prohibiting the information sharing is not an option.</p>
<h3 style="text-align: justify; ">Differences in Stated Purposes</h3>
<p style="text-align: justify; ">The NPR is linked to citizenship status. The NPR exercise is being conducted to create a national citizen register and to assist in identifying and preventing illegal immigration. The NPR card, a desired outcome, is aimed to be a conduit for transactions relating to subsidies and public utilities.<a href="#_ftn9" name="_ftnref9">[9]</a> So is the UID Number, which was created to provide the residents of India an identity. The linkage and provision of subsidies through the NPR and UID cards have not taken off on a large scale and there is a debate as to which will be more appropriate for direct benefit transfer, with some leaders proclaiming that the NPR scheme is more suited to direct benefit transfer.<a href="#_ftn10" name="_ftnref10">[10]</a> Since the UID Number is linked to direct benefit transfer, but not to citizenship, benefits such as those under the MNREGA scheme, may be availed by non-citizens as well, though only citizens are eligible for the scheme.<a href="#_ftn11" name="_ftnref11">[11]</a></p>
<p style="text-align: justify; ">C. Chandramouli, the Registrar General and Census Commissioner of India, states that the conflict between the two schemes is only perceived, and results from a poor understanding of the differences in objective. The NPR, he states, is created to provide national security through the creation of a citizen register, starting with a register of residents after authentication and verification of the residence of the subjects. On the other hand, the UID exercise is to provide a number that will be used to correctly identify a person.<a href="#_ftn12" name="_ftnref12">[12]</a></p>
<h3 style="text-align: justify; ">Difference in Legal Sanctity</h3>
<p style="text-align: justify; ">The UIDAI was set up through an executive notification, which dictates a few of its responsibilities, including: assigning a UID number, collating the UID and NPR schemes, laying down standards for interlinking with partner databases and so on. However, the UIDAI has not expressed responsibility to collect, or authorize collection of data under this scheme. The power to authorize the collection of biometrics is vested with the National Identification Authority of India (NIAI), which will be set up under the National Identification Authority of India Bill, (NIAI Bill, which is at times referred to as the UID Bill).</p>
<p style="text-align: justify; ">The NPR Scheme has been created pursuant to the 2004 Amendment of the Citizenship Act. Under S. 14A of the Citizenship Act, the central government has the power to compulsorily register citizens for an Identity Card. This gives the NPR exercise sanctity. However, no authority to collect biometric information has been given either under this Act or Rules framed under it.</p>
<h2 style="text-align: justify; ">Future of Aadhaar</h2>
<p style="text-align: justify; ">The existence of both the UID and NPR Schemes leads to redundancy. Therefore, many have advocated for their merger. This seems impractical, as the standards in collection and management of data are not the same.</p>
<p style="text-align: justify; ">For some time, it was thought that the Aadhaar Scheme would be scrapped. This belief was based on the present government’s opposition to the scheme during and before the election. This was further strengthened by the fact that they did not expressly mention the continuance of the scheme in their manifesto. The Cabinet Committee on UIDAI was disbanded and the enrolment for the UID Number was stopped, only to be resumed a short while later.<a href="#_ftn13" name="_ftnref13">[13]</a></p>
<p style="text-align: justify; ">However, recent events show that the Aadhaar scheme will continue. First, the new government has stated that the UID scheme will continue. In support of the UID Scheme, the government has made budgetary allocation for the scheme to enable, <i>inter alia,</i> its being sped up. The Government even intends to enact a law to give the scheme sanctity. <a href="#_ftn14" name="_ftnref14">[14]</a></p>
<p style="text-align: justify; ">Second, the Government is assigning the UID Number new uses. To track attendance of government employees, the Government shall use a biometric attendance system, which is linked to the employee’s UID Number. <a href="#_ftn15" name="_ftnref15">[15]</a> The attendance will be uploaded onto a website, to boost transparency.</p>
<p style="text-align: justify; ">Third, direct benefit transfers under the UID will become more vigorous.</p>
<p style="text-align: justify; ">The UID is already necessary for registration under the NPR, which is compulsory.</p>
<p style="text-align: justify; ">Providing one’s UID Number for utilities such as cooking gas is also compulsory in several areas, despite the Court’s diktat that it should not be so.<a href="#_ftn16" name="_ftnref16">[16]</a></p>
<h2 style="text-align: justify; ">Conclusion</h2>
<p style="text-align: justify; ">The government is in favour of continuing both the schemes. Therefore, it is unlikely that either scheme will be scrapped or that the two schemes will be combined. The registration for UID is becoming compulsory by implication as it is required for direct benefit transfers and for utilities. Data collected under NPR is being shared with the UIDAI by default, when one registers for a UID number. However, the reverse is unlikely, as the UID collects secondary data, whereas NPR requires primary data, which it collects through physical survey and authentication. Perhaps the sharing of data could be incorporated when one goes to the data collection centre to submit biometrics for the NPR. The subject could fill in the UID form and submit verification documents at this stage, completing both exercises in one go. This will drastically reduce the combined costs of the two exercises.</p>
<hr style="text-align: justify; " />
<p><a href="#_ftnref1" name="_ftn1">[1]</a> Rajesh Aggarwal, Merging UID and NPR???, Igovernment, accessed 5 September, 2014 <a href="http://www.igovernment.in/igov/opinion/41631/merging-npr-uid">http://www.igovernment.in/igov/opinion/41631/merging-npr-uid</a>; Bharti Jain, Rajnath Hints at Merger of NPR and Aadhar, Times of India, accessed 5 September, 2014 <a href="http://timesofindia.indiatimes.com/india/Rajnath-hints-at-merger-of-NPR-and-Aadhaar/articleshow/35740480.cms">http://timesofindia.indiatimes.com/india/Rajnath-hints-at-merger-of-NPR-and-Aadhaar/articleshow/35740480.cms</a></p>
<p style="text-align: justify; "><a href="#_ftnref2" name="_ftn2">[2]</a> Raju Rajagopal, The Aadhar-NPR Conundrum, Mint, accessed 5 September, 2014 <a href="http://www.livemint.com/Opinion/tvpoCYeHxrs2Z7EkAAu7bP/The-AadhaarNPR-conundrum.html">http://www.livemint.com/Opinion/tvpoCYeHxrs2Z7EkAAu7bP/The-AadhaarNPR-conundrum.html</a> .</p>
<p style="text-align: justify; "><a href="#_ftnref3" name="_ftn3">[3]</a> Cl. 4 of the Notification on the creation of the UIDAI, No. A-43011/02/2009-Admin.1 of the Planning Commission of India, dated 28 January, 2009</p>
<p style="text-align: justify; "><a href="#_ftnref4" name="_ftn4">[4]</a> FAQ for NPR, accessed: 3 September, 2014. <a href="http://censusindia.gov.in/2011-Common/FAQs.html">http://censusindia.gov.in/2011-Common/FAQs.html</a></p>
<p style="text-align: justify; "><a href="#_ftnref5" name="_ftn5">[5]</a> A Jolt for Aadhar: UPA Shouldn’t Have to Put on Hold its Only Good Idea, Business Standard, accessed 5 September, 2014 <a href="http://www.business-standard.com/article/opinion/a-jolt-for-aadhaar-114020301243_1.html">http://www.business-standard.com/article/opinion/a-jolt-for-aadhaar-114020301243_1.html</a></p>
<p style="text-align: justify; "><a href="#_ftnref6" name="_ftn6">[6]</a> Prakash Chandra Sao, The Unique ID Project in India: An Exploratory Study, accessed: 21 August, 2014 <a href="http://subversions.tiss.edu/the-unique-id-project-in-india-an-exploratory-study/">http://subversions.tiss.edu/the-unique-id-project-in-india-an-exploratory-study/</a></p>
<p style="text-align: justify; "><a href="#_ftnref7" name="_ftn7">[7]</a> NPR Activities, accessed 5 September, 2014, <a class="external-link" href="http://ditnpr.nic.in/NPR_Activities.aspx">http://ditnpr.nic.in/NPR_Activities.aspx</a></p>
<p style="text-align: justify; "><a href="#_ftnref8" name="_ftn8">[8]</a> R. Dinakaran, NPR and Aadhar- A Confused Process, The Hindu BusinessLine, accessed: 4 September, 2014 <a href="http://www.thehindubusinessline.com/blogs/blog-rdinakaran/npr-and-aadhaar-a-confused-process/article4940976.ece">http://www.thehindubusinessline.com/blogs/blog-rdinakaran/npr-and-aadhaar-a-confused-process/article4940976.ece</a></p>
<p style="text-align: justify; "><a href="#_ftnref9" name="_ftn9">[9]</a> More than sixty-five thousand NPR cards have been issued and biometric data of more than twenty-five lakh people has been captured, as on 28 August, 2014 <a href="http://censusindia.gov.in">http://censusindia.gov.in</a></p>
<p style="text-align: justify; "><a href="#_ftnref10" name="_ftn10">[10]</a> NPR, not Aadhaar, best tool for cash transfer: BJP's Sinha, accessed: 3 September, <a class="external-link" href="http://www.moneycontrol.com/master_your_money/stocks_news_consumption.php?autono=1035033">http://www.moneycontrol.com/master_your_money/stocks_news_consumption.php?autono=1035033</a></p>
<p style="text-align: justify; "><a href="#_ftnref11" name="_ftn11">[11]</a> Bharati Jain, NDA's national ID cards may kill UPA's Aadhaar, accessed 3 September, 2014 <a href="http://timesofindia.indiatimes.com/india/NDAs-national-ID-cards-may-kill-UPAs-Aadhaar/articleshow/36791858.cms">http://timesofindia.indiatimes.com/india/NDAs-national-ID-cards-may-kill-UPAs-Aadhaar/articleshow/36791858.cms</a></p>
<p style="text-align: justify; "><a href="#_ftnref12" name="_ftn12">[12]</a> <i>Id.</i></p>
<p style="text-align: justify; "><a href="#_ftnref13" name="_ftn13">[13]</a> Aadhar Enrolment Drive Begins Again, accessed 3 September, 2014 <a href="http://timesofindia.indiatimes.com/city/gurgaon/Aadhaar-enrolment-drive-begins-again/articleshow/38280932.cms">http://timesofindia.indiatimes.com/city/gurgaon/Aadhaar-enrolment-drive-begins-again/articleshow/38280932.cms</a></p>
<p style="text-align: justify; "><a href="#_ftnref14" name="_ftn14">[14]</a> Mahendra Singh, Modi govt to give legal backing to Aadhaar, Times of India, <a href="http://timesofindia.indiatimes.com/india/Modi-govt-to-give-legal-backing-to-Aadhaar/articleshow/38336812.cms">http://timesofindia.indiatimes.com/india/Modi-govt-to-give-legal-backing-to-Aadhaar/articleshow/38336812.cms</a></p>
<p style="text-align: justify; "><a href="#_ftnref15" name="_ftn15">[15]</a> Narendra Modi Government to Launch Website to Track Attendance of Central Government Employees, DNA, accessed: 4 September, 2014 <a href="http://www.dnaindia.com/india/report-narendra-modi-government-to-launch-website-to-track-attendance-of-central-government-employees-2014684">http://www.dnaindia.com/india/report-narendra-modi-government-to-launch-website-to-track-attendance-of-central-government-employees-2014684</a></p>
<p style="text-align: justify; "><a href="#_ftnref16" name="_ftn16">[16]</a> No gas supply without Aadhaar card, Deccan Chronicle, accessed: 4 September, 2014, <a href="http://www.deccanchronicle.com/140829/nation-current-affairs/article/no-gas-supply-without-aadhaar-card">http://www.deccanchronicle.com/140829/nation-current-affairs/article/no-gas-supply-without-aadhaar-card</a></p>
<hr />
<p>Note: This is an anonymous post.</p>
No publisher; Mukta Batra; UID, Aadhaar, Internet Governance, Privacy; 2014-10-15T13:06:40Z; Blog Entry
Token security or tokenized security?
http://editors.cis-india.org/internet-governance/news/livemint-january-9-2018-manasa-venkataraman-ajay-patri-token-security-or-tokenized-security
<b>Implementing a system of tokenization for Aadhaar verification will address the security loopholes highlighted in recent reports.</b>
<p style="text-align: justify; ">The article by Manasa Venkataraman and Ajay Patri was published in <a class="external-link" href="http://www.livemint.com/Opinion/Kx7GIb4P73EpEtpxOFzi6M/Token-security-or-tokenized-security.html">Livemint</a> <span>on January 9, 2018.</span></p>
<hr style="text-align: justify; " />
<p class="S3l" style="text-align: justify; ">Those who were reassured that the Aadhaar architecture is safe and secure have faced a few rude shocks lately. First, there was the recent report in <i>The Tribune </i>on how one of its reporters was easily able to log in to the Aadhaar website and access any enrolled Indian’s personal information, all for a grand fee of Rs500. While the veracity of this report is still being contested by the Unique Identification Authority of India (UIDAI), it has stirred panic over the security of personal data entrusted to the government. This came close on the heels of reports last month that a telecom company was utilizing the eKYC (know your customer) data of its mobile subscribers to open payment bank accounts without their consent.</p>
<p style="text-align: justify; ">These two instances highlight scenarios where data from the Aadhaar database is vulnerable. In the first, the weaknesses in security measures and processes around the database leave information susceptible to an attack. In the second, providing third-party entities loosely regulated access to an individual’s data leaves scope for abuse.</p>
<p style="text-align: justify; ">There is a need to protect the data belonging to individuals in these situations, providing the government with two possible policy options: it can choose to either overhaul the Aadhaar architecture completely, or it can build in additional security measures to ensure that individual data is not compromised.</p>
<p style="text-align: justify; ">Uninventing Aadhaar is not a practical proposal. It would have to include repealing the statute on Aadhaar, disbanding the database already created, and figuring out alternative means of delivering the services that are now dependent on Aadhaar. A more sustainable way forward is to better secure Aadhaar. This will involve not only the secure collection and storage of personal data, but also a safe regulation of the manner in which third parties use it for authentication.</p>
<p style="text-align: justify; ">One way to protect Aadhaar-related communications is to channel them through a secure conduit. This can be achieved through a system of temporary tokens for Aadhaar-based verifications. Sunil Abraham from the Centre for Internet and Society (CIS) has recommended a system of using dummy or virtual Aadhaar numbers along with a smart card to protect information belonging to individuals.</p>
<p style="text-align: justify; ">Tokenization is the process of masking sensitive personal data with another innocuous dataset, allowing it to be shared with third parties without the risk of the personal data being exposed. So, every time a service provider asks for identification, the individual can provide a one-time-ID number generated by an Aadhaar app or on UIDAI’s website. The service provider can authenticate the one-time-ID number with the Aadhaar database, without needing to know or store the Aadhaar number. The algorithm used to generate the one-time-ID number must be constructed using hard-to-replicate information and kept a well-guarded secret. No two service providers will have the same one-time ID, making it harder for personal profiles to be constructed by mining data from multiple service providers, thus enabling a higher level of privacy protection.</p>
<p style="text-align: justify; ">Allowing such a system of tokenization for every eKYC can create a welcome layer of ambiguity around individuals’ personal data and preserve the individuals’ Aadhaar-related information with the government. This system also breaks the link between the Aadhaar database and any third party having access to an individual’s Aadhaar number. If this link is not broken, then any entity—government or private—would have access to potentially millions of Aadhaar card numbers, opening endless possibilities for data abuse.</p>
<p style="text-align: justify; ">The tokenization process allows the authority to arrest any attempts at data abuse. In fact, to make this system of tokens or one-time-ID numbers effective, the law must build in measures to penalize any attempt to recreate an individual’s Aadhaar number from the unique token number. In other words, the service provider is given a token number for authentication, but prohibited from obtaining the Aadhaar number it corresponds to.</p>
<p style="text-align: justify; ">Tokenization is an improvement over the status quo, but only in one aspect—making Aadhaar secure. It is imperative that the government pays equal attention to the manner in which all data is collected, stored and disposed of by the authority. There are two facets to be explored here: first, ensuring secure storage of the vast information database, and second, plugging security loopholes that happen at collection by limiting access to the database.</p>
<p style="text-align: justify; ">The adoption of appropriate technical safeguards is indispensable to thwart external threats to the Aadhaar database, such as ransomware attacks. Having appropriate security, and having periodic audits to test the adequacy of such security, is indispensable.</p>
<p style="text-align: justify; ">Equally, limiting access to the database is crucial for preventing leaks, such as the ones reported in <i>The Tribune</i>. It is important that only a select few individuals have access to the database and that these personnel are properly vetted before being vested with such responsibility.</p>
<p style="text-align: justify; ">These various facets of the Aadhaar ecosystem are likely to be further examined in the public in the weeks to come as the Supreme Court gears up to hear the petitions on Aadhaar. Regardless of the verdict, there is an urgent need to improve the safety of the Aadhaar ecosystem and the use of tokenization goes some way towards achieving this objective.</p>
<p style="text-align: justify; "><i>Manasa Venkataraman and Ajay Patri are researchers at the Takshashila Institution, an independent, non-partisan think tank and school of public policy.</i></p>
No publisher | Admin | Aadhaar, Internet Governance, Privacy | 2018-01-17T00:17:41Z | News Item
To protect data, don’t opt for plastic or laminated Aadhaar card: UIDAI
http://editors.cis-india.org/internet-governance/news/livemint-komal-gupta-february-7-2017-to-protect-data-dont-opt-for-plastic-or-laminated-Aadhaar
<b>Unauthorized printing of Aadhaar cards could render the QR (quick response) code dysfunctional or even expose personal data without an individual’s informed consent, UIDAI says.</b>
<p>The article by Komal Gupta was <a class="external-link" href="http://www.livemint.com/Politics/5Gr7j4bgNoLRVtf10cjrzK/To-protect-data-dont-opt-for-plastic-or-laminated-Aadhaar.html">published by Livemint</a> on February 7, 2017</p>
<hr />
<p class="S3l" style="text-align: justify; ">To protect information provided by holders of Aadhaar, the Unique Identification Authority of India (UIDAI) on Tuesday cautioned people against opting for plastic or laminated “smart” cards.</p>
<p style="text-align: justify; ">Unauthorized printing of the cards could render the QR (quick response) code dysfunctional or even expose personal data without an individual’s informed consent, it said in a statement on Tuesday.</p>
<p style="text-align: justify; ">Besides, opting for plastic or laminated cards opened up the possibility of Aadhaar details (personal sensitive demographic information) being shared with devious elements without the informed consent of holders, the statement added.</p>
<p>According to UIDAI, the Aadhaar letter sent by it, a cutaway portion or downloaded versions of Aadhaar on ordinary paper or mAadhaar are perfectly valid.</p>
<p style="text-align: justify; ">“If a person has a paper Aadhaar card, there is absolutely no need to get his/her Aadhaar card laminated or obtain a plastic Aadhaar card or so called smart Aadhaar card by paying money. There is no concept such as smart or plastic Aadhaar card,” UIDAI chief executive officer Ajay Bhushan Pandey said in a statement.</p>
<p style="text-align: justify; ">Printing Aadhaar on a plastic/PVC sheet privately can cost anywhere between Rs50 and Rs300 or more, UIDAI said. It added that a printout of the downloaded Aadhaar card, even in black and white, is as valid as the original Aadhaar letter sent by UIDAI.</p>
<p>It added that in case a person loses his Aadhaar card, he can download the card free from <i>https://eaadhaar.uidai.gov.in.</i></p>
<p style="text-align: justify; ">Pandey asked holders not to share Aadhaar number or personal details with unauthorized agencies for getting the card laminated, or printed on plastic.</p>
<p style="text-align: justify; ">The agency also directed unauthorized agencies not to collect Aadhaar information from people, reminding them that collecting such information or unauthorized printing of Aadhaar card is a criminal offence punishable with imprisonment.</p>
<p style="text-align: justify; ">“I feel a lot more has to be done by UIDAI. Sadly, by encouraging people to rely on printed Aadhaar ‘cards’, UIDAI is ending up with the worst of both worlds with respect to personal data protection: photocopies of so-called Aadhaar cards/letter are being circulated to facilitate identity fraud as well as the kind of dangerous personal data disclosures that centralized databases enable,” said Pranesh Prakash, policy director at think tank Centre for Internet and Society.</p>
<p style="text-align: justify; ">Last month, UIDAI put in place a two-layer security to reinforce privacy protections for Aadhaar holders—it introduced a virtual identification so that the actual number need not be shared to authenticate their identity. Simultaneously, it further regulated the storage of the Aadhaar numbers within various databases.</p>
No publisher | Admin | Aadhaar, Internet Governance, Privacy | 2018-02-07T01:00:00Z | News Item
The soon-to-be launched Aadhaar Pay will let you make purchases using your fingerprint
http://editors.cis-india.org/internet-governance/news/economic-times-indulekha-aravind-january-15-2017-the-soon-to-be-launched-aadhaar-pay-will-let-you-make-purchases-using-your-fingerprint
<b>Paying for your groceries and other goods by using your biometrics instead of an e-wallet, debit card or cash seems to be the next phase in the Centre’s ambitious push to shift the country to a “less cash” economy, as its mandarins term it.</b>
<p style="text-align: justify; ">The article by Indulekha Aravind was <a class="external-link" href="http://economictimes.indiatimes.com/news/economy/policy/the-soon-to-be-launched-aadhaar-pay-will-let-you-make-purchases-using-your-fingerprint/articleshow/56542475.cms">published in the Economic Times</a> on 15 January 2017. Sunil Abraham was <a class="external-link" href="http://economictimes.indiatimes.com/et-now/experts/sunil-abraham-on-aadhaars-misuse-during-demonetisation/videoshow/56544492.cms">consulted for this</a>.</p>
<hr />
<p style="text-align: justify; "> </p>
<p style="text-align: justify; ">Ajay Bhushan Pandey, CEO of the Unique Identification Authority of India (UIDAI), says it will be rolling out Aadhaar-enabled payment system, or Aadhaar Pay, for merchants in the next few weeks. This will be an app for merchants that enables them to receive payments through biometric authentication of the customer, provided their bank accounts are linked to their Aadhaar number. "A pilot is under way in fair price shops in Andhra Pradesh where shopkeepers are accepting payments from PDS beneficiaries. The results are very encouraging," says Pandey.</p>
<p style="text-align: justify; ">The idea takes off from the existing Aadhaar-enabled payment system (AEPS) used by bank business correspondents (BCs) in rural areas to disburse and accept cash, using micro ATMs. "We are trying to tweak this so that a similar device can be used by a local merchant," says Pandey. Adoption will depend on two factors: merchants’ acceptance of it and whether they can use an app rather than a micro ATM. The biggest advantage through this method of payment, says Pandey, is that the customer will not need a credit or debit card, or even a smartphone.</p>
<p style="text-align: justify; "><img alt="The soon-to-be launched Aadhaar Pay will let you make purchases using your fingerprint" class="gwt-Image" src="http://img.etimg.com/photo/56542603/page-19-1.jpg" title="The soon-to-be launched Aadhaar Pay will let you make purchases using your fingerprint" /></p>
<p style="text-align: justify; ">The limits for transactions using AEPS, such as the number of daily transactions, will be left to the discretion of the banks. In the long term, the AEPS will be migrated to the BHIM (Bharat Interface for Money) platform but the rollout of Aadhaar Pay will happen before that. Post demonetisation, banking BC’s number of transactions using AEPS has leapt from 4-5 lakh to 14-15 lakh, says Pandey. According to Reserve Bank of India data on electronic payment systems, the total volume of such transactions jumped from 671 million in November 2016 to 957 million in December. USSD-based payments, which can be done using a basic feature phone, are among the biggest beneficiaries: the volume rose from just 7,000 in November to 1,02,000 in December, and value of transactions from over Rs 7,000 to over Rs 1 lakh. Prepaid payment instruments — mainly mobile wallets — rose from 59 million to 88 million in the same period (and value from Rs 1,300 crore to Rs 2,100 crore).</p>
<p style="text-align: justify; ">While Aadhaar Pay is likely to ride the demonetisation wave if it is launched soon, certain concerns remain, chief among them how secure such a payment system will be. The UIDAI CEO says it is a paramount concern for the organisation, too. "We are using the latest technology to ensure the information stays encrypted end-to-end, so that information is not leaked or misused. In the months to come, we will strengthen the security."</p>
<p style="text-align: justify; "><b>Wary About Security</b> <br /> Sunil Abraham, executive director of the Centre for Internet and Society, a think tank that has been analysing the Aadhaar project for six years, outlines several reasons why Aadhaar-based biometrics is inappropriate for authentication in payments, unlike card-based payments that use cryptography. <br /> <br /> "With biometrics, there is always an error ratio. It is imprecise matching, whereas with cryptography (smart cards), there is no false positive or negative. You either have the key (PIN) or you don’t. It is also very cheap to defeat biometric authentication — even an unlettered person can do it," says Abraham. It would be easy enough, he says, to replicate someone else’s fingerprint by pressing it against lukewarm wax and filling the mould with glue to get a dummy finger. In contrast, compromising a smart card requires more cost and effort, from tech-savviness to machines such as a skimmer that will read the card. "And once you are compromised, you are compromised forever. You can’t change it, like a debit card PIN."</p>
<p style="text-align: justify; ">Using Aadhaar for authentication had proved to be a failure during the exchange of currency notes following demonetisation, he adds, pointing to how the poor and the middle class stood in queues for money while stacks of new currency were recovered from the homes of businessmen and bureaucrats. "When you have bank officials who are corrupt, giving them your biometrics is giving them more ammunition for corruption." To catch the criminals, law enforcement agencies had to resort to CCTV footage, a relatively older technology, he says. Others point out that while it may be secure, certain factors stand in the way of making biometrics-based payment authentication a large-scale success. Amrish Rau, CEO of PayU India, a payment gateway provider, cites a list of reasons why it would inevitably take off but only in 5-10 years.</p>
<p style="text-align: justify; ">"For one, the technology is not yet good enough. There are also bandwidth and data constraints in sending biometric data," says Rau. Even in more mature markets, it has yet to find widespread acceptance, he says, pointing to the slow adoption of Apple Pay and Samsung Pay in the US. "It’s not the answer today." This is in contrast to NITI Aayog CEO Amitabh Kant’s recent remarks that cards and PoS machines would become redundant by 2020 because Indians would be making payments using their thumb (biometrics). "... my view is that in the next two and a half years, India will make all its debit cards, credit cards, all ATM machines, all PoS machines totally irrelevant," Kant had said at a Pravasi Bharatiya Divas session in Bengaluru.</p>
<div style="text-align: justify; ">UIDAI’s Pandey is more circumspect. “I wouldn’t say who would replace what. But from the government’s side we are encouraging all modes of digital payment. India has a diverse population and some people might prefer using a card, others a wallet. Collectively, they will contribute to a less-cash society.”</div>
No publisher | praskrishna | Demonetisation, Digital Payment, Digital Governance, Digital Economy, Privacy, Internet Governance, Digital Money, Video, Aadhaar, Biometrics | 2017-01-16T03:14:22Z | News Item
The New Aadhaar Bill in Plain English
http://editors.cis-india.org/internet-governance/blog/the-new-aadhaar-bill-in-plain-english
<b>We have put together a plain English version of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016.
</b>
<h2 id="docs-internal-guid-4528559b-63ee-ea8a-5fc7-ff5b32b069f6" dir="ltr">The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016</h2>
<p> </p>
<h5 dir="ltr">Chapter I. PRELIMINARY</h5>
<p> </p>
<p dir="ltr">Section 1</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">This Act is called the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">It will be applicable in the whole of India (except the state of Jammu and Kashmir).</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">It will become applicable on a date to be notified by the Central Government.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 2</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“Aadhaar number” is the identification number issued to an individual under the Act;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“Aadhaar number holder” is the person who has been given an Aadhaar number;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“authentication” is the process of verifying the Aadhaar number, demographic information and biometric information of any person by the Central Identities Data Repository (CIDR);</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“authentication record” is the record of the authentication which will contain the identity of the requesting entity and the response of the CIDR;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“Authority” or “UIDAI” refers to the Unique Identification Authority of India established under this Act;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“benefit” means any relief or payment which may be notified by the Central Government;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“biometric information” means photograph, fingerprint, Iris scan, or any other biological attributes specified by regulations;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“Central Identities Data Repository” or “CIDR” means a centralised database containing all Aadhaar numbers, demographic information and biometric information and other related information;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“Chairperson” means the Chairperson of the UIDAI;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“core biometric information” means fingerprint, Iris scan, or any biological attributes specified by regulations;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“demographic information” includes information relating to the name, date of birth, address and other relevant information as specified by regulations. This information will not include race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“enrolling agency” means an agency appointed by the UIDAI or a Registrar for collecting demographic and biometric information of individuals for issuing Aadhaar numbers;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“enrolment” means the process of collecting demographic and biometric information from individuals for the purpose of issuing Aadhaar numbers;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“identity information” in respect of an individual, includes his Aadhaar number, his biometric information and his demographic information;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“Member” includes the Chairperson and Member of the Authority appointed under section 12;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“notification” means a notification published in the Official Gazette and the expression “notified” with its cognate meanings and grammatical variations will be construed accordingly;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“prescribed” means prescribed by rules made by the Central Government under this Act;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“records of entitlement” means the records of benefits, subsidies or services provided to any individual under any government programme;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“Registrar” means any person authorized by the UIDAI to enroll individuals under the Act;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“regulations” means the regulations made by the UIDAI under this Act;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“requesting entity” means an agency that submits the Aadhaar number and other information of an individual to the CIDR for authentication;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“resident” means a person who has resided in India for at least 182 days in the last twelve months before the date of application for enrolment;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“service” means any facility or assistance provided by the Central Government in any form;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“subsidy” means any form of aid, support, grant, etc. in cash or kind as notified by the Central Government.</p>
</li></ol>
<p> </p>
<h5 dir="ltr">Chapter II. ENROLMENT</h5>
<p> </p>
<p dir="ltr">Section 3</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Every resident is entitled to get an Aadhaar number.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">At the time of enrollment, the enrolling agency will inform the individual of the following details—</p>
<ol><li style="list-style-type: lower-alpha;" dir="ltr">
<p dir="ltr">how their information will be used;</p>
</li><li style="list-style-type: lower-alpha;" dir="ltr">
<p dir="ltr">what type of entities the information will be shared with; and</p>
</li><li style="list-style-type: lower-alpha;" dir="ltr">
<p dir="ltr">that they have a right to see their information, and how they can see it.</p>
</li></ol>
</li>
<li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">After collecting and verifying the information given by the individuals, the UIDAI will issue an Aadhaar number to each individual.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 4</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Once an Aadhaar number has been issued to a person, it will not be re-assigned to any other person.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">An Aadhaar number will be a random number and will not contain any attributes or identity of the Aadhaar number holder.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">If adopted by a service provider, an Aadhaar number may be accepted as proof of identity of the person.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 5</p>
<p dir="ltr">The UIDAI will take special measures to issue Aadhaar numbers to women, children, senior citizens, persons with disability, unskilled and unorganised workers, nomadic tribes or to such other persons who do not have any permanent residence and similar categories of individuals.</p>
<p> </p>
<p dir="ltr">Section 6</p>
<p dir="ltr">The UIDAI may require Aadhaar number holders to update their Aadhaar information, so that it remains accurate.</p>
<p> </p>
<h5 dir="ltr">Chapter III. AUTHENTICATION</h5>
<p> </p>
<p dir="ltr">Section 7</p>
<p dir="ltr">As a condition for receiving a subsidy for which the expenditure is incurred from the Consolidated Fund of India, the Government may require that a person should be authenticated or give proof of the Aadhaar number to establish his/her identity. If a person does not have an Aadhaar number, he/she should make an application for enrolment. If an Aadhaar number is not assigned, the person will be offered viable and alternate means of identification for receiving the subsidy, benefit or service.</p>
<p> </p>
<p dir="ltr">Section 8</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will authenticate the Aadhaar information of people as per the conditions prescribed by the government and may also charge a fee for doing so.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Any requesting entity will— (a) take consent from the individual before collecting his/her Aadhaar information; and (b) use the information only for authentication with the CIDR.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The entity requesting authentication will also inform the individual of the following— (a) what type of information will be shared for authentication; (b) what will the information be used for; and (c) whether there is any alternative to submitting the Aadhaar information to the requesting entity.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will respond to the authentication request with yes, no, or other appropriate response and share identity information about the Aadhaar number holder but not share any biometric information.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 9</p>
<p dir="ltr">The Aadhaar number or its authentication will not be a proof of citizenship or domicile.</p>
<p> </p>
<p dir="ltr">Section 10</p>
<p dir="ltr">The UIDAI may engage any number of entities to establish and maintain the CIDR and to perform any other functions specified by the regulations.</p>
<h5 dir="ltr"><br class="kix-line-break" />Chapter IV. UNIQUE IDENTIFICATION AUTHORITY OF INDIA</h5>
<p dir="ltr"><br class="kix-line-break" />Section 11</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr"> The UIDAI will be established by the Central Government to be responsible for the processes of enrolment and authentication of Aadhaar numbers.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will be a body corporate with the power to buy and sell property, to enter into contracts and to sue or be sued.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The head office of the UIDAI will be in New Delhi.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI may establish its offices at other places in India.<br class="kix-line-break" /><br class="kix-line-break" /></p>
</li></ol>
<p dir="ltr">Section 12</p>
<p dir="ltr">The UIDAI will have a Chairperson, two part-time Members and a chief executive officer, who are to be appointed by the Central Government.<br class="kix-line-break" /><br class="kix-line-break" /></p>
<p dir="ltr">Section 13</p>
<p dir="ltr">The Chairperson and Members will be competent people with at least 10 years’ experience and knowledge in technology, governance, law, development, economics, finance, management, public affairs or administration.<br class="kix-line-break" /><br class="kix-line-break" /></p>
<p dir="ltr">Section 14</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The Chairperson and the Members will be appointed for 3 years and can be re-appointed after their term. But no Member or Chairperson will be more than 65 years of age.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The Chairperson and Members will take an oath of office and of secrecy.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The Chairperson or Member may— (a) resign from office, by giving an advance written notice of at least 30 days; or (b) be removed from his office because she/he gets disqualified on any of the grounds mentioned in section 15.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The salaries and allowances of the Members and Chairperson will be prescribed by the government. <br class="kix-line-break" /><br class="kix-line-break" /></p>
</li></ol>
<p dir="ltr">Section 15</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The Central Government may remove a Chairperson or Member, who—<br class="kix-line-break" />(a) has gone bankrupt; <br class="kix-line-break" />(b) is physically or mentally unable to do his/her job;<br class="kix-line-break" />(c) has been convicted of an offence involving moral turpitude;<br class="kix-line-break" />(d) has a financial conflict of interest in performing his/her functions; or<br class="kix-line-break" />(e) has abused his/her position so that the government needs to remove him/her in public interest.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The Chairperson or a Member will be given a chance to present his/her side of the story before being removed, unless he/she is being removed on the grounds of bankruptcy or criminal conviction. <br class="kix-line-break" /><br class="kix-line-break" /></p>
</li></ol>
<p dir="ltr">Section 16</p>
<p dir="ltr">An Ex-Chairperson or Ex-Member will have to take the approval of the Central Government,—</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">to accept any job in any entity (other than a government organization) which was associated with any work done for the UIDAI while that person was a Chairperson or Member, for a period of three years after ceasing to hold office;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">to act or advise any entity on any particular transaction for which that person had provided advice to the UIDAI while he/she was the Chairperson or a Member;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">to give advice to any person using information which was obtained as the Chairperson or a Member which is not available to the public in general; or</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">to accept any offer of employment or appointment as a director of any company with which he/she had direct and significant official dealings during his/her term of office, for a period of three years.<br class="kix-line-break" /><br class="kix-line-break" /></p>
</li></ol>
<p dir="ltr">Section 17</p>
<p dir="ltr">The Chairperson will preside over the meetings of the UIDAI and have the powers and perform the functions of the UIDAI.<br class="kix-line-break" /><br class="kix-line-break" /></p>
<p dir="ltr">Section 18</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr"> The chief executive officer (CEO) of the UIDAI will not be below the rank of Additional Secretary to the Government of India.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The chief executive officer will be responsible for— (a) the day-to-day administration of the UIDAI; (b) implementing the programmes and decisions of the UIDAI; (c) making proposals for the UIDAI; (d) preparation of the accounts and budget of the UIDAI; and (e) performing any other functions prescribed in the regulations.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The CEO will annually submit the following things to the UIDAI for its approval — (a) a general report covering all the activities of the Authority in the previous year; (b) programmes of work; (c) the annual accounts for the previous year; and (d) the budget for the coming year.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The CEO will have administrative control over the officers and other employees of the Authority.</p>
</li></ol>
<p dir="ltr"><br class="kix-line-break" />Section 19</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr"> The time and place of the meetings of the UIDAI and the rules and procedures of those meetings will be prescribed by regulations.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The meetings will be presided over by the Chairperson and, if the Chairperson is absent, by the senior-most Member of the UIDAI.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">All decisions at the meetings of the UIDAI will be taken by a majority vote. In case of a tie, the person presiding over the meeting will have the casting vote.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">All decisions of the UIDAI will be signed by the Chairperson or any other Member or the Member-Secretary authorised by the UIDAI in this behalf.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Any Member who is a director of a company, and because of this has a financial interest in matters coming up for consideration at a meeting, should disclose the financial interest and not take any further part in the discussions and decision on that matter.<br class="kix-line-break" /><br class="kix-line-break" /></p>
</li></ol>
<p dir="ltr">Section 20</p>
<p dir="ltr">No action or proceeding of the UIDAI will become invalid merely because of—</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">any vacancy in, or any defect in the constitution of, the UIDAI;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">any defect in the appointment of a person as Chairperson or Member of the Authority; or</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">any irregularity in the procedure of the Authority not affecting the merits of the case.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 21</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI, with the approval of the Government, can decide on the number and types of officers and employees that it would require.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The salaries and allowances of the employees, officers and chief executive officer will be prescribed under the government.<br class="kix-line-break" /><br class="kix-line-break" /></p>
</li></ol>
<p dir="ltr">Section 22.</p>
<p dir="ltr">Once the UIDAI is established—</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr"> all the assets and liabilities of the existing Unique Identification Authority of India, established by the Government of India through notification dated the 28th January, 2009, will stand transferred to the new UIDAI.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">all data and information collected during enrolment, all details of authentication performed, by the existing Unique Identification Authority of India will be deemed to have been done by the UIDAI. All debts, liabilities incurred and all contracts entered into by the Unique Identification Authority of India will be deemed to have been entered into by the UIDAI;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">all money due to the existing Unique Identification Authority of India will be deemed to be due to the UIDAI; and</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">all suits and other legal proceedings instituted by or against such Unique Identification Authority of India may be continued by or against the UIDAI.<br class="kix-line-break" /><br class="kix-line-break" /></p>
</li></ol>
<p dir="ltr">Section 23</p>
<p dir="ltr">The UIDAI will develop the policy, procedure and systems for issuing Aadhaar numbers to individuals and perform their authentication. The powers and functions of the UIDAI include—</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">specifying the demographic information and biometric information required for enrolment and the processes for collection and verification of that information;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">collecting demographic information and biometric information from people seeking Aadhaar numbers;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">appointing of one or more entities to operate the CIDR;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">generating and assigning Aadhaar numbers to individuals;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">performing authentication of Aadhaar numbers;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">maintaining and updating the information of individuals in the CIDR;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">omitting and deactivating an Aadhaar number;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">specifying the manner of use of Aadhaar numbers for the purposes of providing or availing of various subsidies and other purposes for which Aadhaar numbers may be used;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">specifying the terms and conditions for appointment of Registrars, enrolling agencies and service providers and revocation of their appointments;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">establishing, operating and maintaining of the CIDR;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">sharing the information of Aadhaar number holders;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">calling for information and records, conducting inspections, inquiries and audit of the operations of the CIDR, Registrars, enrolling agencies and other agencies appointed under this Act;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">specifying processes relating to data management, security protocols and other technology safeguards under this Act;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">specifying the conditions/procedures for issuance of new Aadhaar number to existing Aadhaar number holder;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">levying and collecting the fees or authorising the Registrars, enrolling agencies or other service providers to collect fees for the services provided by them under this Act;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">appointing committees necessary to assist the Authority in discharge of its functions;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">promoting research and development for advancement in biometrics and related areas;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">making and specifying policies and practices for Registrars, enrolling agencies and other service providers;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">setting up facilitation centres and grievance redressal mechanisms;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">other powers and functions as prescribed.</p>
</li></ol>
<p dir="ltr">The Authority may,— (a) enter into agreements with various state governments and Union Territories for collecting, storing, securing or processing of information or delivery of Aadhaar numbers to individuals or performing authentication; (b) appoint Registrars, engage and authorize agencies to collect, store, secure, process information or do authentication or perform other functions under this Act. The Authority may engage consultants, advisors and other persons required for efficient discharge of its functions.<br class="kix-line-break" /><br class="kix-line-break" /></p>
<h5 dir="ltr">Chapter V. GRANTS, ACCOUNTS AND AUDIT AND ANNUAL REPORT</h5>
<p> </p>
<p dir="ltr">Section 24</p>
<p dir="ltr">The Central Government may grant money to the UIDAI as it may decide, upon due appropriation by Parliament.</p>
<p> </p>
<p dir="ltr">Section 25</p>
<p dir="ltr">Fees/revenue collected by the UIDAI will be credited to the Consolidated Fund of India</p>
<p> </p>
<p dir="ltr">Section 26</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will prepare an annual statement of accounts in the format prescribed by Central Government</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The Comptroller and Auditor-General will audit the account of the UIDAI annually at intervals decided by him, at the UIDAI’s expense.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The Comptroller and Auditor-General or his appointees will have the same powers of audit they usually have to audit Government accounts.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will forward the statement of accounts certified by the Comptroller and Auditor-General and the audit report, to the Central Government who will lay it before both houses of Parliament.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 27</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will provide returns, statements and particulars as sought, to the Central Government, as and when required.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will prepare an annual report containing the description of work for previous years, annual accounts of previous year, and the programmes of work for coming year.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The copy of the annual report will be laid before both houses of Parliament by the Central Government.</p>
</li></ol>
<p> </p>
<h5 dir="ltr">Chapter VI. PROTECTION OF INFORMATION</h5>
<p> </p>
<p dir="ltr">Section 28</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will ensure the security and confidentiality of identity information and authentication records.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will take measures to ensure that all information with the UIDAI, including CIDR records is secured and protected against access, use or disclosure and against destruction, loss or damage.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will adopt and implement appropriate technical and organisational security measures, and ensure the same are imposed through agreements/arrangements with its agents, consultants, advisors or other persons.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Unless otherwise provided, the UIDAI or its agents will not reveal any information in the CIDR to anyone.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">An Aadhaar number holder may request the UIDAI to provide access to his information (excluding the core biometric information) as per the regulations specified.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 29</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The core biometric information collected will not be a) shared with anyone for any reason, and b) used for any purpose other than generation of Aadhaar numbers and authentication.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Identity information, other than core biometric information, may be shared only as per this Act and regulations specified under it.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Identity information available with a requesting entity will not be used for any purpose other than what is specified to the individual, nor will it be shared further without the individual’s consent.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Aadhaar numbers or core biometric information will not be made public except as specified by regulations.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 30</p>
<p dir="ltr">All biometric information collected and stored in electronic form will be deemed to be “electronic record” and “sensitive personal data or information” under Information Technology Act, 2000 and its provisions and rules will apply to it in addition to this Act.</p>
<p> </p>
<p dir="ltr">Section 31</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">If the demographic or biometric information about any Aadhaar number holder changes, is lost or is found to be incorrect, they may request the UIDAI to make changes to their record in the CIDR, as necessary.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The identity information in the CIDR will not be altered, except as provided in this Act.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 32</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will maintain the authentication records in the manner and for as long as specified by regulations.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Every Aadhaar number holder may obtain his authentication record as specified by regulations.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will not collect, keep or maintain any information about the purpose of authentication.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 33</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI may reveal identity information, authentication records or any information in the CIDR following a court order by a District Judge or higher. Any such order may only be made after UIDAI is allowed to appear in a hearing.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The confidentiality provisions in Sections 28 and 29 will not apply with respect to disclosure made in the interest of national security following directions by a Joint Secretary to the Government of India, or an officer of a higher rank, authorised for this purpose.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">An Oversight Committee comprising Cabinet Secretary, and Secretaries of two departments — Department of Legal Affairs and DeitY— will review every direction under 33 B above.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Any directions under 33 B above are valid for 3 months, after which they may be extended following a review by the Oversight Committee.</p>
</li></ol>
<p> </p>
<h5 dir="ltr">Chapter VII. OFFENCES AND PENALTIES</h5>
<p> </p>
<p dir="ltr">Section 34</p>
<p dir="ltr">Impersonating or attempting to impersonate another person by providing false demographic or biometric information will be punishable by imprisonment of up to three years, and/or fine of up to ten thousand rupees.</p>
<p> </p>
<p dir="ltr">Section 35</p>
<p dir="ltr">Changing or attempting to change any demographic or biometric information of an Aadhaar number holder by impersonating another person (or attempting to do so), with the intent of i) causing harm or mischief to an Aadhaar number holder, or ii) appropriating the identity of an Aadhaar number holder, is punishable with imprisonment up to three years and fine up to ten thousand rupees.</p>
<p> </p>
<p dir="ltr">Section 36</p>
<p dir="ltr">Collection of identity information by one not authorised by this Act, by way of pretending otherwise, is punishable with imprisonment up to three years or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).</p>
<p> </p>
<p dir="ltr">Section 37</p>
<p dir="ltr">Intentional disclosure or dissemination of identity information, to any person not authorised under this Act, or in violation of any agreement entered into under this Act, will be punishable with imprisonment up to three years or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).</p>
<p> </p>
<p dir="ltr">Section 38</p>
<p dir="ltr">The following intentional acts, when not authorised by the UIDAI, will be punishable with imprisonment up to three years and a fine not less than ten lakh rupees:</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">accessing or securing access to the CIDR;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">downloading, copying or extracting any data from the CIDR;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">introducing or causing any virus or other contaminant into the CIDR;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">damaging or causing damage to the data in the CIDR;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">disrupting or causing disruption to access to CIDR;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">causing denial of access to the CIDR to an authorised person;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">revealing information in breach of (D) in Section 28, or Section 29;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">destruction, deletion or alteration of any files in the CIDR;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">stealing, destruction, concealment or alteration of any source code used by the UIDAI.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 39</p>
<p dir="ltr">Tampering of data in the CIDR or removable storage medium, with the intention to modify or discover information relating to Aadhaar number holder will be punishable with imprisonment up to three years and a fine up to ten thousand rupees.</p>
<p> </p>
<p dir="ltr">Section 40</p>
<p dir="ltr">Use of identity information in violation of Section 8 (3) by a requesting entity will be punishable with imprisonment up to three years and/or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).</p>
<p dir="ltr"><br class="kix-line-break" />Section 41</p>
<p dir="ltr">Violation of Section 8 (3) or Section 3 (2) by a requesting entity or enrolling agency will be punishable with imprisonment up to one year and/or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).</p>
<p> </p>
<p dir="ltr">Section 42</p>
<p dir="ltr">Any offence against this Act or regulations made under it, for which no specific penalty is provided, will be punishable with imprisonment up to one year and/or a fine up to twenty five thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).</p>
<p> </p>
<p dir="ltr">Section 43</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">In case of an offence under this Act committed by a company, all persons in charge of and responsible for the conduct of the company will also be held to be guilty and liable for punishment unless they can prove lack of knowledge of the offence or that they had exercised all due diligence to prevent it.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">In case an offence is committed by a Company with the consent, connivance or neglect of a director, manager, secretary or other officer of a company, they will also be held guilty of the offence.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 44</p>
<p dir="ltr">This Act will also apply to offences committed outside of India by any person, irrespective of their nationality, if the offence involves any data in the CIDR.</p>
<p> </p>
<p dir="ltr">Section 45</p>
<p dir="ltr">Offences under this Act will not be investigated by police officers below the rank of Inspector of Police.</p>
<p> </p>
<p dir="ltr">Section 46</p>
<p dir="ltr">Penalties imposed under this Act will not prevent imposition of any other penalties or punishment under any other law in force.</p>
<p> </p>
<p dir="ltr">Section 47</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Courts will take cognizance of offences under this Act only upon complaint being made by the UIDAI or any officer authorised by it.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">No court inferior to that of a Chief Metropolitan Magistrate or a Chief Judicial Magistrate will try any offence under this Act.</p>
</li></ol>
<p> </p>
<h5 dir="ltr">Chapter VIII. MISCELLANEOUS</h5>
<p> </p>
<p dir="ltr">Section 48</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Central Government has the power to supersede the UIDAI, through a notification, not for longer than six months, in the following circumstances: i) In case of circumstances beyond the control of the UIDAI, ii) The UIDAI has defaulted in complying with directions of the Central Government, affecting financial position of the UIDAI, iii) Public emergency</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Upon publication of notification, Chairperson and Members of the UIDAI must vacate the office</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Powers, functions and duties will be performed by person(s) authorised by the President.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Properties controlled and owned by UIDAI will vest in the Central Government.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Central Government will reconstitute the UIDAI upon expiration of supersession, with fresh appointment of Chairperson and Members.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 49</p>
<p dir="ltr">Chairperson, members, employees etc. are deemed to be public servants within the meaning of section 21 of the Indian Penal Code.</p>
<p> </p>
<p dir="ltr">Section 50</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Central Government has the power to issue directions to the UIDAI on questions of policy (to be decided by the Government), except technical and administrative matters and the UIDAI will be bound by it.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will be given an opportunity to express views before direction is given.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 51</p>
<p dir="ltr">The UIDAI may delegate its powers and functions to a Member or officer of the UIDAI.</p>
<p> </p>
<p dir="ltr">Section 52</p>
<p dir="ltr">No suit, prosecution or other legal proceedings will lie against the Central Government, UIDAI, Chairperson, any Member, officer, or other employees of the UIDAI for an act done in good faith.</p>
<p> </p>
<p dir="ltr">Section 53</p>
<p dir="ltr">The Central Government has the power to make Rules for matters prescribed under this provision.</p>
<p> </p>
<p dir="ltr">Section 54</p>
<p dir="ltr">UIDAI has the power to make regulations for matters prescribed under this provision.</p>
<p> </p>
<p dir="ltr">Section 55</p>
<p dir="ltr">Rules and regulations under this Act will be laid before each House of Parliament for a total period of thirty days, both Houses must agree in making modification, and then the Rules will come into effect.</p>
<p> </p>
<p dir="ltr">Section 56</p>
<p dir="ltr">Provisions of this Act are in addition to, and not in derogation of any other law currently in effect.</p>
<p> </p>
<p dir="ltr">Section 57</p>
<p dir="ltr">This Act will not prevent use of Aadhaar number for other purposes under law by the State or other bodies.</p>
<p> </p>
<p dir="ltr">Section 58</p>
<p style="text-align: justify;" dir="ltr">The Central Government may pass an order to remove a difficulty in giving effect to the provisions of this Act, not beyond three years from the commencement of this Act.</p>
<p> </p>
<p dir="ltr">Section 59</p>
<p style="text-align: justify;" dir="ltr">Action taken by the Central Government under the Resolution of the Government of India for setting up the UIDAI or by the Department of Electronics and Information Technology under the notification including the UIDAI under the Ministry of Communications and Information Technology will be deemed to have been validly done or taken.</p>
<p> </p>
<h5 dir="ltr">STATEMENT OF OBJECTS AND REASONS</h5>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Correct identification of targeted beneficiaries for delivery of subsidies, services, grants, benefits, etc. has become a challenge for the Government.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">This has proved to be a major hindrance for successful implementation of these programmes.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">In the absence of a credible system to authenticate identity of beneficiaries, it is difficult to ensure that the subsidies, benefits and services reach the intended beneficiaries.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI was established to lay down policies and implement the Unique Identification Scheme of the Government, by which residents of India were to be provided a unique identity number.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Upon successful authentication, this number would serve as proof of identity for identification of beneficiaries for transfer of benefits, subsidies, services and other purposes.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">With increased use of the Aadhaar number, steps to ensure security of such information need to be taken and offences pertaining to certain unlawful actions, created.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">It has been felt that the processes of enrolment, authentication, security, confidentiality and use of Aadhaar related information must be made statutory.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 seeks to provide for issuance of Aadhaar numbers to individuals on providing their demographic and biometric information to the UIDAI, requiring Aadhaar numbers for identifying an individual for delivery of benefits, subsidies, and services, authentication of the Aadhaar number, establishment of the UIDAI, maintenance and updating the information of individuals in the CIDR, state measures pertaining to security, privacy and confidentiality of information in possession or control of the UIDAI including information stored in the Central Identities Data Repository and identify offences and penalties for contravention of relevant statutory provisions.</p>
</li></ol>
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/the-new-aadhaar-bill-in-plain-english'>http://editors.cis-india.org/internet-governance/blog/the-new-aadhaar-bill-in-plain-english</a>
</p>
Amber Sinha, Vanya Rakesh and Vipul Kharbanda
Tags: UID, Privacy, Internet Governance, Aadhaar, Biometrics
2016-03-11T04:41:38Z, Blog Entry
The Last Chance for a Welfare State Doesn’t Rest in the Aadhaar System
http://editors.cis-india.org/internet-governance/blog/the-last-chance-for-a-welfare-state-doesnt-rest-in-the-aadhaar-system
<b>Boosting welfare is the message, which is how Aadhaar is being presented in India. The Aadhaar system as a medium, however, is one that enables tracking, surveillance, and data monetisation. This piece by Sumandro Chattapadhyay was published in The Wire on April 19, 2016.</b>
<p> </p>
<p><em>Originally published in and cross-posted from <a href="http://thewire.in/2016/04/19/the-last-chance-for-a-welfare-state-doesnt-rest-in-the-aadhaar-system-30256/">The Wire</a>.</em></p>
<hr />
<p>Once upon a time, a king desired that his parrot should be taught all the ancient knowledge of the kingdom. The priests started feeding the pages of the great books to the parrot with much enthusiasm. One day, the king asked the priests if the parrot’s education had been completed. The priests poked the belly of the parrot but it made no sound. Only the rustle of undigested pages inside the belly could be heard. The priests declared that the parrot was indeed a learned one now.</p>
<p>The fate of the welfare system in our country is quite similar to this parrot from Tagore’s parable. It has been forcefully fed identification cards and other official documents (often four copies of the same) for years, and always with the same justification of making it more effective and fixing the leaks. These identification regimes are in effect killing off the welfare system. And some may say that that has been the actual plan in any case.</p>
<p>The Aadhaar number has been recently offered as <a href="http://indianexpress.com/article/opinion/columns/aadhaar-project-uidai-last-chance-for-a-welfare-state/">the ‘last chance’ for the ailing welfare system</a> – a last identification regime that it needs to gulp down to survive. This argument wilfully overlooks the acute problems with the Aadhaar project.</p>
<p>Firstly, the ‘last chance’ for a welfare state in India is not provided by implementing a new and improved identification regime (Aadhaar numbers or otherwise), but by enabling citizens to effectively track, monitor, and ensure delivery of welfare, services, and benefits. This ‘opening up’ of the welfare bureaucracy has been most effectively initiated by the Right to Information Act. Instead of a centralised biometrics-linked identity verification platform, which gives the privilege of tracking and monitoring welfare flows only to a few expert groups, an effective welfare state requires the devolution of such privilege and responsibility.</p>
<p>We should harness the tracking capabilities of electronic financial systems to disclose how money belonging to the Consolidated Fund of India travels around state agencies and departmental levels. Instead, the Aadhaar system effectively stacks up a range of entry barriers to accessing welfare – from malfunctioning biometric scanners, to connectivity problems, to the burden of keeping one’s fingerprint digitally legible under all labouring and algorithmic circumstances.</p>
<p>Secondly, authentication of welfare recipients by Aadhaar number neither make the welfare delivery process free of techno-bureaucratic hurdles, nor does it exorcise away corruption. Anumeha Yadav has recently documented the emerging <a href="http://scroll.in/article/805909/in-rajasthan-there-is-unrest-at-the-ration-shop-because-of-error-ridden-aadhaar">‘unrest at the ration shop’ across Rajasthan</a>, as authentication processes face technical and connectivity delays, people get ‘locked out’ of public services for not having or having Aadhaar number with incorrect demographic details, and no mechanisms exist to provide rapid and definitive recourse.</p>
<p>RTI activists at the <a href="http://www.snsindia.org/">Satark Nagrik Sangathan</a> have highlighted that the Delhi ration shops, using Aadhaar-based authentication, maintain only two columns of data to describe people who have come to the shop – those who received their ration, and those who did not (without any indication of the reason). This leads to erasure-by-design of evidence of the number of welfare-seekers who are excluded from welfare services when the Aadhaar-based authentication process fails (for valid reasons, or otherwise).</p>
<p>Reetika Khera has made it very clear that using Aadhaar Payments Bridge to directly transfer cash to a beneficiary’s account, in the best case scenario, <a href="http://www.epw.in/journal/2013/05/commentary/cost-benefit-analysis-uid.html">may only take care of one form of corruption</a>: deception (a different person claiming to be the beneficiary). But it does not address the other two common forms of public corruption: collusion (government officials approving undue benefits and creating false beneficiaries) and extortion (forceful rent seeking after the cash has been transferred to the beneficiary’s account). Evidently, going after only deception does not make much sense in an environment where collusion and extortion are commonplace.</p>
<p>Thirdly, the ‘relevant privacy question’ for Aadhaar is not limited to how UIDAI protects the data collected by it, but expands to usage of Aadhaar numbers across the public and private sectors. The privacy problem created by the Aadhaar numbers does begin, but surely does not end, with the internal data management procedures and responsibilities of the UIDAI.</p>
<p>On one hand, the Aadhaar Bill 2016 has reduced the personal data sharing restrictions of the NIAI Bill 2010, and <a href="http://scroll.in/article/806297/no-longer-a-black-box-why-does-the-revised-aadhar-bill-allow-sharing-of-identity-information">has allowed for sharing of all data except core biometrics (fingerprints and iris scan)</a> with all agencies involved in authentication of a person through her/his Aadhaar number. These agencies have been asked to seek consent from the person who is being authenticated, and to inform her/him of the ways in which the provided data (by the person, and by UIDAI) will be used by the agency. In careful wording, the Bill only asks the agencies to inform the person about “alternatives to submission of identity information to the requesting entity” (Section 8.3) but not to provide any such alternatives. This facilitates and legalises a much wider collection of personal demographic data for offering of services by public agencies “or any body corporate or person” (Section 57), which is way beyond the scope of data management practices of UIDAI.</p>
<p>On the other hand, the Aadhaar number is being seeded to all government databases – from lists of HIV patients, of rural citizens being offered 100 days of work, of students getting scholarships meant for specific social groups, of people with a bank account. Now in some sectors, such as banking, inter-agency sharing of data about clients is strictly regulated. But we increasingly have non-financial agencies playing crucial roles in the financial sector – from mobile wallets to peer-to-peer transactions to innovative credit ratings. Seeding of Aadhaar into all government and private databases would allow for easy and direct joining up of these databases by anyone who has access to them, and not by security agencies alone.</p>
<p>When it becomes publicly acceptable that <a href="http://indianexpress.com/article/opinion/columns/aadhaar-project-uidai-last-chance-for-a-welfare-state/">the <em>money bill route</em> was a ‘remedial’ instrument to put the Rajya Sabha ‘back on track’</a>, one cannot but wonder about what was being remedied by avoiding a public debate about the draft bill before it was presented in Lok Sabha. The answer is simple: <em>welfare is the message, surveillance is the medium</em>.</p>
<p>Acceptance and adoption of any medium requires a message, a content. The users are interested in the message. The message, however, is not the business. Think of Free Basics. Facebook wants people with no or limited access to the internet to enjoy parts of the internet at zero data cost. Facebook does not provide the content that the users consume on such internet. The content is created by the users themselves, and also provided by other companies. Facebook owns and controls the medium, and makes money out of all content, including interactions, passing through it.</p>
<p>The UIDAI has set up a biometric data bank and related infrastructure to offer authentication-as-a-service. As the Bill clarifies, almost all agencies (public or private, national or global) can use this service to verify the identity of Indian residents. Unlike Facebook, the content of these services does not flow through the Aadhaar system. Nonetheless, Aadhaar keeps track of all ‘authentication records’, that is, records of whose identity was authenticated by whom, when, and where. This database is a gold (data) mine for security agencies in India, and elsewhere. Further, as more agencies use authentication based on Aadhaar numbers, it becomes easier for them to combine and compare databases with other agencies doing the same, by linking each line of transaction across databases using Aadhaar numbers.</p>
<p>Welfare is the message that the Aadhaar system is riding on. The message is only useful for the medium as far as it ensures that the majority of the user population are subscribing to it. Once the users are enrolled, or on-boarded, the medium enables flow of all kinds of messages, and tracking and monetisation (perhaps not so much in the case of UIDAI) of all those flows. It does not matter if the Aadhaar system is being introduced to remedy the broken parliamentary process, or the broken welfare distribution system. What matters is that the UIDAI is establishing the infrastructure for a universal surveillance system in India, and without a formal acknowledgement and legal framework for the same.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/the-last-chance-for-a-welfare-state-doesnt-rest-in-the-aadhaar-system'>http://editors.cis-india.org/internet-governance/blog/the-last-chance-for-a-welfare-state-doesnt-rest-in-the-aadhaar-system</a>
</p>
No publisher | sumandro | UID, Data Systems, Privacy, Internet Governance, Digital India, Aadhaar, Biometrics | 2016-04-19T13:18:42Z | Blog Entry