The Centre for Internet and Society
http://editors.cis-india.org
Aadhaar's new security measures are good, it is still work in progress
http://editors.cis-india.org/internet-governance/news/business-standard-january-25-2018-alnoor-peermohamed-aadhaars-new-security-measures-are-good-it-is-still-work-in-progress
<b>Here's a rundown of the three new features that the UIDAI will introduce to make Aadhaar seemingly more secure.</b>
<p style="text-align: justify; ">The article by Alnoor Peermohamed was <a class="external-link" href="http://www.business-standard.com/article/economy-policy/aadhaar-s-new-security-measures-are-good-it-is-still-work-in-progress-118012400982_1.html">published in Business Standard</a> on January 25, 2018.</p>
<hr />
<p style="text-align: justify; ">While public pressure over the security of <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>might have forced the Unique Identification Authority of India (UIDAI) to introduce new features such as face authentication, <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=virtual+id" target="_blank">virtual ID </a>and limited KYC, experts who have worked on the system say such updates are incremental and need to keep happening.</p>
<p style="text-align: justify; ">Be it Google, Facebook or Aadhaar, a digital system serving billions of people needs to remain secure for which it continually has to evolve, sometimes adapting to issues that are found. The three new features will certainly help improve security, but many questions still remain over how the <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=uidai" target="_blank">UIDAI </a>will tackle the recently highlighted issue of rogue <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>agents.</p>
<p style="text-align: justify; ">An article in the Tribune newspaper which claimed that <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>information of individuals was on sale for as little as Rs 500, sparked off the biggest security scare against the digital identity keeper in a while. Even though the <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=uidai" target="_blank">UIDAI </a>asserted that its systems had not been breached, proof that <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>details of an individual could be bought had been delivered. The agency has also not inspired confidence among public and security researchers with the way it has responded to <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>data that has been put in public domain in violation of privacy of individuals.</p>
<p style="text-align: justify; "><span>"As an economy and an ecosystem, we have to understand that there is no such thing as a 100 percent secure system. When it was on paper it was not secure and now that it is digital, it is not a 100 percent secure. Security gaps may exist, but those should not cause large-scale theft of people's identity or cause significant damage. It's an arms race and this means that </span><a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a><span>has to improve constantly," says Lalitesh Katragadda, former head of Google's product centre in India who has helped build </span><a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar.</a></p>
<p style="text-align: justify; "><strong>Here's a rundown of the three new features that the <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=uidai" target="_blank">UIDAI </a>will introduce to make <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>seemingly more secure:</strong></p>
<p style="text-align: justify; "><strong>Face Auth</strong></p>
<p style="text-align: justify; "><a class="storyTags" href="http://www.business-standard.com/search?type=news&q=face+authentication" target="_blank">Face Authentication </a>or 'Face Auth' is an additional biometric that the <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=uidai" target="_blank">UIDAI </a>will roll out in order to cut down on the number of failed attempts which is increasingly being highlighted as an issue. By matching a user's face, captured through a camera at the time of authentication to the image of their face which was taken at the time of <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>enrolment, the identity of an individual can be more accurately verified.</p>
<p style="text-align: justify; ">Facial recognition in the consumer landscape has once again been popularised by Apple's latest iPhone X device that uses an array of sensors and infrared light to map a person's face in three dimensions. The company claims this is more accurate than its previous fingerprint-based TouchID technology, but this isn't the case with UIDAI's facial recognition technology.</p>
<p style="text-align: justify; ">The <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=uidai" target="_blank">UIDAI </a>will utilise webcams and low-end hardware to enable Face Auth, which is why it took the conscious decision to use a person's face in conjunction with another layer of authentication: fingerprint, iris scan or a one-time password sent to the user's registered mobile device.</p>
<p style="text-align: justify; ">How exactly applications built on <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>will utilise this new Face Auth feature is not known yet, and neither are the technical specifications. Srikanth Nadhamuni, the former Chief Technology Officer of Aadhaar, envisions a scenario where a farmer using <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>to get his PDS witnesses a failure to authenticate using his fingerprint, prompting the application to capture his photo and check whether it matches with the existing photo on the UIDAI's database.</p>
<p style="text-align: justify; ">Activists, however, point out that it's far easier to fake facial recognition software, which in some cases gets fooled into giving out positives by simply holding photos of the user in front of a camera. "At the end of the day your face is again biometric, and that comes with the same host of issues that are plaguing the other biometrics that have so far been used," says Sunil Abraham, Executive at Bengaluru-based think tank Centre for Internet and Society (CIS).</p>
<p style="text-align: justify; "><strong>Virtual ID</strong></p>
<p style="text-align: justify; ">As its name suggests, <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=virtual+id" target="_blank">Virtual ID </a>gives users a stand-in for their 12-digit <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>number if they're worried that it will be stolen, leaked online or misused in any way. Any <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>user will be able to log into an online portal, visit an <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>enrollment centre or use the mAadhaar app to generate a 16-digit <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=virtual+id" target="_blank">Virtual ID.</a></p>
<p style="text-align: justify; ">By virtue, the <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=uidai" target="_blank">UIDAI </a>has built the <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=virtual+id" target="_blank">Virtual ID </a>to be temporary and a user can ask for any number of Virtual IDs - when a new one is generated, the old one is destroyed and can even be assigned to another user. The key here is that only the <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=uidai" target="_blank">UIDAI </a>will be able to make the link between a <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=virtual+id" target="_blank">Virtual ID </a>and an <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>number, and no one else.</p>
<p style="text-align: justify; ">After years of arguing that leaking of the <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>number itself wasn't an issue, the <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=uidai" target="_blank">UIDAI </a>is finally giving users a tool that allows them to keep their <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>number private. While Abraham agrees that the feature will make <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>safer, he says its effectiveness will only be valid if a user opts in as it has not been made a feature by design.</p>
<p style="text-align: justify; ">Nadhamuni argues on the contrary, that making <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=virtual+id" target="_blank">Virtual ID </a>a mandatory process would hurt more people than it helps. "A lot of people in rural India are using their <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>for authentication of PDS and MNREGA and so on and it's working for them.</p>
<p style="text-align: justify; ">You don't want to confuse all of them and ask them to create yet another number. You'd have to make a farmer understand the concept of <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=virtual+id" target="_blank">Virtual ID </a>when he's completely happy with the way things are today," he says.</p>
<p style="text-align: justify; "><strong>Limited KYC</strong></p>
<p style="text-align: justify; ">The process of KYC (Know Your Customer) through <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>has all along given public bodies and private companies access to a user's details such as name, age, sex, address and photograph. With limited KYC, the <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=uidai" target="_blank">UIDAI </a>will categorise a body seeking <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">aadhaar </a>details into two buckets, ones that get the full information and ones with whom only partial information is shared.</p>
<p style="text-align: justify; ">Realising that not all bodies or companies need all the <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>details is the biggest change that <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=limited+kyc" target="_blank">Limited KYC </a>will bring in. The idea is that the fewer places a person's <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>details are stored, the fewer chances of it leaking. Moreover, by giving only critical services full <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>details the <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=uidai" target="_blank">UIDAI </a>is hoping it will eliminate its problem of having to share details with less secure systems.</p>
<p style="text-align: justify; "><a class="storyTags" href="http://www.business-standard.com/search?type=news&q=limited+kyc" target="_blank">Limited KYC </a>will also bring in a tokenized system for agencies to ensure uniqueness while not storing a user's <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>number on their databases. A 72-digit alphanumeric UID Token will be generated at the time of authentication which only <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=uidai" target="_blank">UIDAI </a>will be able to map back to a particular <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>number. However, there isn't clarity on who will be exempt from this as there is word that banks and tax authorities will be allowed to store user <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>numbers.</p>
<p style="text-align: justify; ">The UID Tokens will also be backdated, meaning all previous KYC attempts a user had made with a particular body or company will also be migrated to the new system, ensuring that if two databases leak, the perpetrators are not able to easily use <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>numbers to match users and improve the quality of the data they've stolen. Some details on this are still missing though.</p>
<p style="text-align: justify; "><strong>Security: Work in Progress</strong></p>
<p style="text-align: justify; ">Experts who worked on building <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>say that such features were discussed during the very inception of the national biometric database, but were not rolled out until now to avoid complexity. Katragadda, who has worked on building many large APIs at Google agrees that all large systems avoid complexity during the kickoff and add them based on needs of users later.</p>
<p style="text-align: justify; ">Like him, both Nadhamuni and even Abraham agree that the new features will make <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>more secure, while the latter had his reservations on how secure it would be which only the fine print would reveal. The experts also agree that the public discourse which <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>security has taken is a good thing, since the digital security of over a billion people is now public discussion.</p>
<p style="text-align: justify; ">"Security breaches are like earthquakes. It's better to have many tiny tremors than be oblivious to gaps in our system and lose everything with that one massive earthquake. So it's better to have our ears close to the ground, have ethical hacking competitions where we ask people to hack the <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>system, find gaps in security. The best APIs in the world do this," says Katragadda.</p>
<p style="text-align: justify; ">He adds that India should not be scared to build large digital systems for public good in the fear that there will be security breaches. Even the paper-based system before <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>had several security lapses, but they were not visible. "Otherwise we need to have this holy grail of a system which is perfectly automated and we're at least 20 years away from full robotics," he adds.</p>
No publisher | Admin | Aadhaar, Internet Governance, Privacy | 2018-01-26T01:52:51Z | News Item
Aadhaar-privacy debate: How the 12-digit number went from personal identifier to all pervasive transaction tool
http://editors.cis-india.org/internet-governance/news/first-post-january-18-2018-aadhaar-privacy-debate-how-the-12-digit-number-went-from-personal-identifier-to-all-pervasive-transaction-tool
<b>Depending on who you ask, the Aadhaar is either a convenience or a curse. </b>
<p style="text-align: justify; ">The article was published by <a class="external-link" href="http://www.firstpost.com/india/aadhaar-privacy-debate-how-the-12-digit-number-went-from-personal-identifier-to-all-pervasive-transaction-tool-4308043.html">First Post</a> on January 18, 2018.</p>
<hr />
<p style="text-align: justify; ">The ongoing <a href="http://www.firstpost.com/india/aadhaar-a-giant-electronic-leash-distorts-states-relation-with-citizen-petitioner-tells-supreme-court-4307107.html">hearing in the Supreme Court</a> is testing the constitutional validity of a scheme that has been around in one shape or another since 2003, ever since the need for an identification project was first felt.</p>
<p style="text-align: justify; ">By the government's own estimates, the Aadhaar initiative has <a href="http://www.thehindubusinessline.com/economy/policy/aadhaar-covers-98-of-adult-population-says-prasad/article9091254.ece" rel="nofollow" target="_blank">covered 98 percent of the adult population</a> in India and, as of 7 September, the Unique Identification Authority of India (UIDAI) has generated cards for 105.11 crore people. So, if you are an Indian adult, chances are that you possess an Aadhaar card by now.</p>
<p style="text-align: justify; ">The Aadhaar database is one of the largest government databases on the planet, where a 12 digit unique-identity number has been assigned to the majority of the Indian citizens. This database contains both the demographic as well as biometric data of the citizens.</p>
<p style="text-align: justify; ">What started as a unique identification number to streamline the distribution of welfare to the needy has now turned into an all-pervasive tool that can arm the government with sensitive data of all Indians. At the heart of this issue is the sheer quantity of data being amassed as part of the scheme and the many privacy and security concerns generated as a result of it.</p>
<p style="text-align: justify; ">The Aadhaar of today, in addition to basic personal information, includes biometric data like your fingerprints, your iris scan and now even your facial scans (albeit introduced as a safety feature). This is designed to address the issue of failed biometric authentication, as an alternative for people having difficulty authenticating, due to factors like worn out fingerprints, or changing biometric data due to old age, hard work conditions, accidents and the like.</p>
<p style="text-align: justify; ">But what it fails to address is the growing unease among citizens about the scale of the project, its intent, and the actual legality of enabling such an architecture, which could threaten the citizens with the possibility of State surveillance.</p>
<p style="text-align: justify; ">The sheer amount of private and confidential data amassed in one singular database has given rise to concerns over data security and its privacy.</p>
<p style="text-align: justify; ">However, worst fears about Aadhaar <a href="http://www.firstpost.com/economy/you-should-be-worried-with-aadhaar-you-are-at-govts-mercy-1315823.html" target="_blank">have come true</a> after the developments that have happened over the past few weeks. A recent investigation by <a href="http://www.tribuneindia.com/news/nation/rs-500-10-minutes-and-you-have-access-to-billion-aadhaar-details/523361.html" rel="nofollow" target="_blank"><em>The Tribune</em></a> revealed that the details of any of the billion Aadhaar numbers issued in India were accessible for as little as Rs 500.</p>
<p style="text-align: justify; ">Since then, the UIDAI and every other government machinery have been in top gear, trying to allay the fears around Aadhaar. It even introduced a flurry of steps to make sure that the database is safe and secure, and that the data is protected. But not everyone is convinced. Critics say, biometrics only make the citizen transparent to the State and that it does not make the State transparent to citizens.</p>
<p style="text-align: justify; ">"We warned the government six years ago, but they ignored us," Sunil Abraham, executive director of Bengaluru-based research organisation, Centre for Internet and Society, was quoted by <a href="http://www.thehindubusinessline.com/specials/india-file/aadhaar-the-12digit-conundrum/article9582271.ece" rel="nofollow" target="_blank"><em>The Hindu Business Line</em></a> as saying.</p>
<p style="text-align: justify; ">According to him, the legislation implementing Aadhaar has almost no data protection guarantees for citizens. He also believes that by opting for biometrics instead of smart cards the government is using surveillance technology instead of e-governance technology.</p>
<p style="text-align: justify; ">On the other hand, finance minister Arun Jaitley said recently that an Aadhaar card could become the sole identifier for a person in future. "A stage may come that the unique identity will become the only card," Jaitley said. "There are many countries where such a situation exists. There is a social security number in America and in India it (Aadhaar) could be the counterpart."</p>
<p style="text-align: justify; ">Since its inception, the Aadhaar was always pitched as a scheme integral to the modernisation of social welfare in India.</p>
<p style="text-align: justify; ">But, according to a <a href="https://scroll.in/article/825103/aadhaar-shows-indias-governance-is-susceptible-to-poorly-tested-ideas-pushed-by-powerful-people" rel="nofollow" target="_blank"><em>Scroll</em></a> report, state governments are struggling to use Aadhaar-based fingerprint authentication in ration shops. Whereas, at the same time, a rising number of companies are integrating Aadhaar into their databases for private services that have nothing to do with the welfare delivery system.</p>
<p style="text-align: justify; ">So, why is the scheme failing at the very job it was created for, while proving useful to private endeavours elsewhere? Why did the BJP, a dispensation critical of Aadhaar in 2014, make a complete u-turn and become a champion for a cause backed by the UPA in its time? Are the security, privacy concerns a small price to pay for better delivery of welfare schemes or is it an instrument of surveillance and a potential goldmine for hackers?</p>
<p style="text-align: justify; ">The debate around Aadhaar and the explanations for its need and/or threats are biased, incomplete and solely depend on who you ask. Therefore, it might do well to trace the roots of the Aadhaar mission and retrace its critical moments.</p>
<h3 style="text-align: justify; ">Origins of Aadhaar</h3>
<p style="text-align: justify; ">According to the <em>Scroll</em> report, India first fiddled with the idea to assign numbers to people in 2003, in the aftermath of the Kargil war.</p>
<p style="text-align: justify; ">With rising security concerns, the then BJP government under Atal Bihari Vajpayee wanted every Indian citizen to be accounted for. This desire eventually took the shape of the National Population Register, that aimed to identify citizens amongst the country's residents.</p>
<p class="body" style="text-align: justify; ">The Citizenship Act was amended in 2004 by the incumbent Congress government to make way for the National Population Register (NPR).</p>
<p style="text-align: justify; ">The second and major push for an identity project was introduced subsequently by the UPA-1 government in late 2008. With welfare spending on the rise, adds the report, bureaucrats in the erstwhile Planning Commission were worried about leakages.</p>
<p style="text-align: justify; ">Thus, the idea of constituting an authority that would aggregate all databases of social welfare programmes to create a mother database emerged.</p>
<p style="text-align: justify; ">Such a database would "weed out ghosts and duplicates so that a person who gets the LPG subsidy doesn’t also get the kerosene subsidy," <em>Scroll</em> quoted a former UIDAI official as saying, on conditions of anonymity.</p>
<p style="text-align: justify; ">Eventually, in 2009, Aadhaar, or UIDAI, surfaced as a 12-digit identification number that served as proof of identity and address — meaning, it applies to all residents whether they are citizens or not, unlike with the NPR. Biometric data was not in the picture at this time.</p>
<p style="text-align: justify; ">And then, in 2016, the Centre notified the new Aadhaar Act, which gives the unique identity number assigned to each Indian citizen statutory backing. The idea of this Act was to empower Aadhaar with legal backing for the purpose of transferring subsidies and government benefits to beneficiaries through designated bank accounts.</p>
<p style="text-align: justify; ">The government said in a notification that the Aadhaar (Targeted Delivery of Financial and other Subsidies, benefits and services) Act, 2016 will provide “efficient, transparent, and targeted delivery of subsidies, benefits and services, the expenditure for which is incurred from the Consolidated Fund of India, to individuals residing in India through assigning of unique identity numbers to such individuals."</p>
<p style="text-align: justify; ">Another interesting aspect of the Aadhaar debate is the politics of it all. The Opposition, BJP back then and UPA now, has shaped much of the debate against the use of Aadhaar. But one thing that stands out in this melee is that many in the current dispensation, who are currently the biggest proponents of the scheme, had once opposed it vehemently.</p>
<p style="text-align: justify; ">"The people who thought of themselves as having given birth to IT in this country refused to listen to a common man like me. Even the SC has demanded answers,” Narendra Modi had famously said when he was the Gujarat chief minister. He had alleged that the Aadhaar programme was a bundle of lies to loot the country’s treasury.</p>
<p style="text-align: justify; ">In 2014, Modi had tweeted: "On Aadhaar, neither the team that I met nor PM could answer my Qs on security threat it can pose. There is no vision, only political gimmick."</p>
<p style="text-align: justify; ">So, how was it that one of Aadhaar's most vehement opponents became its biggest proponent?</p>
<p style="text-align: justify; ">According to a report in <a href="http://www.thehindubusinessline.com/blink/cover/the-aadhaar-of-all-things/article9609603.ece" rel="nofollow" target="_blank"><em>The Hindu Business Line</em></a>, the destiny of the Aadhaar scheme was shaped by two meetings – between Nilekani and Modi with Jaitley, and the second with Vijay Madan, the UIDAI director general and mission director.</p>
<p style="text-align: justify; ">Through the course of these meetings, the <a href="http://www.governancenow.com/news/regular-story/50k-crore-reason-modi-backed-aadhaar" rel="nofollow" target="_blank">potential savings from plugging subsidy leakages</a> were put across to Modi, a figure of "up to ₹50,000 crore a year".</p>
<p class="body" style="text-align: justify; ">Modi in his keenness to showcase the arrival of <em>"acche din",</em> the report adds, immediately sought a 100-crore enrolment target at the ‘earliest’, putting paid to speculations that the new government would shelve the UIDAI project.</p>
<p style="text-align: justify; ">Thus, the current Aadhaar project was born.</p>
<h3 style="text-align: justify; ">Inclusion of biometric data</h3>
<p style="text-align: justify; ">Although an extension of UPA's idea, the new Aadhaar act <a href="http://www.firstpost.com/business/upa-vs-nda-check-out-how-aadhaar-act-2016-differs-from-the-2010-bill-2700706.html">had some crucial differences</a>:</p>
<p style="text-align: justify; ">- As per the new Act, "any person who has resided in India for 182 days (in the one year preceding the application for Aadhaar)". The UPA's Bill said any person residing in India.</p>
<p style="text-align: justify; ">- Further, the new Act says that the number can be used to verify the identity of any person, for any purpose, by any public or private entity. In the UPA's Bill, no such provision was there.</p>
<p style="text-align: justify; ">- The new Act stipulated all these identity facets to be maintained: photograph, biometric information (iris scan and fingerprint), demographic information (name, date of birth, address but excludes race, religion, caste, etc.), and Aadhaar number. The authority may specify any other biological and demographic information to be collected.</p>
<h3 style="text-align: justify; ">Data security debate</h3>
<p style="text-align: justify; ">Over the last one year, there have been multiple instances of Aadhaar data leaking online through government websites or its mobile app. The most recent case was when an RTI query pushed UIDAI to reveal that about <a href="http://www.firstpost.com/india/uidai-reveals-210-govt-websites-made-aadhaar-details-public-did-not-specify-when-breach-took-place-4217597.html" target="_blank">210 government websites made</a> people's Aadhaar details public on the internet.</p>
<p style="text-align: justify; ">Centre for Internet and Society (CIS) also pointed out that <a href="http://www.firstpost.com/tech/news-analysis/130-mn-aadhaar-numbers-were-not-leaked-they-were-treated-as-publicly-shareable-data-cis-3702187.html" target="_blank">about 130 million Aadhaar numbers</a> along with other sensitive data were available on the internet.</p>
<p style="text-align: justify; ">The recent <em>Tribune</em> report has only highlighted the deeper, infrastructural fallibility of a singular mega-database of sensitive data.</p>
<p style="text-align: justify; ">As per this <a href="http://www.firstpost.com/india/aadhaar-data-breach-uidai-must-address-privacy-concerns-urgently-simply-denying-leak-not-enough-4288825.html"><em>Firstpost</em></a> piece, the UIDAI's <a href="http://www.firstpost.com/business/aadhaar-data-breach-uidai-refutes-media-reports-says-biometric-information-safe-and-secure-no-leakage-occurred-4287237.html">response to such an obvious data breach</a> and violation of privacy is extremely worrying. It is yet another reiteration of the privacy concerns with Aadhaar, and the constant denial of privacy concerns by the UIDAI instead of sitting up and addressing the problem at hand.</p>
<p style="text-align: justify; ">The large-scale collection of data and the binding of said data with almost all services raises a pertinent question: Is the government capable of safeguarding the massive amounts of data collected as part of the Aadhaar project? The answer, again, depends on who you ask.</p>
<h3 style="text-align: justify; ">Concerns over privacy</h3>
<p style="text-align: justify; ">Apart from the security concerns, Aadhaar has brought up a question of the citizen's privacy, given that access to such sensitive data empowers the government to keep a close scrutiny of a person's financial and personal information.</p>
<p class="A5l" style="text-align: justify; ">The Supreme Court had held recently that privacy is a fundamental right under the Constitution with reasonable restrictions. This decision is bound to impact the Aadhaar project in one way or another, as collecting biometric data of citizens can be construed as a violation of said right.</p>
<p style="text-align: justify; ">The Supreme Court started hearing the crucial cases related to the constitutional validity of Aadhaar on Wednesday. A five-judge bench heard the arguments of the petitioner, maintaining that the government's mandatory biometric identification project is, in essence, seeking to change a people's Constitution into State's Constitution.</p>
<p style="text-align: justify; ">The petitioners made submissions ranging from the Standing Committee's observations, to the precedents as adopted by other nations to pointing out basic moral and administrative defects in amassing biometric data of citizens on such a large scale, perhaps trying to patiently drive the point that the Aadhaar project can never be safely assumed to be leakproof, hence safe, ergo, legal.</p>
<p style="text-align: justify; ">The petitioner also argued that Aadhaar could lead to millions of people being denied access to essential services and benefits in violation of their human rights, as he pointed out that biometric details of almost 6.2 crore people <a href="https://timesofindia.indiatimes.com/city/bhubaneswar/30-lakh-people-from-state-rejected-for-Aadhar-card/articleshow/27812115.cms" rel="nofollow" target="_blank">have been rejected</a>, mainly due to calloused hands and fingertips, wherein biometric data could not be recorded.</p>
<p style="text-align: justify; ">"These are not dishonest people or ghosts," he said. Even the <a href="http://www.prsindia.org/uploads/media/UID/uid%20report.pdf" rel="nofollow" target="_blank">Standing Committee report</a> on Aadhaar points out: "<em>..it has been proven again and again that in the Indian environment, the failure to enrol with fingerprints is as high as 15 percent due to the prevalence of a huge population dependent on manual labour. These are essentially the poor and marginalised sections of the society. So, while the poor do indeed need identity proofs, Aadhaar is not the right way to do that"</em></p>
<p style="text-align: justify; ">In December 2017, the court had <a href="http://www.firstpost.com/india/supreme-court-extends-deadline-for-linking-aadhaar-with-various-services-and-schemes-till-31-march-2018-4259711.html" target="_blank">extended the deadline</a> for mandatory linking of Aadhaar with various services and welfare schemes till 31 March, 2018. It had also modified its earlier order with regard to linking Aadhaar with mobile services and said the deadline of 6 February, 2018 for this purpose also stood extended till 31 March.</p>
<h3 style="text-align: justify; ">Right to Privacy and its effect on Aadhaar</h3>
<p style="text-align: justify; ">In August 2017, the Supreme Court in a unanimous 9:0 judgment had <a href="http://www.firstpost.com/india/in-a-9-0-verdict-supreme-court-says-right-to-privacy-is-a-fundamental-right-highlights-from-judgment-3967839.html" target="_blank">declared the Right to Privacy</a> to be a Fundamental Right. It was hailed as a big victory for pro-privacy advocates who could now point to the Constitutional Bench <a href="http://www.firstpost.com/india/privacy-is-your-fundamental-right-says-9-judge-supreme-court-bench-heres-547-page-full-judgment-of-verdict-3968491.html" target="_blank">judgment</a> should the right ever be questioned.</p>
<p style="text-align: justify; ">However, the judgment only <a href="https://twitter.com/alokpi/status/900592316938727424" rel="nofollow" target="_blank">established</a> the theoretical Right to Privacy. It removed the earlier hurdles of the cases of MP Sharma and Kharak Singh which had held Right to Privacy not to be a Fundamental Right. However, the actual freedoms protected by the Right had to be enshrined in separate judgments.</p>
<p style="text-align: justify; ">As far as Aadhaar is concerned, the judgment <a href="http://www.ndtv.com/india-news/right-to-privacy-privacy-is-a-fundamental-right-says-supreme-court-10-developments-1741368" rel="nofollow" target="_blank">did not invalidate it</a> in any way. However, it did give a boost to anti-Aadhaar arguments which rely on privacy as now the government can no longer say that there is no Right to Privacy.</p>
<p style="text-align: justify; ">With 1.08 billion citizens already enrolled, the ‘mandatory vs. voluntary’ debate on Aadhaar is now mostly a thing of the past. What remains to be seen now is how the Supreme Court will rule on the constitutional validity of Aadhaar and if the government will be willing to reform/modify the current scheme to allay fears over data security and privacy in order to re-tailor the project to meet its original goal, the timely and secure delivery of welfare to those who need it.</p>
<p style="text-align: justify; "><em>With inputs from agencies</em></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/first-post-january-18-2018-aadhaar-privacy-debate-how-the-12-digit-number-went-from-personal-identifier-to-all-pervasive-transaction-tool'>http://editors.cis-india.org/internet-governance/news/first-post-january-18-2018-aadhaar-privacy-debate-how-the-12-digit-number-went-from-personal-identifier-to-all-pervasive-transaction-tool</a>
</p>
No publisher | Admin | Aadhaar | Internet Governance | Privacy | 2018-01-18T15:01:48Z | News Item
Token security or tokenized security?
http://editors.cis-india.org/internet-governance/news/livemint-january-9-2018-manasa-venkataraman-ajay-patri-token-security-or-tokenized-security
<b>Implementing a system of tokenization for Aadhaar verification will address the security loopholes highlighted in recent reports.</b>
<p style="text-align: justify; ">The article by Manasa Venkataraman and Ajay Patri was published in <a class="external-link" href="http://www.livemint.com/Opinion/Kx7GIb4P73EpEtpxOFzi6M/Token-security-or-tokenized-security.html">Livemint</a> <span>on January 9, 2018.</span></p>
<hr style="text-align: justify; " />
<p class="S3l" style="text-align: justify; ">Those who were reassured that the Aadhaar architecture is safe and secure have faced a few rude shocks lately. First, there was the recent report in <i>The Tribune </i>on how one of its reporters was easily able to log in to the Aadhaar website and access any enrolled Indian’s personal information, all for a grand fee of Rs500. While the veracity of this report is still being contested by the Unique Identification Authority of India (UIDAI), it has stirred panic over the security of personal data entrusted to the government. This came close on the heels of reports last month that a telecom company was utilizing the eKYC (know your customer) data of its mobile subscribers to open payment bank accounts without their consent.</p>
<p style="text-align: justify; ">These two instances highlight scenarios where data from the Aadhaar database is vulnerable. In the first, the weaknesses in security measures and processes around the database leave information susceptible to an attack. In the second, providing third-party entities loosely regulated access to an individual’s data leaves scope for abuse.</p>
<p style="text-align: justify; ">There is a need to protect the data belonging to individuals in these situations, providing the government with two possible policy options: it can choose to either overhaul the Aadhaar architecture completely, or it can build in additional security measures to ensure that individual data is not compromised.</p>
<p style="text-align: justify; ">Uninventing Aadhaar is not a practical proposal. It would have to include repealing the statute on Aadhaar, disbanding the database already created, and figuring out alternative means of delivering the services that are now dependent on Aadhaar. A more sustainable way forward is to better secure Aadhaar. This will involve not only the secure collection and storage of personal data, but also a safe regulation of the manner in which third parties use it for authentication.</p>
<p style="text-align: justify; ">One way to protect Aadhaar-related communications is to channel them through a secure conduit. This can be achieved through a system of temporary tokens for Aadhaar-based verifications. Sunil Abraham from the Centre for Internet and Society (CIS) has recommended a system of using dummy or virtual Aadhaar numbers along with a smart card to protect information belonging to individuals.</p>
<p style="text-align: justify; ">Tokenization is the process of masking sensitive personal data with another innocuous dataset, allowing it to be shared with third parties without the risk of the personal data being exposed. So, every time a service provider asks for identification, the individual can provide a one-time-ID number generated by an Aadhaar app or on UIDAI’s website. The service provider can authenticate the one-time-ID number with the Aadhaar database, without needing to know or store the Aadhaar number. The algorithm used to generate the one-time-ID number must be constructed using hard-to-replicate information and kept a well-guarded secret. No two service providers will have the same one-time ID, making it harder for personal profiles to be constructed by mining data from multiple service providers, thus enabling a higher level of privacy protection.</p>
<p style="text-align: justify; ">Allowing such a system of tokenization for every eKYC can create a welcome layer of ambiguity around individuals’ personal data and preserve the individuals’ Aadhaar-related information with the government. This system also breaks the link between the Aadhaar database and any third party having access to an individual’s Aadhaar number. If this link is not broken, then any entity—government or private—would have access to potentially millions of Aadhaar card numbers, opening endless possibilities for data abuse.</p>
<p style="text-align: justify; ">The tokenization process allows the authority to arrest any attempts at data abuse. In fact, to make this system of tokens or one-time-ID numbers effective, the law must build in measures to penalize any attempt to recreate an individual’s Aadhaar number from the unique token number. In other words, the service provider is given a token number for authentication, but prohibited from obtaining the Aadhaar number it corresponds to.</p>
<p style="text-align: justify; ">Tokenization is an improvement over the status quo, but only in one aspect—making Aadhaar secure. It is imperative that the government pays equal attention to the manner in which all data is collected, stored and disposed of by the authority. There are two facets to be explored here: first, ensuring secure storage of the vast information database, and second, plugging security loopholes that happen at collection by limiting access to the database.</p>
<p style="text-align: justify; ">The adoption of appropriate technical safeguards is indispensable to thwart external threats to the Aadhaar database, such as ransomware attacks. Having appropriate security, and having periodic audits to test the adequacy of such security, is indispensable.</p>
<p style="text-align: justify; ">Equally, limiting access to the database is crucial for preventing leaks, such as the ones reported in <i>The Tribune</i>. It is important that only a select few individuals have access to the database and that these personnel are properly vetted before being vested with such responsibility.</p>
<p style="text-align: justify; ">These various facets of the Aadhaar ecosystem are likely to be further examined in the public in the weeks to come as the Supreme Court gears up to hear the petitions on Aadhaar. Regardless of the verdict, there is an urgent need to improve the safety of the Aadhaar ecosystem and the use of tokenization goes some way towards achieving this objective.</p>
<p style="text-align: justify; "><i>Manasa Venkataraman and Ajay Patri are researchers at the Takshashila Institution, an independent, non-partisan think tank and school of public policy.</i></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/livemint-january-9-2018-manasa-venkataraman-ajay-patri-token-security-or-tokenized-security'>http://editors.cis-india.org/internet-governance/news/livemint-january-9-2018-manasa-venkataraman-ajay-patri-token-security-or-tokenized-security</a>
</p>
No publisher | Admin | Aadhaar | Internet Governance | Privacy | 2018-01-17T00:17:41Z | News Item
India To Introduce Virtual ID For Aadhaar To Strengthen Privacy
http://editors.cis-india.org/internet-governance/news/bloomberg-quint-january-11-2018-india-to-introduce-virtual-id-for-aadhaar-to-strengthen-privacy
<b>The government will introduce a virtual identification number for Aadhaar to help strengthen privacy following several instances of data leaks.</b>
<p style="text-align: justify; ">The blog post was published by <a class="external-link" href="https://www.bloombergquint.com/aadhaar/2018/01/10/india-to-introduce-virtual-id-for-aadhaar-to-strengthen-privacy">Bloomberg Quint </a>on January 11, 2018.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The additional layer of security is meant to help Aadhaar users avoid sharing their unique identification number at the time of authentication to avail various services and welfare schemes, UIDAI said in a circular seen by BloombergQuint. The virtual ID will be an optional feature and users will be allowed to provide Aadhaar for verification.</p>
<p style="text-align: justify; ">The Aadhaar-issuing body, Unique Identification Authority of India, will also introduce limited know-your-customer rules to eliminate the need for agencies to store the biometric ID. Migration to the new system will start from June 1, it added.</p>
<p style="text-align: justify; ">Virtual IDs should be made mandatory and the UIDAI should itself generate these codes instead of having the user do it, said Pranesh Prakash, policy director at the Center for Internet Security, which has published reports on the security flaws in the world’s largest database.</p>
<blockquote class="quoted" style="text-align: justify; ">This takes into account concerns of third-party databases being combined without the consent of the individual but fails to address issues of government surveillance, exclusion and cybersecurity, he added.</blockquote>
<p style="text-align: justify; ">The move comes barely a week after The Tribune, a Chandigarh-based newspaper, reported that it could access the Aadhaar database by paying Rs 500, raising privacy concerns. Petitions challenging the validity of Aadhaar and the government’s decision to make it mandatory for everything from bank accounts to mobile services are pending in the Supreme Court.</p>
<p style="text-align: justify; ">As of now, citizens are required to share their Aadhaar number for authentication to avail certain services. With the introduction of the virtual ID that would change.</p>
<p style="text-align: justify; ">It would be a randomly generated 16-digit number that'd be digitally linked to a person's Aadhaar number. This ID would be temporary and revocable. There can be only one active and valid virtual ID for an Aadhaar number at any given point in time. Aadhaar holders will be able to use the virtual ID whenever authentication is required.</p>
<p class="callout" style="text-align: justify; ">Virtual ID, by design being temporary, cannot be used by agencies for duplication.<br /><span><strong>UIDAI Circular</strong></span></p>
<p style="text-align: justify; ">Only Aadhaar holders themselves can generate a virtual ID and set a minimum validity period for it, after which it will have to be replaced by a new one. The virtual IDs can be changed through UIDAI's portal, at an Aadhaar enrolment centre or using the mAadhaar mobile application, the circular said.</p>
<h3 style="text-align: justify; ">Who Can Store Your Aadhaar Data?</h3>
<p style="text-align: justify; ">The UIDAI will limit the number of agencies that can access and store your Aadhaar number. For this purpose, it will divide the agencies that seek to use Aadhaar authentication for services into two categories—global and local.</p>
<p style="text-align: justify; ">Global authentication agencies will be allowed to "securely" store the Aadhaar number, while local agencies won't. The latter would be the ones that’d use the virtual IDs and a unique token for authentication.</p>
<p style="text-align: justify; ">The Aadhaar-issuing body has not clearly defined what would classify as a global agency. It has only said that it will "from time to time" evaluate authentication agencies "based on the laws governing them and categorise them" as global agencies. Any authentication agency that is not classified as global would be local.</p>
<h3 style="text-align: justify; ">Transition To New System</h3>
<p style="text-align: justify; ">UIDAI has told all agencies that use Aadhaar authentication to update their applications and processes for accepting virtual IDs instead of the Aadhaar number and allow authentication using the UID token. This has to be done by June 1.</p>
<p style="text-align: justify; ">If an agency fails to migrate to the new system by then, their authentication services "may be discontinued" and a penalty may be imposed, UIDAI said.</p>
<p style="text-align: justify; ">UIDAI will release the updated tools and protocols required for building the authentication software by March 1. All authentication agencies would also receive technical documents, workshops and training sessions to ensure smooth implementation.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/bloomberg-quint-january-11-2018-india-to-introduce-virtual-id-for-aadhaar-to-strengthen-privacy'>http://editors.cis-india.org/internet-governance/news/bloomberg-quint-january-11-2018-india-to-introduce-virtual-id-for-aadhaar-to-strengthen-privacy</a>
</p>
No publisher | Admin | Aadhaar | Internet Governance | Privacy | 2018-01-17T00:11:13Z | News Item
Virtual Aadhaar ID: too little, too late?
http://editors.cis-india.org/internet-governance/news/hindu-yuthika-bhargava-january-11-2018-virtual-aadhaar-id-too-little-too-late
<b>Problems persist as many have already shared their 12-digit number with various entities, say experts</b>
<p style="text-align: justify; ">The article by Yuthika Bhargava was <a class="external-link" href="http://www.thehindu.com/news/national/virtual-aadhaar-id-too-little-too-late/article22423218.ece">published in the Hindu</a> on January 11, 2018.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The move to introduce an “untested” virtual ID to address security concerns over Aadhaar database is a step in the right direction, but may be a case of too little, too late, according to experts, as many of the 119 crore Aadhaar holders have already shared their 12-digit numbers with various entities.</p>
<p style="text-align: justify; ">“What about all the databases that are already linked up with our Aadhaar number? Virtual ID will therefore not attack the root of the problem. At best, it is band-aid,” said Reetika Khera, faculty, Indian Institute of Technology-Delhi.</p>
<p style="text-align: justify; ">“Can we realistically expect rural folks to use this to protect themselves? Or are we pushing the barely literate into the hands of middlemen who will ‘help’ them navigate it?” she questioned.</p>
<p style="text-align: justify; ">The Unique Identification Authority of India (UIDAI) on Wednesday introduced the concept of a virtual ID that can be used in lieu of the Aadhaar number at the time of authentication, thus eliminating the need to share and store Aadhaar numbers. It can be generated only by the Aadhaar number-holder via the UIDAI website, Aadhaar enrolment centre, or its mobile application.</p>
<p style="text-align: justify; ">Experts pointed out that the virtual ID is voluntary and the Aadhaar number will still need to be used at some places.</p>
<p style="text-align: justify; ">“Unless all entities are required to use virtual IDs or UID tokens, and are barred from storing Aadhaar numbers, the new measures won’t really help,” said Pranesh Prakash, Policy Director, Centre for Internet and Society, Bengaluru.</p>
<p style="text-align: justify; ">Kiran Jonnalagadda, co-founder of the Internet Freedom Foundation, agreed. “The idea is good but it should have been done in 2010, as now all the data is already out. Now, what can be done is revoke everybody’s Aadhaar and give new IDs.”</p>
<p style="text-align: justify; ">Mr. Jonnalagadda added that Authentication User Agencies (AUAs) categorised as ‘global AUAs’ by the UIDAI will be exempted from using the virtual IDs. “These are likely to be entities which require de-duplication for subsidy transfer, such as banks and government agencies. All the leaks have happened till now from these entities. So, basically, the move will exempt the parties that are the problem,” he said.</p>
<p style="text-align: justify; ">Vipin Nair, one of the advocates representing the petitioners who have challenged the Aadhaar Act in the Supreme Court, said, “It is potentially a case of unmitigated chaos purely from an Information Technology perspective.”</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/hindu-yuthika-bhargava-january-11-2018-virtual-aadhaar-id-too-little-too-late'>http://editors.cis-india.org/internet-governance/news/hindu-yuthika-bhargava-january-11-2018-virtual-aadhaar-id-too-little-too-late</a>
</p>
No publisher | Admin | Aadhaar | Internet Governance | Privacy | 2018-01-16T23:59:21Z | News Item
UIDAI's Virtual ID, limited KYC does little to protect Aadhaar data already collected, say critics
http://editors.cis-india.org/internet-governance/news/uidais-virtual-id-limited-kyc-does-little-to-protect-aadhaar-data-already-collected-say-critics
<b>Aadhaar-issuing body, Unique Identification Authority of India (UIDAI), had barely started patting itself on the back for introducing the Virtual ID concept, what CEO Ajay Bhushan Pandey called "one of biggest recent innovations in this field", when detractors came crawling out of the woodwork, all guns blazing.</b>
<p style="text-align: justify; ">The article was published in <a class="external-link" href="http://www.businesstoday.in/current/economy-politics/uidais-virtual-id-limited-kyc-little-protect-aadhaar-data-collected-critics/story/267924.html">Business Today</a> on January 12, 2018.</p>
<hr />
<p style="text-align: justify; ">"Under compulsion, millions of persons have already shared Aadhaar number with many service providers. New security layer is like locking the stable after horses have bolted," tweeted P. Chidambaram, Congress veteran and former finance minister. This is not just an opposition party member taking potshots at the government. As of last month, close to 14 crore out of about 30 crore Permanent Account Numbers (PANs) had already been linked to Aadhaar and 70% of the estimated 100 crore bank accounts had been seeded. This will be the case for insurance policies as well as all government-sponsored welfare schemes and services since the Supreme Court ruling to extend the deadline for mandatory Aadhaar linking came just a fortnight before the government's December 21 deadline. So how does the new two-tier security system protect all that Aadhaar data already collected by sundry agencies?</p>
<p style="text-align: justify; ">The short answer is that it does not. According to media reports, banks and other service providers have not been asked to delete stored Aadhaar data from their databases. The only directive is to enforce the new security system within the June 1 deadline. In the absence of a legal mandate, agencies can very well choose to retain any Aadhaar data previously collected on their servers, leaving it open to any number of security breaches in the future.</p>
<p style="text-align: justify; ">So, it would appear that the new VID and limited KYC norms are good ideas, just too late in arriving. Only procrastinators putting off linking Aadhaar to essential services stand to gain, unless the government decides to revoke all existing Aadhaar cards and issue fresh 12-digit unique identification numbers post June 1.</p>
<p style="text-align: justify; ">Where the new security system definitely scores is on the privacy front. To remind you, VID is a temporary, 16-digit, randomly-generated number that an Aadhaar holder can use for authentication or KYC services along with his/her fingerprint in lieu of the Aadhaar number. The VID together with biometrics of the user would give any authorized agency, say, a mobile company, limited details like name, address and photograph, which are enough for any verification. You can generate/replace Virtual IDs on the UIDAI website, Aadhaar mobile app and at enrolment centres.</p>
<p style="text-align: justify; ">Since the system-generated VID will be mapped to an individual's Aadhaar number at the back end, it will do away with the need for the user to share Aadhaar number with sundry service agencies. This will, in turn, reduce the collection of Aadhaar numbers by various agencies. VIDs being temporary cannot be de-duplicated and as an added precaution, agencies that undertake authentication will not be allowed to generate VIDs on behalf of Aadhaar holders.</p>
<p style="text-align: justify; ">Furthermore, under limited KYC, UIDAI will evaluate all Authentication User Agencies (AUAs) and split them into two categories: Global AUAs and Local AUAs. Only agencies whose services, by law, require them to store the Aadhaar number, qualified as Global AUAs, will enjoy access to full demographic details of an individual. All the remaining AUAs will be branded as Local AUAs and will neither get access to full KYC, nor can they store the Aadhaar number on their systems. Instead, they will get a tokenised number issued by UIDAI to identify their customers. The 72-character alphanumeric 'UID Token' for your Aadhaar number will reportedly be different for every authentication body you approach so agencies will no longer be able to merge databases, thus enhancing privacy substantially.</p>
<p style="text-align: justify; ">However, there's a problem here, too. As Pranesh Prakash, Policy Director of Bengaluru-based Centre for Internet and Society, told The Hindu, "unless all entities are required to use VIDs or UID tokens, and are barred from storing Aadhaar numbers, the new measures won't really help."</p>
<p style="text-align: justify; ">In a recent online survey, conducted by social engagement platform LocalCircles, 52% of 15,000 respondents said they feared that their Aadhaar data might not be safe from unauthorised access by hackers and information sellers. The UIDAI's latest move does little to allay this doubt.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/uidais-virtual-id-limited-kyc-does-little-to-protect-aadhaar-data-already-collected-say-critics'>http://editors.cis-india.org/internet-governance/news/uidais-virtual-id-limited-kyc-does-little-to-protect-aadhaar-data-already-collected-say-critics</a>
</p>
No publisher | Admin | Aadhaar, Internet Governance, Privacy | 2018-01-16T23:51:44Z | News Item
Aadhaar Body Talked About Virtual ID 7 Years Ago, Put It Off: UIDAI Chief
http://editors.cis-india.org/internet-governance/news/ndtv-sukriti-dwivedi-january-13-2018-aadhaar-body-talked-about-virtual-id-7-years-ago-put-it-off-uidai-chief
<b>"And at that time, it was felt that let us first give Aadhaar number, let us see how it plays out and then, at an appropriate time, this will be introduced," Ajay Bhushan Pandey, the chief executive officer of UIDAI, or the Unique Identification Authority of India said in an interview to NDTV this week. He called it an "extra layer of security" for the 119 crore people issued Aadhaar numbers.</b>
<p style="text-align: justify; ">The blog post by Sukriti Dwivedi was <a class="external-link" href="https://www.ndtv.com/india-news/aadhaar-body-talked-about-virtual-id-7-years-ago-put-it-off-uidai-chief-1799467">published by NDTV</a> on January 13, 2018.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Virtual ID, the 16-digit temporary number, announced by UIDAI this week had been suggested way back in 2009-10 when its architects were still designing the system. But the Aadhaar authority, which has called Virtual ID a unique innovation to enhance privacy and security, decided against rolling it out at that time.</p>
<p style="text-align: justify; ">"And at that time, it was felt that let us first give Aadhaar number, let us see how it plays out and then, at an appropriate time, this will be introduced," Ajay Bhushan Pandey, the chief executive officer of UIDAI, or the Unique Identification Authority of India said in an interview to NDTV this week. He called it an "extra layer of security" for the 119 crore people issued Aadhaar numbers. It may be a step forward. But not everyone is as convinced.</p>
<p style="text-align: justify; ">Cyber security expert Jiten Jain is one of them. Mr Jain told NDTV that UIDAI should first of all decide if the Aadhaar number was confidential information or not because it had changed its stance on this aspect on more than one occasion.</p>
<p style="text-align: justify; ">Like when government departments put out lakhs of Aadhaar numbers, the government agency had insisted that there was nothing really confidential about the number which could not be misused. Or when The Tribune earlier this month claimed to have found gaps in UIDAI's security system that let the newspaper access demographic details of an individual, UIDAI claimed that "the Aadhaar number is not a secret number" anyway.</p>
<p style="text-align: justify; ">Also, a point is being made that if hiding an Aadhaar number enhances privacy, then what about the crores of people who have been forced to share their Aadhaar numbers - and a copy of their Aadhaar cards - all these years.</p>
<p style="text-align: justify; ">Experts suggest the timing of the announcement may not have been a coincidence. The initiative came against the backdrop of mounting privacy concerns after the newspaper expose. The hearing by a five-judge Constitution Bench of the Supreme Court to decide if the Aadhaar project violates citizens' privacy is to start next week, on January 17.</p>
<p style="text-align: justify; ">Srinivas Kodali, cyber security expert and an Aadhaar researcher, said it was clear that the UIDAI had brought it hurriedly. "They said they will release the codes by March 1. So it clearly looks like they haven't planned this thoroughly," he said.</p>
<p style="text-align: justify; ">There are also concerns about the ability of people living in remote areas to generate the Virtual IDs, in terms of connectivity and literacy. That means a large proportion of people would not be able to generate the Virtual IDs.</p>
<p style="text-align: justify; ">UIDAI chief Mr Pandey said there was nothing to prevent them from continuing to use their Aadhaar number. It is an option, he stressed.</p>
<p style="text-align: justify; ">This, experts at the Bengaluru-based research group, Centre for Internet and Society, which has long advocated for a token system such as the Virtual ID, said was a problem area.</p>
<p style="text-align: justify; ">"Privacy can be protected by design and not by choice," said CIS executive director Sunil Abraham, who believes the biggest flaw with Aadhaar was its design.</p>
<p style="text-align: justify; ">"Since it is not mandatory most people will just use the Aadhaar number instead of getting into the hassle of generating a VID... This is privacy through hurdles instead of privacy by design. I suggest authorities should generate VIDs for people and ensure that third parties only use VID and not the Aadhaar number," Pranesh Prakash, the CIS' policy director, told NDTV.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/ndtv-sukriti-dwivedi-january-13-2018-aadhaar-body-talked-about-virtual-id-7-years-ago-put-it-off-uidai-chief'>http://editors.cis-india.org/internet-governance/news/ndtv-sukriti-dwivedi-january-13-2018-aadhaar-body-talked-about-virtual-id-7-years-ago-put-it-off-uidai-chief</a>
</p>
No publisher | Admin | Aadhaar, Internet Governance, Privacy | 2018-01-16T23:42:58Z | News Item
Hammered government offers Virtual ID firewall to protect your Aadhaar
http://editors.cis-india.org/internet-governance/news/indian-express-january-11-2018-
<b>Days after reports surfaced claiming security breaches, the Unique Identification Authority of India (UIDAI) on Wednesday announced the implementation of a new security protocol that would remove the need to divulge Aadhaar numbers during authentication processes and limit third-party access to KYC details.</b>
<p>The article was published in <a class="external-link" href="http://www.newindianexpress.com/nation/2018/jan/11/hammered-government-offers-virtual-id-firewall-to-protect-your-aadhaar-1750466.html">New Indian Express</a> on January 11, 2018.</p>
<hr />
<p style="text-align: justify; ">Admitting that the “collection and storage of Aadhaar numbers by various entities has heightened privacy concerns”, the UIDAI circular said Authentication User Agencies (AUAs) providing Aadhaar services have to be ready to implement the protocol from March 1, 2018. From June 1 use of Virtual ID for authentication would be mandatory.</p>
<p style="text-align: justify; ">The linchpin of the new protocol will be the virtual ID (VID) — a “temporary, revocable 16-digit random number” that can be used instead of Aadhaar to verify or link services. VIDs will have a limited validity and can be generated only by the Aadhaar holder. “UIDAI will provide various options to generate, retrieve and replace VIDs… these will be made available via UIDAI’s resident portal, Aadhaar Enrolment Centre, mAadhaar mobile application, etc.,” it said. While only one VID per Aadhaar number will be valid at a time, users can revoke and generate new VIDs as many times as desired.</p>
<p style="text-align: justify; ">UIDAI will also limit KYC details accessible by AUAs by classifying them as Global AUAs, which are required to use Aadhaar e-KYC by law, and Local AUAs. Only the former will have full access to e-KYC details and can store Aadhaar numbers. Local AUAs will only have access to limited KYC details and be prohibited from storing Aadhaar numbers. UIDAI will also generate UID tokens which will be used to identify customers within agencies’ systems, but these will not be usable by other AUAs.</p>
<p style="text-align: justify; ">However, cybersecurity experts say that even if the new “patch” is effective, verification processes will have to be redone to prevent misuse of already-leaked Aadhaar numbers. “The concept is attractive, but the devil is in the details,” observed Pavan Duggal, cyberlaw expert, adding that the new system does not address those who have already gained unauthorised access to Aadhaar numbers. Sunil Abraham, executive director, Centre for Internet and Society, was more categorical. “If it has to be effective, they will have to redo (Aadhaar-KYC) from scratch.”</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/indian-express-january-11-2018-'>http://editors.cis-india.org/internet-governance/news/indian-express-january-11-2018-</a>
</p>
No publisher | Admin | Aadhaar, Internet Governance, Privacy | 2018-01-16T23:34:12Z | News Item
Bengaluru gives data safety tips to panel
http://editors.cis-india.org/internet-governance/news/deccan-herald-january-14-2018-pranshu-rathee-bengaluru-gives-data-safety-tips-to-panel
<b>A crucial consultation ahead of the framing of the country's data protection laws witnessed animated discussions here on Saturday.</b>
<p style="text-align: justify; ">The article was published in <a class="external-link" href="http://www.deccanherald.com/content/653716/bengaluru-gives-data-safety-tips.html">Deccan Herald</a> on January 14, 2018.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Participants raised a variety of concerns. Held on the IISc campus, it discussed everything from revenge porn and human genomics to artificial intelligence and the right to be forgotten.</p>
<p style="text-align: justify; ">Cybersecurity experts, academics, lawyers and others attended the day-long event.</p>
<p style="text-align: justify; ">They made their submissions to the Srikrishna Committee, formed on July 31 last year to frame principles for data protection laws.</p>
<p style="text-align: justify; ">The session was chaired by Justice B N Srikrishna, retired Supreme Court judge. Also on the panel were Rama Vedashree, CEO, Data Security Council of India, and Gopalakrishnan S.</p>
<p style="text-align: justify; ">The basis of the discussion was a 200-page document drafted by the nine members of the Srikrishna Committee. January 31 is the deadline to respond to the committee's white paper.</p>
<h3 style="text-align: justify; ">Classification of data</h3>
<p style="text-align: justify; ">Several dystopian scenarios, such as profiling and discrimination with the help of behavioural and psychometric data, led to discussions on the need for classification of data types.</p>
<p style="text-align: justify; ">Darshana, a lawyer from the People's Union of Civil Liberties (PUCL), spoke about how people were being denied rations for not holding Aadhaar.</p>
<p style="text-align: justify; ">The collection of children's biometric data brought up the question of consent.</p>
<p style="text-align: justify; ">Srikrishna clarified the white paper contained a chapter on consent: it suggests an age limit below which parental consent will have to be mandatory.</p>
<p style="text-align: justify; ">A discussion on the right to be forgotten arose after some participants sought a provision to revoke consent already given.</p>
<p style="text-align: justify; ">Questions associated with genome sequencing were raised by Vijay Chandru, professor, IISc.</p>
<p style="text-align: justify; ">"We need to pay special attention to this type of information. The collection of DNA in the form of saliva, when, say, you make a visit to a weight loss clinic, has become the commercial norm. The Insurance Regulatory Act can have huge implications as genetic data can be used to discriminate and deny health coverage," Chandru said.</p>
<p style="text-align: justify; ">Sunil Abraham, head of the Centre for Internet and Society, said he was delighted with the quality of debate and discussion.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/deccan-herald-january-14-2018-pranshu-rathee-bengaluru-gives-data-safety-tips-to-panel'>http://editors.cis-india.org/internet-governance/news/deccan-herald-january-14-2018-pranshu-rathee-bengaluru-gives-data-safety-tips-to-panel</a>
</p>
No publisher | Admin | Aadhaar, Internet Governance, Privacy | 2018-01-16T23:19:00Z | News Item
UIDAI introduces new two-layer security system to improve Aadhaar privacy
http://editors.cis-india.org/internet-governance/news/economic-times-january-11-2018-uidai-introduces-new-two-layer-security-system-to-improve-aadhaar-privacy
<b>The Unique Identification Authority of India (UIDAI) has introduced a system of virtual authentication for citizens enrolled on its database and limited the access available to service providers in a move aimed at allaying widespread concern over security breaches that have dogged the world's largest repository of citizen data. </b>
<p style="text-align: justify; ">The article was published in <a class="external-link" href="https://economictimes.indiatimes.com/news/economy/policy/uidai-introduces-new-two-layer-security-system-to-improve-aadhaar-privacy/articleshow/62442873.cms">Economic Times</a> on January 11, 2018.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">In one of the most significant security upgrades by the eight-year-old agency, the UIDAI announced the creation of a "virtual ID" which can be used in lieu of the 12-digit Aadhaar number at the time of authentication for any service.</p>
<p style="text-align: justify; ">The UIDAI has also limited access to stored personal information and mandated the use of unique tokens through which authenticating agencies can access required data. It claims that the measures will strengthen privacy and also prevent combining of databases linked to Aadhaar.</p>
<p style="text-align: justify; ">ET was the first to report about the UIDAI plan to introduce virtual numbers to address security concerns in its November 20 edition last year.</p>
<p style="text-align: justify; ">A top government official told ET that UIDAI has been working on this technology since July of 2016. "This is going to be one of the biggest innovations ever, people can change their virtual ID whenever they want or after every authentication or every 10 seconds." He added that this will silence most critics of Aadhaar.</p>
<p id="_mcePaste" style="text-align: justify; ">"The Aadhaar number being the permanent ID for life, there is need to provide a mechanism to ensure its continued use while optimally protecting the collection and storage in many databases," the UIDAI said in a notification on Wednesday while announcing the new measures.</p>
<h3 style="text-align: justify; ">More Needed to be Done: Experts</h3>
<p style="text-align: justify; ">"The collection and storage of Aadhaar number by various entities has heightened privacy concerns," it stated.</p>
<p style="text-align: justify; ">Under the new regime, for every Aadhaar number, the authority will issue a 16-digit virtual identity number which will be "temporary and revocable at any time."</p>
<p style="text-align: justify; ">This virtual ID can be generated only by the individual Aadhaar holder and can be replaced by a new one after a minimum validity period.</p>
<p style="text-align: justify; ">In addition, while some Authentication User Agencies (AUA) — categorised by the UIDAI as 'Global' — will have access to all the details or the e-KYC of a specific Aadhaar number, all other agencies will only have access to limited data through the virtual identity number.</p>
<p style="text-align: justify; ">"So this is a very very significant thing and I think this is a great step forward," said Nandan Nilekani, former chairman of UIDAI, in an interview to television channel ET Now on Wednesday.</p>
<p style="text-align: justify; ">Nilekani, widely regarded as the architect of Aadhaar, said that through these new security measures the possibility of the Aadhaar number being stored in many databases also goes away.</p>
<p style="text-align: justify; ">It will make a huge difference in allaying the concerns and it really "eliminates all the arguments against Aadhaar," he told ET Now.</p>
<p style="text-align: justify; ">Last week, Chandigarh-based daily The Tribune reported that demographic data from the Aadhaar database could be accessed for as little as Rs 500. The expose led to the UIDAI barring over 5,000 officials from accessing its portal through login ids and passwords. It also introduced biometric authentication for future access, as reported by ET on Tuesday.</p>
<p style="text-align: justify; ">The widespread fear of misuse of demographic data is heightened by the fact that India still does not have a data protection legislation. The country's apex court is scheduled to resume its hearing on the validity of the Aadhaar scheme next week on January 17.</p>
<p style="text-align: justify; ">Kamlesh Bajaj, former CEO of the Data Security Council of India, said that by limiting access to only those agencies mandated by law, the UIDAI has ensured that "someone will not be able to combine database. It's a positive development in my view and technologically feasible," he said.</p>
<h3 style="text-align: justify; ">Expert Views</h3>
<p style="text-align: justify; ">Privacy experts and activists were of the view that more needs to be done to ensure foolproof security for critical personal information.</p>
<p style="text-align: justify; ">The Bengaluru-based research organisation Centre for Internet and Society has suggested that all the Aadhaar seeding with all the existing databases should be revoked. "Until then, it is one step ahead and but not enough," said Sunil Abraham, executive director of CIS.</p>
<p style="text-align: justify; ">To enable a speedy rollout of the new safety standards, the UIDAI plans to release the required technical updates by March 1, 2018 and all the Authentication agencies using the Aadhaar database will need to upgrade their systems latest by June 1, 2018.</p>
<p style="text-align: justify; ">In its circular, UIDAI has also said that agencies not allowed to use or store the Aadhaar number should make changes inside their systems to replace Aadhaar number within their databases with UID Token.</p>
<p style="text-align: justify; ">"Unless there is complete revocation, some database with Aadhaar numbers will still float around and secondly there is no reason why some data controllers should be trusted, the tokenisation should be implemented for everyone," said CIS's Abraham.</p>
<p style="text-align: justify; ">The circular said that authentication using virtual ID will be performed in the same manner as the Aadhaar number and people can generate or retrieve their virtual numbers (in case they forget) at the UIDAI's resident portal, Aadhaar Enrolment Centers, or through the Aadhaar mobile application.</p>
<p style="text-align: justify; ">In addition to the virtual numbers, UIDAI will also provide "unique tokens" to each agency against an Aadhaar number to ensure that they are able to establish the uniqueness of beneficiaries in their database, such as for distributing government subsidies under cooking gas or scholarships.</p>
<p style="text-align: justify; ">Activists argue that most service providers — even digital ones — work with a paper ID card system. "They don't cross-check it with the UIDAI database. UIDAI is not issuing virtual ids for paper cards, and a new category of so called Global AUAs are exempted from using the virtual ids, so citizens are not protected almost anywhere that they need to use Aadhaar," said Kiran Jonnalagadda, co-founder of the Internet Freedom Foundation, who said the change doesn't help enough to secure the ecosystem.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/economic-times-january-11-2018-uidai-introduces-new-two-layer-security-system-to-improve-aadhaar-privacy'>http://editors.cis-india.org/internet-governance/news/economic-times-january-11-2018-uidai-introduces-new-two-layer-security-system-to-improve-aadhaar-privacy</a>
</p>
No publisher | Admin | Aadhaar, Internet Governance, Privacy | 2018-01-16T23:08:34Z | News Item
Is your personal information under lock and key?
http://editors.cis-india.org/internet-governance/news/hindu-businessline-january-16-2018-sravanthi-challapalli-is-your-personal-information-under-lock-and-key
<b>Customers, be more careful about how you log in and log off!</b>
<p style="text-align: justify; ">The article by Sravanthi Challapalli was published by <a class="external-link" href="http://www.thehindubusinessline.com/catalyst/is-your-personal-information-under-lock-and-key/article10026720.ece">Hindu Businessline</a> on January 16, 2018.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">We’re coming off a year that was highlighted by several data breaches around the world. In India, the Aadhaar debate continues to make headlines, with allegations about its data theft and Big Brother potential for surveillance. And for quite a while now, the marketing world has been suffused with mention of artificial intelligence, chatbots, big data, data-driven analytics, and other such buzzwords. The ultimate, stated aim is to make life simpler for the citizen/customer. But how secure is our data, which we put out there both voluntarily and by mandate, and what can we do to protect it?</p>
<h3 style="text-align: justify; ">Laziness will hurt</h3>
<p style="text-align: justify; ">A study by security services provider Gemalto found that retailers (76 per cent), banks (74 per cent) and social media sites (71 per cent) operating in India have a lot of work to do on this front. Consumers would leave if their personal information suffered a breach, it said. Even as the majority of customers said businesses don’t treat their data with due respect, they did not take enough precautions themselves, it observed. Fifty-one per cent of the study’s respondents used the same password across several online accounts and many did not use even available solutions such as two-factor authentication to protect social media accounts, making them susceptible to data breaches. They also believed the onus of protecting data lay on the business.</p>
<h3 style="text-align: justify; ">Caveats of little help</h3>
<p style="text-align: justify; ">So, caveat emptor? “Caveat emptor has meaning only when the customer has enough knowledge to protect himself,” says Sunil Abraham, Executive Director of the Bangalore-based Centre for Internet and Society. Using the sausage factory analogy (no one knew what went into the products and how clean they were), he says few know how big data is used. Regulation can help in this regard. He expects India to have data protection rules in place in a couple of years.<br />The Government has set up a committee of experts headed by Justice BN Srikrishna to look into the issue, invite comments and propose a draft law. The objective is to “ensure growth of the digital economy while keeping personal data of citizens secure and protected.” As of now, there is no law that exclusively deals with data protection though there are some provisions in the Information Technology Act of 2011.</p>
<h3 style="text-align: justify; ">Efficiency all round</h3>
<p style="text-align: justify; ">ICICI Prudential Life Insurance Executive Director Puneet Nanda says digital data storage has catalysed efficiency on several fronts. “Technology helps us swiftly identify the nominee and facilitates faster payouts as compared to the times when the information was stored physically. It has improved turnaround times and enabled delivery of superior service leading to higher customer satisfaction. Corporations can provide customers instant gratification. Today, we can issue a policy in minutes. Proliferation of technology has enabled corporations to identify customer needs and make offers best suited to their requirements.”</p>
<p style="text-align: justify; ">CIS will offer comments to the Srikrishna Committee. Abraham says such laws in other countries define what personal information is, establish the office of the regulator, have powers to receive and investigate complaints and ensure marketers fall in line. Regulators have punitive powers as well. In 2014, telecom major Verizon had to pay $7.4 million in the US to settle a Federal Communications Commission complaint about advertising to customers without letting them know they had an opt-out option. The privacy conditions one routinely “agrees” to online do not give the data controller a free ticket to do what they want with the information, he says.</p>
<h3 style="text-align: justify; ">Not much one can do</h3>
<p style="text-align: justify; ">Abraham says there is very little the customer can do, other than “acts of civil disobedience, tell lies, fill out false information” when there’s little protection. Rana Gupta, Vice President – APAC, Identity and Data Protection, Gemalto, says one is not left with many choices in an increasingly digital world, not to mention the social pressure. Imagine asking for time off from work to withdraw some cash from your bank because you are suspicious of ATMs? “Users have to rely on organisations doing the right thing,” he says. Regulation making data encryption and second-factor authentication mandatory will help. Customers have begun to ask how data is being secured, and whether it is encrypted. Addressing such concerns would help businesses such as e-commerce and banks, which are increasingly dependent on an online presence.</p>
<p style="text-align: justify; ">Even though they’re painful to remember and key in, long passwords that include a capital letter, a special character and a number are deterrents to misuse, as are one-time passwords and messages that alert/ confirm users logging in to an account or transacting a deal. Rohan Bhargava, Co-founder of cashback and coupons site CashKaro.com, says businesses have to design the best methods to thwart the worst intentions. “Companies are vulnerable when they take short cuts at basic processes.”</p>
<p style="text-align: justify; ">Bhargava says his company prefers to build most of the technical products it needs, itself, rather than resort to third-party builders/providers. Marketers, he says, experiment with a lot of untested products and the scripts they use can be the root of the problem.</p>
<p style="text-align: justify; ">Checks and balances at every stage, running security reviews whenever something changes, effectively managing the life cycle of the encryption keys and limiting access to customer data are vital. The responsibility for securing data lies with both customer and marketer but the latter’s is the larger responsibility as it is they who implement and have the infrastructure that the user does not, says Gemalto’s Gupta.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/hindu-businessline-january-16-2018-sravanthi-challapalli-is-your-personal-information-under-lock-and-key'>http://editors.cis-india.org/internet-governance/news/hindu-businessline-january-16-2018-sravanthi-challapalli-is-your-personal-information-under-lock-and-key</a>
</p>
No publisher | Admin | Aadhaar, Internet Governance, Privacy | 2018-01-16T16:54:33Z | News Item
Fixing Aadhaar: Security developers' task is to trim chances of data breach
http://editors.cis-india.org/internet-governance/blog/business-standard-sunil-abraham-january-10-fixing-aadhaar
<b>The task before a security developer is not only to reduce the probability of identity breach but to eliminate certain occurrences.</b>
<p style="text-align: justify; ">The article was published in <a class="external-link" href="http://www.business-standard.com/article/opinion/fixing-aadhaar-security-developers-task-is-to-trim-chances-of-data-breach-118010901281_1.html">Business Standard</a> on January 10, 2017</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; "><span>I feel no joy when my prophecies about digital identity systems come true. This is because from a Popperian perspective these are low-risk prophecies. I had said that all centralised identity databases will be breached in the future. That may or may not happen within my lifetime so I can go to my grave without worries about being proven wrong. Therefore, the task before a security developer is not only to reduce the probability but more importantly to eliminate the possibility of certain occurrences.</span></p>
<p style="text-align: justify; "><span>The blame for fragility in digital identity systems today can be partially laid on a World Bank document titled “Ten Principles on Identification for Sustainable Development” which has contributed to the harmonisation of approaches across jurisdictions. Principle three says, “Establishing a robust — unique, secure, and accurate — identity”. The keyword here is “a”. Like The Lord of the Rings, the World Bank wants “one digital ID to rule them all”. For Indians, this approach must be epistemologically repugnant as ours is a land which has recognised the multiplicity of truth since ancient times.</span></p>
<p style="text-align: justify; "><span>In “Identities Research Project: Final Report” funded by Omidyar Network and published by Caribou Digital — the number one finding is “people have always had, and managed, multiple personal identities”. And the fourth finding is “people select and combine identity elements for transactions during the course of everyday life”. As researchers they have employed indirect language; for the layman, the key takeaway is that a single national ID for all persons and all purposes is an ahistorical and unworkable solution.</span></p>
<table class="plain">
<tbody>
<tr>
<td>
<p><img src="http://editors.cis-india.org/home-images/AadhaarBS.png" style="text-align: justify; " title="Aadhaar BS" class="image-inline" alt="Aadhaar BS" /></p>
<div style="text-align: justify; "><span style="float: left; "><span style="float: left; "><i>Revoke all <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>numbers that have been compromised, breached, leaked, illegally published or inadvertently disclosed and regenerate new global identifiers. Photo: Reuters</i></span></span></div>
<div style="text-align: justify; "><span style="float: left; "><br /></span></div>
</td>
</tr>
</tbody>
</table>
<div style="text-align: justify; "><span>monoculture can be prevented. The traditional approach is followed in the US - you could have multiple documents that are accepted as valid ID. Or you could have multiple identity providers providing ID artifacts using an interoperable framework as they do in the UK. Another approach is tokenisation. The first time tokenisation was suggested in the Aadhaar context was in an academic paper published in August 2016 by Shweta Agrawal, Subhashis Banerjee and Subodh Sharma from IIT Delhi titled “Privacy and Security of Aadhaar: A Computer Science Perspective”.</span></div>
<p style="text-align: justify; "><span>The paper in its fourth key recommendation says “cryptographically embed Aadhaar ID into Authentication User Agency (AUAs) and KYC User Agency (aka KUAs) — specific IDs making correlation impossible”. The paper considers several designs for such local identifiers where — 1) no linking is possible, 2) only unidirectional linking is possible, and 3) bidirectional linking is possible, referring to a similar scheme in the LSE identity report.</span></p>
<p id="_mcePaste" style="text-align: justify; ">Though I had spoken about tokenisation as a fix for Aadhaar earlier, I wrote about it for the first time on the 31st of March, 2017, in The Hindu. The steps that would be required are as follows. First, revoke all Aadhaar numbers that have been compromised, breached, leaked, illegally published or inadvertently disclosed and regenerate new global identifiers aka Aadhaar Numbers. Second, reduce the number of KYC transactions by eliminating all use cases that don’t result in corresponding transparency or security benefits. For example, most developed economies don’t have KYC for mobile phone connections. Third, the UIDAI should issue only tokens to those government entities and private sector service providers that absolutely must have KYC. When the NATGRID wants to combine subsets of 20 different databases for up to 12 different intelligence/law enforcement agencies they will have to approach the UIDAI with the token or Aadhaar number of the suspect. The UIDAI will then be able to release corresponding tokens and/or the Aadhaar number to the NATGRID. Implementing tokenisation introduces both technical and institutional checks and balances in our surveillance systems.</p>
<p id="_mcePaste" style="text-align: justify; ">On 25th of July 2017, UIDAI published the first document providing implementation details for tokenisation wherein KUAs and AUAs were asked to generate the tokens. But this approach assumed that KYC user agencies could be trusted. This is because the digital identity solution for the nation as conceived by Aadhaar architects is based on the problem statement of digital identity within a firm. Within a firm all internal entities can be trusted. But in a nation state you cannot make this assumption. Airtel, a KUA, diverted 190 crores of LPG subsidy to more than 30 lakh payment bank accounts that were opened without informed consent. Axis Bank Limited, Suvidha Infoserve (a business correspondent) and eMudhra (an e-sign provider or AUA) have been accused of using replay attacks to perform unauthorised transactions. In November last year, the UIDAI indicated to the media that they were working on the next version of tokenisation — this time called dummy numbers or virtual numbers. This work needs to be accelerated to mitigate some of the risks in the current system.</p>
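<p style="text-align: justify; ">The issuer-controlled tokenisation described above, sketched as an added example (not code from the article, the IIT Delhi paper or the UIDAI): each agency receives a token derived under a key only the issuer holds, so leaked agency databases cannot be joined, while an authorised requester can ask the issuer to map a token from one agency to another. The HMAC construction, the agency and requester names and the identifiers are assumptions made for illustration.</p>

```python
import hashlib
import hmac
import secrets


class TokenIssuer:
    """Central issuer: the only party that can link tokens across agencies."""

    def __init__(self, authorised_linkers):
        self._key = secrets.token_bytes(32)   # secret never leaves the issuer
        self._index = {}                      # (agency, token) -> identifier
        self._authorised = set(authorised_linkers)
        self.audit_log = []                   # record of every linking request

    def issue(self, agency_id, identifier):
        """Return the agency-specific token for an identifier.

        The token is deterministic per (agency, identifier), so the agency can
        use it as a stable customer key, but it differs between agencies.
        """
        agency = agency_id.encode()
        # Length-prefix the agency id so two different (agency, identifier)
        # pairs can never produce the same HMAC input.
        msg = len(agency).to_bytes(2, "big") + agency + identifier.encode()
        token = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]
        self._index[(agency_id, token)] = identifier
        return token

    def translate(self, requester, source_agency, token, target_agency):
        """Map a token held by one agency to the same person's token at another.

        Only requesters on the authorised list succeed, and every attempt is
        logged: the technical and institutional check the article asks for.
        """
        if requester not in self._authorised:
            self.audit_log.append((requester, source_agency, target_agency, "DENIED"))
            raise PermissionError(f"{requester} may not link tokens")
        identifier = self._index.get((source_agency, token))
        if identifier is None:
            self.audit_log.append((requester, source_agency, target_agency, "UNKNOWN"))
            raise KeyError("token was not issued to that agency")
        self.audit_log.append((requester, source_agency, target_agency, "RELEASED"))
        return self.issue(target_agency, identifier)


def overlap(column_a, column_b):
    """Number of values two leaked database columns have in common."""
    return len(set(column_a) & set(column_b))


def demo():
    # Constructed 12-digit identifiers; these are not real Aadhaar numbers.
    people = ["000000000001", "000000000002", "000000000003"]
    issuer = TokenIssuer(authorised_linkers={"authorised-linker"})  # hypothetical name

    # Without tokenisation both agencies store the global identifier.
    telecom_raw, bank_raw = people, people[:2]
    # With tokenisation each agency stores only its own tokens.
    telecom_tok = [issuer.issue("telecom-kua", p) for p in people]
    bank_tok = [issuer.issue("bank-kua", p) for p in people[:2]]

    linked = issuer.translate("authorised-linker", "telecom-kua", telecom_tok[0], "bank-kua")
    return {
        "raw_join": overlap(telecom_raw, bank_raw),      # leaked tables join directly
        "token_join": overlap(telecom_tok, bank_tok),    # leaked tables share nothing
        "issuer_link_found": linked in bank_tok,         # only the issuer can link
    }


if __name__ == "__main__":
    print(demo())
```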
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/business-standard-sunil-abraham-january-10-fixing-aadhaar'>http://editors.cis-india.org/internet-governance/blog/business-standard-sunil-abraham-january-10-fixing-aadhaar</a>
</p>
No publisher | sunil | Aadhaar, Internet Governance, Privacy | 2018-01-10T16:47:59Z | Blog Entry
UIDAI denies any breach of Aadhaar database
http://editors.cis-india.org/internet-governance/news/livemint-komal-gupta-january-7-2018-uidai-denies-any-breach-of-aadhaar-database
<b>Personal data, including biometric information, of citizens safe and secure, says UIDAI on Aadhaar data breach.
</b>
<p style="text-align: justify; ">The article by Komal Gupta was published by <a class="external-link" href="http://www.livemint.com/Politics/bw5gRWcZoFYOjixGVVSqiP/UIDAI-says-Aadhaar-misuse-traceable-system-secure.html">Livemint</a> on January 7, 2018</p>
<hr />
<p style="text-align: justify; ">The Unique Identification Authority of India (UIDAI) on Thursday clarified that there has not been any breach in the Aadhaar database and the personal data of citizens, including biometric information, is safe and secure.</p>
<p style="text-align: justify; ">The clarification comes in response to a news report titled ‘Rs 500, 10 minutes, and you have access to a billion Aadhaar details’ published in The Tribune on Thursday. The report claims that a WhatsApp group sold all Aadhaar data available with UIDAI for a sum of Rs. 500.</p>
<p id="_mcePaste" style="text-align: justify; ">UIDAI maintained that the reported case appeared to be an instance of misuse of the grievance redressal search facility. As UIDAI maintains complete logs and traceability of the facility, legal action including lodging of FIR against the persons involved in the case is being undertaken.</p>
<p style="text-align: justify; ">UIDAI clarified in a press statement that displayed demographic information cannot be misused; it would need to be paired with an individual’s biometrics.</p>
<p style="text-align: justify; ">There are more than 1.19 billion Aadhaar card holders in the country.</p>
<p style="text-align: justify; "><span>“If it is not a data breach, then this means that some people who have legitimate access to the data are selling it illegitimately. This poses a greater problem,” said Pranesh Prakash, policy director at the Centre for Internet and Society, a Bengaluru-based think tank.</span></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/livemint-komal-gupta-january-7-2018-uidai-denies-any-breach-of-aadhaar-database'>http://editors.cis-india.org/internet-governance/news/livemint-komal-gupta-january-7-2018-uidai-denies-any-breach-of-aadhaar-database</a>
</p>
No publisher | Admin | Aadhaar, Internet Governance, Privacy | 2018-01-07T12:03:13Z | News Item
Should Aadhaar be mandatory?
http://editors.cis-india.org/internet-governance/blog/should-aadhaar-be-mandatory
<b>This week, a constitutional bench of the Supreme Court will adjudicate on limited questions of stay orders in the Aadhaar case. After numerous attempts by the petitioners in the Aadhaar case, the court has agreed to hear this matter, just shy of the looming deadline of December 31 for the linking of Aadhaar numbers to avail government services and benefits. </b>
<p style="text-align: justify; ">The article was published in <a class="external-link" href="http://www.deccanherald.com/content/647320/should-aadhaar-mandatory.html">Deccan Herald</a> on December 9, 2017.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Getting their day in the court to hear interim matters is but a small victory in what has been a long and frustrating fight for the petitioners. In 2012, Justice K S Puttaswamy, a former Karnataka High Court judge, filed a petition before the Supreme Court questioning the validity of the Aadhaar project due to its lack of legislative basis (the Aadhaar Act was passed by Parliament in 2016) and its transgressions on our fundamental rights.</p>
<p style="text-align: justify; ">Over time, a number of other petitions also made their way to the apex court challenging different aspects of the Aadhaar project. Since then, five different interim orders of the Supreme Court have stated that no person should suffer because they do not have an Aadhaar number.<br /><br />Aadhaar, according to the Supreme Court, could not be made mandatory to avail benefits and services from government schemes. Further, the court has limited the use of Aadhaar to only specific schemes, namely LPG, PDS, MNREGA, National Social Assistance Program, the Pradhan Mantri Jan Dhan Yojna and EPFO.<br /><br />The then Attorney General, Mukul Rohatgi, in a hearing before the court in July 2015 stated that there is no constitutionally guaranteed right to privacy. But the judgement by the nine-judge bench earlier this year was an emphatic endorsement of the constitutional right to privacy.<br /><br />In the course of a 547-page judgement, the bench affirmed the fundamental nature of the right to privacy, reading it into the values of dignity and liberty.<br /><br />Yet months after the judgement, the Supreme Court has failed to hear arguments in the Aadhaar matter. The reference to a larger bench and subsequent deferrals have since delayed the entire matter, even as the government has moved to make Aadhaar mandatory for a number of government schemes.<br /><br />At this point, up to 140 government services have made linking with Aadhaar mandatory to avail these services. Chief Justice of India Dipak Misra has promised a constitution bench this week, likely to look only into interim matters of stay on the deadline of Aadhaar-linking. It is likely that the hearings for the final arguments are still some months away. 
The refusal of the court to adjudicate on this issue has been extremely disappointing, and a grave disservice to the court's intended role as the champion of individual rights.<br /><br />It is worth noting that the interim orders by the Supreme Court that no person should suffer because they do not have an Aadhaar number, and limiting its use only to specified schemes, still stand.<br /><br />However, since the passage of the Aadhaar Act, which allows the use of Aadhaar by both private and public parties and permits making it mandatory for availing any benefits, subsidies and services funded by the Consolidated Fund of India, the spate of services for which Aadhaar has been made mandatory suggests that as per the government, the Aadhaar Act has, in effect, nullified the orders by the Supreme Court.<br /><br />This was stated in so many words by Union Law Minister Ravi Shankar Prasad in the Rajya Sabha in April. This view is an erroneous one. While acts of Parliament can supersede previous judicial orders, they must do so either through an express statement in the objects of the Act, or implied when the two are mutually incompatible. In this case, the Aadhaar Act, while permitting the government authorities to make Aadhaar mandatory, does not impose a clear duty to do so.<br /><br />Therefore, reading the orders and the legislation together leads one to the conclusion that all instances of Aadhaar being made mandatory under the Aadhaar Act are void.<br /><br />The question may be more complicated for cases where Aadhaar has been made mandatory through other legislations, such as Prevention of Money Laundering Act, as they clearly mandate the linking of Aadhaar numbers, rather than merely allowing it. However, despite repeated appeals of the petitioners, the court has so far refused to engage with the question of the legality of such instances. <br /><br />How may the issues finally be resolved? 
When the court deigns to hear final arguments, the Aadhaar case will be instructive in how the court defines the contours of the right to privacy. The right to privacy judgement, while instructive in its exposition of the different aspects of privacy, does not delve deeply into the question of what may be legitimate limitations on this right.<br /><br />In one of the passages of the judgement, "ensuring that scarce public resources are not dissipated by the diversion of resources to persons who do not qualify as recipients" is mentioned as an example of a legitimate incursion into the right to privacy. However, it must be remembered that none of the opinions in the privacy judgement were majority judgements.<br /><br />Therefore, in future cases, lawyers and judges must parse through the various opinions to arrive at an understanding of the majority opinion, supported by five or more judges. While the privacy judgement was a landmark one, its actual impact on the rights discourse and on matters like Aadhaar will depend extensively on how the judges choose to interpret it.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/should-aadhaar-be-mandatory'>http://editors.cis-india.org/internet-governance/blog/should-aadhaar-be-mandatory</a>
</p>
No publisher | amber | Aadhaar, Internet Governance, Privacy | 2017-12-18T15:54:39Z | Blog Entry
Checks and balances needed for mass surveillance of citizens, say experts
http://editors.cis-india.org/internet-governance/news/the-hindu-peerzada-abrar-december-9-2017-checks-and-balances-needed-to-mass-surveillance-of-citizens-say-experts
<b>A number of measures are required to protect law-abiding citizens from mass surveillance and misuse of their personal data, according to top technology and legal experts. </b>
<p style="text-align: justify; ">The article by Peerzada Abrar was <a class="external-link" href="http://www.thehindu.com/business/Industry/checks-and-balances-needed-for-mass-surveillance-of-citizens-say-experts/article21381478.ece">published in the Hindu</a> on December 9, 2017</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The measures include issuing of tokens by the Unique Identification Authority of India (UIDAI) instead of Aadhaar numbers and having an official in the judiciary give permission to vigilance.</p>
<p style="text-align: justify; ">The experts were participating in a panel discussion on ‘Navigating Big Data Challenges’ at Carnegie India’s Global Technology Summit here. They also said there was a need to implement ‘de-identification of data’ or preventing a person’s identity from being connected with information.</p>
<p style="text-align: justify; ">The moderator of the discussion was Justice B.N. Srikrishna, a former Supreme Court judge, who was also heading a government-appointed committee of experts to identify “key <a href="http://www.thehindu.com/tag/1401-1400-1349/data-protection/?utm=bodytag"><b>data protection </b></a>issues” and recommend methods to address them. Justice Srikrishna told the panellists that Aadhaar or the unique identification number had empowered the people. But in situations where the State wants all the information about citizens from different service providers because of its suspicions related to terrorism or criminal activity, he asked, what is the method to create a balance?</p>
<p style="text-align: justify; ">“Surveillance is like salt in cooking which is essential in tiny quantities, but counterproductive even if slightly in excess,” responded Sunil Abraham, executive director of Bengaluru-based think tank, Centre for Internet and Society. He said there was a need to make a surveillance system which had privacy by design built into it.</p>
<p style="text-align: justify; ">Mr. Abraham said that his organisation had proposed to the UIDAI that it used ‘tokenisation,’ which meant that whenever there was a ‘know your customer’ requirement, the Aadhaar number was not accessed by organisations like telecom firms or the banks. Instead, when the citizens used various services via smart cards or pins, a token got generated, which was controlled by the UIDAI. Organisations like banks and telecom firms can store those token numbers in their database. He said this would make it harder for unauthorised parties to combine databases, but at the same time would enable law enforcement agencies to combine databases using the appropriate authorizations and infrastructure.</p>
<p style="text-align: justify; ">“UIDAI is considering this, they call it the dummy Aadhaar numbers. We need technical as well as institutional checks and balances,” said Mr. Abraham.</p>
<p style="text-align: justify; ">Countries like the U.S also have processes like Foreign Intelligence Surveillance Court (FISA court) which entertains applications made by the U.S Government for approval of electronic surveillance, physical search, and certain other forms of investigative actions for foreign intelligence purposes.</p>
<p style="text-align: justify; ">“My concern is that in the current system, surveillance can be done by the State machinery. I don’t necessarily suggest FISA court.... but some kind of mechanism where (one can’t) be held at the mercy of incestuous State machinery,” said Rahul Matthan, a partner at law firm Trilegal. “But have some second person who is outside the influence of this system (and) who actually says ‘yes this is a terrorist which requires us to do mass surveillance,’” he said.</p>
<p style="text-align: justify; "><b>Artificial Intelligence</b></p>
<p style="text-align: justify; ">A large amount of information, or big data, ranging from financial and health to political insights of people, is being collected by different organisations and service providers and is sitting in different silos. All of this is likely going to be linked through Aadhaar. Mr. Srikrishna asked what if a situation arises where all of this data is aggregated and, using artificial intelligence and machine learning, one is able to analyse it and profile individuals. He said “would that be not a terrifying scenario” where the State can act as a super-monitor for citizens. He asked how citizens can be guarded against it.</p>
<p style="text-align: justify; ">Mr. Srikrishna was referring to the ‘Social Credit System’ proposed by the Chinese government for creating a national reputation system to rate the trustworthiness of its citizens including their economic and social status. It works as a mass surveillance tool and uses big data analysis technology.</p>
<p style="text-align: justify; ">“It is a possibility. What stands in the way of it becoming a reality (in India) is a robust law,” said Mr. Matthan. “Technology is so powerful that it could equally be used for good as well as bad.”</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/the-hindu-peerzada-abrar-december-9-2017-checks-and-balances-needed-to-mass-surveillance-of-citizens-say-experts'>http://editors.cis-india.org/internet-governance/news/the-hindu-peerzada-abrar-december-9-2017-checks-and-balances-needed-to-mass-surveillance-of-citizens-say-experts</a>
</p>
No publisher | Admin | Aadhaar, Internet Governance, Privacy | 2017-12-16T14:32:23Z | News Item