The Centre for Internet and Society
http://editors.cis-india.org
These are the search results for the query, showing results 1 to 15.
Aadhaar marks a fundamental shift in citizen-state relations: From ‘We the People’ to ‘We the Government’
http://editors.cis-india.org/internet-governance/blog/hindustan-times-pranesh-prakash-april-3-2017-aadhaar-marks-a-fundamental-shift-in-citizen-state-relations
<b>Your fingerprints, iris scans, details of where you shop. Compulsory Aadhaar means all this data is out there. And it’s still not clear who can view or use it.</b>
<p>The article was published in the <a class="external-link" href="http://www.hindustantimes.com/india-news/what-s-really-happening-when-you-swipe-your-aadhaar-card-to-make-a-payment/story-2fLTO5oNPhq1wyvZrwgNgJ.html">Hindustan Times</a> on April 3, 2017.</p>
<hr />
<p style="text-align: center; "><img src="http://editors.cis-india.org/home-images/Aaadhaar.png" alt="Aadhaar" class="image-inline" title="Aadhaar" /><br />Until recently, people were allowed to opt out of Aadhaar and withdraw consent to have their data stored. This is no longer going to be an option.<br />(Siddhant Jumde / HT Illustration)</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Imagine you’re walking down the street and you point the camera on your phone at a crowd of people in front of you. An app superimposes on each person’s face a partially-redacted name, date of birth, address, whether she’s undergone police verification, and, of course, an obscured Aadhaar number.<br /><br />OnGrid, a company that bills itself as a “trust platform” and offers “to deliver verifications and background checks”, used that very imagery in an advertisement last month. Its website notes that “As per Government regulations, it is mandatory to take consent of the individual while using OnGrid”, but that is a legal requirement, not a technical one.<br /><br />Since every instance of use of Aadhaar for authentication or for financial transactions leaves behind logs in the Unique Identification Authority of India’s (UIDAI) databases, the government can potentially have very detailed information about everything from your medical purchases to your use of video-chatting software. The space for digital identities as divorced from legal identities gets removed. Clearly, Aadhaar has immense potential for profiling and surveillance. Our only defence: law that is weak at best and non-existent at worst.</p>
<p style="text-align: justify; ">The Aadhaar Act and Rules don’t limit the information that can be gathered from you by the enrolling agency; it doesn’t limit how Aadhaar can be used by third parties (a process called ‘seeding’) if they haven’t gathered their data from UIDAI; it doesn’t require your consent before third parties use your Aadhaar number to collate records about you (eg, a drug manufacturer buying data from various pharmacies, and creating profiles using Aadhaar).<br /><br />It even allows your biometrics to be shared if it is “in the interest of national security”. The law offers provisions for UIDAI to file cases (eg, for multiple enrollments), but it doesn’t allow citizens to file a case against private parties or the government for misuse of Aadhaar or identity fraud, or data breach.<br /><br />It is also clear that the government opposes any privacy-related improvements to the law. After debating the Aadhaar Bill in March 2016, the Rajya Sabha passed an amendment by MP Jairam Ramesh that allowed people to opt out of Aadhaar, and withdraw their consent to UIDAI storing their data, if they had other means of proving their identity (thus allowing Aadhaar to remain an enabler).</p>
<p style="text-align: justify; ">But that amendment, as with all amendments passed in the Rajya Sabha, was rejected by the Lok Sabha, allowing the government to make Aadhaar mandatory, and depriving citizens of consent. While the Aadhaar Act requires a person’s consent before collecting or using Aadhaar-provided details, it doesn’t allow for the revocation of that consent.<br /><br />In other countries, data security laws require that a person be notified if her data has been breached. In response to an RTI application asking whether UIDAI systems had ever been breached, the Authority responded that the information could not be disclosed for reasons of “national security”.<br /><br />The citizen must be transparent to the state, while the state will become more opaque to the citizen.</p>
<h2 style="text-align: justify; ">How Did Aadhaar Change?</h2>
<table class="invisible">
<tbody>
<tr>
<td style="text-align: justify; ">
<p>How did Aadhaar become the behemoth it is today, with it being mandatory for hundreds of government programmes, and even software like Skype enabling support for it?</p>
<p>The first detailed look one had at the UID project was through an internal UIDAI document marked ‘Confidential’ that was leaked through WikiLeaks in November 2009. That 41-page dossier is markedly different from the 170-page ‘Technology and Architecture’ document that UIDAI has on its website now, but also similar in some ways.</p>
</td>
<td><img src="http://www.hindustantimes.com/rf/image_size_960x540/HT/p2/2017/04/01/Pictures/_36723476-16e4-11e7-85c6-0f0e633c038c.jpg" /></td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">In neither of those is the need for Aadhaar properly established. Only in November 2012 — after scholars like Reetika Khera pointed out UIDAI’s fundamental misunderstanding of leakages in the welfare delivery system — was the first cost-benefit analysis commissioned, by when UIDAI had already spent ₹28 billion. That same month, Justice KS Puttaswamy, a retired High Court judge, filed a PIL in the Supreme Court challenging Aadhaar’s constitutionality, wherein the government has argued privacy isn’t a fundamental right.</p>
<blockquote class="pullquote" style="text-align: justify; ">Every time you use Aadhaar, you leave behind logs in the UIDAI databases. This means that the government can potentially have very detailed information about everything from your medical purchases to your use of video-chatting software.</blockquote>
<p style="text-align: justify; ">Even today, whether the ‘deduplication’ process — using biometrics to ensure the same person can’t register twice — works properly is a mystery, since UIDAI hasn’t published data on this since 2012. Instead of welcoming researchers to try to find flaws in the system, UIDAI recently filed an FIR against a journalist doing so.</p>
<p style="text-align: justify; ">At least in 2009, UIDAI stated it sought to prevent anyone from “[e]ngaging in or facilitating profiling of any nature for anyone or providing information for profiling of any nature for anyone”, whereas the 2014 document doesn’t. As OnGrid’s services show, the very profiling that the UIDAI said it would prohibit is now seen as a feature that all, including private companies, may exploit.</p>
<p style="text-align: justify; ">UID has changed in other ways too. In 2009, it was a system that never sent out any information other than ‘Yes’ or ‘No’, which it did in response to queries like ‘Is Pranesh Prakash the name attached to this UID number’ or ‘Is April 1, 1990 his date of birth’, or ‘Does this fingerprint match this UID number’.</p>
<p style="text-align: justify; ">With the addition of e-KYC (wherein UIDAI provides your demographic details to the requester) and Aadhaar-enabled payments to the plan in 2012, the fundamentals of Aadhaar changed. This has made Aadhaar less secure.</p>
<h3 style="text-align: justify; ">Security Concerns</h3>
<p style="text-align: justify; ">With Aadhaar Pay, due to be launched on April 14, a merchant will ask you to enter your Aadhaar number into her device, and then for your biometrics — typically a fingerprint, which will serve as your ‘password’, resulting in money transfer from your Aadhaar-linked bank account.</p>
<p style="text-align: justify; ">Basic information security theory requires that even if the identifier (username, Aadhaar number etc) is publicly known — millions of people’s names and Aadhaar numbers have been published on dozens of government portals — the password must be secret. That’s how most logins work, that’s how debit and credit cards work. How are you or UIDAI going to keep your biometrics secret?</p>
<p style="text-align: justify; ">In 2015, researchers at Carnegie Mellon captured the iris scans of a driver using a car’s side-view mirror from distances of up to 40 feet. In 2013, German hackers fooled Apple iOS’s fingerprint sensors by replicating a fingerprint from a photo taken off a glass held by an individual. They even replicated the German Defence Minister’s fingerprints from photographs she herself had put online. Your biometrics can’t be kept secret.</p>
<blockquote class="pullquote" style="text-align: justify; ">Typically, even if your username (in this case, Aadhaar number) is publicly known, your password must be secret. That’s how most logins work, that’s how debit and credit cards work. How are you or UIDAI going to keep your biometrics secret?</blockquote>
<p style="text-align: justify; ">In the US, in a security breach of 21.5 million government employees’ personnel records in 2015, 5.2 million employees’ fingerprints were copied. If that breach had happened in India, those fingerprints could be used in conjunction with Aadhaar numbers not only for large-scale identity fraud, but also to steal money from people’s bank accounts.</p>
<p style="text-align: justify; ">All ‘passwords’ should be replaceable. If your credit card gets stolen, you can block it and get a new card. If your Aadhaar number and fingerprint are leaked, you can’t change it, you can’t block it.</p>
<p style="text-align: justify; ">The answer for Aadhaar too is to choose not to use biometrics alone for authentication and authorisation, and to remove the centralised biometrics database. And this requires a fundamental overhaul of the UID project.</p>
<p style="text-align: justify; ">Aadhaar marks a fundamental shift in citizen-state relations: from ‘We the People’ to ‘We the Government’. If the rampant misuse of electronic surveillance powers and wilful ignorance of the law by the state is any precedent, the future looks bleak. The only way to protect against us devolving into a total surveillance state is to improve rule of law, to strengthen our democratic institutions, and to fundamentally alter Aadhaar. Sadly, the political currents are not only not favourable, but dragging us in the opposite direction.</p>
No publisher | pranesh | Biometrics, Aadhaar, Internet Governance, Privacy | 2017-04-04T16:10:06Z | Blog Entry
It’s the technology, stupid
http://editors.cis-india.org/internet-governance/blog/the-hindu-businessline-march-31-2017-sunil-abraham-its-the-technology-stupid
<b>Eleven reasons why the Aadhaar is not just non-smart but also insecure.</b>
<p style="text-align: justify; ">The article was <a class="external-link" href="http://www.thehindubusinessline.com/blink/cover/11-reasons-why-aadhaar-is-not-just-nonsmart-but-also-insecure/article9608225.ece">published in Hindu Businessline</a> on March 31, 2017.</p>
<hr />
<p style="text-align: justify; ">Aadhaar is insecure because it is based on biometrics. Biometrics is surveillance technology, a necessity for any State. However, surveillance is much like salt in cooking: essential in tiny quantities, but counterproductive even if slightly in excess. Biometrics should be used for targeted surveillance, but this technology should not be used in e-governance for the following reasons:<br /><br />One, biometrics is becoming a remote technology. High-resolution cameras allow malicious actors to steal fingerprints and iris images from unsuspecting people. In a couple of years, governments will be able to identify citizens more accurately in a crowd with iris recognition than the current generation of facial recognition technology.<br /><br />Two, biometrics is covert technology. Thanks to sophisticated remote sensors, biometrics can be harvested without the knowledge of the citizen. This increases effectiveness from a surveillance perspective, but diminishes it from an e-governance perspective.<br /><br />Three, biometrics is non-consensual technology. There is a big difference between the State identifying citizens and citizens identifying themselves to the state. With biometrics, the State can identify citizens without seeking their consent. With a smart card, the citizen has to allow the State to identify them. Once you discard your smart card the State cannot easily identify you, but you cannot discard your biometrics.<br /><br />Four, biometrics is very similar to symmetric cryptography. Modern cryptography is asymmetric. Where there is both a public and a private key, the user always has the private key, which is never in transit and, therefore, intermediaries cannot intercept it. Biometrics, on the other hand, needs to be secured during transit. 
The UIDAI’s (Unique Identification Authority of India overseeing the rollout of Aadhaar) current fix for its erroneous choice of technology is the use of “registered devices”; but, unfortunately, the encryption is only at the software layer and cannot prevent hardware interception.<br /><br />Five, biometrics requires a centralised network; in contrast, cryptography for smart cards does not require a centralised store for all private keys. All centralised stores are honey pots — targeted by criminals, foreign States and terrorists.<br /><br />Six, biometrics is irrevocable. Once compromised, it cannot be secured again. Smart cards are based on asymmetric cryptography, which even the UIDAI uses to secure its servers from attacks. If cryptography is good for the State, then surely it is good for the citizen too.<br /><br />Seven, biometrics is based on probability. Cryptography in smart cards, on the other hand, allows for exact matching. Every biometric device comes with ratios for false positives and false negatives. These ratios are determined in near-perfect lab conditions. Going by press reports and even UIDAI’s claims, the field reality is unsurprisingly different from the lab. Imagine going to an ATM and not being sure if your debit card will match your bank’s records.<br /><br />Eight, biometric technology is proprietary and opaque. You cannot independently audit the proprietary technology used by the UIDAI for effectiveness and security. On the other hand, open smart card standards like SCOSTA (Smart Card Operating System for Transport Applications) are based on globally accepted cryptographic standards and allow researchers, scientists and mathematicians to independently confirm the claims of the government.<br /><br />Nine, biometrics is cheap and easy to defeat. Any Indian citizen, even children, can make gummy fingers at home using Fevicol and wax. You can buy fingerprint lifting kits from a toystore. 
To clone a smart card, on the other hand, you need a skimmer, a printer and knowledge of cryptography.<br /><br />Ten, biometrics undermines human dignity. In many media photographs — even on the @UIDAI’s Twitter stream — you can see the biometric device operator pressing the applicant’s fingers, especially in the case of underprivileged citizens, against the reader. Imagine service providers — say, a shopkeeper or a restaurant waiter — having to touch you every time you want to pay. Smart cards offer a more dignified user experience.<br /><br />Eleven, biometrics enables the shirking of responsibility, while cryptography requires a chain of trust.<br /><br />Each legitimate transaction has repudiable signatures of all parties responsible. With biometrics, the buck will be passed to an inscrutable black box every time things go wrong. The citizens or courts will have nobody to hold to account.</p>
<p style="text-align: justify; ">The precursor to Aadhaar was called MNIC (Multipurpose National Identification Card). Initiated by the NDA government headed by Atal Bihari Vajpayee, it was based on the open SCOSTA standard. This was the correct technological choice.<br /><br />Unfortunately, the promoters of Aadhaar chose biometrics in their belief that newer, costlier and complex technology is superior to an older, cheaper and simpler alternative.<br /><br />This erroneous technological choice is not a glitch or teething problem that can be dealt with through legislative fixes such as an improved Aadhaar Act or an omnibus Privacy Act. It can only be fixed by destroying the centralised biometric database, like the UK did, and shifting to smart cards.<br /><br />In other words, you cannot fix using the law what you have broken using technology.</p>
No publisher | sunil | Biometrics, Aadhaar, Internet Governance, Privacy | 2017-04-07T12:53:21Z | Blog Entry
Reliance Jio data leaked on website: report
http://editors.cis-india.org/internet-governance/news/livemint-july-10-2017-reliance-jio-data-leaked-on-website-report
<b>Reliance Jio customer data was leaked on independent website magicapk.com, including details such as names, mobile numbers and email IDs, said a report.</b>
<p style="text-align: justify; ">The article was <a class="external-link" href="http://www.livemint.com/Industry/ucK2SJDM4Ws8k36ovZVj6H/Reliance-Jio-customer-data-allegedly-compromised-report.html">published by Livemint</a> on July 10, 2017.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Reliance Jio Infocomm Ltd’s customer data was allegedly leaked on an independent website, magicapk.com, a report said. Jio, which crossed the 100 million mark in February, barely six months after it was launched, ended the financial year with <b><a href="http://www.livemint.com/Industry/wVDwB0wKqaXxqVFqEWp4kK/Reliance-Jio-crosses-108-million-subscribers-claims-to-be-l.html" target="_blank">108.9 million subscribers</a></b> as of 31 March.</p>
<p style="text-align: justify; ">The report, published first in a late-night article on Sunday on <b><a href="http://www.fonearena.com/blog/224741/jio-customer-database-of-over-120-million-users-leaked-could-be-biggest-data-breach-in-india.html#more-224741" target="_blank">Fonearena.com</a></b>, alleged that “several sensitive details” were exposed, including customers’ first and last names, mobile numbers, email IDs, circles, SIM activation dates and even the Aadhaar numbers. The Aadhaar numbers, however, were redacted on magicapk.</p>
<p style="text-align: justify; ">“To my disbelief I found my own details in the database and also couple of my colleagues are affected too,” wrote Varun Krish, the author of the article. However, if you now click on Magicapk.com, it reads: “This Account has been <a href="http://magicapk.com/cgi-sys/suspendedpage.cgi" target="_blank">suspended</a>.” The Registrar of the site, according to the <b><a href="https://www.whois.com/whois/magicapk.com">whois database</a></b>, is Godaddy.com, LLC.</p>
<p style="text-align: justify; ">When contacted, a Reliance Jio spokesperson said, “We have come across the unverified and unsubstantiated claims of the website and are investigating it. Prima facie, the data appears to be unauthentic. We want to assure our subscribers that their data is safe and maintained with highest security. Data is only shared with authorities as per their requirement. We have informed law enforcement agencies about the claims of the website and will follow through to ensure strict action is taken.”</p>
<p style="text-align: justify; ">Fonearena.com, on its site, has responded with a: “We still stand by our story.”</p>
<p style="text-align: justify; ">The report assumes significance because the site exposed redacted Aadhaar card details. There are nearly 1.2 billion Aadhaar number holders in the country. Aadhaar aims to plug leakages in the delivery of state benefits, such as subsidized grains to the poor, and aid in generating a savings of about Rs70,000 crore a year for the government. But data breaches have rattled citizens, especially since India does not have a Privacy Act.</p>
<p style="text-align: justify; ">In March, the Unique Identification Authority of India (UIDAI) blacklisted a common services centre for 10 years after it shared the Aadhaar details of former cricket captain Mahendra Singh Dhoni. On 25 April, <i>Mint</i> reported that many government departments, including the ministry of drinking water and sanitation, the Jharkhand Directorate of Social Security, and the Kerala government’s pension department, had published Aadhaar numbers of beneficiaries of the schemes they run in <b><a href="http://www.livemint.com/Politics/bM6xWCw8rt6Si4seV43C2H/Govt-departments-breach-Aadhaar-Act-leak-details-of-benefic.html" target="_blank">violation of the Aadhaar Act</a></b>.</p>
<p style="text-align: justify; ">On 1 May, Bengaluru-based think tank Centre for Internet and Society (CIS) reported that a Central government ministry and a state government may have <b><a href="https://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof-a-documentation-of-public-availability-of-aadhaar-numbers-with-sensitive-personal-financial-information-1">made public up to 135 million Aadhaar numbers</a></b>.</p>
<p style="text-align: justify; ">Under the Aadhaar (Targeted Delivery of Financial Subsidies, Benefits and Services) Act, 2016, the unique identity number is mandatory only to receive social welfare benefits. However, tagging of the Aadhaar number is being made mandatory by the government for various schemes including PAN (permanent account number) accounts for taxation. On 7 July, the Supreme Court refused to pass any interim order against the mandatory use of Aadhaar for various government schemes. It, instead, suggested that petitioners call for <a href="http://www.livemint.com/Politics/5bZrxjf4FpfbxZFhc9inbI/Aadhaarlinked-issues-to-be-decided-by-constitution-bench-S.html" target="_blank">immediate formation of a Constitution bench</a> to decide on the case.</p>
<p style="text-align: justify; ">News of the alleged data leak also comes at a time when there has been a spate of cyber hacks.</p>
<p style="text-align: justify; ">For instance, just when companies started believing that WannaCry—the malware that held over 200,000 individuals across 10,000 organizations in nearly 100 countries to ransom—was on the wane, a virus christened GoldenEye (a variant of the Petya ransomware) by security firm Bitdefender Labs attacked companies, mostly in Ukraine. And while the target primarily appeared to be European countries, the <b><a href="http://www.livemint.com/Technology/IUkweIPadyeIHRW7lFTysI/GoldenEye-ransomware-follows-in-WannaCrys-footsteps.html" target="_blank">ransomware was also reported</a></b> to be making inroads in countries like India.</p>
No publisher | praskrishna | Aadhaar, Internet Governance, Privacy | 2017-07-10T14:53:42Z | News Item
Social Activist Alleges Threat By Police Officer Over Possession of Aadhaar
http://editors.cis-india.org/internet-governance/news/the-wire-gaurav-vivek-bhatnagar-july-16-2017-social-activist-alleges-threat-by-police-officer-over-possession-of-aadhaar
<b>Social activist Shabnam Hashmi recorded a policeman telling her those without address proof and Aadhaar could be “eliminated”.</b>
<p style="text-align: justify; ">The article by Gaurav Vivek Bhatnagar was published in the <a class="external-link" href="https://thewire.in/158107/fear-around-misuse-of-aadhar/">Wire</a> on July 16, 2017. Pranesh Prakash was quoted.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Well-known social activist Shabnam Hashmi held a press conference to say she was threatened on the telephone by a police officer at the Lajpat Nagar police station warning her that the government had launched a ‘surround and eliminate’ campaign against people whose addresses are not known and who do not possess Aadhaar numbers or cards. This is now a standing instruction to all police stations, Hashmi was told. Moreover, the officer – accused of threatening and abusing Hashmi when she called him on the night of July 14 to know why the husband of a woman, who learns stitching at a training centre run by the NGO Pehchan at Jaitpur in south-east Delhi, had been summoned at a late hour – insisted that police personnel were well within their rights to act in this way.</p>
<p style="text-align: justify; ">The police may brush aside this assertion as the concerned officer’s personal opinion, or they may deny the veracity of the conversation, <a href="https://www.youtube.com/watch?v=Az2WR54QWTE" rel="external nofollow" target="_blank" title="which Hashmi recorded and shared with the media">which Hashmi recorded and shared with the media</a>; but she and other anti-Aadhaar activists say the interaction raises questions about the consequences – intended or unintended – of the Centre’s stress on making Aadhaar mandatory for the personal liberty and civil rights of ordinary residents.</p>
<p style="text-align: justify; ">Many Aadhaar critics have, in the past, expressed the fear that the irresponsible use or misuse of Aadhaar could lead to India becoming a ‘surveillance state’ or ‘police state’ by placing enormous discretionary powers in the hands of unscrupulous state officials.</p>
<p style="text-align: justify; "><b>Petitioners in SC had cautioned against misuse of Aadhaar</b></p>
<p style="text-align: justify; ">Earlier this year, Communist Party of India leader Binoy Viswam had filed a petition in the Supreme Court questioning the introduction of Section 139 AA of the IT Act to link Aadhaar cards with PAN cards. Subsequently, <a href="http://www.rediff.com/news/interview/aadhaar-is-very-dangerous-for-the-indian-nation/20170425.htm" rel="external nofollow" target="_blank" title="in an interview">in an interview</a> in April this year, he had noted that “the citizens are becoming instruments in the hands of the state” as “by taking fingerprints, iris scans and other details of the citizens of the country, the state is becoming the custodian of its people.” He had also expressed the fear that “the state can use this data according to its whims and fancies”.</p>
<p style="text-align: justify; ">Viswam could not have been more correct. Much before the use of data, “elements” of the state have started using the ruse of creation of data itself as a convenient tool to threaten and intimidate people and this is precisely what happened in the case of Hashmi.</p>
<p style="text-align: justify; ">Recalling the incident, Hashmi, who is the founding trustee of Pehchan, said the NGO runs a small centre in Jaitpur extension where it teaches school dropouts to appear for class 10 and 12 examinations and also runs sewing classes for women.</p>
<p style="text-align: justify; ">Hashmi said that at around 9 pm on July 14, Haseen, the husband of Mubina, one of the trainees, was summoned by a sub-inspector to the Lajpat Nagar police station regarding a complaint. When Hashmi called up the police station to find out what the summons was about, the policeman allegedly “hurled abuses”, and used “highly derogatory and uncivilised language” during the conversation.</p>
<p style="text-align: justify; ">Though Hashmi did not have a recorder in her phone at the time of the first call, she subsequently downloaded one and later recorded her conversation with the same officer.</p>
<p style="text-align: justify; ">In this conversation, the policeman is heard reasoning with Hashmi that he had not summoned Haseen at a late hour. He claimed that he used harsh language in the first conversation since she had not identified herself and had only proclaimed herself to be a social worker. It also comes across in the conversation that Hashmi had told the man in the earlier conversation that he was drunk while being on duty and that this had irked him. It emerged that the cop had got an inkling that she was recording the later conversation, because of which he apparently mellowed down.</p>
<p style="text-align: justify; ">The issue assumes significance as after declaring twice in the past that Aadhaar cannot be made mandatory for delivering services, the <a href="http://www.thehindu.com/news/national/supreme-court-upholds-aadhaar-pan-linkage/article18903048.ece" rel="external nofollow" target="_blank" title="Supreme Court had recently upheld">Supreme Court had recently upheld</a> the validity of an Income Tax law amendment linking PAN with Aadhaar for filing tax returns.</p>
<p style="text-align: justify; ">Former Attorney General Mukul Rohatgi had argued that the government was “entitled to have identification” and that “as constituents of society people can’t claim immunity from identification.” Rohatgi had insisted that “no right is absolute, right to body is not absolute. Under extreme cases even right to life can be taken away, under due process.”</p>
<p style="text-align: justify; "><b>Experts have often cautioned against Aadhaar misuse</b></p>
<p style="text-align: justify; ">According to legal experts, the illegalities related to Aadhaar do not just end with such arguments. Writing for <i>The Wire</i>, Prashant Reddy T., a research associate at the School of Law, Singapore Management University, <a href="https://thewire.in/148687/mandatory-aadhaar-bank-accounts-legality/" rel="noopener noreferrer" target="_blank" title="had noted that">had noted that</a> in the past couple of months the “Modi government has increasingly used its rule-making powers under various laws in a manner which is contrary to the law of the land.” He was referring to the Centre’s announcement to mandatorily link Aadhaar numbers to all non-small bank accounts, failing which, access to the bank accounts would be disabled after December 31.</p>
<p style="text-align: justify; ">“As is often the case with this government, the question now is whether this new mandatory Aadhaar requirement (and the threatened punishment) is legal,” the expert had asked.</p>
<p style="text-align: justify; ">Earlier this year, writing for the <i>Hindustan Times</i>, Pranesh Prakash, policy director at the Centre for Internet and Society, and an affiliated fellow at Yale Law School’s Information Society Project, <a href="http://www.hindustantimes.com/india-news/what-s-really-happening-when-you-swipe-your-aadhaar-card-to-make-a-payment/story-2fLTO5oNPhq1wyvZrwgNgJ.html" rel="external nofollow" target="_blank" title="had referred">had referred</a> to the immense potential of Aadhaar for profiling and surveillance. He had called for fundamentally altering Aadhaar, saying that if the rampant misuse of surveillance and wilful ignorance of the law by the state were anything to go by, the future looked bleak.</p>
No publisher | Admin | Aadhaar, Internet Governance, Privacy | 2017-07-20T14:31:12Z | News Item
Privacy is not a unidimensional concept
http://editors.cis-india.org/internet-governance/privacy-is-not-a-unidimensional-concept
<b>Right to privacy is important not only for our negotiations with the information age but also to counter the transgressions of a welfare state. A robust right to privacy is essential for all citizens in India to defend their individual autonomy in the face of invasive state actions purportedly for the public good. The ruling of this nine-judge bench will have far-reaching impact on the extent and scope of rights available to us all.</b>
<div>This article, written by Amber Sinha, was published in the <a class="external-link" href="http://economictimes.indiatimes.com/news/politics-and-nation/aadhar-privacy-is-not-a-unidimensional-concept/articleshow/59716562.cms">Economic Times</a> on July 23, 2017. </div>
<div>
<br /></div>
<div>In a disappointing case of judicial evasion by the apex court,
it has taken over 600 days since a reference order passed on
August 11, 2015, for this bench to be constituted. Over two days
of arguments, the counsels for the petitioners have presented
before the court why the right to privacy, despite not finding a
mention in the Constitution of India, is a fundamental right
essential to a person’s dignity and liberty, and must be read into
not one but multiple articles of the Constitution. The government
will make its arguments in the coming week.</div>
<div>One must wonder why we are debating the contours of the right
to privacy, which 40 years of jurisprudence had lulled us into
believing we already had. The answer to that can be found in a
series of hearings in the Aadhaar case that began in 2012. Justice
KS Puttaswamy, a former Karnataka High Court judge, filed a
petition before the Supreme Court, questioning the validity of the
Aadhaar project due to its lack of legislative basis (since then the
Aadhaar Act was passed in 2016) and its transgressions on our
fundamental rights. Over time, a number of other petitions also
made their way to the apex court, challenging different aspects of
the Aadhaar project. Since then, five different interim orders by
the Supreme Court have stated that no person should suffer because
they do not have an Aadhaar number. Aadhaar, according to the
court, could not be made mandatory to avail benefits and services
from government schemes. Further, the court has limited the use of
Aadhaar to specific schemes: LPG, PDS, MGNREGA, National Social
Assistance Programme, the Pradhan Mantri Jan Dhan Yojna and EPFO.<br />
<br /></div>
<div>The real spanner in the works in the progress of this case was
the stand taken by Mukul Rohatgi, then attorney general of India
who, in a hearing before the court in July 2015, stated that there
is no constitutionally guaranteed right to privacy. His reliance
was on two Supreme Court judgments in MP Sharma v Satish Chandra
(1954) and Kharak Singh v State of Uttar Pradesh (1962): both
cases, decided by eight- and six-judge benches respectively,
denied the existence of a constitutional right to privacy. As the
subsequent judgments which upheld the right to privacy were by
smaller benches, Rohatgi claimed that MP Sharma and Kharak Singh
still prevailed over them, until they were overruled by a larger
bench.</div>
<div>The reference to a larger bench has since delayed the entire
matter, even as a number of government schemes have made Aadhaar
mandatory. This reading of privacy as a unidimensional concept by
the courts is, with due respect, erroneous. Privacy, as a concept,
includes within its scope, spatial, familial, informational and
decisional aspects. We all have a legitimate expectation of
privacy in our private spaces, such as our homes, and in our
personal relationships. Similarly, we must be able to exercise
some control over how personal data, like our financial
information, are disseminated. Most importantly, privacy gives us
the space to make autonomous choices and decisions without
external interference. All these dimensions of privacy must stand
as distinct rights. In MP Sharma, the court rejected a certain
aspect of the right of privacy by refusing to acknowledge a right
against search and seizure. This in no way prevented the court,
even in the form of a smaller bench, from ruling on any other
aspects of privacy, including those that are relevant to the
Aadhaar case.</div>
<div> </div>
<div>The limited referral to this bench means that the court will
have to rule on the status of privacy and its possible limitations
in isolation, without even going into the details of the Aadhaar
case (based on the nature of protection that this bench accords to
privacy, the petitioners and defendants in the Aadhaar case will
have to argue afresh on whether the project does impede on this
most fundamental right). There are no facts of the case to ground
the legal principles in, and defining the contours of a right can
be a difficult exercise. The court must be wary of how any limits
they put on the right may be used in future. Equally, it is
important to articulate that any limitations on the right to
privacy due to competing interests such as national security and
public interest must be imposed only when necessary and always be
proportionate. <br />
<br /></div>
<p>
It will not be enough for the court to merely state that we have a
constitutional right to privacy. They would be well advised to cut
through the muddle of existing privacy jurisprudence, and
unequivocally establish the various facets of the right. Without
that, we may not be able to withstand the modern dangers of
surveillance, denial of bodily integrity and self-determination
through forcible collection of information. The nine judges, in
their collective wisdom, must not only ensure that we have a right
to privacy, but also clearly articulate a robust reading of this
right capable of withstanding the growing interferences with our
autonomy.</p>
<div> </div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/privacy-is-not-a-unidimensional-concept'>http://editors.cis-india.org/internet-governance/privacy-is-not-a-unidimensional-concept</a>
</p>
No publisher | amber | Internet Governance, Aadhaar, Data Protection, Privacy | 2017-08-07T08:02:20Z | Blog Entry
Will Only Legal Backing For Aadhaar Suffice?
http://editors.cis-india.org/internet-governance/new-indian-express-march-14-2016-will-only-legal-backing-for-aadhaar-suffice
<b>Aadhaar is set to become mandatory, but the opponents of the scheme are not amused. Concerns about privacy of the Aadhaar number and the authenticity of the biometric data being collected have been expressed by people right from the beginning. But the government has not done much to address these issues.</b>
<p>The article was published in <a class="external-link" href="http://www.newindianexpress.com/nation/Will-Only-Legal-Backing-For-Aadhaar-Suffice/2016/03/14/article3326144.ece">New Indian Express </a>on March 14, 2016. Sunil Abraham was quoted.</p>
<hr />
<p style="text-align: justify; ">“It does not matter what legislative backing they give it, it is still a surveillance programme. How can you have a privacy Bill for a surveillance programme? Legislative backing would be band-aid. I do not agree with it,” says Sunil Abraham, Executive Director of The Centre for Internet and Society. The society is a Bengaluru-based organisation looking at multi-disciplinary research and advocacy.</p>
<p style="text-align: justify; ">Abraham says that ever since the Aadhaar scheme was implemented, there was a massive degradation of civil liberties. “It is an opaque technology. Why should the government have such a database?” he asks.</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/Aadhaar1.jpg" alt="Aadhaar" class="image-inline" title="Aadhaar" /></p>
<p style="text-align: justify; ">Abraham says that the keys to the data should not have rested with the government where it is vulnerable. Instead, the government should have explored the concept of introducing smart cards issued to the citizen with the data stored on it.</p>
<p style="text-align: justify; ">Access to this data could not be had without the permission of the citizen, he says. At present, if something goes wrong or if the data is compromised, the government can always blame a lapse in technology, Abraham adds.</p>
<p style="text-align: justify; ">He questions the government’s logic where it assumes that only the poor section of society can misuse the benefits and says that it is well known that the problem exists in the supply chain and that the government has done nothing to address this.</p>
<p style="text-align: justify; ">Mathew Thomas of The Fifth Estate, an NGO, wonders what advantage the BJP suddenly found that they decided to pursue Aadhaar rather than send it to the trash bin as they had promised before the general elections.</p>
<p style="text-align: justify; ">Thomas says Aadhaar is flawed and is a fraud on the Constitution and the government has taken the money bill route simply to avoid a debate on it.</p>
<p style="text-align: justify; ">“Just passing a Bill is meaningless. This is radically wrong and we all know that protection of privacy is nonsense. How do they plan to plug the leakages? Have they even conducted a study, because there is no evidence of it. The correct beneficiary can get an LPG cylinder, but what is stopping the person from using it for an auto or for his car? That the government can lie to its own people is terrible,” he says.</p>
<p style="text-align: justify; ">A five-judge bench of the Supreme Court, which is hearing the matter on privacy concerns about Aadhaar, is expected to have a hearing by the end of this month.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/new-indian-express-march-14-2016-will-only-legal-backing-for-aadhaar-suffice'>http://editors.cis-india.org/internet-governance/new-indian-express-march-14-2016-will-only-legal-backing-for-aadhaar-suffice</a>
</p>
No publisher | praskrishna | Aadhaar, Internet Governance, Privacy | 2016-03-16T02:31:52Z | News Item
Press Release, March 11, 2016: The Law cannot Fix what Technology has Broken!
http://editors.cis-india.org/internet-governance/blog/press-release-aadhaar-11032016-the-law-cannot-fix-what-technology-has-broken
<b>We published and circulated the following press release on March 11, 2016, as the Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. This Bill was proposed by finance minister, Mr. Arun Jaitley to give legislative backing to Aadhaar, being implemented by the Unique Identification Authority of India (UIDAI).</b>
<p> </p>
<p>The Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 today. This Bill was proposed by finance minister, Mr. Arun Jaitley to give legislative backing to Aadhaar, being implemented by the Unique Identification Authority of India (UIDAI).</p>
<p>The Bill was introduced as a money bill and there was no public consultation to evaluate the provisions therein even though there are very serious ramifications for the Right to Privacy and the Right to Association and Assembly. The Bill has made it compulsory for an individual to enrol under Aadhaar in order to receive any subsidy,
benefit or service from the Government. Biometric information that is required for the purpose of enrolment has been deemed "sensitive personal information" and restrictions have been imposed on use, disclosure and sharing of such information for purposes other than authentication, disclosure made pursuant to a court order or in the interest of national security. Here, the Bill has acknowledged the standards of protection of sensitive personal information established under Section 43A of the Information Technology Act, 2000. The Bill has also laid down several penal provisions for acts that include impersonation at the time of enrolment, unauthorised access to the
Central Identities Data Repository, unauthorised use by requesting entity, noncompliance with intimation requirements, etc.</p>
<h3>Key Issues</h3>
<h4>1. Identification without Consent</h4>
<p>Before the Aadhaar project it was not possible for the Indian government to identify citizens without their consent. But once the government has created a national centralized biometric database it will be possible for the government to identify any citizen without their consent. High-resolution photography and videography make it trivial for governments and also any other actor to harvest biometrics remotely. In other words, the technology makes consent irrelevant. A German minister's fingerprints were captured by hackers as she spoke using hand gestures at a conference. In a similar manner the government can now identify us both as individuals and also as groups without requiring our cooperation. This has direct implications for the right to privacy as we will be under constant government surveillance in the future as CCTV camera resolutions improve and there will be chilling effects on the
right to free speech and the freedom of association. The only way to fix this is to change the technology configuration and architecture of the project. The law cannot be used as a band-aid on really badly designed technology.</p>
<h4>2. Fallible Technology</h4>
<p>The technology used for collection and authentication has been said to be fallible. It is understood that the technology has been feasible for a population of 200 million. The Biometrics Standards Committee of UIDAI has acknowledged the lack of data on how a biometric authentication technology will scale up where the population is about 1.2 billion. Further, a report by 4G Identity Solutions estimates that while in any population, approximately 5% of the people have unreadable fingerprints, in India it could lead to a failure to enroll up to 15% of the population.</p>
<p>We know that the Aadhaar number has been issued to dogs and trees (with the Aadhaar letter containing the photo of a tree). There have been slip-ups in the Aadhaar card enrolment process: some cards have ended up with
pictures of an empty chair, a tree or a dog instead of the actual applicants. An RTI application has revealed that the Unique Identification Authority of India (UIDAI) has identified more than 25,000 duplicate Aadhaar numbers in the country till August 2015.</p>
<p>At the stage of authentication, the accuracy of biometric identification depends on the chance of a false positive: the probability that the identifiers of two persons will match. For the current population of 1.2 billion the expected proportion of duplicates is 1/121, a ratio which is far too high. A recent paper in EPW by Hans Mathews, a mathematician with CIS, shows that as per UIDAI's own statistics on failure rates, the programme would badly fail to uniquely identify individuals in India. <strong>[1]</strong></p>
<h3>Endnote</h3>
<p><strong>[1]</strong> See: <a href="http://cis-india.org/internet-governance/blog/epw-27-february-2016-hans-varghese-mathews-flaws-in-uidai-process">http://cis-india.org/internet-governance/blog/epw-27-february-2016-hans-varghese-mathews-flaws-in-uidai-process</a></p>
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/press-release-aadhaar-11032016-the-law-cannot-fix-what-technology-has-broken'>http://editors.cis-india.org/internet-governance/blog/press-release-aadhaar-11032016-the-law-cannot-fix-what-technology-has-broken</a>
</p>
No publisher | Japreet Grewal and Sunil Abraham | UID, Big Data, Privacy, Internet Governance, Digital India, Aadhaar, Biometrics | 2016-03-16T10:10:40Z | Blog Entry
List of Recommendations on the Aadhaar Bill, 2016 - Letter Submitted to the Members of Parliament
http://editors.cis-india.org/internet-governance/blog/list-of-recommendations-on-the-aadhaar-bill-2016
<b>On Friday, March 11, the Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. The Bill was introduced as a money bill and there was no public consultation to evaluate the provisions therein even though there are very serious ramifications for the Right to Privacy and the Right to Association and
Assembly. Based on these concerns, and numerous others, we submitted an initial list of recommendations to the Members of Parliament to highlight the aspects of the Bill that require immediate attention.</b>
<p> </p>
<h4>Download the submission letter: <a href="https://github.com/cis-india/website/raw/master/docs/CIS_Aadhaar-Bill-2016_List-of-Recommendations_2016.03.16.pdf">PDF</a>.</h4>
<p> </p>
<h3>Text of the Submission</h3>
<p>On Friday, March 11, the Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. The Bill was introduced as a money bill and there was no public consultation to evaluate the provisions therein even though there are very serious ramifications for the Right to Privacy and the Right to Association and Assembly. The Bill has made it compulsory for all Indians to enroll for Aadhaar in order to receive any subsidy, benefit, or service from the Government whose expenditure is incurred from the Consolidated Fund of India. Apart from the issue of centralisation of the national biometric database leading to a deep national vulnerability, the Bill also keeps unaddressed two serious concerns regarding the technological framework concerned:</p>
<ul><li><strong>Identification without Consent:</strong> Before the Aadhaar project it was not possible for the Indian government or any private entity to identify citizens (and all residents) without their consent. But biometrics allow for non-consensual and covert identification and authentication. The only way to fix this is to change the technology configuration and architecture of the project. The law cannot be used to correct the problems in the technological design of the project.<br /><br /></li>
<li><strong>Fallible Technology:</strong> The Biometrics Standards Committee of UIDAI has acknowledged the lack of data on how a biometric authentication technology will scale up where the population is about 1.2 billion. The technology has been tested and found feasible only for a population of 200 million. Further, a report by 4G Identity Solutions estimates that while in any population, approximately 5% of the people have unreadable fingerprints, in India it could lead to a failure to enroll up to 15% of the population. For the current Indian population of 1.2 billion the expected proportion of duplicates is 1/121, a ratio which is far too high. <strong>[1]</strong></li></ul>
<p>Based on these concerns, and numerous others, we sincerely request you to ensure that the Bill is rigorously discussed in Rajya Sabha, in public, and, if needed, also by a Parliamentary Standing Committee, before considering its approval and implementation. Towards this, we humbly submit an initial list of recommendations to highlight the aspects of the Bill that require immediate attention:</p>
<ol><li><strong>Implement the Recommendations of the Shah and Sinha Committees:</strong> The report by the Group of Experts on Privacy chaired by the Former Chief Justice A P Shah <strong>[2]</strong> and the report by the Parliamentary Standing Committee on Finance (2011-2012) chaired by Shri Yashwant Sinha <strong>[3]</strong> have suggested a rigorous and extensive range of recommendations on the Aadhaar / UIDAI / NIAI project and the National Identification Authority of India Bill, 2010 from which the majority sections of the Aadhaar Bill, 2016, are drawn. We request that these recommendations are seriously considered and incorporated into the Aadhaar Bill, 2016.<br /><br /></li>
<li><strong>Authentication using the Aadhaar number for receiving government subsidies, benefits, and services cannot be made mandatory:</strong> Section 7 of the Aadhaar Bill, 2016, states that authentication of the person using her/his Aadhaar number can be made mandatory for the purpose of disbursement of government subsidies, benefits, and services; and in case the person does not have an Aadhaar number, s/he will have to apply for Aadhaar enrolment. This sharply contradicts the claims made by UIDAI earlier that the Aadhaar number is “optional, and not mandatory”, and more importantly the directive given by the Supreme Court (via order dated August 11, 2015). The Bill must explicitly state that the Aadhaar number is only optional, and not mandatory, and a person without an Aadhaar number cannot be denied any democratic rights, and public subsidies, benefits, and services, and any private services.<br /><br /></li>
<li><strong>Vulnerabilities in the Enrolment Process:</strong> The Bill does not address already documented issues in the enrolment process. In the absence of an exhaustive list of information to be collected, some Registrars are permitted to collect extra and unnecessary information. Also, storage of data for elongated periods with Enrolment Agencies creates security risks. These vulnerabilities need to be prevented through specific provisions. It should also be mandated for all entities including the Enrolment Agencies, Registrars, CIDR and the requesting entities to shift to a secure system like PKI-based cryptography to ensure a secure method of data transfer.<br /><br /></li>
<li><strong>Precisely Define and Provide Legal Framework for Collection and Sharing of Biometric Data of Citizens:</strong> The Bill defines “biometric information” to include within its scope “photograph, fingerprint, iris scan, or other such biological attributes of an individual.” This definition gives broad and sweeping discretionary power to the UIDAI / Central Government to increase the scope of the term. The definition should be exhaustive in its scope so that a legislative act is required to modify it in any way.<br /><br /></li>
<li><strong>Prohibit Central Storage of Biometrics Data:</strong> The presence of central storage of sensitive personal information of all residents in one place creates a grave security risk. Even with the most enhanced security measures in place, the quantum of damage in case of a breach is extremely high. Therefore, storage of biometrics must be allowed only on the smart cards that are issued to the residents.<br /><br /></li>
<li><strong>Chain of Trust Model and Audit Trail:</strong> As one of the objects of the legislation is to provide targeted services to beneficiaries and reduce corruption, there should be more accountability measures in place. A chain of trust model must be incorporated in the process of enrolment where individuals and organisations vouch for individuals so that when a ghost is introduced someone can be held accountable and blame is not placed simply on the technology. This is especially important in light of the questions already raised about the deduplication technology. Further, there should be a transparent audit trail made available that allows public access to use of Aadhaar for combating corruption in the supply chain.<br /><br /></li>
<li><strong>Rights of Residents:</strong> There should be specific provisions dealing with cases where an individual is not issued an Aadhaar number or denied access to benefits due to any other factor. Additionally, the Bill should make provisions for residents to access and correct information collected from them, to be notified of data breaches and legal access to information by the Government or its agencies, as a matter of right. Further, along with the obligations in Section 8, it should also be mandatory for all requesting entities to notify the individuals of any changes in privacy policy, and to provide a mechanism to opt out.<br /><br /></li>
<li><strong>Establish Appropriate Oversight Mechanisms:</strong> Section 33 currently specifies a procedure for oversight by a committee; however, there are no substantive provisions laid down that shall act as the guiding principles for such oversight mechanisms. The provision should include data minimisation, and “necessity and proportionality” principles as guiding principles for any exceptions to Section 29.<br /><br /></li>
<li><strong>Establish Grievance Redressal and Review Mechanisms:</strong> Currently, there is no grievance redressal mechanism created under the Bill. The power to set up such a mechanism is delegated to the UIDAI under Section 23 (2) (s) of the Bill. However, making the entity administering a project also responsible for providing the frameworks to address the grievances arising from the project severely compromises the independence of the grievance redressal body. An independent national grievance redressal body, with state and district level bodies under it, should be set up. Further, the NIAI Bill, 2010, provided for establishing an Identity Review Committee to monitor the usage pattern of Aadhaar numbers. This has been removed in the Aadhaar Bill 2016, and must be restored.</li></ol>
<p> </p>
<h3>Endnotes</h3>
<p><strong>[1]</strong> See: <a href="http://cis-india.org/internet-governance/blog/Flaws_in_the_UIDAI_Process_0.pdf.">http://cis-india.org/internet-governance/blog/Flaws_in_the_UIDAI_Process_0.pdf</a>.</p>
<p><strong>[2]</strong> See: <a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf</a>.</p>
<p><strong>[3]</strong> See: <a href="http://164.100.47.134/lsscommittee/Finance/15_Finance_42.pdf">http://164.100.47.134/lsscommittee/Finance/15_Finance_42.pdf</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/list-of-recommendations-on-the-aadhaar-bill-2016'>http://editors.cis-india.org/internet-governance/blog/list-of-recommendations-on-the-aadhaar-bill-2016</a>
</p>
No publisher | Amber Sinha, Sumandro Chattapadhyay, Sunil Abraham, and Vanya Rakesh | UID, Big Data, Privacy, Internet Governance, Featured, Digital India, Aadhaar, Biometrics, Homepage | 2016-03-21T08:50:09Z | Blog Entry
A scheme in India to help the poor raises privacy concerns
http://editors.cis-india.org/internet-governance/news/a-scheme-in-india-to-help-the-poor-raises-privacy-concerns
<b>India’s legislators are on Wednesday debating a law that would allow the government to collect biometric and demographic information from people in return for distributing to them government benefits and subsidies. </b>
<p style="text-align: justify; ">The article by John Ribeiro published by IDG News Service on March 16, 2016 was also mirrored on <a class="external-link" href="http://www.csoonline.com/article/3044722/security/a-scheme-in-india-to-help-the-poor-raises-privacy-concerns.html">CSO</a>.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">A number of legislators and civil rights activists are concerned about the absence of strong privacy safeguards in the legislation and a provision in the law that allows the government to access the data collected for national security reasons. There is also concern that such a large centralized database of personal information could be hacked and critical information leaked.</p>
<p style="text-align: justify; ">Biometric information, once leaked, cannot be 'revoked,' and identity fraud may in fact become harder to detect if Aadhaar is used for authentication of transactions, said Pranesh Prakash, policy director at the Centre for Internet and Society in Bangalore, in an email.</p>
<p style="text-align: justify; ">Activists are also wary that the program could be extended by the government to make it a mandatory digital ID card for people in the country. Already some telecommunications services and financial services companies use the biometric identity as an optional way for verifying customers. Currently, people can keep their personal information in silos, as for example their insurance company can't combine their database with that of a hospital, Prakash said. "However, with Aadhaar as a unique linking factor, they could, even without the person's consent," he added.</p>
<p style="text-align: justify; ">The biometric ID, which assigns a person a 12-digit number called the Aadhaar number, requires the collection of photos, fingerprints, iris scans and other information such as the name, date of birth and address of the individual. Every time a person has to be verified, he has to present the Aadhaar number, and his biometric information has to match the data stored in a centralized repository.</p>
<p style="text-align: justify; ">The digital identity is expected to provide proof of identification to the large number of poor Indians who do not have house addresses, school certificates, birth certificates or other documents that are usually used to prove identity in India.</p>
<p style="text-align: justify; ">The traditional paper ration books used in the country are notoriously stuffed with people who are nonexistent or who do not typically qualify for benefits, so the government hopes to save some money by linking the benefits to a digital identity. But the new scheme addresses only end-user fraud and not the large-scale theft prevalent in the entire supply chain, according to analysts.</p>
<p style="text-align: justify; ">Rajeev Chandrasekhar, a member of India’s Parliament, has proposed amendments to the bill that would ensure that Aadhaar numbers should not be used as proof of identity for purposes other than subsidies and benefits. Chandrasekhar also wants the Unique Identification Authority of India that manages the project to be responsible for ensuring the security and privacy of the biometric and demographic information of the account holder, with liability for damages in a civil court in the case of a breach.</p>
<p style="text-align: justify; ">The Aadhaar program has been allotting IDs for a number of years, even under a previous government, but the program was the offshoot of an executive order and had no legal sanction. The country’s Supreme Court <a href="http://www.pcworld.com/article/2049364/indian-biometric-id-project-faces-court-hurdle.html"><span>ruled in 2013</span></a> in an interim order that people cannot be required to have Aadhaar identification to collect state subsidies. Aware of the legal minefield it was treading on, the government had said the scheme was voluntary.</p>
<p style="text-align: justify; ">The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 passed recently in the Lok Sabha, one of the houses of India’s parliament, now aims to make the scheme mandatory. The bill sailed through the Lok Sabha where the government has a majority, but will likely meet with strong opposition from the other house, the Rajya Sabha. But the government has classified the bill as a money bill and the Rajya Sabha does not have the final say on such bills. So the legislation is likely to be passed in any case despite its limitations.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/a-scheme-in-india-to-help-the-poor-raises-privacy-concerns'>http://editors.cis-india.org/internet-governance/news/a-scheme-in-india-to-help-the-poor-raises-privacy-concerns</a>
</p>
No publisher | praskrishna | Aadhaar, Internet Governance, Privacy | 2016-03-17T03:08:33Z | News Item
Vulnerabilities in the UIDAI Implementation Not Addressed by the Aadhaar Bill, 2016
http://editors.cis-india.org/internet-governance/blog/vulnerabilities-in-the-uidai-implementation-not-addressed-by-the-aadhaar-bill-2016
<b>In this infographic, we document the various issues in the Aadhaar enrolment process implemented by the UIDAI, and highlight the vulnerabilities that the Aadhaar Bill, 2016 does not address. The infographic is based on Vidushi Marda’s article 'Data Flow in the Unique Identification Scheme of India,' and is designed by Pooja Saxena, with inputs from Amber Sinha.</b>
<h4>Download the infographic: <a href="https://github.com/cis-india/website/raw/master/infographics/CIS_Aadhaar-2016-Enrolment-Vulnerabilities_v.1.0.pdf">PDF</a> and <a href="https://github.com/cis-india/website/raw/master/infographics/CIS_Aadhaar-2016-Enrolment-Vulnerabilities_v.1.0.png">PNG</a>.</h4>
<p><strong>Credits:</strong> The illustration uses the following icons from The Noun Project - <a href="https://thenounproject.com/term/fingerprint/231547/">Thumbprint</a> created by Daouna Jeong, Duplicate created by Pham Thi Dieu Linh, <a href="https://thenounproject.com/term/copy/377777/">Copy</a> created by Mahdi Ehsaei.</p>
<p><strong>License:</strong> It is shared under Creative Commons <a href="https://creativecommons.org/licenses/by/4.0/">Attribution 4.0 International</a> License.</p>
<img src="https://github.com/cis-india/website/raw/master/infographics/CIS_Aadhaar-2016-Enrolment-Vulnerabilities_v.1.0.png" alt="Vulnerabilities in the UIDAI Implementation Not Addressed by the Aadhaar Bill, 2016" />
No publisher | Pooja Saxena and Amber Sinha | UID, Big Data, Privacy, Internet Governance, Infographic, Digital India, Aadhaar, Biometrics | 2016-03-21T08:33:53Z | Blog Entry
Aadhaar: Govt will not compromise on national security
http://editors.cis-india.org/internet-governance/news/livemint-march-9-2016-shreeja-sen-aadhaar-govt-will-not-compromise-on-national-security
<b>The government is confident that the Aadhaar Bill will be passed.</b>
<p style="text-align: justify; ">The article by Shreeja Sen was <a class="external-link" href="http://www.livemint.com/Politics/dt7ODlffwvbWvKH93jfR3K/Aadhaar-Govt-will-not-compromise-on-national-security.html">published by Livemint</a> on March 9, 2016. Pranesh Prakash gave inputs.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">In what could raise concerns of privacy activists questioning India’s unique identification project Aadhaar, the government on Tuesday said national security will not be compromised at all.</p>
<p style="text-align: justify; ">“We will not compromise on national security; certainly we will not compromise. The Supreme Court has already highlighted certain areas for consideration. We are going ahead taking into consideration all the suggestions of the Supreme Court,” law minister D.V. Sadananda Gowda said at a press conference, when asked how the Aadhaar bill tabled in Parliament last week will balance the protection of core biometrics and national security concerns.</p>
<p style="text-align: justify; ">Under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016, there are measures to protect core biometric information like fingerprints and iris scans of the unique identification number holders.</p>
<p style="text-align: justify; ">However, Section 33 says for the purposes of national security, officials at the joint secretary level and above can access this information. The section has caused some worry to experts. In this <b><a href="http://www.livemint.com/Opinion/VSqpBps7Y5YrUhvS5mGgSO/Aadhaar-still-too-many-problems.html" target="_blank"><span style="text-decoration: underline;">analysis</span></a></b>, policy director of the Centre for Internet and Society Pranesh Prakash says that the national security clause is worrisome. Adding to their concerns, the bill does not define what national security means.</p>
<p style="text-align: justify; ">The government is, however, confident that the bill will be passed. “Certainly it will be passed. The benefits that go from the exchequer to the beneficiaries will be taken care of by this bill,” Gowda said.</p>
No publisher | praskrishna | Aadhaar, Internet Governance, Privacy | 2016-03-22T15:51:13Z | News Item
India Still Trying To Turn Optional Aadhaar Identification Number Into A Mandatory National Identity System
http://editors.cis-india.org/internet-governance/news/tech-dirt-march-22-2016-india-still-trying-to-turn-optional-aadhaar-identification-number-into-mandatory-national-identity-system
<b>from the sliding-down-the-slippery-slope-to-disaster dept</b>
<p style="text-align: justify; ">The blog post was published by <a class="external-link" href="https://www.techdirt.com/articles/20160314/10271433902/india-still-trying-to-turn-optional-aadhaar-identification-number-into-mandatory-national-identity-system.shtml"><span style="text-decoration: underline;">Techdirt</span></a> on March 22, 2016. CIS research on Aadhaar was quoted.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Last year, we wrote about India's attempt to turn the use of its <a href="https://www.techdirt.com/articles/20150704/06313831544/aadhaar-soon-india-everyone-will-be-number.shtml"><span style="text-decoration: underline;">Aadhaar</span></a> system, which assigns a unique 12-digit number to all Indian citizens, into a <a href="https://www.techdirt.com/articles/20150819/07244632004/indias-attorney-general-privacy-not-fundamental-right.shtml"><span style="text-decoration: underline;">requirement</span></a> for accessing government schemes. An article in the Hindustan Times shows that the Indian government is still <a href="http://www.hindustantimes.com/india/privacy-concerns-overshadow-monetary-benefits-of-aadhaar-scheme/story-E3o0HRwc6XOdlgjqgmmyAM.html"><span style="text-decoration: underline;">pushing to turn Aadhaar into a mandatory national identity system</span></a>. A Bill has just been passed by both houses of the country's parliament, which seeks to give statutory backing to the scheme -- in the teeth of opposition from India's Supreme Court:</p>
<blockquote style="text-align: justify; "><i>There have been orders passed by the Supreme Court that prohibit the government from making Aadhaar mandatory for availing government services whereas this Bill seeks to do precisely that, contrary to the government's argument that Aadhaar is voluntary.</i></blockquote>
<p style="text-align: justify; ">The article notes that in some respects, the new Bill brings improvements over a previous version:</p>
<blockquote style="text-align: justify; "><i>It places stringent restrictions on when and how the UID [Unique Identification] Authority (UIDAI) can share the data, noting that biometric information -- fingerprint and iris scans -- will not be shared with anyone. It seeks prior consent for sharing data with third party. These are very welcome provisions.</i></blockquote>
<p style="text-align: justify; ">But it also contains some huge loopholes:</p>
<blockquote style="text-align: justify; "><i>The government will get sweeping power to access the data collected, ostensibly for "efficient, transparent, and targeted delivery of subsidies, benefits and services" as it pleases "in the interests of national security", thus confirming the suspicions that the UID database is a surveillance programme masquerading as a project to aid service delivery.</i></blockquote>
<p style="text-align: justify; ">The fact that an optional national numbering system now seems to be morphing into a way to monitor what people are doing will hardly come as a surprise to Techdirt readers, but this continued slide down the slippery slope is still troubling, as are other aspects of the new legislation. For example, it was introduced as a "Money Bill," which is normally reserved for matters related to taxation, not privacy. That suggests a desire to push it through without real scrutiny. What makes this attempt to give the Aadhaar number a much larger role in Indian society even more dangerous is the possibility that it won't work:</p>
<blockquote><i>A recent paper in the Economic and Political Weekly by Hans Mathews, a mathematician with the [Centre for Internet and Society], shows the programme would fail to uniquely identify individuals in a country of 1.2 billion.</i></blockquote>
<p>A mandatory national identity system that can't even uniquely identify people: sounds like a recipe for disaster.</p>
No publisher | praskrishna | Aadhaar, Internet Governance, Privacy | 2016-03-24T06:34:21Z | News Item
Surveillance Enabling Identity Systems in Africa: Tracing the Fingerprints of Aadhaar
http://editors.cis-india.org/internet-governance/blog/surveillance-enabling-identity-systems-in-africa-tracing-the-fingerprints-of-aadhaar
<b>Biometric identity systems are being introduced around the world with a focus on promoting human development and social and economic inclusion, rather than previous goals of security. As a result, these systems are being encouraged in developing countries, particularly in Africa and Asia, sometimes with disastrous consequences.</b>
<p style="text-align: justify; ">In this report, we identify the different external actors that are influencing this “developmental” agenda. These range from philanthropic organisations, private companies, and technology vendors, to state and international institutions. Most notable among these is the World Bank, whose influence we investigated in the form of case studies of Nigeria and Kenya. We also explored the role played by the “success” of the Aadhaar programme in India on these new ID systems. A key characteristic of the growing “digital identity for development” trend is the consolidation of different databases that record beneficiary data for government programmes into one unified platform, accessed by a unique biometric ID. This “Aadhaar model” has emerged as a default model to be adopted in developing countries, with little concern for the risks it introduces. Read and download the full report <a href="http://editors.cis-india.org/internet-governance/surveillance-enabling-identity-systems-in-africa" class="internal-link">here</a>.</p>
No publisher | Shruti Trikanad and Vrinda Bhandari | Surveillance, Aadhaar, Internet Governance, Privacy | 2022-08-09T08:17:32Z | Blog Entry
A judicial overreach into matters of regulation
http://editors.cis-india.org/internet-governance/blog/the-hindu-august-27-2019-a-judicial-overreach-into-matters-of-regulation
<b>A PIL on Aadhaar sheds light on some problematic trends</b>
<p style="text-align: justify; ">The article by Gurshabad Grover was <a class="external-link" href="https://www.thehindu.com/opinion/op-ed/a-judicial-overreach-into-matters-of-regulation/article29262148.ece">published in the Hindu</a> on August 27, 2019.</p>
<hr />
<p style="text-align: justify; ">The Madras High Court has been hearing a PIL petition since 2018 that initially asked the court to declare the linking of Aadhaar with a government identity proof as mandatory for registering email and social media accounts. The petitioners, victims of online bullying, went to the court because they found that law enforcement agencies were inefficient at investigating cybercrimes, especially when it came to gathering information about pseudonymous accounts on major online platforms. This case brings out some of the most odious trends in policymaking in India.</p>
<p style="text-align: justify; ">The first issue is how the courts, as Anuj Bhuwania has argued in the book <em>Courting the People</em>, have continually expanded the scope of issues considered in PILs. In this case, it is absolutely clear that the court is not pondering about any question of law. In what could be considered as abrogation of the separation of powers provision in the Constitution, the Madras High Court started to deliberate on a policy question with a wide-ranging impact: Should Aadhaar be linked with social media accounts?</p>
<p style="text-align: justify; ">After ruling out this possibility, it went on to consider a question that is even further out of its purview: Should platforms like WhatsApp that provide encrypted services allow forms of “traceability” to enable finding the originator of content? In essence, the court is now trying to regulate one particular platform on a very specific technical question, ignoring legal frameworks entirely. It is worrying that the judiciary is finding itself increasingly at ease with deliberations on policy and regulatory measures, and its recent actions remind us that the powers of the court also deserve critical questioning.</p>
<h2 style="text-align: justify; ">Government’s support</h2>
<p style="text-align: justify; ">Second, not only are governments failing to assert their own powers of regulation in response to the courts’ actions, they are on the contrary encouraging such PILs. The Attorney General, K.K. Venugopal, who is representing the State of Tamil Nadu in the case, could have argued for the case’s dismissal by referring to the fact that the Ministry of Electronics and Information Technology has already published draft regulations that aim to introduce “traceability” and to increase obligations on social media platforms. Instead, he has largely urged the court to pass regulatory orders.</p>
<p style="text-align: justify; ">Third, ‘Aadhaar linking’ is becoming increasingly a refrain whenever any matter even loosely related to identification or investigation of crime is brought up. While the Madras High Court has ruled out such linking for social media platforms, other High Courts are still hearing petitions to formulate such rules. The processes that law enforcement agencies use to get information from platforms based in foreign jurisdictions rely on international agreements. Linking Aadhaar with social media accounts will have no bearing on these processes. Hence, the proposed ‘solution’ misses the problem entirely, and comes with its own threats of infringing privacy.</p>
<h2 style="text-align: justify; ">Problems of investigation</h2>
<p style="text-align: justify; ">That said, investigating cybercrime is a serious problem for law enforcement agencies. However, the proceedings before the court indicate that the cause of the issues has not been correctly identified. While legal provisions that allow agencies to seek information from online platforms already exist in the Code of Criminal Procedure and the Information Technology Act, getting this information from platforms based in foreign jurisdictions can be a long and cumbersome process. For instance, the hurdles posed by the mutual legal assistance treaty between India and the U.S. effectively mean that it might take months to receive a response to information requests sent to U.S.-based platforms, if a response is received at all.</p>
<p style="text-align: justify; ">To make cybercrime investigation easier, the Indian government has various options. India should push for fairer executive agreements possible under instruments like the United States’ CLOUD Act, for which we need to first bring our surveillance laws in line with international human rights standards through reforms such as judicial oversight. India could use the threat of data localisation as a leverage to negotiate bilateral agreements with other countries to ensure that agencies have recourse to quicker procedures. As a first step, however, Indian courts must wash their hands of such questions. For its part, the Centre must engage in consultative policymaking around these important issues, rather than support ad-hoc regulation through court orders in PILs.</p>
<p style="text-align: justify; "><span>(</span><em>Disclosure: The CIS is a recipient of research grants from Facebook.</em><span>)</span></p>
No publisher | gurshabad | Aadhaar, Internet Governance, Privacy | 2019-08-28T01:28:52Z | Blog Entry
New regulations in place; Aadhaar Card records to be preserved for 7 yrs by Centre
http://editors.cis-india.org/internet-governance/news/financial-express-october-17-2016-new-regulations-in-place-aadhaar-card-records-to-be-preserved-for-7-yrs-by-centre
<b>UIDAI chief executive officer ABP Pandey said that the concerns regarding Aadhaar card-related benefits were "exaggerated" and that the agency will keep the records in case any disputes arise in the future.</b>
<p style="text-align: justify; ">The article was published in the <a href="http://www.financialexpress.com/economy/new-regulations-in-place-aadhaar-card-records-to-be-preserved-for-7-yrs-by-centre/420633/">Financial Express</a> on October 17, 2016. Sunil Abraham was quoted.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">As per new regulations, the government will now keep a record for seven years of all services and benefits that are availed using the Aadhaar number. Fearing that the database might be used for surveillance, the Unique Identification Authority of India (UIDAI) will preserve the records.</p>
<p style="text-align: justify; ">UIDAI chief executive officer ABP Pandey said that the concerns regarding Aadhaar card-related benefits were “exaggerated” and that the agency will keep the records in case any disputes arise in the future.</p>
<p style="text-align: justify; ">Pandey added that the information will be available online for two years and shall be shifted to the offline archives for the next five years. In that case, users will be able to check the records only for two years. However, the rules won’t apply to security agencies, which will need a district judge’s permission to access the data.</p>
<p style="text-align: justify; ">According to <i>HT</i>, the rules allow designated joint secretary-level officers at the Centre to order access to information on the grounds of national security.</p>
<p style="text-align: justify; ">Talking about this, Sunil Abraham, director of the Bengaluru-based think tank Centre for Internet and Society, said that once Aadhaar becomes mandatory, it can be misused to conduct 360-degree surveillance on any person.</p>
<p style="text-align: justify; ">Every time a person fingerprints and quotes the Aadhaar number, the agency concerned sends the data to UIDAI to crosscheck the particulars.<br /> The UIDAI authenticates about five million Aadhaar numbers a day, quoted to avail <a href="http://www.financialexpress.com/tag/lpg-subsidy/">LPG subsidy</a>, cheap ration and even passport, against a capacity to verify 100 million requests daily, reports <i>HT.</i></p>
<p style="text-align: justify; ">Meanwhile, the Unique Identification Authority of India (UIDAI) has launched a drive to enrol any leftover population for Aadhaar in 22 states and UTs that have “statistically” hit 100 per cent coverage for adults.</p>
<p style="text-align: justify; ">The ‘Challenge drive’ starts from October 15 for a month, a UIDAI statement said, adding that as of today, over 106.69 crore Aadhaar numbers have been generated across the country.</p>
No publisher | praskrishna | Aadhaar, Internet Governance, Privacy | 2016-10-17T14:46:31Z | News Item