The Centre for Internet and Society
http://editors.cis-india.org
Report on Understanding Aadhaar and its New Challenges
http://editors.cis-india.org/internet-governance/blog/report-on-understanding-aadhaar-and-its-new-challenges
<b>The Trans-disciplinary Research Cluster on Sustainability Studies at Jawaharlal Nehru University collaborated with the Centre for Internet and Society, and other individuals and organisations to organise a two day workshop on “Understanding Aadhaar and its New Challenges” at the Centre for Studies in Science Policy, JNU on May 26 and 27, 2016. The objective of the workshop was to bring together experts from various fields, who have been rigorously following the developments in the Unique Identification (UID) Project and align their perspectives and develop a shared understanding of the status of the UID Project and its impact. Through this exercise, it was also sought to develop a plan of action to address the welfare exclusion issues that have arisen due to implementation of the UID Project.</b>
<h4>Report: <a href="http://editors.cis-india.org/internet-governance/files/report-on-understanding-aadhaar-and-its-new-challenges/at_download/file">Download</a> (PDF)</h4>
<hr />
<p style="text-align: justify;">This Report is a compilation of the observations made by participants at the workshop relating to myriad issues under the UID Project and various strategies that could be pursued to address these issues. In this Report we have classified the observations and discussions into the following themes:</p>
<p><strong>1.</strong> <a href="#1">Brief Background of the UID Project</a></p>
<p><strong>2.</strong> <a href="#2">Legal Status of the UIDAI Project</a></p>
<ul>
<li><a href="#21">Procedural issues with passage of the Act</a></li>
<li><a href="#22">Status of related litigation</a></li></ul>
<p><strong>3.</strong> <a href="#3">National Identity Projects in Other Jurisdictions</a></p>
<ul>
<li><a href="#31">Pakistan</a></li>
<li><a href="#32">United Kingdom</a></li>
<li><a href="#33">Estonia</a></li>
<li><a href="#34">France</a></li>
<li><a href="#35">Argentina</a></li></ul>
<p><strong>4.</strong> <a href="#4">Technologies of Identification and Authentication</a></p>
<ul>
<li><a href="#41">Use of Biometric Information for Identification and Authentication</a></li>
<li><a href="#42">Architectures of Identification</a></li>
<li><a href="#43">Security Infrastructure of CIDR</a></li></ul>
<p><strong>5.</strong> <a href="#5">Aadhaar for Welfare?</a></p>
<ul>
<li><a href="#51">Social Welfare: Modes of Access and Exclusion</a></li>
<li><a href="#52">Financial Inclusion and Direct Benefits Transfer</a></li></ul>
<p><strong>6.</strong> <a href="#6">Surveillance and UIDAI</a></p>
<p><strong>7.</strong> <a href="#7">Strategies for Future Action</a></p>
<p><strong>Annexure A</strong> <a href="#AA">Workshop Agenda</a></p>
<p><strong>Annexure B</strong> <a href="#AB">Workshop Participants</a></p>
<hr />
<h3 id="1" style="text-align: justify;"><strong>1. Brief Background of the UID Project</strong></h3>
<p style="text-align: justify;">In the year 2009, the UIDAI was established and the UID project was conceived by the Planning Commission under the UPA government to provide unique identification for each resident in India and to be used for delivery of welfare government services in an efficient and transparent manner, along with using it as a tool to monitor government schemes. The objective of the scheme has been to issue a unique identification number by the Unique Identification Authority of India, which can be authenticated and verified online. It was conceptualized and implemented as a platform to facilitate identification and avoid fake identity issues and delivery of government benefits based on the demographic and biometric data available with the Authority.</p>
<p style="text-align: justify;">The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (the “<strong>Act</strong>”) was passed as a money bill on March 16, 2016 and was notified in the gazette on March 25, 2016 upon receiving the assent of the President. However, the enforceability date has not been mentioned, due to which the bill has not come into force.</p>
<p style="text-align: justify;">The Act provides that the Aadhaar number can be used to validate a person’s identity, but it cannot be used as a proof of citizenship. Also, the government can make it mandatory for a person to authenticate her/his identity using Aadhaar number before receiving any government subsidy, benefit, or service. At the time of enrolment, the enrolling agency is required to provide notice to the individual regarding how the information will be used, the type of entities the information will be shared with and their right to access their information. Consent of an individual would be obtained for using his/her identity information during enrolment as well as authentication, and the individual would be informed of the nature of information that may be shared. The Act clearly lays down that the identity information of a resident shall not be used for any purpose other than that specified at the time of authentication, and that disclosure of information can be made only pursuant to an order of a court not inferior to that of a District Judge and/or disclosure made in the interest of national security.</p>
<h3 id="2" style="text-align: justify;"><strong>2. Legal Status of the UIDAI Project</strong></h3>
<p style="text-align: justify;">In this section, we have summarised the discussions on the procedural issues with the passage of the Act. The participants had criticised the passage of the Act as a money bill in the Parliament. The participants also assessed the litigation pending in the Supreme Court of India that would be affected by this law. These discussions took place in the session titled, ‘Current Status of Aadhaar’ and have been summarised below.</p>
<h3 id="21" style="text-align: justify;">Procedural Issues with Passage of the Act</h3>
<p style="text-align: justify;">The participants contested the introduction of the Act in the form of a money bill. The rationale behind this was explained at the session and is briefly explained here. Article 110 (1) of the Constitution of India defines a money bill as one containing provisions only regarding the matters enumerated or any matters incidental to the following: a) imposition, regulation and abolition of any tax, b) borrowing or other financial obligations of the Government of India, c) custody, withdrawal from or payment into the Consolidated Fund of India (CFI) or Contingent Fund of India, d) appropriation of money out of CFI, e) expenditure charged on the CFI or f) receipt or custody or audit of money into CFI or public account of India. The Act makes references to benefits, subsidies and services which are funded by the Consolidated Fund of India (CFI); however, the main objective of the Act is to create a right to obtain a unique identification number and provide for a statutory mechanism to regulate this process. The Act only establishes an identification mechanism which facilitates distribution of benefits and subsidies funded by the CFI and this identification mechanism (Aadhaar number) does not give it the character of a money bill. Further, money bills can be introduced only in the Lok Sabha, and the Rajya Sabha cannot make amendments to such bills passed by the Lok Sabha. The Rajya Sabha can suggest amendments, but it is the Lok Sabha’s choice to accept or reject them. This leaves the Rajya Sabha with no effective role to play in the passage of the bill.</p>
<p style="text-align: justify;">The participants also briefly examined the writ petition that has been filed by former Union minister Jairam Ramesh challenging the constitutionality and legality of the treatment of this Act as a money bill which has raised the question of judiciary’s power to review the decisions of the speaker. Article 122 of the Constitution of India provides that this power of judicial review can be exercised to look into procedural irregularities. The question remains whether the Supreme Court will rule that it can determine the constitutionality of the decision made by the speaker relating to the manner in which the Act was introduced in the Lok Sabha. A few participants mentioned that similar circumstances had arisen in the case of Mohd. Saeed Siddiqui v. State of U.P. <a href="#ftn1">[1]</a>, where the Supreme Court refused to interfere with the decision of the Uttar Pradesh legislative assembly speaker certifying an amendment bill to increase the tenure of the Lokayukta as a money bill, despite the fact that the bill amended the Uttar Pradesh Lokayukta and Up-Lokayuktas Act, 1975, which was passed as an ordinary bill by both houses. The Court in this case held that the decision of the speaker was final and that the proceedings of the legislature being important legislative privilege could not be inquired into by courts. The Court added, “the question whether a bill is a money bill or not can be raised only in the state legislative assembly by a member thereof when the bill is pending in the state legislature and before it becomes an Act.”</p>
<p style="text-align: justify;">However, it is necessary to carve a distinction between the Rajya Sabha and the State Legislature. Unlike the State Legislature, the constitution of the Rajya Sabha is not optional; therefore the significance of the two bodies in the parliamentary process cannot be considered the same. Participants also made another significant observation about a similar bill on the UID project (National Identification Authority of India (NIDAI) Bill) that was introduced before by the UPA government in 2010 and was deemed unacceptable by the standing committee on finance, headed by Yashwant Sinha. This bill was subsequently withdrawn.</p>
<h3 id="22" style="text-align: justify;">Status of Related Litigation</h3>
<p style="text-align: justify;">A panellist in this session briefly summarised all the litigation that was related to or would be affected by the Act. The panellist also highlighted several Supreme Court orders in the case of <em>KS Puttaswamy v. Union of India</em> <a href="#ftn2">[2]</a> which limited the use of Aadhaar. We have reproduced the presentation below.</p>
<ul>
<li style="text-align: justify;"><em>KS Puttaswamy v. Union of India</em> - This petition was filed in 2012 with a primary concern about providing Aadhaar numbers to illegal immigrants in India. It was contended that this could not be done without a law establishing the UIDAI and amendment to the Citizenship laws. The petitioner raised concerns about privacy and fallibility of biometrics.</li>
<li style="text-align: justify;">Sudhir Vombatkere & Bezwada Wilson <a href="#ftn3">[3]</a> - This petition was filed in 2013 on grounds of infringement of right to privacy guaranteed under Article 21 of the Constitution of India and the security threat on account of data convergence.</li>
<li style="text-align: justify;">Aruna Roy & Nikhil Dey <a href="#ftn4">[4]</a> - This petition was filed in 2013 on the grounds of large scale exclusion of people from access to basic welfare services caused by UID. After their petition, a number of intervention applications were filed. These were the following:</li>
<li style="text-align: justify;">Col. Mathew Thomas <a href="#ftn5">[5]</a> - This petition was filed on the grounds of threat to national security posed by the UID project particularly in relation to arrangements for data sharing with foreign companies (with links to foreign intelligence agencies).</li>
<li style="text-align: justify;">Nagrik Chetna Manch <a href="#ftn6">[6]</a> - This petition was filed in 2013 and led by Dr. Anupam Saraph on the grounds that the UID project was detrimental to financial service regulation and financial <em>inclusion.</em></li>
<li style="text-align: justify;">S. Raju <a href="#ftn7">[7]</a> - This petition was filed on the grounds that the UID project had implications on the federal structure of the State and was detrimental to financial inclusion.</li>
<li style="text-align: justify;"><em>Beghar Foundation</em> - This petition was filed in 2013 in the Delhi High Court on the grounds of invasion of privacy and exclusion specifically in relation to the homeless. It subsequently joined the petition filed by Aruna Roy and Nikhil Dey as an intervener.</li>
<li style="text-align: justify;">Vickram Crishna – This petition was originally filed in the Bombay High Court in 2013 on the grounds of surveillance and invasion of privacy. It was later transferred to the Supreme Court.</li>
<li style="text-align: justify;">Somasekhar – This petition was filed on the grounds of procedural unreasonableness of the UID project and also exclusion & privacy. The petitioner later intervened in the petition filed by Aruna Roy and Nikhil Dey in 2013.</li>
<li style="text-align: justify;">Rajeev Chandrashekhar – This petition was filed on the ground of lack of legal sanction for the UID project. He later intervened in the petition filed by Aruna Roy and Nikhil Dey in 2013. His position has changed now.</li>
<li style="text-align: justify;">Further, a petition was filed by Mr. Jairam Ramesh initially challenging the passage of the Act as a money bill but subsequently, it has been amended to include issues of violation of right to privacy and exclusion of the poor and has advocated for five amendments that were suggested to the Aadhaar Bill by the Rajya Sabha.</li></ul>
<h3 id="23" style="text-align: justify;">Relevant Orders of the Supreme Court</h3>
<p>There are six orders of the Supreme Court which are noteworthy.</p>
<ul>
<li style="text-align: justify;">Order of Sept. 23, 2013 - The Supreme Court directed that: 1) no person shall suffer for not having an aadhaar number despite the fact that a circular by an authority makes it mandatory; 2) it should be checked if a person applying for aadhaar number voluntarily is entitled to it under the law; and 3) precaution should be taken that it is not issued to illegal immigrants.</li>
<li style="text-align: justify;">Order of 26th November, 2013 – Applications were filed by UIDAI, Ministry of Petroleum & Natural Gas, Govt of India, Indian Oil Corporation, BPCL and HPCL for modifying the September 23rd order and sought permission from the Supreme Court to make aadhaar number mandatory. The Supreme Court held that the order of September 23rd would continue to be effective.</li>
<li style="text-align: justify;">Order of 24th March, 2014 – This order was passed by the Supreme Court in a special leave petition filed in the case of <em>UIDAI v CBI</em> <a href="#ftn8">[8]</a> wherein UIDAI was asked to share biometric information of all residents of a particular place in Goa to facilitate a criminal investigation involving charges of rape and sexual assault. The Supreme Court restrained UIDAI from transferring any biometric information of an individual to any other agency without his consent in writing. The Supreme Court also directed all the authorities to modify their forms/circulars/likes so as to not make aadhaar number mandatory.</li>
<li style="text-align: justify;">Order of 16th March, 2015 - The SC took notice of widespread violations of the order passed on September 23rd, 2013 and directed the Centre and the states to adhere to these orders to not make aadhaar compulsory.</li>
<li style="text-align: justify;">Orders of August 11, 2015 – In the first order, the Central Government was directed to publicise the fact that aadhaar was voluntary. The Supreme Court further held that provision of benefits due to a citizen of India would not be made conditional upon obtaining an aadhaar number and restricted the use of aadhaar to the PDS Scheme and in particular for the purpose of distribution of foodgrains, etc. and cooking fuel, such as kerosene and the LPG Distribution Scheme. The Supreme Court also held that information of an individual that was collected in order to issue an aadhaar number would not be used for any purpose except when directed by the Court for criminal investigations. Separately, the status of fundamental right to privacy was contested and accordingly the Supreme Court directed that the issue be taken up before the Chief Justice of India.</li>
<li style="text-align: justify;">Orders of October 16, 2015 – The Union of India, the states of Gujarat, Maharashtra, Himachal Pradesh and Rajasthan, and authorities including SEBI, TRAI, CBDT, IRDA, RBI applied for a hearing before the Constitution Bench for modification of the order passed by the Supreme Court on August 11 and to allow use of the aadhaar number for schemes like the Mahatma Gandhi National Rural Employment Guarantee Scheme (MGNREGS), National Social Assistance Programme (Old Age Pensions, Widow Pensions, Disability Pensions), Prime Minister's Jan Dhan Yojana (PMJDY) and Employees' Provident Fund Organisation (EPFO). The Bench allowed the use of aadhaar number for these schemes but stressed upon the need to keep aadhaar scheme voluntary until the matter was finally decided.</li></ul>
<p style="text-align: justify;">Status of these orders<br />The participants discussed the possible impact of the law on the operation of these orders. A participant pointed out that matters in the Supreme Court had not become infructuous because fundamental issues that were being heard in the Supreme Court had not been resolved by the passage of the Act. Several participants believed that the aforementioned orders were effective because the law had not come into force. Therefore, aadhaar number could only be used for purposes specified by the Supreme Court and it could not be made mandatory. Participants also highlighted that when the Act was implemented, it would not nullify the orders of the Supreme Court unless Union of India asked the Supreme Court for it specifically and the Supreme Court sanctioned that.</p>
<h3 id="3" style="text-align: justify;"><strong>3. National Identity Projects in Other Jurisdictions</strong></h3>
<p style="text-align: justify;">A panellist had provided a brief overview of similar programs on identification that have been launched in other jurisdictions including Pakistan, United Kingdom, France, Estonia and Argentina in the recent past in the session titled ‘Aadhaar - International Dimensions’. This presentation mainly sought to assess the incentives that drove the governments in these jurisdictions to formulate these projects, mandatory nature of their adoption and their popularity. The Report has reproduced the presentation here.</p>
<h3 id="31" style="text-align: justify;">Pakistan</h3>
<p style="text-align: justify;">The Second Amendment to the Constitution of Pakistan in 2000 established the National Database and Regulation Authority in the country, which regulates government databases and statistically manages the sensitive registration database of the citizens of Pakistan. It is also responsible for issuing national identity cards to the citizens of Pakistan. Although the card is not legally compulsory for a Pakistani citizen, it is mandatory for:</p>
<ul>
<li>Voting</li>
<li>Obtaining a passport</li>
<li>Purchasing vehicles and land</li>
<li>Obtaining a driver licence</li>
<li>Purchasing a plane or train ticket</li>
<li>Obtaining a mobile phone SIM card</li>
<li>Obtaining electricity, gas, and water</li>
<li>Securing admission to college and other post-graduate institutes</li>
<li>Conducting major financial transactions</li></ul>
<p style="text-align: justify;">Therefore, it is pretty much necessary for basic civic life in the country. In 2012, NADRA introduced the Smart National Identity Card, an electronic identity card, which implements 36 security features. The following information can be found on the card and subsequently the central database: Legal Name, Gender (male, female, or transgender), Father's name (Husband's name for married females), Identification Mark, Date of Birth, National Identity Card Number, Family Tree ID Number, Current Address, Permanent Address, Date of Issue, Date of Expiry, Signature, Photo, and Fingerprint (Thumbprint). NADRA also records the applicant's religion, but this is not noted on the card itself. (This system has not been removed yet and is still operational in Pakistan.)</p>
<h3 id="32" style="text-align: justify;">United Kingdom</h3>
<p style="text-align: justify;">The Identity Cards Act was introduced in the wake of the terrorist attacks on 11th September, 2001, amidst rising concerns about identity theft and the misuse of public services. The card was to be used to obtain social security services, but the ability to properly identify a person to their true identity was central to the proposal, with wider implications for prevention of crime and terrorism. The cards were linked to a central database (the National Identity Register), which would store information about all of the holders of the cards. The concerns raised by human rights lawyers, activists, security professionals and IT experts, as well as politicians were not to do with the cards as much as with the NIR. The Act specified 50 categories of information that the NIR could hold, including up to 10 fingerprints, digitised facial scan and iris scan, current and past UK and overseas places of residence of all residents of the UK throughout their lives. The central database was purported to be a prime target for cyber attacks, and was also said to be a violation of the right to privacy of UK citizens. The Act was passed by the Labour Government in 2006, and repealed by the Conservative-Liberal Democrat Coalition Government as part of their measures to “reverse the substantial erosion of civil liberties under the Labour Government and roll back state intrusion.”</p>
<h3 id="33" style="text-align: justify;">Estonia</h3>
<p style="text-align: justify;">The Estonian i-card is a smart card issued to Estonian citizens by the Police and Border Guard Board. All Estonian citizens and permanent residents are legally obliged to possess this card from the age of 15. The card stores data such as the user's full name, gender, national identification number, and cryptographic keys and public key certificates. The cryptographic signature in the card is legally equivalent to a manual signature, since 15 December 2000. The following are a few examples of what the card is used for:</p>
<ul>
<li>As a national ID card for legal travel within the EU for Estonian citizens</li>
<li>As the national health insurance card</li>
<li>As proof of identification when logging into bank accounts from a home computer</li>
<li>For digital signatures</li>
<li>For i-voting</li>
<li>For accessing government databases to check one’s medical records, file taxes, etc.</li>
<li>For picking up e-Prescriptions</li>
<li>(This system is also operational in the country and has not been removed)</li></ul>
<h3 id="34" style="text-align: justify;">France</h3>
<p style="text-align: justify;">The biometric ID card was to include a compulsory chip containing personal information, such as fingerprints, a photograph, home address, height, and eye colour. A second, optional chip was to be implemented for online authentication and electronic signatures, to be used for e-government services and e-commerce. The law was passed with the purpose of combating “identity fraud”. It was referred to the Constitutional Council by more than 200 members of the French Parliament, who challenged the compatibility of the bill with the citizens’ fundamental rights, including the right to privacy and the presumption of innocence. The Council struck down the law, citing the issue of proportionality. “Regarding the nature of the recorded data, the range of the treatment, the technical characteristics and conditions of the consultation, the provisions of article 5 touch the right to privacy in a way that cannot be considered as proportional to the meant purpose”.</p>
<h3 id="35" style="text-align: justify;">Argentina</h3>
<p style="text-align: justify;">Documento Nacional de Identidad or DNI (which means National Identity Document) is the main identity document for Argentine citizens, as well as temporary or permanent resident aliens. It is issued at a person's birth, and updated at 8 and 14 years of age simultaneously in one format: a card (DNI tarjeta); it's valid if identification is required, and is required for voting. The front side of the card states the name, sex, nationality, specimen issue, date of birth, date of issue, date of expiry, and transaction number along with the DNI number and portrait and signature of the card's bearer. The back side of the card shows the address of the card's bearer along with their right thumb fingerprint. The front side of the DNI also shows a barcode while the back shows machine-readable information. The DNI is a valid travel document for entering Argentina, Bolivia, Brazil, Chile, Colombia, Ecuador, Paraguay, Peru, Uruguay, and Venezuela. (System still operational in the country)</p>
<h3 id="4" style="text-align: justify;"><strong>4. Technologies of Identification and Authentication</strong></h3>
<p style="text-align: justify;">The panel in the session titled ‘Aadhaar: Science, Technology, and Security’ explained the technical aspects of use of biometrics and privacy concerns, technology architecture for identification and inadequacy of infrastructure for information security. In this section, we have summarised the presentation and the ensuing discussions on these issues.</p>
<h3 id="41" style="text-align: justify;">Use of Biometric Information for Identification and Authentication</h3>
<p style="text-align: justify;">The panelists explained with examples that identification and authentication were different things. Identity provides an answer to the question “who are you?” while authentication is a challenge-response process that provides a proof of the claim of identity. Common examples of identity are User ID (Login ID), cryptographic public keys and ATM or Smart cards while common authenticators are passwords (including OTPs), PINs and cryptographic private keys. Identity is public information but an authenticator must be private and known only to the user. Authentication must necessarily be a conscious process and active participation by the user is a must. It should also always be possible to revoke an authenticator. After providing this understanding of the two processes the panellist then explained if biometric information could be used for identification or authentication under the UID Project. Biometric information is clearly public information and it is questionable if it can be revoked. Therefore it should never be used for authentication, but only for identity verification. There is a possibility of authentication by fingerprints under the UID Project, without conscious participation of the user. One could trace the fingerprints of an individual from any place the individual has been in contact with. Therefore, authentication must certainly be done by other means. The panellist pointed out that there were five kinds of authentication under the UID Project, out of which two-factor authentication and one time password were considered suitable but use of biometric information and demographic information was extremely threatening and must be withdrawn.</p>
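<p style="text-align: justify;">The distinction drawn above, as an added example that is not part of the original report: a challenge-response check with a revocable secret, next to a verifier that accepts a fixed value. All class names, function names and sample values are constructed for illustration, and HMAC-SHA256 is an assumed choice of primitive.</p>

```python
import hashlib
import hmac
import secrets


class ChallengeResponseVerifier:
    """Keeps one revocable secret per public identity and issues one-time challenges."""

    def __init__(self):
        self._keys = {}     # identity -> current secret (the authenticator)
        self._pending = {}  # identity -> challenge waiting for a response

    def enrol(self, identity):
        """Issue a fresh secret. Calling this again revokes the previous one."""
        key = secrets.token_bytes(32)
        self._keys[identity] = key
        self._pending.pop(identity, None)
        return key

    def challenge(self, identity):
        nonce = secrets.token_bytes(16)
        self._pending[identity] = nonce
        return nonce

    def verify(self, identity, response):
        nonce = self._pending.pop(identity, None)  # a challenge is usable once
        key = self._keys.get(identity)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def respond(key, nonce):
    """User side: prove possession of the secret without sending it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class StaticValueVerifier:
    """Accepts any presentation equal to the enrolled value. It has no challenge
    and nothing to rotate; it stands in for a fixed, publicly observable trait."""

    def __init__(self):
        self._values = {}

    def enrol(self, identity, value):
        self._values[identity] = value

    def verify(self, identity, presented):
        stored = self._values.get(identity)
        return stored is not None and hmac.compare_digest(stored, presented)


def run_comparison():
    identity = "resident-0001"  # constructed identifier (public information)
    cr = ChallengeResponseVerifier()
    key = cr.enrol(identity)

    first = respond(key, cr.challenge(identity))
    results = {"fresh_response": cr.verify(identity, first)}

    # A response seen in one session is bound to that session's nonce.
    cr.challenge(identity)
    results["old_response_reused"] = cr.verify(identity, first)

    # Revocation: re-enrolment replaces the secret, so the old one stops working.
    new_key = cr.enrol(identity)
    results["revoked_key"] = cr.verify(identity, respond(key, cr.challenge(identity)))
    results["reissued_key"] = cr.verify(identity, respond(new_key, cr.challenge(identity)))

    # The fixed value passes every time it is presented and cannot be reissued.
    static = StaticValueVerifier()
    value = b"constructed-static-value"
    static.enrol(identity, value)
    results["static_first"] = static.verify(identity, value)
    results["static_presented_again"] = static.verify(identity, value)
    return results


if __name__ == "__main__":
    for name, outcome in run_comparison().items():
        print(f"{name}: {outcome}")
```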
<h3 id="42" style="text-align: justify;">Architectures of Identification</h3>
<p style="text-align: justify;">The panelists explained the architecture of the UID Project that has been designed for identification purposes, highlighted its limitations and suggested alternatives. These explanations are reproduced below.</p>
<p style="text-align: justify;">Under the UID Project, there is a centralised means of identification i.e. the aadhaar number and biometric information stored in one place, Central Identification Data Repository (CIDR). It is better to have multiple means of identification than one (as contemplated under the UID Project) for preservation of our civil liberties. The question is what the available alternatives are. Web of trust is a way for operationalizing distributed identification but the challenge is how one brings people from all social levels to participate in it. There is a need for registrars who will sign keys and public databases for this purpose.</p>
<p style="text-align: justify;">The aadhaar number functions as a common index and facilitates correlation of data across Government databases. While this is tremendously attractive it raises several privacy concerns as more and more information relating to an individual is available to others and is likely to be abused.</p>
<p style="text-align: justify;">The aadhaar number is available in human readable form. This raises the risk of identification without consent and unauthorised profiling. It cannot be revoked. Potential for damage in case of identity theft increases manifold.</p>
<p style="text-align: justify;">Under the UID Project, for the purpose of information security, Authentication User Agencies (“<strong>AUA</strong>”) are required to use local identifiers instead of aadhaar numbers but they are also required to map these local identifiers to the aadhaar numbers. Aadhaar numbers are not cryptographically secured; in fact they are publicly available. Hence this exercise for securing information is useless. An alternative would be to issue different identifiers for different domains and cryptographically embed a “master identifier” (in this case, equivalent of aadhaar number) into each local identifier.</p>
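<p style="text-align: justify;">One way to realise the domain-specific identifiers suggested above, as an added example that is not part of the original report or of any UIDAI specification. It assumes a keyed one-way derivation (HMAC-SHA256 under an issuer-held key) as the form of "embedding"; the function names, domain labels and master identifiers are constructed placeholders.</p>

```python
import base64
import hashlib
import hmac

# Constructed placeholder master identifiers (not real numbers).
MASTER_IDS = ["MASTER-0001", "MASTER-0002", "MASTER-0003"]


def derive_local_id(issuer_key, domain, master_id):
    """Domain-specific identifier bound to the master identifier under issuer_key."""
    d = domain.encode()
    # Length-prefix the domain so distinct (domain, master) pairs never
    # produce the same message.
    msg = len(d).to_bytes(2, "big") + d + master_id.encode()
    tag = hmac.new(issuer_key, msg, hashlib.sha256).digest()
    return base64.b32encode(tag[:15]).decode().lower()  # 24 characters


def issuer_confirms(issuer_key, domain, master_id, local_id):
    """Only the key holder can check that a local identifier belongs to a master."""
    expected = derive_local_id(issuer_key, domain, master_id)
    return hmac.compare_digest(expected, local_id)


def joinable_keys(db_a, db_b):
    """Keys present in both databases, i.e. records that can be correlated."""
    return sorted(set(db_a) & set(db_b))


def build_databases(issuer_key):
    """Two sector databases, once keyed by the common index and once by
    identifiers derived per domain."""
    shared_pds = {m: {"scheme": "pds"} for m in MASTER_IDS}
    shared_bank = {m: {"account": "open"} for m in MASTER_IDS}
    local_pds = {derive_local_id(issuer_key, "pds", m): {"scheme": "pds"}
                 for m in MASTER_IDS}
    local_bank = {derive_local_id(issuer_key, "bank", m): {"account": "open"}
                  for m in MASTER_IDS}
    return shared_pds, shared_bank, local_pds, local_bank


def run_comparison(issuer_key):
    shared_pds, shared_bank, local_pds, local_bank = build_databases(issuer_key)
    pds_id = derive_local_id(issuer_key, "pds", MASTER_IDS[0])
    other_key = bytes(32)  # someone who knows the public master id but not the key
    return {
        "shared_index_joins": len(joinable_keys(shared_pds, shared_bank)),
        "derived_ids_join": len(joinable_keys(local_pds, local_bank)),
        "issuer_can_confirm": issuer_confirms(issuer_key, "pds", MASTER_IDS[0], pds_id),
        "wrong_domain": issuer_confirms(issuer_key, "bank", MASTER_IDS[0], pds_id),
        "without_key": derive_local_id(other_key, "pds", MASTER_IDS[0]) == pds_id,
    }


if __name__ == "__main__":
    demo_key = b"constructed-issuer-key-for-demo!"  # constructed, 32 bytes
    for name, outcome in run_comparison(demo_key).items():
        print(f"{name}: {outcome}")
```

<p style="text-align: justify;">In this sketch an agency stores only its own derived identifier and needs no mapping table back to the master identifier; correlation across domains then depends on custody of the issuer key.</p>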
<p style="text-align: justify;">All field devices (for example POS machines) should be registered and must communicate directly with UIDAI. In fact, UIDAI must verify the authenticity (tamper proof) of the field device during run time and a UIDAI approved authenticity certificate must be issued for field devices. This certificate must be made available to users on demand. Further, the security and privacy frameworks within which AUAs work must be appropriately defined by legal and technical means.</p>
<h3 id="43" style="text-align: justify;">Security Infrastructure of CIDR</h3>
<p style="text-align: justify;">The panelists also enumerated the security features of the UID Project and highlighted the flaws in these features. These have been summarised below.</p>
<p>The security and privacy infrastructure of UIDAI has the following main features:</p>
<ul>
<li>2048 bit PKI encryption of biometric data in transit</li>
<li>End-to-end encryption from enrolment/POS to CIDR</li>
<li>HMAC based tamper detection of PID blocks</li>
<li>Registration and authentication of AUAs</li>
<li>Within CIDR only a SHA 1 Hash of Aadhaar number is stored</li>
<li>Audit trails are stored SHA 1 encrypted. Tamper detection?</li>
<li>Only hashes of passwords and PINs are stored. (biometric data stored in original form though!)</li>
<li>Authentication requests have unique session keys and HMAC</li>
<li>Resident data stored using 100 way sharding (vertical partitioning). First two digits of Aadhaar number as shard keys</li>
<li>All enrolment and update requests link to partitioned databases using Ref IDs (coded indices)</li>
<li>All accesses through a hardware security module</li>
<li>All analytics carried out on anonymised data</li></ul>
<p style="text-align: justify;">The panellists pointed out the concerns about information security on account of design flaws, lack of procedural safeguards, openness of the system and too much trust imposed on multiple players. All symmetric and private keys and hashes are stored somewhere within UIDAI. This indicates that trust is implicitly assumed which is a glaring design flaw. There is no well-defined approval procedure for data inspection, whether it is for the purpose of investigation or for data analytics. There is a likelihood of system hacks, insider leaks, and tampering of authentication records and audit trails. The ensuing discussions highlighted that the UIDAI had admitted to these security risks. The enrolment agencies and the enrolment devices cannot be trusted. AUAs cannot be trusted with biometric and demographic data; neither can they be trusted with sensitive user data of private nature. There is a need for an independent third party auditor for distributed key management, auditing and approving UIDAI programs, including those for data inspection and analytics, whitebox cryptographic compilation of critical parts of the UIDAI programs, issue of cryptographic keys to UIDAI programs for functional encryption, challenge-response for run-time authentication and certification of UIDAI programs. The panellist recommended that there was a need to put in place a suitable legal framework to execute this.</p>
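<p style="text-align: justify;">The "Tamper detection?" question raised against hashed audit trails, worked through as an added example that is not part of the original report or of UIDAI's systems. It compares a per-record SHA-1 digest with an HMAC chain whose key is assumed to be held by an independent auditor; the record fields, key and function names are constructed for illustration.</p>

```python
import copy
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32

# Constructed sample audit records.
SAMPLE_RECORDS = [
    {"seq": 1, "agency": "AUA-EXAMPLE-1", "result": "y"},
    {"seq": 2, "agency": "AUA-EXAMPLE-2", "result": "y"},
    {"seq": 3, "agency": "AUA-EXAMPLE-1", "result": "n"},
]


def canonical(record):
    """Stable byte encoding so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_unkeyed(records):
    """Each record stored next to its own SHA-1 digest."""
    return [{"record": r, "digest": hashlib.sha1(canonical(r)).hexdigest()}
            for r in records]


def verify_unkeyed(log):
    return all(e["digest"] == hashlib.sha1(canonical(e["record"])).hexdigest()
               for e in log)


def seal_chained(records, auditor_key):
    """Each tag covers the record and the previous tag, under the auditor's key."""
    log, prev = [], GENESIS
    for r in records:
        prev = hmac.new(auditor_key, prev + canonical(r), hashlib.sha256).digest()
        log.append({"record": r, "tag": prev.hex()})
    return log


def first_bad_entry(log, auditor_key, expected_last_tag=None):
    """Index of the first entry that fails, len(log) if the tail is missing,
    or None if the log verifies."""
    prev = GENESIS
    for i, e in enumerate(log):
        prev = hmac.new(auditor_key, prev + canonical(e["record"]),
                        hashlib.sha256).digest()
        if not hmac.compare_digest(prev.hex(), e["tag"]):
            return i
    if expected_last_tag is not None and prev.hex() != expected_last_tag:
        return len(log)
    return None


def run_checks():
    auditor_key = b"constructed-auditor-key-32bytes!"  # constructed; kept off the log host
    unkeyed = seal_unkeyed(copy.deepcopy(SAMPLE_RECORDS))
    chained = seal_chained(copy.deepcopy(SAMPLE_RECORDS), auditor_key)
    head = chained[-1]["tag"]  # latest tag, recorded separately by the auditor

    # A record changed by someone with write access, who also refreshes the
    # stored digest. No secret is needed to do that.
    unkeyed[1]["record"]["result"] = "n"
    unkeyed[1]["digest"] = hashlib.sha1(canonical(unkeyed[1]["record"])).hexdigest()

    edited = copy.deepcopy(chained)
    edited[1]["record"]["result"] = "n"   # same change, tag cannot be refreshed
    removed = chained[:1] + chained[2:]   # entry dropped from the middle
    truncated = chained[:2]               # tail dropped

    return {
        "unkeyed_edit_detected": not verify_unkeyed(unkeyed),
        "chained_clean": first_bad_entry(chained, auditor_key, head),
        "chained_edit": first_bad_entry(edited, auditor_key, head),
        "chained_removed": first_bad_entry(removed, auditor_key, head),
        "truncated_without_head": first_bad_entry(truncated, auditor_key),
        "truncated_with_head": first_bad_entry(truncated, auditor_key, head),
    }


if __name__ == "__main__":
    for name, outcome in run_checks().items():
        print(f"{name}: {outcome}")
```

<p style="text-align: justify;">The chain detects a dropped tail only when the verifier also holds the latest tag, and it gives no protection against whoever holds the key, which is why key custody outside the log operator matters here.</p>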
<p style="text-align: justify;">The participants also discussed that information infrastructure must not be made of proprietary software (possibility for backdoors for US) and there must be a third party audit with a non-negotiable clause for public audit.</p>
<h3 id="5" style="text-align: justify;"><strong>5. Aadhaar for Welfare?</strong></h3>
<p style="text-align: justify;">The Report has summarised the discussions that took place in the sessions on ‘Direct Benefits Transfers’ and ‘Aadhaar: Broad Issues - II’ where the panellists critically analysed the claims of benefits and inclusion of Aadhaar made by the government in light of the ground realities in states where Aadhaar has been adopted for social welfare schemes.</p>
<h3 id="51" style="text-align: justify;">Social Welfare: Modes of Access and Exclusion</h3>
<p style="text-align: justify;">Under the Act, a person may be required to authenticate or give proof of the aadhaar number in order to receive subsidy from the government (Section 7). A person is required to punch their fingerprints on POS machines in order to receive their entitlement under the social welfare schemes such as LPG and PDS. It was pointed out in the discussions that various states including Rajasthan and Delhi had witnessed fingerprint errors while doling out benefits at ration shops under the PDS scheme. People have failed to receive their entitled benefits because of these fingerprint errors thus resulting in exclusion of beneficiaries <a href="#ftn9">[9]</a>. A panellist pointed out that in Rajasthan, dysfunctional biometrics had led to further corruption in ration shops. Ration shop owners often lied to the beneficiaries about functioning of the biometric machines (POS Machines) and kept the ration for sale in the market therefore making a lot of money at the expense of uninformed beneficiaries and depriving them of their entitlements.</p>
<p style="text-align: justify;">Another participant organisation pointed out similar circumstances in the ration shops in Patparganj and New Delhi constituencies. Here, the dealers had maintained records of beneficiaries categorised as follows: beneficiaries whose biometrics did not match, beneficiaries whose biometrics matched and entitlements were provided, and beneficiaries who never visited the ration shop. It had been observed that there were no entries in the category of beneficiaries whose biometrics did not match; however, the beneficiaries had a different story to tell. They complained that their biometrics did not match despite trying several times and there was no mechanism for a manual override. Consequently, they had not been able to receive any entitlements for months. The discussions also pointed out that the food authorities had placed complete reliance on the authenticity of the POS machines and claimed that this system would weed out families who were not entitled to the benefits. The MIS was also experiencing technical glitches, as a result of which there was a problem with registering information about these transactions; hence, no records had been created with the State authority about these problems. A participant also discussed the plight of 30,000 widows in Delhi who were entitled to pension and used to collect their entitlement from post offices, and who faced exclusion due to transition problems under the Jan Dhan Yojana (after the Jandhan was launched the money was transferred to their bank accounts in order to resolve the problem of misappropriation of money at the hands of post office officials). These widows were asked to open bank accounts to receive their entitlements and those who did not open these accounts and did not inform the post office were considered bogus.</p>
<p style="text-align: justify;">In the discussions, the participants also noted that this unreliability of fingerprints as a means of authenticating an individual’s identity was highlighted at the meeting of the Empowered Group of Ministers in 2011 by J Dsouza, a biometrics scientist. He used his wife’s fingerprints to demonstrate that fingerprints may change over time and that, in such an event, one would not be able to use the POS machine anymore, as the machine would continue to identify the impressions collected initially.</p>
<p style="text-align: justify;">The participants who had been working in the field had contributed to the discussions by busting the myth that the UID Project helped to identify who was poor and resolve the problem of exclusion due to leakages in the social welfare programs. These discussions have been summarised below.</p>
<ul>
<li style="text-align: justify;">It is important to understand that the UID Project is merely an identification and authentication system. It only helps in verifying if an individual is entitled to benefits under a social security scheme. It does not ensure plugging of leakages and reducing corruption in social security schemes as has been claimed by the Government. The reduction in leakage of PDS, for instance, should be attributed to digitization and not UID. The Government claims that it has saved INR 15000 crore in provision of LPG on identification of 3.34 crore inactive accounts on account of the UID Project. This is untrue because the accounts were weeded out using mechanisms completely unrelated to the UID Project. Consequently, the savings on account of UID are only INR 120 crore and not 15000 crore.</li>
<li style="text-align: justify;">The UID Project has resulted in exclusion of people either because they do not have an aadhaar number, or they have a wrong identification, or there are errors of classification or wilful misclassification. About 99.7% people who were given aadhaar numbers already had an identification document. In fact, during enrolment a person is required to produce one of 14 identification documents listed under the law in order to get an aadhaar number which makes it very difficult for a person with no identity to become entitled to a social welfare scheme.</li></ul>
<p style="text-align: justify;">A participant condemned the Government’s claim that the UID Project had helped in removing fake, bogus and duplicate cards and said that these terms could not be used synonymously and the authorities had no clarity about the difference between the meanings of these terms. The UID Project had only helped in removal of duplicate cards but had not helped in combating the use of fake and bogus cards.</p>
<h3 id="52" style="text-align: justify;">Financial Inclusion and Direct Benefits Transfer</h3>
<p style="text-align: justify;">The participants also engaged in the discussions about the impact of the UID project on financial inclusion in India in the sessions titled ‘Aadhaar: Broad Issues - I & II’. We have summarised these discussions below.</p>
<p style="text-align: justify;">The UID Project seeks to directly transfer money to a bank account in order to combat corruption. The discussions highlighted that this was nothing but introducing a neo liberal thrust in social policy and that it was not feasible for various reasons. First, 95% of rural India did not have functioning banks and banks are quite far away. Second, in order to combat this dearth of banks the idea of business correspondents, who handled banking transactions and helped in opening of bank accounts, had been introduced which had created various problems. The Reserve Bank of India reported that there was dearth of business correspondents as there was very little incentive to become one; their salary is merely INR 4000. Third, there were concerns about how an aadhaar number was considered a valid document for Know Your Customer (KYC) checks. There was a requirement for scrutiny and auditing of documents submitted during the time of enrolment which, in the present scheme of things, could not be verified. Fourth, there were no restrictions on number of bank accounts that could be opened with a single aadhaar number which gave rise to a possibility of opening multiple and shell accounts on a single aadhaar number. Therefore, records only showed transactions when money was transferred from an aadhaar number to another aadhaar number as opposed to an account-to-account transfer. The discussion relied on NPCI data which shows which bank an aadhaar number is associated with but does not show if a transaction by an aadhaar number is overwritten by another bank account belonging to the same aadhaar number.</p>
<h3 id="6" style="text-align: justify;"><strong>6. Surveillance and UIDAI</strong></h3>
<p style="text-align: justify;">The participants discussed the possibility of an alternative purpose for enrolling Aadhaar in the session titled ‘Privacy, Surveillance, and Ethical Dimensions of Aadhaar’. The discussion traced the history of this project to gain insight on this issue. We have summarised below the key takeaways from this discussion.</p>
<p style="text-align: justify;">There are claims that the main objective of launching the UID Project is not to facilitate implementation of social security schemes but to collect personal (financial and non-financial) information of the citizens and residents of the country to build a data monopoly. For this purpose, PDS was chosen as a suitable social security scheme as it has the largest coverage. Several participants suggested that numerous reports authored by FICCI, KPMG and ASSOCHAM contained proposals for establishing a national identity authority which threw some light on the commercial intentions behind information collection under the UID Project.</p>
<p style="text-align: justify;">It was also pointed out that there was documented proof that information collected under the UID Project might have been shared with foreign companies. There are suggestions about links established between proponents of the UID Project and companies backed by CIA or the French Government which run security projects and deal in data sharing in several jurisdictions.</p>
<h3 id="7" style="text-align: justify;"><strong>7. Strategies for Future Action</strong></h3>
<p>The participants laid down a list of measures that must be taken to take the discussions forward. We have enumerated these recommendations below.</p>
<ul>
<li>Prepare and compile an anthology of articles as an output of this workshop. </li>
<li>Prepare position papers on specific issues related to the UID Project </li>
<li>Prepare pamphlets/brochures on issues with the UID Project for public consumption </li>
<li>Prepare counter-advertisements for Aadhaar</li>
<li>Publish existing empirical evidence on the flaws in Aadhaar.</li>
<li>Set up an online portal dedicated to providing updates on the UID Project that allows discussions on specific issues related to Aadhaar.</li>
<li>Use Social Media to reach out to the public. Regularly track and comment on social media pages of relevant departments of the government.</li>
<li>Create groups dedicated to research and advocacy of specific aspects of the UID Project. </li>
<li>Create a Coordination Committee preferably based in Delhi which would be responsible for regularly holding meetings and for preparing a coordinated plan of action. Employ permanent staff to run the Committee.</li>
<li>Organise an advocacy campaign against use of Aadhaar in collaboration with other organisations and build public domain acceptance. </li>
<li>The campaign must specifically focus on the unfettered scope of UID and expanse, misrepresentation of the success of Aadhaar by highlighting real savings, technological flaws, status of pilot programs and increasing corruption on account of the UID Project</li>
<li>Prepare a statement of public concern regarding the UID Project and collect signatures from eminent persons including academics, technical experts, civil society groups and members of parliament.</li>
<li>Organise events and discussions on issues relating to Aadhaar and invite members of government departments to speak and discuss the issues. </li>
<li style="text-align: justify;">Write to Members of Parliament and Members of Legislative Assemblies raising questions on their or their parties’ support for Aadhaar and silence on the problems created by the UID Project. </li>
<li style="text-align: justify;">Organise public hearings in states like Rajasthan to observe and document ground realities of the UID Project and share these outcomes with the state government and media. </li>
<li>Plan a national social audit and public hearing on the working of UID Project in the country. </li>
<li style="text-align: justify;">File Contempt Petitions in the Supreme Court and High Courts against mandatory use of Aadhaar number for services not allowed by the Supreme Court. </li>
<li style="text-align: justify;">Reach out to and engage with various foreign citizens and organisations that have been fighting on similar issues. The organisations and individuals who could be approached would include EPIC, Electronic Frontier foundation, David Moss, UK, Roger Clarke, Australia, Prof. Ian Angel, Snowden, Assange and Chomsky.</li>
<li style="text-align: justify;">Work towards increasing awareness about the UID Project and gaining support from the student and research community, student organisations, trade unions, and other associations and networks in the unorganised sector.</li></ul>
<h3 id="AA" style="text-align: justify;"><strong>Annexure A – Workshop Agenda</strong></h3>
<h4>May 26, 2016</h4>
<table>
<tbody>
<tr>
<td>
<p>9:00-9:30</p>
</td>
<td>
<p><strong>Registration</strong></p>
</td>
</tr>
<tr>
<td>
<p>9:30-10:00</p>
</td>
<td>
<p>Prof. Dinesh Abrol - <em>Welcome</em><br />
<em>Self-introduction and expectations of participants</em><br />
Dr. Usha Ramanathan - <em>Overview of the Workshop</em></p>
</td>
</tr>
<tr>
<td>
<p>10:00-11:00</p>
</td>
<td>
<p><strong>Session 1: Current Status of Aadhaar</strong><br />
Dr. Usha Ramanathan, Legal Researcher, New Delhi - <em>What the 2016 Law Says, and How it Came into Being</em><br />
S. Prasanna, Advocate, New Delhi - <em>Status and Force of Supreme Court Orders on Aadhaar</em><br /> <em>Discussion</em></p>
</td>
</tr>
<tr>
<td>
<p>11:00-11:30</p>
</td>
<td>
<p><strong>Tea Break</strong></p>
</td>
</tr>
<tr>
<td>
<p>11:30-13:30</p>
</td>
<td>
<p><strong>Session 2: Direct Benefits Transfers</strong><br />
Prof. Reetika Khera, Indian Institute of Technology, Delhi - <em>Welfare Needs Aadhaar like a Fish Needs a Bicycle</em><br />
Prof. R. Ramakumar, Tata Institute of Social Sciences, Mumbai - <em>Aadhaar and the Social Sector: A critical analysis of the claims of benefits and inclusion</em><br />
Ashok Rao, Delhi Science Forum - <em>Cash Transfers Study</em><br />
<em>Discussion</em></p>
</td>
</tr>
<tr>
<td>
<p>13:30-14:30</p>
</td>
<td>
<p><strong>Lunch</strong></p>
</td>
</tr>
<tr>
<td>
<p>14:30-16:00</p>
</td>
<td>
<p><strong>Session 3: Aadhaar: Science, Technology, and Security</strong><br />
Prof. Subhashis Banerjee, Dept of Computer Science & Engineering, IIT, Delhi - <em>Privacy and Security Issues Related to the Aadhaar Act</em><br />
Pukhraj Singh, Former National Cyber Security Manager, Aadhaar, New Delhi - <em>Aadhaar: Security and Surveillance Dimensions</em><br />
<em>Discussion</em></p>
</td>
</tr>
<tr>
<td>
<p>16:00-16:30</p>
</td>
<td>
<p><strong>Tea Break</strong></p>
</td>
</tr>
<tr>
<td>
<p>16:30-17:30</p>
</td>
<td>
<p><strong>Session 4: Aadhaar - International Dimensions</strong><br />
Joshita Pai, Center for Communication Governance, National Law University, Delhi - <em>Biometrics and Mandatory IDs in Other Parts of the World</em><br />
Dr. Gopal Krishna, Citizens Forum for Civil Liberties - <em>International Dimensions of Aadhaar</em><br />
<em>Discussion</em></p>
</td>
</tr>
<tr>
<td>
<p>17:30-18:00</p>
</td>
<td>
<p><strong>High Tea</strong></p>
</td>
</tr>
</tbody>
</table>
<h4>May 27, 2016</h4>
<table>
<tbody>
<tr>
<td>
<p>9:30-11:00</p>
</td>
<td>
<p><strong>Session 5: Privacy, Surveillance and Ethical Dimensions of Aadhaar</strong><br />
Prabir Purkayastha, Free Software Movement of India, New Delhi - <em>Surveillance Capitalism and the Commodification of Personal Data</em><br />
Arjun Jayakumar, SFLC - <em>Surveillance Projects Amalgamated</em><br />
Col Mathew Thomas, Bengaluru - <em>The Deceit of Aadhaar</em><br />
<em>Discussion</em></p>
</td>
</tr>
<tr>
<td>
<p>11:00-11:30</p>
</td>
<td>
<p><strong>Tea Break</strong></p>
</td>
</tr>
<tr>
<td>
<p>11:30-13:00</p>
</td>
<td>
<p><strong>Session 6: Aadhaar - Broad Issues I</strong><br />
Prof. G Nagarjuna, Homi Bhabha Center for Science Education, Tata Institute of Fundamental Research, Mumbai - <em>How to prevent linked data in the context of Aadhaar</em><br />
Dr. Anupam Saraph, Pune - <em>Aadhaar and Moneylaundering</em><br />
<em>Discussion</em></p>
</td>
</tr>
<tr>
<td>
<p>13:00-14:00</p>
</td>
<td>
<p><strong>Lunch</strong></p>
</td>
</tr>
<tr>
<td>
<p>14:00-15:30</p>
</td>
<td>
<p><strong>Session 7: Aadhaar - Broad Issues II</strong><br />
Prof. MS Sriram, Visiting Faculty, Indian Institute of Management, Bangalore - <em>Financial Inclusion</em><br />
Nikhil Dey, MKSS, Rajasthan - <em>Field witness: Technology on the Ground</em><br />
Prof. Himanshu, Centre for Economic Studies & Planning, JNU - <em>UID Process and Financial Inclusion</em><br />
<em>Discussion</em></p>
</td>
</tr>
<tr>
<td>
<p>15:30-16:00</p>
</td>
<td>
<p><strong>Session 8: Conclusion</strong></p>
</td>
</tr>
<tr>
<td>
<p>16:00-18:00</p>
</td>
<td>
<p><strong>Informal Meetings</strong></p>
</td>
</tr>
</tbody>
</table>
<h3 id="AB" style="text-align: justify;"><strong>Annexure B – Workshop Participants</strong></h3>
<p>Anjali Bhardwaj, Satark Nagrik Sangathan</p>
<p>Dr. Anupam Saraph</p>
<p>Arjun Jayakumar, Software Freedom Law Centre</p>
<p>Ashok Rao, Delhi Science Forum</p>
<p>Prof. Chinmayi Arun, National Law University, Delhi</p>
<p>Prof. Dinesh Abrol, Jawaharlal Nehru University</p>
<p>Prof. G Nagarjuna, Homi Bhabha Center for Science Education, Tata Institute of Fundamental Research, Mumbai</p>
<p>Dr. Gopal Krishna, Citizens Forum for Civil Liberties</p>
<p>Prof. Himanshu, Jawaharlal Nehru University</p>
<p>Japreet Grewal, the Centre for Internet and Society</p>
<p>Joshita Pai, National Law University, Delhi</p>
<p>Malini Chakravarty, Centre for Budget and Governance Accountability</p>
<p>Col. Mathew Thomas</p>
<p>Prof. MS Sriram, Indian Institute of Management, Bangalore</p>
<p>Nikhil Dey, Mazdoor Kisan Shakti Sangathan</p>
<p>Prabir Purkayastha, Knowledge Commons and Free Software Movement of India</p>
<p>Pukhraj Singh, Bhujang</p>
<p>Rajiv Mishra, Jawaharlal Nehru University</p>
<p>Prof. R Ramakumar, Tata Institute of Social Sciences, Mumbai</p>
<p>Dr. Reetika Khera, Indian Institute of Technology, Delhi</p>
<p>Dr. Ritajyoti Bandyopadhyay, Indian Institute of Science Education and Research, Mohali</p>
<p>S. Prasanna, Advocate</p>
<p>Sanjay Kumar, Science Journalist</p>
<p>Sharath, Software Freedom Law Centre</p>
<p>Shivangi Narayan, Jawaharlal Nehru University</p>
<p>Prof. Subhashis Banerjee, Indian Institute of Technology, Delhi</p>
<p>Sumandro Chattapadhyay, the Centre for Internet and Society</p>
<p>Dr. Usha Ramanathan, Legal Researcher</p>
<p><em>Note: This list is only indicative, and not exhaustive.</em></p>
<hr />
<p><a name="ftn1"><strong>[1]</strong></a> Civil Appeal No. 4853 of 2014</p>
<p><a name="ftn2"><strong>[2]</strong></a> WP(C) 494/2012</p>
<p><a name="ftn3"><strong>[3]</strong></a> WP(C) 829/2013</p>
<p><a name="ftn4"><strong>[4]</strong></a> WP(C) 833/2013</p>
<p><a name="ftn5"><strong>[5]</strong></a> WP (C) 37/2015; (Earlier intervened in the Aruna Roy petition in 2013)</p>
<p><a name="ftn6"><strong>[6]</strong></a> WP (C) 932/2015</p>
<p><a name="ftn7"><strong>[7]</strong></a> Transferred from Madras HC 2013.</p>
<p style="text-align: justify;"><a name="ftn8"><strong>[8]</strong></a> SLP (Crl) 2524/2014 filed against the order of the Goa Bench of the Bombay HC in CRLWP 10/2014 wherein the High Court had directed UIDAI to share biometric information held by them of all residents of a particular place in Goa to help with a criminal investigation in a case involving charges of rape and sexual assault.</p>
<p><a name="ftn9"><strong>[9]</strong></a> See: http://scroll.in/article/806243/rajasthan-presses-on-with-aadhaar-after-fingerprint-readers-fail-well-buy-iris-scanners</p>
No publisher. Authors: Japreet Grewal, Vanya Rakesh, Sumandro Chattapadhyay, and Elonnai Hickock. Tags: Big Data, Data Systems, Privacy, Researchers at Work, Internet Governance, Aadhaar, Welfare Governance, Biometrics, Big Data for Development, UID. Date: 2019-03-16T04:42:52Z. Type: Blog Entry.
Reply to RTI Application under RTI Act of 2005 from Vanya Rakesh
http://editors.cis-india.org/internet-governance/blog/reply-to-rti-application-under-rti-act-of-2005-from-vanya-rakesh
<b>Unique Identification Authority of India replied to the RTI application filed by Vanya Rakesh. </b>
<p style="text-align: justify; ">Madam,</p>
<ol style="text-align: justify; ">
<li>Please refer to your RTI application dated 3.12.2015 received in the Division on 10.12.2015 on the subject mentioned above requesting to provide the information in electronic form via the email address vanya@cis-india.org, copies of the artwork in print media released by UIDAI to create awareness about use of Aadhaar not being mandatory.</li>
<li>I am directed to furnish herewith in electronic form, copy of the artwork in print media released / published in the epapers edition of the Times of India and Dainik Jagran in their respective editions of dated 29.8.2015 in a soft copy, about obtaining of Aadhaar not being mandatory for a citizen, as desired.</li>
<li>In case, you want to go for an appeal in connection with the information provided, you may appeal to the Appellate Authority indicated below within thirty days from the date of receipt of this letter.<br />Shri Harish Lal Verma,<br />Deputy Director (Media),<br />Unique Identification Authority of India<br />3nd Floor, Tower – II, Jeevan Bharati Building,<br />New Delhi – 110001.</li>
</ol>
<p style="text-align: justify; "><br />Yours faithfully,<br /><br />(T Gou Khangin)<br />Section Officer & CPIO Media Division<br /><br />Copy for information to: Deputy Director (Establishment) & Nodal CPIO</p>
<hr />
<p>Below scanned copies:</p>
<table class="plain">
<tbody>
<tr>
<th>RTI Reply</th>
</tr>
<tr>
<td><img src="http://editors.cis-india.org/home-images/RTIReplytoSh.VanyaRakesh.jpg" alt="RTI Reply" class="image-inline" title="RTI Reply" /></td>
</tr>
</tbody>
</table>
<table class="plain">
<tbody>
<tr>
<th>Coverage in Dainik Jagran<br /></th>
</tr>
<tr>
<td><img src="http://editors.cis-india.org/home-images/DainikJagran29.08.2015.png" alt="Dainik Jagran" class="image-inline" title="Dainik Jagran" /></td>
</tr>
</tbody>
</table>
<p><b><a href="http://editors.cis-india.org/internet-governance/blog/uid-ad" class="internal-link">Download the coverage in the Times of India here</a></b>. Read the earlier blog entry <a class="external-link" href="http://cis-india.org/internet-governance/blog/rti-response-regarding-the-uidai">here</a>.</p>
No publisher. Author: vanya. Tags: Aadhaar, Internet Governance, Privacy. Date: 2016-01-13T02:40:57Z. Type: Blog Entry.
Reliance Jio data leaked on website: report
http://editors.cis-india.org/internet-governance/news/livemint-july-10-2017-reliance-jio-data-leaked-on-website-report
<b>Reliance Jio customer data was leaked on independent website magicapk.com, including details such as names, mobile numbers and email IDs, said a report.</b>
<p style="text-align: justify; ">The article was <a class="external-link" href="http://www.livemint.com/Industry/ucK2SJDM4Ws8k36ovZVj6H/Reliance-Jio-customer-data-allegedly-compromised-report.html">published by Livemint</a> on July 10, 2017.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Reliance Jio Infocomm Ltd’s customer data was allegedly leaked on an independent website, magicapk.com, a report said. Jio, which crossed the 100 million mark in February, barely six months after it was launched, ended the financial year with <b><a href="http://www.livemint.com/Industry/wVDwB0wKqaXxqVFqEWp4kK/Reliance-Jio-crosses-108-million-subscribers-claims-to-be-l.html" target="_blank">108.9 million subscribers </a></b>as of 31 March.</p>
<p style="text-align: justify; ">The report, published first in a late-night article on Sunday on <b><a href="http://www.fonearena.com/blog/224741/jio-customer-database-of-over-120-million-users-leaked-could-be-biggest-data-breach-in-india.html#more-224741" target="_blank">Fonearena.com</a></b>, alleged that “several sensitive details” were exposed, including customers’ first and last names, mobile numbers, email IDs, circles, SIM activation dates and even the Aadhaar numbers. The Aadhaar numbers, however, were redacted on magicapk.</p>
<p style="text-align: justify; ">“To my disbelief I found my own details in the database and also couple of my colleagues are affected too,” wrote Varun Krish, the author of the article. However, if you now click on Magicapk.com, it reads: “This Account has been <a href="http://magicapk.com/cgi-sys/suspendedpage.cgi" target="_blank">suspended</a> .” The Registrar of the site, according to the <b><a href="https://www.whois.com/whois/magicapk.com">whois database</a></b>, is Godaddy.com, LLC.</p>
<p style="text-align: justify; ">When contacted, a Reliance Jio spokesperson said, “We have come across the unverified and unsubstantiated claims of the website and are investigating it. Prima facie, the data appears to be unauthentic. We want to assure our subscribers that their data is safe and maintained with highest security. Data is only shared with authorities as per their requirement. We have informed law enforcement agencies about the claims of the website and will follow through to ensure strict action is taken.”</p>
<p style="text-align: justify; ">Fonearena.com, on its site, has responded with a: “We still stand by our story.”</p>
<p style="text-align: justify; ">The report assumes significance because the site exposed redacted Aadhaar card details. There are nearly 1.2 billion Aadhaar number holders in the country. Aadhaar aims to plug leakages in the delivery of state benefits, such as subsidized grains to the poor, and aid in generating a savings of about Rs70,000 crore a year for the government. But data breaches have rattled citizens, especially since India does not have a Privacy Act.</p>
<p style="text-align: justify; ">In March, the Unique Identification Authority of India (UIDAI) blacklisted a common services centre for 10 years after it shared the Aadhaar details of former cricket captain Mahendra Singh Dhoni. On 25 April, <i>Mint </i>reported that many government departments, including the ministry of drinking water and sanitation, the Jharkhand Directorate of Social Security, and the Kerala government’s pension department, had published Aadhaar numbers of beneficiaries of the schemes they run in <b><a href="http://www.livemint.com/Politics/bM6xWCw8rt6Si4seV43C2H/Govt-departments-breach-Aadhaar-Act-leak-details-of-benefic.html" target="_blank">violation of the Aadhaar Act</a></b> .</p>
<p style="text-align: justify; ">On 1 May, Bengaluru-based think tank Centre for Internet and Society (CIS) reported that a Central government ministry and a state government may have <b><a href="https://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof-a-documentation-of-public-availability-of-aadhaar-numbers-with-sensitive-personal-financial-information-1">made public up to 135 million Aadhaar numbers</a></b> .</p>
<p style="text-align: justify; ">Under the Aadhaar (Targeted Delivery of Financial Subsidies, Benefits and Services) Act, 2016, the unique identity number is mandatory only to receive social welfare benefits. However, tagging of the Aadhaar number is being made mandatory by the government for various schemes including PAN (permanent account number) accounts for taxation. On 7 July, the Supreme Court refused to pass any interim order against the mandatory use of Aadhaar for various government schemes. It, instead, suggested that petitioners call for<a href="http://www.livemint.com/Politics/5bZrxjf4FpfbxZFhc9inbI/Aadhaarlinked-issues-to-be-decided-by-constitution-bench-S.html" target="_blank"> immediate formation of a Constitution bench </a>to decide on the case .</p>
<p style="text-align: justify; ">News of the alleged data leak also comes at a time when there has been a spate of cyber hacks.</p>
<p style="text-align: justify; ">For instance, just when companies started believing that WannaCry—the malware that held over 200,000 individuals across 10,000 organizations in nearly 100 countries to ransom—was on the wane, a virus christened GoldenEye (a variant of the Petya ransomware) by security firm Bitdefender Labs attacked companies, mostly in Ukraine. And while the target primarily appeared to be European countries, the <b><a href="http://www.livemint.com/Technology/IUkweIPadyeIHRW7lFTysI/GoldenEye-ransomware-follows-in-WannaCrys-footsteps.html" target="_blank">ransomware was also reported</a></b> to be making inroads in countries like India.</p>
No publisher. Author: praskrishna. Tags: Aadhaar, Internet Governance, Privacy. Date: 2017-07-10T14:53:42Z. Type: News Item.
Registering for Aadhaar in 2019
http://editors.cis-india.org/internet-governance/blog/business-standard-january-2-2019-registering-for-aadhaar-in-2019
<b>It is a lot less scary registering for Aadhaar in 2019 than it was in 2010, given how the authentication modalities have since evolved.</b>
<p style="text-align: justify; ">The article was published in <a class="external-link" href="https://www.business-standard.com/article/opinion/registering-for-aadhaar-in-2019-119010201018_1.html">Business Standard</a> on January 2, 2019.</p>
<hr />
<p style="text-align: justify; ">Last November, a global committee of lawmakers from nine countries (the UK, Canada, Ireland, Brazil, Argentina, Singapore, Belgium, France and Latvia) summoned Mark Zuckerberg to what they called an “international grand committee” in London. Mr. Zuckerberg was too spooked to show up, but Ashkan Soltani, former CTO of the FTC, was among those who testified against Facebook. He said “in the US, a lot of the reticence to pass strong policy has been about killing the golden goose”, referring to the innovative technology sector. Mr. Soltani went on to argue that “smart legislation will incentivise innovation”. This could be done either intentionally or unintentionally by governments. For example, a poorly thought through blocking of pornography can result in innovative censorship circumvention technologies. On other occasions, this can happen intentionally. I hope to use my inaugural column in these pages to provide an Indian example of such intentional regulatory innovation.<br /><br />Eight years ago, almost to this date, my colleague Elonnai Hickok wrote an open letter to the Parliamentary Finance Committee on what was then called the UID or Unique Identity. She compared Aadhaar to the digital identity project started by the National Democratic Alliance (NDA) government in 2001. Like the Vajpayee administration which was working in response to the Kargil War, she advocated a decentralised authentication architecture using smart cards based on public key cryptography. Last year, even before the five-judge constitutional bench struck down Section 57 of the Aadhaar Act, the UIDAI preemptively responded to this regulatory development by launching offline Aadhaar cards. This was to be expected especially since from the A.P. Shah Committee report, the Puttaswamy Judgment, the B.N.
Srikrishna Committee consultation paper, report and bill, the principle of “privacy by design” was emerging as a key Indian regulatory principle in the domain of data protection.<br /><br />The introduction of the offline Aadhaar mechanism eliminates the need for biometrics during authentication. I have previously provided 11 reasons why biometrics is inappropriate technology for e-governance applications by democratic governments, and this comes as a massive relief for both human rights activists and security researchers. Second, it decentralises authentication, meaning that there is no longer a central database that holds a 360-degree view of all incidents of identification and authentication. Third, it dramatically reduces the attack surface for Aadhaar numbers, since only the last four digits remain unmasked on the card. Each data controller using Aadhaar will have to generate his/her own series of unique identifiers to distinguish between residents. If those databases leak or get breached, it won’t tarnish the credibility of Aadhaar or the UIDAI to the same degree. Fourth, it increases the probability of attribution in case a data breach were to occur; if the breached or leaked data contains identifiers issued by a particular data controller, it would become easier to hold them accountable and liable for the associated harms. Fifth, unlike the previous iteration of the Aadhaar “card”, on which the QR code was easy to forge and alter, this mechanism provides for integrity and tamper detection because the demographic information contained within the QR code is digitally signed by the UIDAI. Finally, it retains the earlier benefit of being very cheap to issue, unlike smart cards.<br /><br />Thanks to the UIDAI, the private sector is also being forced to implement privacy by design. Previously, since everyone was responsible for protecting Aadhaar numbers, nobody was. 
Data controllers would gladly share the Aadhaar number with their contractors, that is, data processors, since nobody could be held responsible. Now, since their own unique identifiers could be used to trace liability back to them, data controllers will start using tokenisation when they outsource any work that involves processing of the collected data. Skin in the game immediately breeds more responsible behaviour in the ecosystem.<br /><br />The fintech sector has been rightfully complaining about regulatory and technological uncertainty from last year’s developments. This should be addressed by developing open standards and free software to allow for rapid yet secure implementation of these changes. The QR code standard itself should be an open standard developed by the UIDAI using some of the best practices common to international standard setting organisations like the World Wide Web Consortium, Internet Engineering Task Force and the Institute of Electrical and Electronics Engineers. While the UIDAI might still choose to take the final decision when it comes to various technological choices, it should allow stakeholders to make contributions through comments, mailing lists, wikis and face-to-face meetings. Once a standard has been approved, a reference implementation must be developed by the UIDAI under liberal licences, like the BSD licence that allows for both free software and proprietary software derivative works. For example, software that can read the QR code as well as send and receive the OTP to authenticate the resident. This would ensure that smaller fintech companies with limited resources can develop secure systems.<br /><br />Since Justice Dhananjaya Y. Chandrachud’s excellent dissent had no other takers on the bench, holdouts like me must finally register for an Aadhaar number since we cannot delay filing taxes any further. 
While I would still have preferred a physical digital artefact like a smart card (built on an open standard), I must say it is a lot less scary registering for Aadhaar in 2019 than it was in 2010, given how the authentication modalities have since evolved.</p>
No publisher | sunil | Aadhaar, Internet Governance, Privacy | 2019-01-03T14:59:04Z | Blog Entry
Provide hacker details, outfit that claimed data leak told
http://editors.cis-india.org/internet-governance/news/the-times-of-india-mahendra-singh-may-18-2017-provide-hacker-details-outfit-that-claimed-data-leak-told
<b>The Unique Identification Authority of India (UIDAI), the regulatory authority for Aadhaar, has written to a Bengaluru-based research organisation, Centre for Internet & Society (CIS), seeking details about a suspected hack attack on government websites that led to the leak of information about 13 crore users.</b>
<p style="text-align: justify; ">The article by Mahendra Singh was <a class="external-link" href="http://timesofindia.indiatimes.com/india/provide-hacker-details-outfit-that-claimed-data-leak-told/articleshow/58725132.cms">published in the Times of India</a> on May 18, 2017.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">In a recent report, CIS had highlighted that websites run by various government departments, owing to a poor security framework, had publicly displayed sensitive personal financial information and Aadhaar numbers of beneficiaries of certain projects. <br /> <br /> In its letter, UIDAI argued that the data downloaded from one of the websites could not have been accessed unless the website was hacked. As hacking is a grave offence under the law, the UIDAI has asked CIS to provide details of the persons involved in the data theft. <br /> <br /> According to a source, the UIDAI said that access to data on the website for the 'National Social Assistance Program' was only possible for someone in possession of authorised login details, or if the site (http://nsap.nic.in) was hacked or breached. The UIDAI said in its letter that such illegal access was against the provisions of the Aadhaar Act, 2016, and the IT Act, 2000, and that the persons involved had committed a grave offence.</p>
<p style="text-align: justify; ">Asking the CIS to reply before May 30, the UIDAI also said, "Aadhaar system is a protected system under Section 70 of the IT Act, 2000, the violation of which is punishable with rigorous imprisonment for a period up to 10 years." It added that the penalty clauses for violations are also provided in Section 36, Section 38 and Section 39 of the Aadhaar Act.</p>
<p style="text-align: justify; ">The UIDAI, however, maintained that even if the Aadhaar details were known to someone it did not pose a real threat to the people whose information was publicly available because the Aadhaar number could not be misused without biometrics.</p>
<p style="text-align: justify; ">The UIDAI letter said, "While, as your report suggests, there is a need to strengthen IT security of government websites, it is also important that the persons involved in hacking such sensitive information are brought to justice for which your assistance is required under the law."</p>
<p style="text-align: justify; ">"Your report mentions 13 crore people's data has been 'leaked'. Please specify how much of this data had been downloaded by you or are in your possession or in the possession of any other persons that you know. Please provide the details," the UIDAI added in its letter. The UIDAI also urged CIS to provide the details of the persons/organisations with whom it shared the data, if it did.</p>
No publisher | praskrishna | Aadhaar, Internet Governance, Privacy | 2017-06-07T12:14:13Z | News Item
Privacy vs. Transparency: An Attempt at Resolving the Dichotomy
http://editors.cis-india.org/openness/blog-old/privacy-v-transparency
<b>The right to privacy has been articulated in international law and in some national laws. In a few countries where the constitution does not explicitly guarantee such a right, courts have read the right to privacy into other rights (e.g., the right to life, the right to equal treatment under law and also the right to freedom of speech and expression).</b>
<hr />
<p><i>With feedback and inputs from Sumandro Chattapadhyay, Elonnai Hickok, Bhairav Acharya and Geetha Hariharan</i>. I would like to apologize for not providing proper citation to Julian Assange when the first version of this blog entry was published. I would also like to thank Micah Sifry for drawing this failure to my attention. The blog post originally published by Omidyar Network <a class="external-link" href="http://www.openup2014.org/privacy-vs-transparency-attempt-resolving-dichotomy/">can be read here</a>. Also see <a class="external-link" href="http://newint.org/features/2015/01/01/privacy-transparency/">http://newint.org/features/2015/01/01/privacy-transparency/</a></p>
<hr />
<p style="text-align: justify; ">In other countries where privacy is not yet an explicit or implicit right, harm to the individual is mitigated using older confidentiality or secrecy law. After the Snowden affair, the rise of social media and the sharing economy, some corporations and governments would like us to believe that “privacy is dead”. Privacy should not and cannot be dead, because that would mean that security is also dead. This is indeed the most dangerous consequence of total surveillance as it is technically impossible to architect a secure information system without privacy as a precondition. And conversely, it is impossible to guarantee privacy without security as a precondition.</p>
<p style="text-align: justify; ">The right to transparency [also known as the right to information or access to information] – while unavailable in international law – is increasingly available in national law. Over the last twenty years this right has become encoded in national laws – and across the world it is being used to hold government accountable and to balance the power asymmetry between states and citizens. Independent and autonomous offices of transparency regulators have been established. Apart from increasing government transparency, corporations are also increasingly required to be transparent as part of generic or industry specific regulation in the public interest. For instance, India’s Companies Act, 2013, requires greater transparency from the private sector. Other areas of human endeavor such as science and development are also becoming increasingly transparent though here it is still left up to self-regulation and there isn’t as much established law. Within science and research more generally, the rise of open data accompanied the growth of the Open Access and citizen science movement.</p>
<p style="text-align: justify; ">So the question before us is: Are these two rights – the right to transparency and the right to privacy – compatible? Is it a zero-sum game? Do we have to sacrifice one right to enforce the other? Unfortunately, many privacy and transparency activists think this is the case and this has resulted in some conflict. I suggest that these rights are completely compatible when it comes to addressing the question of power. These rights do not have to be balanced against one another. There is no need to settle for a sub-optimal solution. <b>Rather, this is an optimization problem and the solution is as follows: privacy protections must be inversely proportionate to power and, as Julian Assange says, transparency requirements should be directly proportionate to power.</b><a href="#fn*" name="fr*">[*] </a></p>
<p style="text-align: justify; ">In most privacy laws, the public interest is an exception to privacy. If public interest is being undermined, then an individual's privacy can be infringed upon by the state, by researchers, by the media, etc. And in transparency law, privacy is the exception. If the privacy of an individual can be infringed, transparency is not required unless it is in the public interest. In other words, the “public interest” test allows us to use privacy law and transparency law to address power asymmetries rather than exacerbate them. What constitutes “public interest” is of course left to courts, privacy regulators, and transparency regulators to decide. Like privacy, there are many other exceptions in any given transparency regime including confidentiality and secrecy. Given the uneven quality of case law, there will be a temptation by the corrupt to conflate exceptions. Here the old common-law principle of “there is no confidence as to the disclosure of iniquity” – which prevents confidentiality law from being used to cover malfeasance or illegality – can be adopted in appropriate jurisdictions.</p>
<p style="text-align: justify; ">Around 10 years ago, the transparency movement gave birth to yet another movement – the open government data movement. The tension between privacy and transparency is most clearly seen in the open government data movement. The open government data movement in some parts of the world is dominated by ahistorical and apolitical technologists, and some of them seem intent on reinventing the wheel. In India, ever since the enactment of the Right to Information Act, 2003, 30 transparency activists are either killed, beaten or criminally intimidated every year. This is the statistic from media coverage alone. Many more silently suffer. RTI or transparency is without a doubt one of the most dangerous sectors within civil society that you could choose to work in. In contrast, not a single open data activist has ever been killed, beaten or criminally intimidated. I suspect this is because open data activists do not sufficiently challenge power hierarchies. Let us look a little more closely at their work cycle. When a traditional transparency activist asks a question, that is usually enough to get them into trouble. When an open data activist publishes an answer [a dataset nicely scrubbed and machine readable, or a visualization, or a tool] they are often frustrated because nobody seems interested in using it. Often even the activist is unclear what the question is. This is because open data activists work where data is available. Open data activists are obsessed with big datasets, which are easier to find at the bottom of the pyramid. They contribute to growing surveillance practices [the nexus between Internet giants, states, and the security establishment] rather than focusing on sousveillance [citizen surveillance of the state, also referred to as citizen undersight or inverse surveillance]. They seem to be obsessed only with tools and technologies, rather than power asymmetries and injustices.</p>
<p style="text-align: justify; ">Finally, a case study to make my argument easier to understand – Aadhaar or UID, India’s ambitious centralized biometric identity and authentication management system. There are many serious issues with its centralized topology, proprietary technology, and dependence on biometrics as authentication factors – all of which I have written about in the past. In this article, I will explain how my optimization solution can be applied to the project to make it more effective in addressing its primary problem statement that corruption is a necessary outcome of power asymmetries in India.</p>
<p style="text-align: justify; ">In its current avatar – the Aadhaar project hopes to assign biometric-based identities to all citizens. The hope is that, by doing authentication in the last mile, corruption within India’s massive subsidy programmes will be reduced. This, in my view, might marginally reduce retail corruption at the bottom of the pyramid. It will do nothing to address wholesale corruption that occurs as subsidies travel from the top to the bottom of the pyramid. I have advocated over the last two years that we should abandon trying to issue biometric identities to all citizens, thereby making them more transparent to the state. Let us instead issue Aadhaar numbers to all politicians and bureaucrats and instead make the state more transparent to citizens. There is no public interest in reducing privacy for ordinary citizens – the powerless – but there are definitely huge public interest benefits to be secured by increasing transparency of politicians and bureaucrats, who are the powerful.</p>
<p style="text-align: justify; ">The Indian government has recently introduced a biometric-based attendance system for all bureaucrats and has created a portal that allows Indian citizens to track if their bureaucrats are arriving late or leaving early. This unfortunately is just bean counting [for being corrupt and being punctual are not mutually exclusive] and public access to the national portal was turned off because of legitimate protests from some of the bureaucrats. What bureaucrats do in office, who they meet, and which documents they process is more important than when they arrive at or depart from work. The increased transparency or reduced privacy was not contributing to the public interest.</p>
<p style="text-align: justify; ">Instead of first going after small-ticket corruption at the bottom of the pyramid, maximization of public interest requires us to focus on the top, for there is much greater ROI for the anti-corruption rupee. For example: constructing digital-signature-based audit trails that track all funds and subsidies as they move up and down the pyramid. These audit trails must be made public so that ordinary villagers can be supported by open data activists, journalists, social entrepreneurs, and traditional civil society in verification and course correction.</p>
<p style="text-align: justify; ">I hope open data activists, data scientists, and big data experts will draw inspiration from the giants of the transparency movement in India. I hope they will turn their attention to power, examine power asymmetries and then ask how the Aadhaar project can be leveraged to make India more rather than less equal.</p>
<h3 style="text-align: justify; ">Videos</h3>
<table class="plain">
<tbody>
<tr>
<th>
<p style="text-align: justify; ">Open Up? 2014: Risky Business: Transparency, Technology, Security, and Human Rights</p>
</th>
</tr>
<tr>
<td><iframe frameborder="0" height="315" src="http://www.youtube.com/embed/tDf8TFjxqiQ" width="560"></iframe></td>
</tr>
<tr>
<td><b>Open Up? 2014: Data Collection and Sharing: Transparency and the Private Sector</b></td>
</tr>
<tr>
<td><iframe frameborder="0" height="315" src="http://www.youtube.com/embed/lPHWkYZjqzo" width="560"></iframe></td>
</tr>
</tbody>
</table>
<p>The videos can also be watched on Vimeo:</p>
<ol>
<li><a class="external-link" href="http://vimeo.com/111729069">Open Up? 2014: Risky Business: Transparency, Technology, Security, and Human Rights </a></li>
<li><a class="external-link" href="http://vimeo.com/111748146">Open Up? 2014: Data Collection and Sharing: Transparency and the Private Sector </a></li>
</ol>
<hr />
<p>[<a href="#fr*" name="fn*">*</a>].<a class="external-link" href="http://prospect.org/article/real-significance-wikileaks">http://prospect.org/article/real-significance-wikileaks</a> “Transparency should be proportional to the power that one has.”</p>
<p>Read the presentation on Risky Business: Transparency, Technology, Security and Privacy made at the Pecha Kucha session <a href="http://editors.cis-india.org/openness/blog-old/risky-business.odp" class="internal-link">here</a>. (ODP File, 35 kb)</p>
<p style="text-align: justify; "><i>Disclaimer: The views, opinions, and positions expressed by the author(s) of this blog are theirs alone, and do not necessarily reflect the views, opinions, or positions of Omidyar Network. We make no representations as to accuracy, completeness, timeliness, suitability or validity of any information presented by individual authors of the blogs and will not be liable for any errors, omissions, or delays in this information or any losses, injuries or damages arising from its display or use.</i></p>
No publisher | sunil | Privacy, Featured, Video, Aadhaar, Openness, Open Access | 2015-03-08T06:26:21Z | Blog Entry
Privacy issues exist even without Aadhaar
http://editors.cis-india.org/internet-governance/news/livemint-november-23-2017-ronald-abraham-privacy-issues-exist-even-without-aadhaar
<b>There is a critical need for a data privacy regulator to penalize unauthorized disclosure of personal information.</b>
<p class="S3l" id="U201037011049bCI" style="text-align: justify; ">The article by Ronald Abraham was <a class="external-link" href="http://www.livemint.com/Opinion/EXF3WVKLQPW2h0740hiI0K/Privacy-issues-exist-even-without-Aadhaar.html">published by Livemint</a> on November 15, 2017.</p>
<hr />
<p class="S3l" style="text-align: justify; ">In part I, I argued that while Aadhaar can be a tool to infringe upon our right to privacy, it is merely one such; there exist other tools that can be similarly exploited. This becomes evident when you analyse each privacy issue related to Aadhaar using the National Privacy Principles framework, and compare Aadhaar’s data privacy risks to other national ID systems. We need an independent data privacy regulator, backed by a robust law, to safeguard against the risks.</p>
<p id="U201037011049J0E" style="text-align: justify; ">Here, we explore two such data privacy issues: data disclosure and voluntariness (database linking was analysed in part I).</p>
<p id="U201037011049BBC" style="text-align: justify; "><b>Data disclosure</b></p>
<p id="U201042241798niD" style="text-align: justify; ">According to the National Privacy Principle on data disclosure, “a data controller shall not disclose personal information to third parties, except after providing notice and seeking informed consent from the individual for such disclosure”.</p>
<p id="U201037011049oa" style="text-align: justify; ">On paper, the Aadhaar Act appears compliant with this principle as Section 29 prohibits the disclosure of personal information. Exceptions exist for courts to request demographic data, and for joint secretaries and higher ranks to request biometric data; the latter on the grounds of “national security”. However, greater clarity is required on whether individuals will be informed of data disclosures.</p>
<p id="U20103701104959D" style="text-align: justify; ">In practice, however, data disclosures well beyond these exceptions have taken place. A study by the Centre for Internet and Society found that nearly 130 million Aadhaar numbers had been published online by four government departments. In many cases, these were published along with information on “caste, religion, address, photographs and financial information”. If someone manages to steal these individuals’ fingerprints as well (which is becoming less difficult), one possibility is that Aadhaar-linked bank accounts can be cleaned out using micro-ATMs.</p>
<p id="U201037011049b9D" style="text-align: justify; ">Demographic data disclosure, however, is not limited to Aadhaar. For transparency reasons, state election commission websites disclose the personal information of every person registered to vote online. Agencies scrape these databases and sell them.</p>
<p id="U201037011049qmE" style="text-align: justify; ">Like database linking, the onus of abiding by the principle of data disclosure is on the “data controller”. The four government agencies that disclosed Aadhaar data—not the Unique Identification Authority of India (UIDAI)—are the relevant data controllers in this case. However, UIDAI has not pressed charges against them; under the Aadhaar Act, it is solely authorized to do so. Given UIDAI’s role of working with the government to enable and encourage the use of Aadhaar, it should not also be responsible for regulating them. Additionally, the Election Commission’s data disclosure norms demonstrate that the issue is bigger than Aadhaar.</p>
<p id="U201037011049aJG" style="text-align: justify; ">This, therefore, points to the critical need for a data privacy regulator to investigate and penalize unauthorized disclosure of sensitive personal information. A strong regulator, with a clear law, will also serve as an effective deterrent for negligent disclosure practices.</p>
<p id="U20103701104940E" style="text-align: justify; "><b>Voluntariness</b></p>
<p id="U201042241798x6G" style="text-align: justify; ">The ability to voluntarily opt in and out of data systems, based on informed consent, is central to the National Privacy Principle of “Choice and Consent”. Once an individual opts in, the principle clarifies that they “also have an option to withdraw (their) consent given earlier to the data controller”.</p>
<p id="U2010370110497V" style="text-align: justify; ">With regard to opting in, UIDAI has maintained that Aadhaar enrolment is voluntary. However, Section 7 of the Aadhaar Act and various orders by government agencies require Aadhaar to access basic services. Though exceptions are allowed, in practice they are implemented inconsistently, making Aadhaar near-mandatory.</p>
<p id="U201037011049aIB" style="text-align: justify; ">To be sure, the choice principle states that data controllers can choose not to provide services if an individual doesn’t consent to provide data, “if such information is necessary for providing the goods or services”. However, we need more explicit guidelines on what features satisfy this condition, something that can be defined in a data privacy law.</p>
<p id="U2010370110492NG" style="text-align: justify; ">With regard to opting out, no such UIDAI provision exists. One argument is that more data increases UIDAI’s capability to establish the uniqueness of new enrollees. However, it is unclear why this is the case because even if millions opt out of Aadhaar, UIDAI’s ability to guarantee the uniqueness of new enrollees compared to existing enrollees doesn’t diminish.</p>
<p id="U2010370110497iF" style="text-align: justify; ">While voluntariness is actively discussed with Aadhaar, the same is not true for other IDs and data initiatives. For example, fingerprints are collected to issue Indian passports, but the use of this is not clear—raising concerns around voluntariness as well as purpose limitation.</p>
<p id="U201037011049iuF" style="text-align: justify; ">Through this analysis, it becomes clear that data privacy issues exist even without Aadhaar. To tackle the risks to privacy, India requires a strong, competent and independent data privacy regulator, backed by a robust law.</p>
<p id="U2010370110496aE" style="text-align: justify; ">With the recent Supreme Court judgement and upcoming hearings, we have a unique opportunity to strengthen our institutional ability to manage future risks. We must seize this opportunity to try and secure a privacy-protected future.</p>
<p id="U201042241798wAI" style="text-align: justify; "><i>Ronald Abraham is a partner at IDinsight and co-author of </i>‘State of Aadhaar’ report 2016-17.</p>
<p id="U2010370110495sF" style="text-align: justify; "><i>Research contributions from Shreya Dubey and Akash Pattanayak.</i></p>
No publisher | Admin | Aadhaar, Internet Governance, Privacy | 2017-11-23T16:12:11Z | News Item
Privacy is not a unidimensional concept
http://editors.cis-india.org/internet-governance/privacy-is-not-a-unidimensional-concept
<b>Right to privacy is important not only for our negotiations with the information age but also to counter the transgressions of a welfare state. A robust right to privacy is essential for all citizens in India to defend their individual autonomy in the face of invasive state actions purportedly for the public good. The ruling of this nine-judge bench will have far-reaching impact on the extent and scope of rights available to us all.</b>
<div>This article, written by Amber Sinha, was published in the <a class="external-link" href="http://economictimes.indiatimes.com/news/politics-and-nation/aadhar-privacy-is-not-a-unidimensional-concept/articleshow/59716562.cms">Economic Times</a> on July 23, 2017. </div>
<div>
<br /></div>
<div>In a disappointing case of judicial evasion by the apex court,
it has taken over 600 days since a reference order passed on
August 11, 2015, for this bench to be constituted. Over two days
of arguments, the counsels for the petitioners have presented
before the court why the right to privacy, despite not finding a
mention in the Constitution of India, is a fundamental right
essential to a person’s dignity and liberty, and must be read into
not one but multiple articles of the Constitution. The government
will make its arguments in the coming week.</div>
<div>One must wonder why we are debating the contours of the right
to privacy, which 40 years of jurisprudence had lulled us into
believing we already had. The answer to that can be found in a
series of hearings in the Aadhaar case that began in 2012. Justice
KS Puttaswamy, a former Karnataka High Court judge, filed a
petition before the Supreme Court, questioning the validity of the
Aadhaar project due to its lack of legislative basis (since then the
Aadhaar Act was passed in 2016) and its transgressions on our
fundamental rights. Over time, a number of other petitions also
made their way to the apex court, challenging different aspects of
the Aadhaar project. Since then, five different interim orders by
the Supreme Court have stated that no person should suffer because
they do not have an Aadhaar number. Aadhaar, according to the
court, could not be made mandatory to avail benefits and services
from government schemes. Further, the court has limited the use of
Aadhaar to specific schemes: LPG, PDS, MGNREGA, National Social
Assistance Programme, the Pradhan Mantri Jan Dhan Yojna and EPFO.<br />
<br /></div>
<div>The real spanner in the works in the progress of this case was
the stand taken by Mukul Rohatgi, then attorney general of India
who, in a hearing before the court in July 2015, stated that there
is no constitutionally guaranteed right to privacy. His reliance
was on two Supreme Court judgments in MP Sharma v Satish Chandra
(1954) and Kharak Singh v State of Uttar Pradesh (1962): both
cases, decided by eight- and six-judge benches respectively,
denied the existence of a constitutional right to privacy. As the
subsequent judgments which upheld the right to privacy were by
smaller benches, Rohatgi claimed that MP Sharma and Kharak Singh
still prevailed over them, until they were overruled by a larger
bench.</div>
<div>The reference to a larger bench has since delayed the entire
matter, even as a number of government schemes have made Aadhaar
mandatory. This reading of privacy as a unidimensional concept by
the courts is, with due respect, erroneous. Privacy, as a concept,
includes within its scope, spatial, familial, informational and
decisional aspects. We all have a legitimate expectation of
privacy in our private spaces, such as our homes, and in our
personal relationships. Similarly, we must be able to exercise
some control over how personal data, like our financial
information, are disseminated. Most importantly, privacy gives us
the space to make autonomous choices and decisions without
external interference. All these dimensions of privacy must stand
as distinct rights. In MP Sharma, the court rejected a certain
aspect of the right of privacy by refusing to acknowledge a right
against search and seizure. This in no way prevented the court,
even in the form of a smaller bench, from ruling on any other
aspects of privacy, including those that are relevant to the
Aadhaar case.</div>
<div> </div>
<div>The limited referral to this bench means that the court will
have to rule on the status of privacy and its possible limitations
in isolation, without even going into the details of the Aadhaar
case (based on the nature of protection that this bench accords to
privacy, the petitioners and defendants in the Aadhaar case will
have to argue afresh on whether the project does impede on this
most fundamental right). There are no facts of the case to ground
the legal principles in, and defining the contours of a right can
be a difficult exercise. The court must be wary of how any limits
they put on the right may be used in future. Equally, it is
important to articulate that any limitations on the right to
privacy due to competing interests such as national security and
public interest must be imposed only when necessary and always be
proportionate. <br />
<br /></div>
<p>
It will not be enough for the court to merely state that we have a
constitutional right to privacy. They would be well advised to cut
through the muddle of existing privacy jurisprudence, and
unequivocally establish the various facets of the right. Without
that, we may not be able to withstand the modern dangers of
surveillance, denial of bodily integrity and self-determination
through forcible collection of information. The nine judges, in
their collective wisdom, must not only ensure that we have a right
to privacy, but also clearly articulate a robust reading of this
right capable of withstanding the growing interferences with our
autonomy.</p>
<div> </div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/privacy-is-not-a-unidimensional-concept'>http://editors.cis-india.org/internet-governance/privacy-is-not-a-unidimensional-concept</a>
</p>
No publisher | amber | Internet Governance, Aadhaar, Data Protection, Privacy | 2017-08-07T08:02:20Z | Blog Entry

Privacy is culture specific, MNCs hit by Aadhaar, says TRAI chief
http://editors.cis-india.org/internet-governance/news/indian-express-june-1-2017-pranav-mukul-privacy-is-culture-specific-mncs-hit-by-aadhaar-says-trai-chief
<b>A clutch of petitions filed by those opposing what they call the unchecked use of Aadhaar is currently in the Supreme Court. </b>
<p style="text-align: justify; ">The article by Pranav Mukul was published in the <a href="http://indianexpress.com/article/india/privacy-is-culture-specific-mncs-hit-by-aadhaar-says-trai-chief-4683613/">Indian Express</a> on June 1, 2017.</p>
<hr />
<p style="text-align: justify; ">Questioning the anti-Aadhaar campaigns by non-governmental organisations and civil society groups, Telecom Regulatory Authority of India’s (TRAI) Chairman R S Sharma, who is also the former Director General of Unique Identification Authority of India (UIDAI), said that various multinational companies were being affected by Aadhaar as it was in conflict with their attempts to create their own database of users.</p>
<p style="text-align: justify; ">“It’s making a mountain out of a molehill. There are motivated campaigns being launched. Various multinationals are getting affected. There are companies, which are creating their own identities. Someone has called it digital colonisation. The fingerprint scanners on smartphones can be easily used for authenticating Aadhaar but they don’t allow it. A lot of fraudulent or benami transactions can go down because of Aadhaar,” Sharma told The Indian Express. While he refused to elaborate on these multinationals, the remarks are an apparent reference to Silicon Valley giants such as <a href="http://indianexpress.com/about/facebook/">Facebook</a> and <a href="http://indianexpress.com/about/google/">Google</a>.</p>
<p style="text-align: justify; ">Sharma’s remarks come at a time when civil society groups have flagged serious concerns on issues such as privacy and accountability that arise from the Centre’s increasing use of Aadhaar. A clutch of petitions filed by those opposing what they call the unchecked use of Aadhaar is currently in the Supreme Court.</p>
<p style="text-align: justify; ">Recently, a Bengaluru-based NGO — Centre for Internet & Society (CIS) — released a report suggesting 130 million Aadhaar numbers were leaked on government portals. CIS later updated its report to say that there were no “leaks” or “leakages” but a “public disclosure”. The UIDAI served a show-cause notice to CIS, asking it to explain its claims.</p>
<p style="text-align: justify; ">The TRAI chairman defended UIDAI’s decision to send the notice to CIS and said that there were no leakages from Aadhaar, or decryption of biometric data from the UIDAI server. At the same time, Sharma made a case for having a comprehensive data protection law in the country. “There is a need for a larger data protection law. In today’s digitally connected world, data protection law is a must. Data security, its protocols, rules, responsibilities, accountabilities, damage, payments, compensations, all these issues must come in that law,” he said.</p>
<p style="text-align: justify; ">“Aadhaar Act, itself, is very self-contained, which takes into account all data protection and privacy issues,” Sharma said, adding that privacy was a cultural concept. “Privacy is a culture specific concept, which they are trying to import here. Except for NGOs, has any individual or poor person complained, or filed a case about privacy?” he asked.</p>
<p style="text-align: justify; ">In a recent interview to The Indian Express, Minister of Law & Justice and Electronics & Information Technology Ravi Shankar Prasad had tried to allay fears of any loopholes in the Aadhaar security system and said “this systematic campaign against Aadhaar comes as a surprise for me”. He said that the voter ID information was also in public domain, but “I don’t see any campaign there”.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/indian-express-june-1-2017-pranav-mukul-privacy-is-culture-specific-mncs-hit-by-aadhaar-says-trai-chief'>http://editors.cis-india.org/internet-governance/news/indian-express-june-1-2017-pranav-mukul-privacy-is-culture-specific-mncs-hit-by-aadhaar-says-trai-chief</a>
</p>
No publisher | praskrishna | Aadhaar, Internet Governance, Privacy | 2017-06-07T13:57:08Z | News Item

Privacy in the Age of Big Data
http://editors.cis-india.org/internet-governance/blog/asian-age-amber-sinha-april-10-2017-privacy-in-the-age-of-big-data
<b>Personal data is freely accessible, shared and even sold, and those to whom this information belongs have little control over its flow.</b>
<p style="text-align: justify; ">The article was published in the <a class="external-link" href="http://www.asianage.com/india/all-india/100417/privacy-in-the-age-of-big-data.html">Asian Age</a> on April 10, 2017.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">In 2011 it was estimated that the quantity of data produced globally surpassed 1.8 zettabytes. By 2013, it had increased to 4 zettabytes. This is a result of digital services which involve constant data trails left behind by human activity. This expansion in the volume, velocity, and variety of data available, together with the development of innovative forms of statistical analytics on the data collected, is generally referred to as “Big Data”. Despite significant (though largely unrealised) promises about Big Data, which range from improved decision-making, increased efficiency and productivity to greater personalisation of services, concerns remain about the impact of such datafication of all human activity on an individual’s privacy. Privacy has evolved into a sweeping concept, including within its scope matters pertaining to control over one’s body, physical space in one’s home, protection from surveillance, and from search and seizure, protection of one’s reputation as well as one’s thoughts. This generalised and vague conception of privacy not only comes with great judicial discretion, it also thwarts a fair understanding of the subject. Robert Post called privacy a concept so complex and “entangled in competing and contradictory dimensions, so engorged with various and distinct meanings”, that he sometimes “despairs whether it can be usefully addressed at all”.</p>
<p style="text-align: justify; ">This also leaves the idea of privacy vulnerable to considerable suspicion and ridicule. However, while there is a lack of clarity over the exact contours of what constitutes privacy, there is general agreement over its fundamental importance to our ability to lead whole lives. In order to understand the impact of datafied societies on privacy, it is important to first delve into the manner in which we exercise our privacy. The ideas of privacy and data management that are prevalent can be traced to the Fair Information Practice Principles (FIPP). These principles are the forerunners of most privacy regimes internationally, such as the OECD Privacy Guidelines, APEC Framework, or the nine National Privacy Principles articulated by the Justice A.P. Shah Committee Report. All of these frameworks have rights to notice, consent and correction, and how the data may be used, as their fundamental principles. It makes the data subject the decision-making agent about where and when her/his personal data may be used, by whom, and in what way. The individual needs to be notified and his consent obtained before his personal data is used. If the scope of usage extends beyond what he has agreed to, his consent will be required for the increased scope.</p>
<p style="text-align: justify; ">In theory, this system sounds fair. Privacy is a value tied to the personal liberty and dignity of an individual. It is only appropriate that the individual should be the one holding the reins and taking the large decisions about the use of his personal data. This makes the individual empowered and allows him to weigh his own interests in exercising his consent. The allure of this paradigm is that in one elegant stroke, it seeks to ensure that consent is informed and free and also to implement an acceptable trade-off between privacy and competing concerns. This approach worked well when the number of data collectors was smaller and the uses of data were narrower and more defined. Today’s infinitely complex and labyrinthine data ecosystem is beyond the comprehension of most ordinary users. Despite a growing willingness to share information online, most people have no understanding of what happens to their data.</p>
<p style="text-align: justify; ">The quantity of data being generated is expanding at an exponential rate. From smartphones and televisions, trains and airplanes, sensor-equipped buildings and even the infrastructures of our cities, data now streams constantly from almost every sector and function of daily life, “creating countless new digital puddles, lakes, tributaries and oceans of information”. The inadequacy of the regulatory approaches and the absence of a comprehensive data protection regulation is exacerbated by the emergence of data-driven business models in the private sector and the adoption of data-driven governance approach by the government. The Aadhaar project, with over a billion registrants, is intended to act as a platform for a number of digital services, all of which produce enormous troves of data. The original press release by the Central Government reporting the approval by the Cabinet of Ministers of the Digital India programme, speaks of “cradle to grave” digital identity as one of its vision areas.</p>
<p style="text-align: justify; ">While the very idea of the government wanting to track its citizens’ lives from cradle to grave is creepy enough in itself, let us examine for a minute what this form of datafied surveillance will entail. A host of schemes under Digital India shall collect and store information through the life cycle of an individual. The result, as we can see, is building databases on individuals, which when combined, will provide a 360 degree view into the lives of individuals. Alongside the emergence of India Stack, a set of APIs built on top of the Aadhaar, conceptualised by iSPIRT, a consortium of select IT companies from India, to be deployed and managed by several agencies, including the National Payments Corporation of India, promises to provide a platform over which different private players can build their applications.</p>
<p style="text-align: justify; ">The sum of these interconnected parts will lead to a complete loss of anonymity, greater surveillance and impact free speech and individual choice. The move towards a cashless economy — with sharp nudges from the government — could lead to a lack of financial agency in case of technological failures as has been the case in experiments with digital payments in Africa. Lack of regulation in emerging data driven sectors such as Fintech can enable predatory practices where the right to remotely deny financial services can be granted to private sector companies. An architecture such as IndiaStack enables datafication of financial transactions in a way that enables linked and structured data that allows continued use of the transaction data collected. It is important to recognise that at the stage of giving consent, there are too many unknowns for us to make informed decisions about the future uses of our personal data. Despite blanket approvals allowing any kind of use granted contractually through terms of use and privacy policies, there should be legal obligations overriding this consent for certain kinds of uses that may require renewed consent.</p>
<p style="text-align: justify; "><b>Biometrics-based identification in UK: </b>In 2005, researchers from the London School of Economics and Political Science came out with a detailed report on the UK Identity Cards Bill (‘UK Bill’) — the proposed legislation for a national identification system based on biometrics. The project also envisaged a centralised database (as in India) that would store personal information along with the entire transaction history of every individual. The report argued strongly against centralised storage of information and suggested alternatives such as a system based on smartcards (where biometrics are stored on the card itself) or offline biometric-reader terminals.</p>
<p style="text-align: justify; ">As per the report, the alternatives would also have been cheaper as neither required real-time online connectivity. In India, online authentication is a far greater challenge. According to the Network Readiness Index, 2016, India ranks 91, whereas the UK is placed eighth. Poor Internet connectivity can raise a lot of problems in the future including paralysis of transactions. The UK identification project was subsequently discarded as a result of the privacy and cost considerations raised in this report.</p>
<h3 style="text-align: justify; ">Aadhaar: Privacy concerns</h3>
<ol style="text-align: justify; ">
<li>Once the data is collected through National Information Utilities, it will be privatised and controlled by private utilities.</li>
<li>Once an individual’s data is entered in the system, it cannot be deleted. That individual will have no control over it.</li>
<li>Aadhaar Data (Demographic details along with photographs) are shared/transferred with the private entities including telecom companies as per the Aadhaar (Targeted delivery of Financial and other subsidies, benefits and services) Act, 2016 with the consent of Aadhaar number holder to fulfil their e-KYC requirements. The data is shared in encrypted form through secured channel.</li>
<li>Aadhaar Enabled Payment System (AEPS) on which 119 banks are live.</li>
<li>More than 33.87 crore transactions have taken place through AEPS, which was only 46 lakhs in May 2014.</li>
<li>As on 30-9-2016, 78 government schemes were linked to Aadhaar.</li>
<li>The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, provides that no core-biometric information (fingerprints, iris scan) shall be shared with anyone for any reason whatsoever (Sec 29) and that the biometric information shall not be used for any purpose other than generation of Aadhaar and authentication.</li>
<li>Access to the data repository of UIDAI, called the Central Identities Data Repository (CIDR), is provided to third parties or private companies.</li>
</ol>
<p style="text-align: justify; "><b>Central Monitoring System</b> (CMS) is already live in Delhi, New Delhi and Mumbai. Union minister Ravi Shankar Prasad revealed this in one of his replies in the Lok Sabha last year. CMS has been set up to automate the process of Lawful Interception & Monitoring of telecommunications.</p>
<p style="text-align: justify; "><b>Lawful Intercept </b>and Monitoring (LIM) systems are used by the Indian Government to intercept records of voice, SMSes, GPRS data, details of a subscriber’s application and recharge history and call detail record (CDR) and monitor Internet traffic, emails, web-browsing, Skype and any other Internet activity of Indian users.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/asian-age-amber-sinha-april-10-2017-privacy-in-the-age-of-big-data'>http://editors.cis-india.org/internet-governance/blog/asian-age-amber-sinha-april-10-2017-privacy-in-the-age-of-big-data</a>
</p>
No publisher | amber | Internet Governance, Aadhaar, Big Data, Privacy | 2017-04-11T14:43:59Z | Blog Entry

Privacy Concerns Overshadow Monetary Benefits of Aadhaar Scheme
http://editors.cis-india.org/internet-governance/blog/hindustan-times-amber-sinha-pranesh-prakash-march-12-2016-privacy-concerns-overshadow-monetary-benefits-of-aadhaar-scheme
<b>Since its inception in 2009, the Aadhaar system has been shrouded in controversy over issues of privacy, security and viability. It has been implemented without a legislative mandate and has resulted in a PIL in the Supreme Court, which referred it to a Constitution bench. On Friday, it kicked up more dust when the Lok Sabha passed a Bill to give statutory backing to the unique identity number scheme.</b>
<p style="text-align: justify; ">The article was published in the <a class="external-link" href="http://www.hindustantimes.com/india/privacy-concerns-overshadow-monetary-benefits-of-aadhaar-scheme/story-E3o0HRwc6XOdlgjqgmmyAM.html">Hindustan Times </a>on March 12, 2016.</p>
<hr />
<p style="text-align: justify; ">There was an earlier attempt to give legislative backing to this project by the UPA government, but a parliamentary standing committee, led by BJP leader Yashwant Sinha, had rejected the bill in 2011 on multiple grounds. In an about-turn, the BJP-led NDA government decided to continue with Aadhaar despite most of those grounds still remaining.</p>
<p style="text-align: justify; ">Separately, there have been orders passed by the Supreme Court that prohibit the government from making Aadhaar mandatory for availing government services whereas this Bill seeks to do precisely that, contrary to the government’s argument that Aadhaar is voluntary.</p>
<p style="text-align: justify; ">In some respects, the new Aadhaar Bill is a significant improvement over the previous version. It places stringent restrictions on when and how the UID Authority (UIDAI) can share the data, noting that biometric information — fingerprint and iris scans — will not be shared with anyone. It seeks prior consent for sharing data with third parties. These are very welcome provisions.</p>
<p style="text-align: justify; ">But a second reading reveals the loopholes.</p>
<p style="text-align: justify; ">The government will get sweeping power to access the data collected, ostensibly for “efficient, transparent, and targeted delivery of subsidies, benefits and services” as it pleases “in the interests of national security”, thus confirming the suspicions that the UID database is a surveillance programme masquerading as a project to aid service delivery.</p>
<p style="text-align: justify; ">The safeguards related to accessing the identification information can be overridden by a district judge. Even the core biometric information may be disclosed in the interest of national security on directions of a joint secretary-level officer. Such loopholes nullify the privacy-protecting provisions.</p>
<p style="text-align: justify; ">Amongst the privacy concerns raised by the Aadhaar system are the powers it provides private third parties to use one’s UID number. This concern, which wouldn’t exist without a national ID, squarely relates to Aadhaar and needs a more comprehensive data protection law to fix it. The supposed data protection under the Information Technology Act is laughable and inadequate.</p>
<p style="text-align: justify; ">The Bill was introduced as a Money Bill, normally reserved for matters related to taxation, borrowing and the Consolidated Fund of India (CFI), and it would be fair to question whether this was done to circumvent the Rajya Sabha.</p>
<p style="text-align: justify; ">None of the above arguments even get to the question of implementation.</p>
<p style="text-align: justify; ">Aadhaar hasn’t been working. When looking into reasons why 22% of PDS cardholders in Andhra Pradesh didn’t collect their rations it was found that there was fingerprint authentication failure in 290 of the 790 cardholders, and in 93 instances there was an ID mismatch. A recent paper in the Economic and Political Weekly by Hans Mathews, a mathematician with the CIS, shows the programme would fail to uniquely identify individuals in a country of 1.2 billion.</p>
<p style="text-align: justify; ">The debate shouldn’t be only about the Aadhaar Bill being passed off as a Money Bill and about the robustness of its privacy provisions, but about whether the Aadhaar project can actually meet its stated goals.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/hindustan-times-amber-sinha-pranesh-prakash-march-12-2016-privacy-concerns-overshadow-monetary-benefits-of-aadhaar-scheme'>http://editors.cis-india.org/internet-governance/blog/hindustan-times-amber-sinha-pranesh-prakash-march-12-2016-privacy-concerns-overshadow-monetary-benefits-of-aadhaar-scheme</a>
</p>
No publisher | Pranesh Prakash and Amber Sinha | Aadhaar, Internet Governance, Privacy | 2016-03-17T16:12:26Z | Blog Entry

Privacy concerns multiply for Aadhaar, India’s national biometric identity registry
http://editors.cis-india.org/internet-governance/news/one-world-indentity-kaelyn-lowmaster-march-17-2017-privacy-concerns-multiply-for-aadhaar-indias-national-biometric-identity-registry
<b>The largest and most sophisticated biometric identity system of any country in the world, India’s Aadhaar, is sparking new fears that the personal data it stores on more than 1.1 billion people could be vulnerable to exploitation.</b>
<p style="text-align: justify; ">The article by Kaelyn Lowmaster was published by <a class="external-link" href="https://oneworldidentity.com/2017/03/17/privacy-concerns-multiply-aadhaar-indias-national-biometric-identity-registry/">One World Identity</a> on March 17, 2017. Sunil Abraham was quoted.</p>
<hr />
<p style="text-align: justify; ">Aadhaar, which translates to “foundation” in Hindi, is a unique 12-digit code tied to citizens’ <a href="https://oneworldidentity.com/2017/02/02/indias-aadhaar-id-program-improve-biometric-security-new-bionetra-iris-partnership/">biometric data</a> and personal information. The system was launched in 2009 in an effort to extend social services to India’s millions of unregistered citizens, and to cut down on welfare benefit “leakage” resulting from an opaque and often corrupt bureaucracy.</p>
<p style="text-align: justify; ">The government has also looked to Aadhaar data to underpin mobile payment transfer platforms, which have become crucial for cashless transactions during the country’s <a href="https://www.forbes.com/sites/wadeshepard/2016/12/14/inside-indias-cashless-revolution/#d38bb294d124">demonetization push</a> over the past year.</p>
<blockquote class="pullquote" style="text-align: justify; ">But constructing a centralized repository of biometric data on nearly a fifth of the world’s population has raised serious concerns among privacy advocates, who cite several vulnerabilities both with the Aadhaar system and the Modi administration’s planned expansion.</blockquote>
<p style="text-align: justify; ">Despite this, recent metrics indicate that Aadhaar has been enormously successful in achieving those goals. Though the program is theoretically voluntary, <a href="http://timesofindia.indiatimes.com/india/99-of-indians-over-18-now-have-aadhaar/articleshow/56820818.cms">more than 99%</a> of Indian adults are now enrolled. Over <a href="http://www.economist.com/news/business/21712160-nearly-all-indias-13bn-citizens-are-now-enrolled-indian-business-prepares-tap">three billion</a> individual identity verifications have been conducted, and some reports indicate that the Indian government is saving <a href="http://economictimes.indiatimes.com/news/economy/finance/aadhaar-id-saving-indian-govt-about-1-billion-per-annum-world-bank/articleshow/50575112.cms">a billion dollars per year</a> now that welfare subsidies can be paid to citizens directly through Aadhaar-verified fund transfers.</p>
<p style="text-align: justify; ">Prime Minister Narendra Modi has ambitions to broaden the system even further, seeking to use Aadhaar as the gateway for accessing government programs ranging from public education to subsidized cooking gas, as well as partnering with private companies to offer services facilitated by the Aadhaar database.</p>
<p style="text-align: justify; ">Concerns, however, remain. One primary worry is that India’s legal framework for information security is still weak and fragmented, despite government <a href="http://pib.nic.in/newsite/mberel.aspx?relid=158849">assurances</a> that Aadhaar biometrics have never been misused or stolen.</p>
<p style="text-align: justify; ">“There are no regulations in India on safeguards over and procedures for the collection, processing, storage, retention, access, disclosure, destruction, and anonymization of sensitive personal information by any service provider,” according to a 2016 <a href="http://pubdocs.worldbank.org/en/655801461250682317/WDR16-BP-Aadhaar-Paper-Banerjee.pdf">World Bank report</a>.</p>
<p style="text-align: justify; ">A <a href="http://www.livemint.com/Opinion/C4NOYNosPTZuRGjgH7UMLP/Indias-privacy-nonlaw.html">patchwork of rules</a> outlining “reasonable security practices and procedures” for personal data has accumulated since Aadhaar was launched, but there is no codified law outlining how data in the system must be secured, or what penalties exist for potential leaks, fraud or misuse.</p>
<p style="text-align: justify; ">This regulatory gap poses a particularly acute risk now that the government has begun offering companies and app developers support for starting new businesses that use Aadhaar data. Through a new initiative called <a href="https://indiastack.org/about/">IndiaStack</a>, the administration is providing open program interfaces for companies in fintech, healthcare, and other areas to integrate Aadhaar-based transactions into their business platforms. While IndiaStack’s terms of use explicitly state that user consent is required for any information sharing between service providers and the Aadhaar database, doubts remain about the integrity of the network infrastructure and the lack of clarity surrounding acceptable information sharing and storing protocols.</p>
<p style="text-align: justify; ">Another source of concern is the risk that Aadhaar information could be leveraged by the government itself for political purposes.</p>
<p style="text-align: justify; ">“Maintaining a central database is akin to getting the keys of every house in Delhi and storing them at a central police station,” Sunil Abraham, executive director of the Centre for Internet and Society in Bangalore, <a href="http://in.reuters.com/article/india-aadhaar-privacy-fears-idINKCN0WI2JW">told</a> Reuters. “It is very easy to capture iris data of any individual with the use of next generation cameras. Imagine a situation where the police (are) secretly capturing the iris data of protesters and then identifying them through their biometric records.”</p>
<p style="text-align: justify; ">Further stoking fears of federal overreach, the Modi administration has <a href="http://www.thehindu.com/news/national/Supreme-Court-finds-govt.-defying-its-order-on-Aadhaar/article14999391.ece">attempted</a> to make Aadhaar registration mandatory in certain sectors, violating a Supreme Court ruling from October 2015 that enrollment must remain voluntary.</p>
<p style="text-align: justify; ">Still, the benefits of building on the Aadhaar identity system appear to be outweighing the risks for now, and the system is gathering momentum worldwide. The World Bank is <a href="http://www.livemint.com/Politics/UEQ9o8Eo8RiaAaNNMyLbEK/Aadhaar-goes-global-finds-takers-in-Russia-and-Africa.html">helping market</a> the Aadhaar model abroad, and Russia, Morocco, Tunisia, and Algeria have all expressed interest in instituting national biometric identity programs of their own. Microsoft is already <a href="http://economictimes.indiatimes.com/industry/tech/software/microsoft-to-launch-skype-with-aadhaar-seeding-for-banking/articleshow/57299071.cms">on board</a>, and Google is <a href="http://economictimes.indiatimes.com/opinion/interviews/google-in-talks-with-government-to-partner-for-aadhaar-upi-caesar-sengupta-vice-president-next-billion-users-at-google/articleshow/54556320.cms">negotiating</a> ways to get involved.</p>
<p style="text-align: justify; ">Aadhaar may indeed live up to its potential and become the global standard for universal legal identity, but until India can manage to create more robust mechanisms to protect citizens’ personal data, their security could remain uncertain.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/one-world-indentity-kaelyn-lowmaster-march-17-2017-privacy-concerns-multiply-for-aadhaar-indias-national-biometric-identity-registry'>http://editors.cis-india.org/internet-governance/news/one-world-indentity-kaelyn-lowmaster-march-17-2017-privacy-concerns-multiply-for-aadhaar-indias-national-biometric-identity-registry</a>
</p>
No publisher; praskrishna; Aadhaar, Internet Governance, Privacy; 2017-03-22T14:38:52Z; News Item
Press Release, March 15, 2016: The New Bill Makes Aadhaar Compulsory!
http://editors.cis-india.org/internet-governance/blog/press-release-aadhaar-15032016-the-new-bill-makes-aadhaar-compulsory
<b>We published and circulated the following press release on March 15, 2016, to highlight the fact that Section 7 of the Aadhaar Bill, 2016 states that authentication of the person using her/his Aadhaar number can be made mandatory for the purpose of disbursement of government subsidies, benefits, and services; and in case the person does not have an Aadhaar number, s/he will have to apply for Aadhaar enrolment.</b>
<p> </p>
<p>Nandan Nilekani, the former chairperson of the Unique Identification Authority of India, had repeatedly stated that Aadhaar is not mandatory. However, in the last few years various agencies and departments of the government, both at the central and state level, had made it mandatory for availing beneficiary schemes or for the arrangement of salary, provident fund disbursals, promotion, scholarship, opening a bank account, marriages and property registrations. In August 2015, the Supreme Court passed an order mandating that the Aadhaar number shall remain optional for welfare schemes, stating that no person should be denied any benefit for reason of not having an Aadhaar number, barring a few specified services.</p>
<p>The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, however, has not followed this mandate. Section 7 of the Bill states that “a person should be authenticated or give proof of the Aadhaar number to establish his/her identity” “as a condition for receiving subsidy, benefit or service”. Further, it reads, “In the case a person does not have an Aadhaar number, he/she should make an application for enrollment.” The language of the provision is very clear in making enrollment in Aadhaar mandatory, in order to be entitled for welfare services. Section 7 also says that “the person will be offered viable and alternate means of identification for receiving the subsidy, benefit or service”. However, these unspecified alternate means will be made available in the event “an Aadhaar number is not assigned”. This language is vague and it is not clear whether it mandates alternate means of identification for those who choose not to apply for an Aadhaar number for any reason. The fact that it does make it mandatory to apply for an Aadhaar number for persons without it may lead to the presumption that the alternate means are to be made available for those who may have applied for an Aadhaar number but it has not been assigned for any reason. It is also noteworthy that the draft legislation is silent on what the “viable and alternate means of identification” could be. There are a number of means of identification, which are recognised by the state, and a schedule with an inclusive list could have gone a long way in reducing the ambiguity in this provision.</p>
<p>Another aspect of Section 7 which is at odds with the Supreme Court order is that it allows making an Aadhaar number mandatory “for receipt of a subsidy, benefit or service for which the expenditure is incurred” from the Consolidated Fund of India. The Supreme Court had been very specific in articulating that having an Aadhaar number could not be made compulsory except for “any purpose other than the PDS Scheme and in particular for the purpose of distribution of foodgrains, etc. and cooking fuel, such as kerosene” or for the purpose of the LPG scheme. The restriction in the Supreme Court order was with respect to the welfare schemes; however, instead of specifying the schemes, Section 7 specified the source of expenditure from which subsidies, benefits and services can be funded, making the scope much broader. Section 7, in effect, allows the Central Government to circumvent the Supreme Court order if they choose to tie more subsidies, benefits and services to the Consolidated Fund of India.</p>
<p>These provisions run counter to the repeated claims of the government for the last six years that Aadhaar is not compulsory, nor is the specification by the Supreme Court for restricting use of Aadhaar to a few services only, reflected anywhere in the Bill. The “viable and alternate means” clause is too vague and inadequate to prevent denial of benefits to those without an Aadhaar number. The sum effect of these factors is to give the Central Government powers to make Aadhaar mandatory, for all practical purposes.</p>
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/press-release-aadhaar-15032016-the-new-bill-makes-aadhaar-compulsory'>http://editors.cis-india.org/internet-governance/blog/press-release-aadhaar-15032016-the-new-bill-makes-aadhaar-compulsory</a>
</p>
No publisher; Amber Sinha; UID, Big Data, Privacy, Internet Governance, Digital India, Aadhaar, Biometrics; 2016-03-16T10:11:32Z; Blog Entry
Press Release, March 11, 2016: The Law cannot Fix what Technology has Broken!
http://editors.cis-india.org/internet-governance/blog/press-release-aadhaar-11032016-the-law-cannot-fix-what-technology-has-broken
<b>We published and circulated the following press release on March 11, 2016, as the Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. This Bill was proposed by finance minister, Mr. Arun Jaitley to give legislative backing to Aadhaar, being implemented by the Unique Identification Authority of India (UIDAI).</b>
<p> </p>
<p>The Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 today. This Bill was proposed by finance minister, Mr. Arun Jaitley to give legislative backing to Aadhaar, being implemented by the Unique Identification Authority of India (UIDAI).</p>
<p>The Bill was introduced as a money bill and there was no public consultation to evaluate the provisions therein even though there are very serious ramifications for the Right to Privacy and the Right to Association and Assembly. The Bill has made it compulsory for an individual to enrol under Aadhaar in order to receive any subsidy, benefit or service from the Government. Biometric information that is required for the purpose of enrolment has been deemed "sensitive personal information" and restrictions have been imposed on use, disclosure and sharing of such information for purposes other than authentication, disclosure made pursuant to a court order or in the interest of national security. Here, the Bill has acknowledged the standards of protection of sensitive personal information established under Section 43A of the Information Technology Act, 2000. The Bill has also laid down several penal provisions for acts that include impersonation at the time of enrolment, unauthorised access to the Central Identities Data Repository, unauthorised use by requesting entity, noncompliance with intimation requirements, etc.</p>
<h3>Key Issues</h3>
<h4>1. Identification without Consent</h4>
<p>Before the Aadhaar project it was not possible for the Indian government to identify citizens without their consent. But once the government has created a national centralized biometric database it will be possible for the government to identify any citizen without their consent. High-resolution photography and videography make it trivial for governments and also any other actor to harvest biometrics remotely. In other words, the technology makes consent irrelevant. A German minister's fingerprints were captured by hackers as she spoke using hand gestures at a conference. In a similar manner the government can now identify us both as individuals and also as groups without requiring our cooperation. This has direct implications for the right to privacy as we will be under constant government surveillance in the future as CCTV camera resolutions improve and there will be chilling effects on the right to free speech and the freedom of association. The only way to fix this is to change the technology configuration and architecture of the project. The law cannot be used as a band-aid on really badly designed technology.</p>
<h4>2. Fallible Technology</h4>
<p>The technology used for collection and authentication has been said to be fallible. It is understood that the technology has been feasible for a population of 200 million. The Biometrics Standards Committee of UIDAI has acknowledged the lack of data on how a biometric authentication technology will scale up where the population is about 1.2 billion. Further, a report by 4G Identity Solutions estimates that while in any population, approximately 5% of the people have unreadable fingerprints, in India it could lead to a failure to enroll up to 15% of the population.</p>
<p>We know that the Aadhaar number has been issued to dogs and trees (with the Aadhaar letter containing the photo of a tree). There have been slip-ups in the Aadhaar card enrolment process: some cards have ended up with pictures of an empty chair, a tree or a dog instead of the actual applicants. An RTI application has revealed that the Unique Identification Authority of India (UIDAI) has identified more than 25,000 duplicate Aadhaar numbers in the country till August 2015.</p>
<p>At the stage of authentication, the accuracy of biometric identification depends on the chance of a false positive: the probability that the identifiers of two persons will match. For the current population of 1.2 billion the expected proportion of duplicates is 1/121, a ratio which is far too high. A recent paper in EPW by Hans Mathews, a mathematician with CIS, shows that as per UIDAI's own statistics on failure rates, the programme would badly fail to uniquely identify individuals in India. <strong>[1]</strong></p>
<h3>Endnote</h3>
<p><strong>[1]</strong> See: <a href="http://cis-india.org/internet-governance/blog/epw-27-february-2016-hans-varghese-mathews-flaws-in-uidai-process">http://cis-india.org/internet-governance/blog/epw-27-february-2016-hans-varghese-mathews-flaws-in-uidai-process</a></p>
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/press-release-aadhaar-11032016-the-law-cannot-fix-what-technology-has-broken'>http://editors.cis-india.org/internet-governance/blog/press-release-aadhaar-11032016-the-law-cannot-fix-what-technology-has-broken</a>
</p>
No publisher; Japreet Grewal and Sunil Abraham; UID, Big Data, Privacy, Internet Governance, Digital India, Aadhaar, Biometrics; 2016-03-16T10:10:40Z; Blog Entry
Pratap Vikram Singh - Why Aadhaar is Baseless?
http://editors.cis-india.org/internet-governance/news/gov-now-pratap-vikram-singh-17032016-why-aadhaar-is-baseless
<b>This article by Pratap Vikram Singh, Governance Now, discusses the problems emerging out of the UIDAI project due to its lack of mechanisms for informed and granular consent, and for seeking recourse in the case of denial of service. The article quotes Sumandro Chattapadhyay and mentions Hans Varghese Mathews's work on the biometric basis of UIDAI. It was written before the Aadhaar bill was passed in Lok Sabha.</b>
<p> </p>
<p><em>Cross-posted from <a class="external-link" href="http://www.governancenow.com/news/regular-story/baseless-aadhaar">Governance Now</a>.</em></p>
<hr />
<p style="text-align: justify;">It was no less than a roller-coaster ride for Aadhaar, a programme formulated by the UPA government to assign a 12-digit unique number to every Indian resident. From the time it came into being in 2009, Aadhaar drew a volley of criticism, thanks to the misgivings and apprehensions that various critics and civil society organisations had. It was criticised for lack of a clear purpose, degree of effectiveness and absence of a privacy law and was virtually thrown into the bin by a parliamentary panel headed by BJP’s Yashwant Sinha in December 2011.</p>
<p style="text-align: justify;">When the finance minister Arun Jaitley, in his budget speech, announced that the government would introduce the Aadhaar bill during the budget session, expectations were already set high. The bill, giving statutory backing to the unique identification authority of India (UIDAI), the implementing authority, was passed by the Lok Sabha on March 11. While the privacy and voluntary versus mandatory provisions are under the consideration of the supreme court, the bill makes way for linking Aadhaar with all government subsidies, benefits and services. The law on Aadhaar, former UIDAI chairman Nandan Nilekani wrote in the Indian Express, will help the government in going paperless, presence-less and cashless. The legislation, however, fails to deliver on several counts.</p>
<p style="text-align: justify;">However, prior to evaluating the bill (yet to be passed by the Rajya Sabha at the time of this writing though it is a money bill), let us take a look at its major aspects. For those, who always wondered whether Aadhaar is mandatory or voluntary, the bill 2016 makes it mandatory to avail subsidy, benefit or a service from the government.</p>
<p style="text-align: justify;">The bill has provisions related to information security and confidentiality (section 28) which not only extend to employees of the UIDAI but also consultants and external agencies working with the authority.</p>
<p style="text-align: justify;">The proposed law restricts information sharing. It bars UIDAI from sharing core biometric information – the bill defines it as fingerprints and iris scan – with “anyone for any reason whatsoever” or “used for any purpose other than generation of Aadhaar numbers and authentication under this Act”. The section 32 of the bill entitles Aadhaar number holders to access her or his authentication record. It also bars the authority from collecting, keeping or maintaining information about the purpose of authentication.</p>
<h3>Odd Drives the Bill</h3>
<p style="text-align: justify;">While the intent is clear and is aimed at streamlining welfare schemes to ensure it reaches the bottom of the pyramid, cutting through the long chain of pilferage and subversion, the bill, however, has several shortcomings. To begin with, the government should not have taken the money bill route to pass the legislation – tactfully avoiding any conclusive discussion and debate in the Rajya Sabha, where it is in minority.</p>
<p style="text-align: justify;">The bill assumes that the technology and the biometric system used by the UIDAI are flawless and it doesn’t provide any recourse in case of denial of a service. “If your fingerprint is not matching and you lose out on service, then what is the alternative mechanism you have,” asks Sumandro Chattapadhyay, research director, centre for internet and society (CIS). The bill doesn’t provide for recourse. “What if the scanning machine fails? What if the identifiers of two people match?”</p>
<p style="text-align: justify;">Based on experiments conducted in the initial days of the Aadhaar programme, Hans Varghese Mathews, another CIS researcher, did a study on the probability of matching of identifiers of two persons. “For the current population of 1.2 billion the expected proportion of duplicands (users whose identifiers match) is 1/121, a ratio which is far too high,” Mathews wrote in the Economic and Political Weekly in February.</p>
<p style="text-align: justify;">“It is like putting the technology in a black box – which can’t be reviewed,” says Chattapadhyay. The bill doesn’t talk about setting up an independent body to review the logs and keep an eye on wrong and duplicate matches.</p>
<h3>Who Defines National Security?</h3>
<p style="text-align: justify;">According to public policy experts, it is an attempt to seek “minimal legitimacy” from parliament and further adds to the unbridled power of the executive.</p>
<p style="text-align: justify;">Although the bill restricts information sharing in section 29, sections 33 and 48 provide exemption in cases of national security and public emergency, respectively. The legislation, nevertheless, doesn’t elaborate on what constitutes national security and public emergency, leaving it to the executives. The section 33 reads: “Nothing contained in… shall apply in respect of any disclosure of information, including identity information or authentication records, made in the interest of national security….”</p>
<p style="text-align: justify;">Similarly, section 48 states that if, at any time, the central government is of the opinion that a public emergency exists, “the central government may, by notification, supersede the Authority for such period, not exceeding six months, as may be specified in the notification and appoint a person or persons as the president may direct to exercise powers and discharge functions under this Act”.</p>
<p style="text-align: justify;">Says Jayati Ghosh, professor, centre for economic studies and planning, Jawaharlal Nehru University, “National security is a very opaque term. Who decides what national security is? Today, the whole JNU is being projected as a threat to national security.” Swagato Sarkar, associate professor and executive director, Jindal school of government and public policy, OP Jindal Global University, says, “The bill has provisions for oversight on the use of Aadhaar, but then it suspends those provisions in case of emergency in the later sections, giving the state the power to use biometric information for whatever it deems fit.”</p>
<p style="text-align: justify;">Sarkar adds, “It seems the bill is simply an instrument for seeking minimum legitimacy from parliament. The bill tries to address the concern of privacy minimally and it hardly serves any purpose.” He believes that there is a need to define the broader contours of democratic control of the state and reassess the changing state-citizen relationship, instead of rejecting the whole idea on the basis of surveillance and privacy. In other words, there is a need for strong parliamentary oversight, and that the Aadhaar related matters shouldn’t be completely delegated to the executive.</p>
<p style="text-align: justify;">In its recommendations on formulating Privacy Act, the justice AP Shah committee in 2012 provided for establishing the office of privacy commissioner at the regional and central levels, defining the role of self-regulating organisations and co-regulation, and creating a system of complaints and redressal for aggrieved individuals. Since the country still doesn’t have any legislation on privacy, people are left on their own in case of an infringement or violation of privacy. Moreover, section 47 states, “No court shall take cognizance of any offence punishable under this Act, save on a complaint made by the Authority or any officer or person authorised by it.”</p>
<p style="text-align: justify;">In its report, the parliamentary committee headed by Yashwant Sinha notes that “enactment of national data protection law… is a prerequisite for any law that deals with large scale collection of information from individuals and its linkages across separate databases”. The committee notes that in absence of data protection legislation, it would be difficult to deal with issues of access, misuse of personal information, surveillance, profiling, linking and matching of databases and securing confidentiality of information.</p>
<h3>Subsidy-Aadhaar Linkage</h3>
<p style="text-align: justify;">The Sinha committee also takes a cautious view of the role of Aadhaar in curbing leakages in subsidy distribution, as beneficiary identification is done by states. It notes, “Even if the Aadhaar number links entitlements to targeted beneficiaries, it may not even ensure that beneficiaries have been correctly identified. Thus, the present problem of proper identification would persist.”</p>
<p style="text-align: justify;">According to Ghosh, the biggest danger in using Aadhaar for social welfare programmes is that the fingerprints of the rural working class are not always in good shape and hence Aadhaar will not be the best way of identification. “If I am misidentified, I can go to so many places for recourse. But what if a labourer in a remote Jharkhand village is misidentified? Where and whether he would go?” the economist asks. Besides, the bill doesn’t limit the use of Aadhaar or define areas where it can be used. Section 57 says that the law will not prevent the use of Aadhaar number for establishing the identity of an individual for any purpose, “whether by the state or any body corporate or person, pursuant to any law, for the time being in force or any contract to this effect.”</p>
<p style="text-align: justify;">According to a PRS Legislative review, since the bill also allows private persons to use Aadhaar as a proof of identity for any purpose, the provision will open a floodgate and enable private entities such as airlines, telecom, insurance and real estate companies to mandate Aadhaar as a proof of identity for availing their services.</p>
<p style="text-align: justify;">Since the bill doesn’t restrict its application, people will not have a choice to identify themselves other than using Aadhaar when corporate organisations make it mandatory, says Chattapadhyay of the CIS. Adds Sarkar, “The bill should clearly mention sectors or services where Aadhaar will be potentially used (or made mandatory). Every time a new sector or service is added to the list, it is done after parliamentary approval.”</p>
<p style="text-align: justify;">So far, 98 crore people have been assigned an Aadhaar number, and the project has cost Rs 8,000 crore.</p>
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/gov-now-pratap-vikram-singh-17032016-why-aadhaar-is-baseless'>http://editors.cis-india.org/internet-governance/news/gov-now-pratap-vikram-singh-17032016-why-aadhaar-is-baseless</a>
</p>
No publisher; praskrishna; UID, Privacy, Internet Governance, Digital India, Aadhaar, Biometrics; 2016-04-02T05:31:30Z; News Item