The Centre for Internet and Society
http://editors.cis-india.org
These are the search results for the query, showing results 1 to 6.
Advanced biometric technologies and new market entries tackle fraud, chase digital ID billions
http://editors.cis-india.org/internet-governance/news/biometric-update-june-26-2021-chris-burt-advanced-biometric-technologies-and-new-market-entries-tackle-fraud-chase-digital-id-billions
<b>Amid forecasts of rapid growth and huge market potential, digital ID platforms from Techsign and Ping Identity, new services, features and even an investment fund have been launched.</b>
<p style="text-align: justify; ">The blog post by Chris Burt was <a class="external-link" href="https://www.biometricupdate.com/202106/advanced-biometric-technologies-and-new-market-entries-tackle-fraud-chase-digital-id-billions">published by Biometric Update</a> on June 26, 2021.</p>
<p style="text-align: justify; ">A new camera solution for under-display 3D face biometrics from Infineon and partners, and IPO filings by Clear and SenseTime show parallel investment activity in biometrics, meanwhile, and experts from Veridium and Intellicheck provide insight into the shifting technology and fraud landscapes, among the most widely-read stories this week on Biometric Update.</p>
<h2 style="text-align: justify; ">Top biometrics news of the week</h2>
<p style="text-align: justify; ">Several areas of the digital identity market continued to be very active, with a new investment fund launched to support startups in digital commerce and payments, Yoti joining a regulatory sandbox, Techsign launching a digital ID platform, and Mastercard and b.well reporting positive results from a recent pilot for their biometric healthcare platform. All this activity contributes to explaining Juniper Research’s <a href="https://www.biometricupdate.com/202106/digital-identity-verification-market-forecast-to-reach-16-7b-by-2026">forecast of rapid growth</a> in the sector to $16.7 billion in 2026, driven largely by spending on remote onboarding.</p>
<p style="text-align: justify; ">Okta CEO Todd McKinnon, meanwhile, told Barron’s that the total addressable market for identity and access management providers like Okta is something like <a href="https://www.biometricupdate.com/202106/okta-ceo-says-total-addressable-identity-and-access-management-market-near-80b">$80 billion</a>, as well as that effective integration is the key to solving biometrics challenges in the space. Entrust and Yubico formed an integration partnership, LoginRadius launched a new feature, Jamf launched a biometric tool for enterprises, and a certification program for IAM professionals was launched.</p>
<p style="text-align: justify; ">A list of goods for sale on the dark web includes a listing for <a href="https://www.biometricupdate.com/202106/biometric-selfies-and-forged-passports-identities-for-sale-on-the-dark-web">selfies holding an American ID credential</a>, which in theory could be used in a biometric spoofing attack. Cybersecurity researcher Luana Pascu helps guide readers through the report, and shares insights such as on the status of faked vaccination certificates on dark web marketplaces.</p>
<p style="text-align: justify; ">Ensuring the validity of the ID document a biometric identity verification process is based on, without adding too much friction, often means adopting <a href="https://www.biometricupdate.com/202106/intellicheck-ceo-on-building-the-foundations-for-biometric-verification-and-fraud-protection">layered risk profiling</a>, Intellicheck CEO Bryan Lewis tells <em>Biometric Update</em> in a sponsored post. The company has deep roots in detecting fraudulent documents and has found that even scanning the barcode on an identity document will not necessarily catch a fake if the unique security elements are not validated as part of the scan.</p>
<p style="text-align: justify; ">Fourthline Anti-Financial Crime Head Ro Paddock writes in a Biometric Update guest post about the ever-increasing sophistication of fraud attacks, which reached the level of computer-generated <a href="https://www.biometricupdate.com/202106/the-fraudsters-new-game-face">3D masks and deepfakes</a> during the pandemic. In response, information-sharing between organizations will be necessary to understand the scope of these new threats, and how to defend against them.</p>
<p style="text-align: justify; ">Philippines’ election commission has launched an app to allow people to preregister for the <a href="https://www.biometricupdate.com/202106/philippines-launches-app-to-fast-track-biometric-voter-registration">voter roll online</a> before enrolling their biometrics in person, as the country continues digitizing its public services. Governments in Pakistan, Haiti and Nigeria are also making moves to improve the accessibility and trustworthiness of their electoral processes.</p>
<p style="text-align: justify; ">A partnership between Research ICT Africa and the Centre for Internet and Society, supported by the Omidyar Network, to explore the development of digital ID systems for the African context is explained in a <a href="https://researchictafrica.net/2021/06/21/why-digital-id-matters/" target="_blank">blog post</a>. The project will be based on an adaptation of the Evaluation Framework for Digital Identities which the CIS used to assess India’s Aadhaar system, with rule of law, rights and risk-based tests, and presented in a series of posts.</p>
<p style="text-align: justify; ">Details of Clear’s IPO plans emerged, including its intention to raise up to <a href="https://www.biometricupdate.com/202106/clear-ipo-could-raise-up-to-396m-in-hot-biometrics-investment-market">$396 million</a> on the NYSE. The $2.2 billion valuation aligns with some comparable companies, by revenue multiple, but the lower voting power of the shares on offer could be a restraining factor.</p>
<p style="text-align: justify; ">An even bigger IPO could be held by SenseTime later this year, with the Chinese AI firm looking to raise up to $2 billion <a href="https://www.biometricupdate.com/202106/not-smarting-from-us-sanctions-sensetime-says-its-ipo-is-on-again">on the Hong Kong exchange</a>. The company has been talking about a public stock launch since before the company was hit with restrictions to U.S. trade, which it indicates have had little impact.</p>
<p style="text-align: justify; ">The latest major funding round in digital identity is the largest yet, with <a href="https://www.biometricupdate.com/202106/transmit-security-raises-543m-to-grow-biometric-passwordless-authentication">Transmit Security raising $543 million</a> at a $2.2 billion valuation to expand the market reach of its passwordless biometric authentication technology. The company claims it is the highest ever Series A funding round in cybersecurity.</p>
<p style="text-align: justify; ">Bob Eckel, Aware CEO and International Biometrics + Identity Association (IBIA) Director and Board Member, discusses why people should own their own identity, identifying things and protecting supply chains, and his background in setting up air traffic control systems used all over the world with the Requis <a href="https://requis.com/podcasts/podcast-bob-eckel-biometrics-future-secured-identities/" target="_blank">Supply Chain Next podcast</a>. In the longer term Eckel sees biometrics replacing passwords, and in the shorter term being used to make processes touchless.</p>
<p style="text-align: justify; ">Veridium CTO John Callahan guides Biometric Update through recent NIST guidance on the <a href="https://www.biometricupdate.com/202106/nist-touchless-fingerprint-biometrics-guidance-confirms-interoperability">interoperable use of contactless fingerprints</a> with contact-based back-end AFIS systems. The guidance, which changes definitions within the NIST ITL biometric container standard, but advises that the associated image quality metric does not apply to contactless prints, could spark further investment in the modality.</p>
<p style="text-align: justify; ">A new time-of-flight 3D imaging solution that could be used to implement facial authentication from <a href="https://www.biometricupdate.com/202106/under-display-camera-for-3d-face-biometrics-developed-by-infineon-pmd-arcsoft">under the display of mobile devices</a> without notches or bezels has been developed by partners Infineon, pmdtechnologies and ArcSoft. Based on the REAL3 sensor and ArcSoft’s computer vision algorithms, the solution is expected to reach availability in Q3 2021.</p>
<p style="text-align: justify; "><a href="https://www.biometricupdate.com/202106/ping-identity-adds-behavioral-biometrics-and-bot-detection-with-securedtouch-acquisition">Ping Identity has acquired SecuredTouch</a> in a deal with undisclosed financial details to integrate its behavioral biometrics-based continuous user authentication with the PingOne enterprise cloud platform. Ping also launched a consumer application for reusable credentials and added unified management features to its cloud platform at its Identiverse 2021 event.</p>
<p style="text-align: justify; ">Notre Dame-IBM Technology Ethics Lab Founding Director Elizabeth Renieris joins the MIT Sloan Management Review’s <a href="https://sloanreview.mit.edu/audio/starting-now-on-technology-ethics-elizabeth-renieris/" target="_blank">Me, Myself and AI podcast</a> to discuss the role of the lab, her path past and through some of the digital identity space’s key ethical developments, and the need to take the long view on technology to understand its ethical implications. Renieris makes a pitch for process-oriented regulations, based on the best understanding we have at the time.</p>
<p style="text-align: justify; ">ProctorU’s announcement that it will no longer sell fully-automated remote proctoring services is seen as a win in the battle against “the AI shell game” by the <a href="https://www.eff.org/deeplinks/2021/06/long-overdue-reckoning-online-proctoring-companies-may-finally-be-here" target="_blank">Electronic Frontier Foundation</a>. The descriptions of the balance between the automated and human decision-making by AI proctoring providers amount to doublespeak, the EFF says, before panning their human review processes, accuracy rates, and use of facial recognition.</p>
No publisher; Chris Burt; Privacy, Internet Governance, UIDAI, Biometrics, Aadhaar; 2021-06-28T01:13:05Z; News Item
UIDAI goes after org that disclosed government departments were releasing Aadhaar data
http://editors.cis-india.org/internet-governance/news/medianama-nikhil-pahwa-may-19-2017-uidai-cis-india-aadhaar
<b>If there was ever a case of shoot the messenger, it is this. </b>
<p style="text-align: justify; ">The blog post by Nikhil Pahwa was published by <a class="external-link" href="http://www.medianama.com/2017/05/223-uidai-cis-india-aadhaar/">Medianama</a> on May 19, 2017. Pranesh Prakash was quoted.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The UIDAI, the body which runs the Aadhaar project in India, has written to the Centre for Internet & Society suggesting that <a href="http://www.medianama.com/2017/05/223-aadhaar-numbers-data-leak/">their disclosure of the fact that the data of 130 million Aadhaar users is being publicly disclosed on the Internet</a> is owed to a hack-attack, <a href="http://timesofindia.indiatimes.com/india/provide-hacker-details-outfit-that-claimed-data-leak-told/articleshow/58725132.cms?from=mdr" rel="noopener noreferrer">reports the Times of India</a>. On being contacted by MediaNama, Pranesh Prakash, Policy Director at CIS told MediaNama that “We are waiting for an official copy of the letter, and once we receive it we will decide on our future course of action.” The UIDAI told MediaNama that they’ll get back to us, and declined to share a copy of the letter with MediaNama.</p>
<p><a class="external-link" href="http://www.medianama.com/2017/05/223-uidai-cis-india-aadhaar/">Read the full story on Medianama</a></p>
No publisher; Nikhil Pahwa; UIDAI, Aadhaar, Internet Governance, Privacy; 2017-05-20T10:46:36Z; News Item
UIDAI puts posers to CIS over Aadhaar data leak claim
http://editors.cis-india.org/internet-governance/news/financial-express-may-19-2017-pti-uidai-puts-posers-to-cis-over-aadhaar-data-leak-claim
<b>Aadhaar-issuing authority UIDAI has asked research firm Centre for Internet and Society (CIS) to explain its sensational claim that 13 crore Aadhaar numbers were "leaked" and provide details of servers where they are stored.</b>
<p style="text-align: justify; ">The article originally published by PTI was also <a class="external-link" href="http://www.financialexpress.com/economy/uidai-puts-posers-to-cis-over-aadhaar-data-leak-claim/675814/">published by the Financial Express</a> on May 19, 2017.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Aadhaar-issuing authority UIDAI has asked research firm Centre for Internet and Society (CIS) to explain its sensational claim that 13 crore Aadhaar numbers were “leaked” and provide details of servers where they are stored. In a precursor to initiating a probe into the matter, the Unique Identification Authority of India (UIDAI) also wants CIS to clarify just how much of such “sensitive data” are still with it or anyone else. The UIDAI — which has vehemently denied any breach of its database — shot off a letter to CIS yesterday asking for the details, including the servers where the downloaded “sensitive data” are residing and information about usage or sharing of such data.</p>
<p style="text-align: justify; ">Underscoring the importance of bringing to justice those involved in “hacking such sensitive information”, the UIDAI sought CIS’ “assistance” in this regard and has given it time till May 30 to revert on the issue. “Your report mentions 13 crore people’s data have been leaked. Please specify how much (of) this data have been downloaded by you or are in your possession, or in the possession of any other persons that you know,” the UIDAI said in its communication to CIS.</p>
<p style="text-align: justify; ">Interestingly, in what market watchers described as an apparent flip-flop, CIS has now clarified that there was no ‘leak’ or ‘breach’ of Aadhaar numbers, but rather ‘public disclosure’. Meanwhile, the UIDAI has quoted sections of the Information Technology Act, 2000, and the Aadhaar Act to emphasise that violation of the clauses is punishable with rigorous imprisonment of up to 10 years. “While your report suggests that there is a need to strengthen IT security of the government websites, it is also important that persons involved in hacking such sensitive information are brought to justice for which your assistance is required under the law,” it said.</p>
<p style="text-align: justify; ">The UIDAI has also sought technical details on how access was gained for the National Social Assistance Programme (NSAP) site — one of the four portals where the alleged leak happened. When contacted, UIDAI CEO Ajay Bhushan Pandey said, “We do not comment on individual matters.” The UIDAI has also asked for details of systems that were involved in downloading and storing of the sensitive data so that forensic examination of such machines can be conducted to assess the quantum and extent of damage to privacy of data.</p>
<p style="text-align: justify; ">The UIDAI letter comes after a CIS report early this month which claimed that Aadhaar numbers and personal information of as many as 135 million Indians could have been leaked from four government portals due to lack of IT security practices. “Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million,” the report had said.</p>
<p style="text-align: justify; ">However, in an apparent course correction on May 16, a day before the UIDAI’s letter went out, CIS updated its report and clarified that although the term ‘leak’ was originally used 22 times in its report, it is “best characterised as an illegal data disclosure or publication and not a breach or a leak”. CIS has also claimed that some of its findings were “misunderstood or misinterpreted” by the media, and that it never suggested that the biometric database had been breached. “We completely agree with both Dr Pandey (UIDAI CEO) and Sharma (Trai Chairman R S Sharma) that CIDR (Aadhaar central repository) has not been breached, nor is it suggested anywhere in the report,” CIS said in its latest update.</p>
No publisher; praskrishna; UIDAI, Aadhaar, Internet Governance, Privacy; 2017-05-19T09:28:33Z; News Item
135 million aadhaar details, 100 million bank accounts "leaked" from government websites: Researchers
http://editors.cis-india.org/internet-governance/news/counterview-may-5-2017-135-million-aadhaar-details-100-million
<b>This was published by Counterview on May 5, 2017.</b>
<p style="text-align: justify; ">A top <a href="http://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof-a-documentation-of-public-availability-of-aadhaar-numbers-with-sensitive-personal-financial-information/at_download/file" target="_blank">study</a> by the Centre for Internet and Society (CIS) has estimated that “estimated number of aadhaar numbers leaked” through top portals which handle aadhaar “could be around 130-135 million”. Worse, it says, the number of bank accounts numbers leaked would be “around 100 million”.</p>
<p style="text-align: justify; ">The study, carried out by researchers Amber Sinha and Srinivas Kodali, adds, “While these numbers are only from two major government programmes of pensions and rural employment schemes, other major schemes, who have also used aadhaar for direct bank transfer (DBT) could have leaked personally identifiable information (PII) similarly due to lack of information security practices.”</p>
<p style="text-align: justify; ">Pointing out that “over 23 crore beneficiaries have been brought under aadhaar programme for DBT”, the study, titled “Information Security Practices of Aadhaar (Or Lack Thereof)”, says, “Government schemes dashboard and portals demonstrate … dangers of ill-conceived data driven policies and transparency measures without proper consideration to data security measures.”</p>
<p style="text-align: justify; ">Claiming to have taken a closer look at the databases of publicly available portals, the researchers identify four of them from a pool of other government websites for examination:</p>
<div style="text-align: justify; "><ol style="text-align: left; ">
<li><a href="http://164.100.129.6/netnrega/MISreport4.aspx?fin_year=2013-2014&rpt=RP">http://164.100.129.6/netnrega/MISreport4.aspx?fin_year=2013-2014&rpt=RP</a> </li>
<li><a href="http://nsap.nic.in/">http://nsap.nic.in/</a> </li>
<li><a href="http://chandrannabima.ap.gov.in/Dashboard/Reports.aspx">http://chandrannabima.ap.gov.in/Dashboard/Reports.aspx</a>, and </li>
<li><a href="http://www.nrega.ap.gov.in/Nregs/">http://www.nrega.ap.gov.in/Nregs/</a>. </li>
</ol>
<p>A welfare programme by the Ministry of Rural Development, the National Social Assistance Programme (NSAP) portal, while seeking to provide public assistance to its citizens in case of unemployment, old age, sickness and disablement, offers information about “job card number, bank account number, name, aadhaar number, account frozen status”, the researchers say.</p>
<p>Pointing out that “one of the url query parameters of website showing the masked personal details was modified from nologin to login”, they say, the “control access to login based pages were allowed providing unmasked details without the need for a password.”</p>
<p>In fact, they say, the Data Download Option feature “allows download of beneficiary details mentioned above such as Beneficiary No, Name, Father’s/Husband’s Name, Age, Gender, Bank or Post Office Account No for beneficiaries receiving disbursement via bank transfer and Aadhaar Numbers for each area, district and state.”<br />They add, “The NSAP portal lists 94,32,605 banks accounts linked with aadhaar numbers, and 14,98,919 post office accounts linked with aadhaar numbers. While the portal has 1,59,42,083 aadhaar numbers in total, not all of whom are linked to bank accounts.”</p>
<p>Also giving the example of the national rural job guarantee scheme, popularly called NREGA, the researchers say, its portal provides DBT reports containing “various sub-sections including one called ‘Dynamic Report on Worker Account Detail’,” with details like “Job card number, aadhaar number, bank/postal account number, number of days worked”, and so on.</p>
<p>“As per the NREGA portal, there were 78,74,315 post office accounts of individual workers seeded with aadhaar numbers, and 8,24,22,161 bank accounts of individual workers with aadhaar numbers. The total number of Aadhaar numbers stored by portal are at 10,96,41,502”, they add.</p>
<p>Providing similar instances from two other sources, the researchers insist, “The availability of large datasets of aadhaar numbers along with bank account numbers, phone numbers on the internet increases the risk of financial fraud.”</p>
<p>Underlining that “aadhaar data makes this process much easier for fraud and increases the risk around transactions”, they say, “In the US, the ease of getting Social Security Numbers from public databases has resulted in numerous cases of identity theft. These risks increase multifold in India due to the proliferation of aadhaar numbers and other related data available.”</p>
<p>Click to read the original published by <a class="external-link" href="http://www.counterview.net/2017/05/135-million-aadhaar-details-100-million.html">Counterview</a> on May 5, 2017.</p>
</div>
No publisher; praskrishna; UIDAI, Aadhaar, Internet Governance, Privacy; 2017-05-20T06:19:12Z; News Item
Aadhaar data leaks not from UIDAI: Centre
http://editors.cis-india.org/internet-governance/news/hindu-krishnadas-rajagopal-may-3-2017-aadhaar-data-leaks-not-from-uidai
<b>Aadhaar is foolproof, it tells SC </b>
<p style="text-align: justify; ">The article by Krishnadas Rajagopal was <a class="external-link" href="http://www.thehindu.com/news/national/aadhaar-data-leaks-not-from-uidai-centre/article18379074.ece">published in the Hindu</a> on May 3, 2017.</p>
<hr />
<p style="text-align: justify; ">Leaks of Aadhaar card details are not from the UIDAI, but at the State level, the Union government told the Supreme Court on Wednesday.<br /><br />“As of today, Aadhaar is foolproof. Biometric technology is the best system in 2016. There has not been a single leak from the UIDAI. The leaks of details may have been from the States... their offices and agencies,” advocate Arghya Sengupta, counsel for the Centre, submitted in the court.<br /><br />The Centre’s clarification comes in the midst of reports that data of over 130 million Aadhaar cardholders have been leaked from four government websites.<br /><br />Reports, based on a study conducted by the Centre for Internet and Society (CIS), a Bengaluru-based organisation, said Aadhaar numbers, names and other personal details of people have been leaked.<br /><br />The Centre was washing its hands of the alleged leaks for the second consecutive day in the Supreme Court.<br /><b><br />A-G’s assurance</b><br /><br />On Tuesday, Attorney-General Mukul Rohatgi had emphatically assured the Supreme Court that biometrics of Aadhaar cardholders were safe and had not fallen into other hands. He said the biometric details were kept in a central database run by the Centre.<br /><br /></p>
No publisher; praskrishna; UID, Privacy, Internet Governance, UIDAI, Aadhaar; 2017-05-20T08:27:28Z; News Item
Analysis of Key Provisions of the Aadhaar Act Regulations
http://editors.cis-india.org/internet-governance/blog/analysis-of-key-provisions-of-aadhaar-act-regulations
<b>In exercise of the powers conferred by the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act), the UIDAI came out with a set of five regulations in late 2016. In this policy brief, we look at the five regulations and their key provisions, and point out the unresolved, unaddressed, and newly created issues that result from these regulations.</b>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">This blog post was edited by Elonnai Hickok</p>
<hr style="text-align: justify; " />
<h3 style="text-align: justify; ">Introduction</h3>
<p style="text-align: justify; ">At the outset it is important to note that a concerning feature of these regulations is that they intend to govern the processes of a body which has been in existence for over six years, and has engaged in all the activities sought to be governed by these policies at a massive scale, considering the claims of over one billion Aadhaar number holders. However, the regulations do not acknowledge this fact, let alone address past processes, practices, enrollments, authentications, use of technology etc., and there are no provisions that effectively address the past operations of the UIDAI. Below is an analysis of the five regulations issued thus far by the UIDAI.</p>
<h3 style="text-align: justify; ">Unique Identification Authority of India (Transactions of Business at Meetings of the Authority) Regulations<a href="#_ftn1" name="_ftnref1"><sup><sup>[1]</sup></sup></a></h3>
<p style="text-align: justify; ">These regulations framed under clause (h) of sub-section (2) of section 54 read with sub-section (1) of section 19 of the Aadhaar Act, deal with the meetings of the UIDAI, the process following up to each meeting, and the manner in which all meetings are to be conducted.</p>
<h4 style="text-align: justify; ">Provision: Sub-Regulation 3.</h4>
<p style="text-align: justify; ">Meetings of the Authority– (1) There shall be no less than three meetings of the Authority in a financial year on such dates and at such places as the Chairperson may direct and the interval between any two meetings shall not in any case, be longer than five months</p>
<h5 style="text-align: justify; ">Observations:</h5>
<p style="text-align: justify; ">The number of times that UIDAI would meet in a year is far too few, taking into account the significance of the responsibilities of UIDAI as the sole body for policy making for all issues related to Aadhaar. In contrast, the Telecom Regulatory Authority of India is required to meet at least once a month. Other bodies such as SEBI and IRDAI are also required to meet at least four times<a href="#_ftn2" name="_ftnref2"><sup><sup>[2]</sup></sup></a> and six times<a href="#_ftn3" name="_ftnref3"><sup><sup>[3]</sup></sup></a> in a year respectively.</p>
<h4 style="text-align: justify; ">Provision: Sub-Regulation 8 (5)</h4>
<p style="text-align: justify; ">Decisions taken at every meeting of the Authority shall be published on the website of Authority unless the Chairperson determines otherwise on grounds of ensuring confidentiality.</p>
<h5 style="text-align: justify; ">Observations:</h5>
<p style="text-align: justify; ">The Chairperson has the power to determine withholding publication of the decisions of the meeting on the broad grounds of ‘confidentiality’. Given the fact that the decisions taken by UIDAI as a public body can have very real implications for the rights of residents, the ground of confidentiality is not sufficient to warrant withholding publication. It is curious that instead of referring to the clearly defined exceptions laid down in other similar provisions such as the exceptions in Section 8 of the Right to Information Act, 2005, the rules merely refer to vague and undefined criteria of ‘confidentiality’.</p>
<h4 style="text-align: justify; ">Provision: Sub-Regulation 14 (4)</h4>
<p style="text-align: justify; ">Members of the Authority and invitees shall sign an initial Declaration at the first meeting of the Authority for maintaining the confidentiality of the business transacted at meetings of the Authority in Schedule II.</p>
<h5 style="text-align: justify; ">Observations:</h5>
<p style="text-align: justify; ">The above provision, combined with the fact that there is no provision regarding publication of the minutes of the meetings of UIDAI, raises serious questions about the transparency of its functioning.</p>
<h3 style="text-align: justify; ">Unique Identification Authority of India (Enrolment and Update) Regulations<a href="#_ftn4" name="_ftnref4"><sup><sup>[4]</sup></sup></a></h3>
<p style="text-align: justify; ">These regulations, framed under sub-section (1), and sub-clauses (a), (b), (d), (e), (j), (k), (l), (n), (r), (s), and (v) of sub-section (2), of Section 54 of the Aadhaar Act, deal with the enrolment process, the generation of an Aadhaar number and updation of information, and govern the conduct of enrolment agencies and associated third parties.</p>
<h4 style="text-align: justify; ">Provisions:</h4>
<p style="text-align: justify; ">Sub-Regulation 8 (2), (3) and (4)</p>
<p style="text-align: justify; ">The standard enrolment/update software shall have the security features as may be specified by the Authority for this purpose.</p>
<p style="text-align: justify; ">All equipment used in enrolment, such as computers, printers, biometric devices and other accessories shall be as per the specifications issued by the Authority for this purpose.</p>
<p style="text-align: justify; ">The biometric devices used for enrolment shall meet the specifications, and shall be certified as per the procedure, as may be specified by the Authority for this purpose.</p>
<p style="text-align: justify; ">Sub-Regulation 3 (2)</p>
<p style="text-align: justify; ">The standards for collecting the biometric information shall be as specified by the Authority for this purpose.</p>
<p style="text-align: justify; ">Sub-Regulation 4 (5)</p>
<p style="text-align: justify; ">The standards of the above demographic information shall be as may be specified by the Authority for this purpose.</p>
<p style="text-align: justify; ">Sub-Regulation 6 (2)</p>
<p style="text-align: justify; ">For residents who are unable to provide any biometric information contemplated by these regulations, the Authority shall provide for handling of such exceptions in the enrolment and update software, and such enrolment shall be carried out as per the procedure as may be specified by the Authority for this purpose.</p>
<p style="text-align: justify; ">Sub-Regulation 14 (2)</p>
<p style="text-align: justify; ">In case of rejection due to duplicate enrolment, resident may be informed about the enrolment against which his Aadhaar number has been generated in the manner as may be specified by the Authority.</p>
<h5 style="text-align: justify; ">Observations:</h5>
<p style="text-align: justify; ">Though in February 2017, the UIDAI published technical specifications for registered devices<a href="#_ftn5" name="_ftnref5"><sup><sup>[5]</sup></sup></a>, the regulations leave unaddressed issues such as lack of appropriately defined security safeguards in the Aadhaar. There is a general trend of continued deferrals in the regulations, which state that matters would be specified later on important aspects such as rejection of applications, uploading of the enrolment packet to the CIDR, the procedure for enrolling residents with biometric exceptions, the procedure for informing residents about acceptance/rejection of enrolment application, specifying the convenience fee for updation of residents’ information, the procedure for authenticating individuals across services etc. There is a clear failure to exercise the mandate delegated to UIDAI, leaving key matters to be determined at a future unspecified date. The delay and ambiguity around when regulations will be defined is all the more problematic in light of the fact that the project has been implemented since 2010 and the Aadhaar number is now mandatory for availing a number of services.</p>
<p style="text-align: justify; ">Further, it is important to note that a number of policies put out by the UIDAI predate these regulations, and the regulations are completely silent on them, thus neither endorsing previous policies nor suggesting that they may be revisited. The regulations also choose not to engage with the question of the operation of the Aadhaar project, enrolment and storage of data etc. prior to the notification of these regulations, or the policies which these regulations may regularise. For instance, the regulations do not specify any measures to deal with issues arising out of enrolment devices used prior to the development of the February 2017 specifications.</p>
<h4 style="text-align: justify; ">Provision: Sub-Regulation 32</h4>
<p style="text-align: justify; ">The Authority shall set up a contact centre to act as a central point of contact for resolution of queries and grievances of residents, accessible to residents through toll free number(s) and/ or e-mail, as may be specified by the Authority for this purpose.</p>
<p style="text-align: justify; ">(2) The contact centre shall:</p>
<ol style="text-align: justify; ">
<li>Provide a mechanism to log queries or grievances and provide residents with a unique reference number for further tracking till closure of the matter;</li>
<li>Provide regional language support to the extent possible;</li>
<li>Ensure safety of any information received from residents in relation to their identity information;</li>
<li>Comply with the procedures and processes as may be specified by the Authority for this purpose.</li>
</ol>
<p style="text-align: justify; ">(3) Residents may also raise grievances by visiting the regional offices of the Authority or through any other officers or channels as may be specified by the Authority.</p>
<h5 style="text-align: justify; ">Observations:</h5>
<p style="text-align: justify; ">While the setting up of a grievance redressal mechanism under the regulations is a welcome move, there is little clarity about the procedure to be followed, nor is a timeline for it specified. The chapter on grievance redressal is in fact one of the shortest chapters in the regulations. The only provision in this chapter deals with the setting up of a contact centre, a curious choice of term for what is supposed to be the primary quasi-judicial grievance redressal body for the Aadhaar project. In line with the indifferent and insouciant terminology of ‘contact centre’, the chapter is restricted to the logging of queries and grievances by the contact centre, and does not address the matter of procedure or timelines, or even the substantive provisions about the nature of redress available. Furthermore, the obligation on the contact centre to protect information received is limited to ‘ensuring safety’, an ambiguous standard that does not speak to any other standards in Indian law.</p>
<h3 style="text-align: justify; ">Aadhaar (Authentication) Regulations, 2016<a href="#_ftn6" name="_ftnref6"><sup><sup>[6]</sup></sup></a></h3>
<p style="text-align: justify; ">These regulations, framed under sub-section (1), and sub-clauses (f) and (w) of sub-section (2) of Section 54 of the Aadhaar Act, deal with the authentication framework for Aadhaar numbers, the governance of authentication agencies, and the procedure for collection and storage of authentication data and records.</p>
<h4 style="text-align: justify; ">Provisions:</h4>
<p style="text-align: justify; ">Sub-Regulation 5 (1)</p>
<p style="text-align: justify; ">At the time of authentication, a requesting entity shall inform the Aadhaar number holder of the following details:—</p>
<p style="text-align: justify; ">(a) the nature of information that will be shared by the Authority upon authentication;</p>
<p style="text-align: justify; ">(b) the uses to which the information received during authentication may be put; and</p>
<p style="text-align: justify; ">(c) alternatives to submission of identity information</p>
<p style="text-align: justify; ">Sub-Regulation 6 (2)</p>
<p style="text-align: justify; ">A requesting entity shall obtain the consent referred to in sub-regulation (1) above in physical or preferably in electronic form and maintain logs or records of the consent obtained in the manner and form as may be specified by the Authority for this purpose.</p>
<h5 style="text-align: justify; ">Observations:</h5>
<p style="text-align: justify; ">Sub-regulation 5 mentions that at the time of authentication, requesting entities shall inform the Aadhaar number holder of alternatives to submission of identity information for the purpose of authentication. Similarly, sub-regulation 6 mentions that a requesting entity shall obtain the consent of the Aadhaar number holder for the authentication. However, in neither of the above circumstances do the regulations specify the clearly defined options that must be made available to the Aadhaar number holder in case they do not wish to submit identity information, nor do the regulations specify the procedure to be followed in case the Aadhaar number holder does not provide consent.</p>
<p style="text-align: justify; ">Most significantly, this provision does little by way of allaying the fears raised by the language in Section 8 (4) of the Aadhaar Act which states that UIDAI “shall respond to an authentication query with a positive, negative or any other appropriate response sharing such identity information.” This section gives a very wide discretion to UIDAI to share personal identity information with third parties, and the regulations do not temper or qualify this power in any way.</p>
<h4 style="text-align: justify; ">Sub-Regulation 11 (1) and (4)</h4>
<p style="text-align: justify; ">The Authority may enable an Aadhaar number holder to permanently lock his biometrics and temporarily unlock it when needed for biometric authentication.</p>
<p style="text-align: justify; ">The Authority may make provisions for Aadhaar number holders to remove such permanent locks at any point in a secure manner.</p>
<h5 style="text-align: justify; ">Observations:</h5>
<p style="text-align: justify; ">A welcome provision in the regulation is that of biometric locking, which allows Aadhaar number holders to permanently lock their biometrics and temporarily unlock them only when needed for biometric authentication. However, in the same breath, the regulation also provides for the UIDAI to make provisions to remove such locking without any specified grounds for doing so.</p>
<h4 style="text-align: justify; ">Provision: Sub-Regulation 18 (2), (3) and (4)</h4>
<p style="text-align: justify; ">The logs of authentication transactions shall be maintained by the requesting entity for a period of 2 (two) years, during which period an Aadhaar number holder shall have the right to access such logs, in accordance with the procedure as may be specified.</p>
<p style="text-align: justify; ">Upon expiry of the period specified in sub-regulation (2), the logs shall be archived for a period of five years or the number of years as required by the laws or regulations governing the entity, whichever is later, and upon expiry of the said period, the logs shall be deleted except those records required to be retained by a court or required to be retained for any pending disputes.</p>
<p style="text-align: justify; ">The requesting entity shall not share the authentication logs with any person other than the concerned Aadhaar number holder upon his request or for grievance redressal and resolution of disputes or with the Authority for audit purposes. The authentication logs shall not be used for any purpose other than stated in this sub-regulation.</p>
<h5 style="text-align: justify; ">Observations:</h5>
<p style="text-align: justify; ">While it is specified that the authentication logs collected by the requesting entities shall not be shared with any person other than the concerned Aadhaar number holder upon their request or for grievance redressal and resolution of disputes or with the Authority for audit purposes, and that the authentication logs may not be used for any other purpose, the maintenance of the logs for a period of seven years seems excessive. Similarly, the UIDAI is also supposed to store authentication transaction data for over five years. This is in violation of the widely recognized data minimisation principle, which requires that data collectors and data processors delete personal data records when the purpose for which they have been collected is fulfilled. While retention of data for audit and dispute-resolution purposes is legitimate, the lack of specification of security standards, the overall lack of transparency and the inadequate grievance redressal mechanism greatly exacerbate the risks associated with data retention.</p>
<h3 style="text-align: justify; ">Aadhaar (Sharing of Information) Regulations, 2016 and Aadhaar (Data security) Regulations, 2016<a href="#_ftn7" name="_ftnref7"><sup><sup>[7]</sup></sup></a></h3>
<p style="text-align: justify; ">Framed under the powers conferred by sub-section (1), and sub-clause (o) of sub-section (2), of Section 54 read with sub-clause (k) of sub-section (2) of Section 23, and sub-sections (2) and (4) of Section 29, of the Aadhaar Act, the Sharing of Information regulations look at the restrictions on sharing of identity information collected by the UIDAI and requesting entities. The Data Security regulation, framed under powers conferred by clause (p) of subsection (2) of section 54 of the Aadhaar Act, looks at security obligations of all service providers engaged by the UIDAI.</p>
<h4 style="text-align: justify; ">Provision: Sub-Regulation 6 (1)</h4>
<p style="text-align: justify; ">All agencies, consultants, advisors and other service providers engaged by the Authority, and ecosystem partners such as registrars, requesting entities, Authentication User Agencies and Authentication Service Agencies shall get their operations audited by an information systems auditor certified by a recognised body under the Information Technology Act, 2000 and furnish certified audit reports to the Authority, upon request or at time periods specified by the Authority.</p>
<h5 style="text-align: justify; ">Observations:</h5>
<p style="text-align: justify; ">The regulation states that audits shall be conducted by an information systems auditor certified by a recognised body under the Information Technology Act, 2000. However, there is no such certifying body under the Information Technology Act. This suggests a lack of diligence in framing the rules, and will inevitably lead to inordinate delays, or alternately, a lack of a clear procedure in the appointment of an auditor. Further, instead of prescribing a regular and proactive process of audits, the regulation only limits audits to when requested or as deemed appropriate by UIDAI. This is another in a line of many provisions whose implication is power being concentrated in the hands of UIDAI, with little scope for accountability and transparency.</p>
<h3 style="text-align: justify; ">Conclusion</h3>
<p style="text-align: justify; ">In conclusion, it must be stated that the regulations promulgated by the UIDAI leave a lot to be desired. Some of the most important issues raised against the Aadhaar Act, which were delegated to the UIDAI’s rule-making powers, have not been addressed at all. Some of the most important issues such as data security policies, right to access records of Aadhaar number holders, procedure to be followed by the grievance redressal bodies, uploading of the enrolment packet to the CIDR, procedure for enrolling residents with biometric exceptions, and procedure for informing residents about acceptance/rejection of enrolment application have been left unaddressed and ‘may be specified’ at a later date. These failures leave a gaping hole, especially in light of the absence of a comprehensive data protection legislation in India, as well as the speed and haste with which the enrolment and seeding have been done by the UIDAI, and the number of services, both private and public, which are using or planning to use the Aadhaar number and the authentication process as a primary identifier for residents.</p>
<p style="text-align: justify; "><a href="#_ftnref1" name="_ftn1"><sup><sup>[1]</sup></sup></a> Available at <a href="https://uidai.gov.in/legal-framework/acts/regulations.html">https://uidai.gov.in/legal-framework/acts/regulations.html</a></p>
<p style="text-align: justify; "><a href="#_ftnref2" name="_ftn2"><sup><sup>[2]</sup></sup></a> <a href="https://www.irda.gov.in/ADMINCMS/cms/frmGeneral_Layout.aspx?page=PageNo62&flag=1">https://www.irda.gov.in/ADMINCMS/cms/frmGeneral_Layout.aspx?page=PageNo62&flag=1</a></p>
<p style="text-align: justify; "><a href="#_ftnref3" name="_ftn3"><sup><sup>[3]</sup></sup></a> <a href="http://www.sebi.gov.in/acts/boardregu.html">http://www.sebi.gov.in/acts/boardregu.html</a></p>
<p style="text-align: justify; "><a href="#_ftnref4" name="_ftn4"><sup><sup>[4]</sup></sup></a> Available at <a href="https://uidai.gov.in/legal-framework/acts/regulations.html">https://uidai.gov.in/legal-framework/acts/regulations.html</a></p>
<p style="text-align: justify; "><a href="#_ftnref5" name="_ftn5"><sup><sup>[5]</sup></sup></a> Available at: https://uidai.gov.in/images/resource/aadhaar_registered_devices_2_0_09112016.pdf</p>
<p style="text-align: justify; "><a href="#_ftnref6" name="_ftn6"><sup><sup>[6]</sup></sup></a> Available at <a href="https://uidai.gov.in/legal-framework/acts/regulations.html">https://uidai.gov.in/legal-framework/acts/regulations.html</a></p>
<p style="text-align: justify; "><a href="#_ftnref7" name="_ftn7"><sup><sup>[7]</sup></sup></a> Available at <a href="https://uidai.gov.in/legal-framework/acts/regulations.html">https://uidai.gov.in/legal-framework/acts/regulations.html</a></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/analysis-of-key-provisions-of-aadhaar-act-regulations'>http://editors.cis-india.org/internet-governance/blog/analysis-of-key-provisions-of-aadhaar-act-regulations</a>
</p>
No publisher | amber | UID, Privacy, Internet Governance, UIDAI, Biometrics, Aadhaar | 2017-04-03T14:05:01Z | Blog Entry