The Centre for Internet and Society
http://editors.cis-india.org
These are the search results for the query, showing results 141 to 155.
Can the Judiciary Upturn the Lok Sabha Speaker’s Decision on Aadhaar?
http://editors.cis-india.org/internet-governance/blog/the-wire-amber-sinha-february-21-2017-can-the-judiciary-upturn-the-lok-sabha-speakers-decision-on-aadhaar
<b>When ruling on the petition filed by Jairam Ramesh challenging the passing of the Aadhaar Act as a money Bill, the court has differing precedents to look at.</b>
<p>The article was <a class="external-link" href="https://thewire.in/110795/aadhaar-money-bill-judiciary/">published in the Wire</a> on February 21, 2017.</p>
<hr />
<p style="text-align: justify; ">In <a href="http://thewire.in/2016/04/24/the-aadhaar-act-is-not-a-money-bill-31297/" target="_blank" title="an earlier article">an earlier article</a>, I had argued that the characterisation of the <a href="https://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&cad=rja&uact=8&ved=0ahUKEwj0xo6U_KDSAhVHLo8KHcygCVEQFggvMAQ&url=https%3A%2F%2Fuidai.gov.in%2Fimages%2Fthe_aadhaar_act_2016.pdf&usg=AFQjCNHDmJKdO8jdfGZJKLKRJQpHdf1Frw&sig2=B_YbWncu6eyZHJ1MFTD0NA" rel="external nofollow" target="_blank" title="Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act">Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act</a>, as a money Bill by Sumitra Mahajan, speaker of the Lok Sabha, was erroneous. Specifically, I had argued that upon perusal of Article 110 (1) of the constitution, the Aadhaar Act does not satisfy the conditions required of a money Bill. For a legislation to be classified as a money Bill, it must comprise ‘only’ provisions dealing with the following matters: (a) imposition, regulation and abolition of any tax, (b) borrowing or other financial obligations of the government of India, (c) custody, withdrawal from or payment into the Consolidated Fund of India (CFI) or Contingent Fund of India, (d) appropriation of money out of CFI, (e) expenditure charged on the CFI or (f) receipt or custody or audit of money into CFI or public account of India; or (g) any matter incidental to any of the matters specified in sub-clauses (a) to (f).</p>
<p style="text-align: justify; ">Article 110 is modelled on Section 1(2) of the UK’s Parliament Act, 1911, which also defines money Bills as those only dealing with certain enumerated matters. The use of the word ‘only’ was brought up by Ghanshyam Singh Gupta during the constituent assembly debates. He pointed out that the use of the word ‘only’ limits the scope of money Bills to only those legislations which did not deal with other matters. His amendment to delete the word ‘only’ was rejected, clearly establishing the intent of the framers of the constitution to keep the ambit of money Bills extremely narrow. G.V. Mavalankar, the first speaker of Lok Sabha, had stated that the word ‘only’ must not be construed so as to give an overly restrictive meaning. For instance, a Bill which deals with taxation could have provisions which deal with the administration of the tax. The finance minister, Arun Jaitley, referred to these words by Mavalankar, justifying the classification of the Aadhaar Act as a money Bill.</p>
<p style="text-align: justify; ">While the Aadhaar Bill does make references to benefits, subsidies and services funded by the CFI, even a cursory reading of the Bill reveals its main objectives as creating a right to obtain a unique identification number and providing for a statutory apparatus to regulate the entire process. Any reasonable reading of the legislation would be hard pressed to view all provisions in the Aadhaar Act, aside from the one creating a charge on the CFI, as merely administrative provisions incidental to the creation of such charge. The mere fact of establishing the Aadhaar number as the identification mechanism for benefits and subsidies funded by the CFI does not give it the character of a money Bill. The Bill merely speaks of facilitating access to unspecified subsidies and benefits rather than their creation and provision being the primary object of the legislation. Erskine May’s seminal textbook, Parliamentary Practice, is instructive in this respect and makes it clear that a legislation which simply makes a charge on the consolidated fund does not become a money Bill if otherwise its character is not that of one. Further, the subordinate regulations notified under the Aadhaar Act deal almost entirely with matters to do with enrolment, updation, authentication of the Aadhaar number and related matters such as data security regulations and sharing of information collected, rather than the provision of benefits or subsidies or disbursal of funds otherwise from the CFI.</p>
<p style="text-align: justify; ">However, in the context of the petition filed by former Union minister Jairam Ramesh challenging the passage of the law on Aadhaar as a money Bill, the more important question is whether the judiciary has a right to question the speaker’s decision in such a matter. If not, any other questions about whether the legislation is a money Bill will remain merely academic in nature.</p>
<h3 style="text-align: justify; ">Irregularity vs illegality</h3>
<p style="text-align: justify; ">Article 110 (3) clearly states that with regard to the question whether a legislation is a money Bill or not, the decision of the speaker is final and binding. The question is whether such a clause completely excludes any judicial review. Further, Article 122 prohibits the courts from questioning the validity of any proceedings in parliament on the ground of any alleged irregularity of procedure.</p>
<p style="text-align: justify; ">During the arguments in the court, the attorney general questioned the locus standi of Ramesh. The petition has been made under Article 32 of the constitution and the government argued that no fundamental rights of Ramesh were violated. However, the court has asked Ramesh to make his submission and adjourned the hearing to July. The petition by Ramesh would hinge largely on the powers of the judiciary to question the decision of the speaker of the Lok Sabha.</p>
<p style="text-align: justify; ">The powers of privilege that parliamentarians enjoy are integral to the principle of separation of powers. The rationale behind parliamentary privilege is to prevent interference in the lawmakers’ powers to perform essential functions. The ability to speak and vote inside the legislature without the fear of punishment is certainly essential to the role of a lawmaker. However, the extent of this protection lies at the centre of this discussion. During the constituent assembly debates, H.V. Kamath and others had argued for a schedule to exhaustively codify the existing privileges. However, B.R. Ambedkar pointed to the difficulty of doing so and parliamentary privilege on the lines of the British parliamentary practice was retained in the constitution. In the last few decades, a judicial position has emerged that courts could exercise a limited degree of scrutiny over privileges, as they are primarily responsible for interpreting the constitution.</p>
<p style="text-align: justify; ">In the matter of <a href="https://indiankanoon.org/doc/1757390/" rel="external nofollow" target="_blank" title="Raja Ram Pal vs The Hon’ble Speaker, Lok Sabha"><i>Raja Ram Pal vs The Hon’ble Speaker, Lok Sabha</i></a>, it had been clarified that proceedings of the legislature were immune from questioning by courts in the case of procedural irregularity but not in the case of illegality. In this case, the Supreme Court while dealing with Article 122 stated that it does not oust review by the judiciary in cases of “gross illegality, irrationality, violation of constitutional mandate, mala fides, non-compliance with rules of natural justice and perversity.”</p>
<p style="text-align: justify; ">In 1968, the speaker of the Punjab legislative assembly adjourned the proceedings for a period of two months following rowdy behaviour. Subsequently, an ordinance preventing such a suspension was promulgated and the legislature was summoned by the governor to consider some expedient financial matters. The speaker disagreed with the decision and after some confusion, the deputy speaker passed a few Bills as money Bills. While looking into the question of what was protected from judicial review, the <a href="https://indiankanoon.org/doc/36589/" rel="external nofollow" target="_blank" title="court stated">court stated</a> that the protection did not extend to breaches of mandatory provisions of the constitution, only to directory provisions. By that logic, if Article 110 (1) is seen as a mandatory provision, a breach of its provisions could lead to an interpretation that the Supreme Court may well question an erroneous decision by the speaker of the Lok Sabha to certify a legislation as a money Bill. The use of the word “shall” in Article 110 (1), the nature and design of the provision, its overriding impact on the other constitutional provisions granting the Rajya Sabha powers are ample evidence of its mandatory nature. Based on the above, Anup Surendranath has <a href="http://ccgdelhi.org/doc/%28CCG-NLU%29%20Aadhaar%20Money%20Bill.pdf" rel="external nofollow" target="_blank" title="argued">argued</a> that the passage of the Aadhaar Act as a money Bill when it does not satisfy the constitutional conditions for it does amount to a gross illegality.</p>
<p style="text-align: justify; ">The judicial precedent in <i><a href="https://indiankanoon.org/doc/60568976/" rel="external nofollow" target="_blank" title="Mohd. Saeed Siddiqui vs State of Uttar Pradesh">Mohd. Saeed Siddiqui vs State of Uttar Pradesh</a></i> where the matter of the court’s power to question the decision of a speaker was considered, though, leans in the other direction. In 2012, the <a href="https://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwiRtov_iKHSAhVLuo8KHYhsClcQFggbMAA&url=http%3A%2F%2Fwww.lawsofindia.org%2Fdownloadfile.php%3Flawid%3D7834%26file%3Duttar_pradesh%2F1981%2F1981UP7.pdf%26pageurl%3D%252Fsingle%252Falpha%252F7.html&usg=AFQjCNGRW8-NChXALunaUbjZRrlM4IvCkA&sig2=rg6YCMf7qRqNw08NnctuhQ" rel="external nofollow" target="_blank" title="Uttar Pradesh Lokayukta and Up-Lokayuktas (Amendment) Act">Uttar Pradesh Lokayukta and Up-Lokayuktas (Amendment) Act</a>, 2012 was passed as a money Bill by the Uttar Pradesh state legislature. Subsequently, a writ petition was filed challenging its constitutional validity. A three-judge bench of the Supreme Court looked into the application of Article 212. It is the provision corresponding to Article 122, dealing with the power of the courts to inquire into the proceedings of the state legislature. The court held that Article 212 makes “it clear that the finality of the decision of the Speaker and the proceedings of the State Legislature being important privilege of the State Legislature, viz., freedom of speech, debate and proceedings are not to be inquired by the Courts.” Importantly, ‘proceedings of the legislature’ were deemed to include within its scope everything done in transacting parliamentary business, including the passage of the Bill. While the court did acknowledge the limitations of parliamentary privilege as established in the <i>Raja Ram Pal</i> case, it did not adequately take into account the reasoning in it.</p>
<p style="text-align: justify; ">The Aadhaar Act is a legislation which makes it mandatory for all residents to enrol for a biometric identification system in order to avail certain subsidies, benefits and services. It has huge potential risks for individual privacy and national security and has been the subject of an extremely high profile Public Interest Litigation. Its passage as a money Bill, without any oversight from the Rajya Sabha and an opportunity for substantial debate and discussion, is a fraud on the Constitution. Whether or not the court chooses to see it that way remains to be seen.</p>
No publisher | amber | Aadhaar, Internet Governance, Privacy | 2017-02-27T15:44:56Z | Blog Entry
Is Your Aadhar Biometrics Safe? Firms Accused Of Storing Biometrics And Using Them Illegally
http://editors.cis-india.org/internet-governance/news/outlook-february-24-2017-is-your-aadhar-biometrics-safe-firms-accused-of-storing-biometrics-and-using-them-illegally
<b>Fears of Aadhaar biometric security have been compounded as the government is sprinting towards the next phase of ‘cashless India’ and digitization</b>
<p style="text-align: justify; ">Pranesh Prakash and Sunil Abraham have been quoted in this article <a class="external-link" href="http://www.outlookindia.com/website/story/is-your-aadhar-biometrics-safe-firms-accused-of-storing-biometrics-and-using-the/298048">published by Outlook</a> on February 24, 2017.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The biggest fears regarding misuse of Aadhaar biometrics and security loopholes are becoming real.</p>
<p style="text-align: justify; ">Three firms are being probed for attempting unauthorised authentication and impersonation by using stored Aadhaar biometrics, reported <i>The Times of India.</i></p>
<p style="text-align: justify; ">The paper reported that the Unique Identification Authority of India (UIDAI) has lodged a criminal complaint with the cyber cell of Delhi Police, saying it is a clear violation of the law.</p>
<p style="text-align: justify; ">“The firms are Axis Bank, Suvidhaa Infoserve and eMudhra. They have been served a ‘notice for action’ under Aadhaar regulations.”</p>
<p style="text-align: justify; ">The firms have been accused of storing biometrics and using them illegally.</p>
<p style="text-align: justify; ">The fears of biometric security have been compounded as the government is sprinting towards the next phase of ‘cashless India’ and digitization. They are preparing to launch Aadhaar Pay, an initiative that will supersede the need to use credit cards, debit cards, smartphones and PINs to make payments or transfer money.</p>
<p style="text-align: justify; ">The proposed system of payments will use a person’s biometric data and fingerprints to make payments through Aadhaar-linked bank accounts.</p>
<p style="text-align: justify; "><i>Outlook</i>’s Senior Associate Editor Arindam Mukherjee had in a clairvoyant <a href="http://www.outlookindia.com/magazine/story/no-genie-at-your-fingertips/298449" target="_blank">article</a> for the magazine raised the fears of biometrics being manipulated.</p>
<p style="text-align: justify; ">In the <a href="http://www.outlookindia.com/magazine/story/no-genie-at-your-fingertips/298449" target="_blank">article</a>, critics of Aadhaar and Aadhaar-based services raised the issue of privacy and security of biometric and personal data.</p>
<p style="text-align: justify; ">Pranesh Prakash, policy director with the Centre for Internet and Society (CIS), recently tweeted, “As long as Aadhaar-Enabled Payment Services encourages biometric authorisation of transactions, it is bound to be a security nightmare, with widespread fraud.” Would you tell a shopkeeper your debit card’s PIN? No. Then why share your fingerprint? A fingerprint, in this system, becomes a kind of unchangeable Aadhaar Enabled Payment System PIN, he asks.</p>
<p style="text-align: justify; ">Pointing out a possible danger, Usha Ramanathan, an independent law researcher who has been following Aadhaar since its inception, says, “In many payments, biometric data is authenticated and then it remains in the system where there are leakages. Intermediaries then have access to the data, which is thus made insecure.”</p>
<p style="text-align: justify; ">According to the UIDAI, however, once biometric data is provided by the consumer while making Aadhaar-based payments, it gets encrypted and a merchant doesn’t get access to that data. The Aadhaar Act also prohibits any storing of biometric data in local devices.</p>
<p style="text-align: justify; ">And yet, there are many like CIS executive director Sunil Abraham who believe it is a mistake to use biometrics for authentication, especially when payments are concerned.</p>
<p style="text-align: justify; ">“Our concern with Aadhaar Pay is about the biometric component of the project,” says Abraham. “Biometrics is an identification technology. Unfortunately, it is being presented as an authentication technology. It is not a secure authentication technology as biometric data can be stolen easily. It is also irrevocable; once biometric data is stolen, it cannot be re-issued like a smart card.”</p>
<p style="text-align: justify; ">Then there is the problem of availability of fingerprints. In the case of many people from rural areas and the working class, fingerprints get affected due to the manual nature of their work. This makes it difficult for this target group of UIDAI to conduct transactions properly through Aadhaar Pay. “In Rajasthan, 30 per cent of the households are not even able to procure ration using fingerprints,” says Ramanathan.</p>
No publisher | praskrishna | Biometrics, Aadhaar, Internet Governance, Privacy | 2017-02-27T01:56:28Z | News Item
No Genie At Your Fingertips
http://editors.cis-india.org/internet-governance/news/outlook-arindam-mukherjee-february-20-2017-no-genie-at-your-fingertips
<b>Aadhaar biometrics will now enable cashless shopping sans card and smartphone. A look at the hopes and fears.</b>
<p style="text-align: justify; ">The article by Arindam Mukherjee was <a class="external-link" href="http://www.outlookindia.com/magazine/story/no-genie-at-your-fingertips/298449">published in the Outlook</a> on February 20, 2017. Pranesh Prakash and Sunil Abraham were quoted.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Soon, you will be able to pay for your groceries and other purchased goods by using just your fingerprints and biometric data. You won’t need debit or credit cards, smartphones or e-wallets. You won’t need to sign or even remember your PIN.<br /><br />In a bid to increase digitisation and move to the next phase of ‘cashless India’, the government is preparing to launch Aadhaar Pay, an initiative that will supersede the need to use credit cards, debit cards, smartphones and PINs to make payments or transfer money. The proposed system of payments will use a person’s biometric data and fingerprints to make payments through Aadhaar-linked bank accounts.</p>
<p style="text-align: justify; ">The initiative, which has been running as a pilot project in fair price shops in Andhra Pradesh, is expected to be launched in a month’s time. According to officials of the Unique Identification Authority of India (UIDAI), the system has been getting a positive response in these trials and is ready for a nationwide launch.<br /><br />In Aadhaar Pay, all a person needs to carry to a shop are his fingerprints as merchant establishments will authenticate his or her identity through fingerprints, which will give them access to a person’s Aadhaar data. The only essential requirement for this new mode of payments is that bank accounts have to be linked with the account-holder’s Aadhaar number.<br /><br />Unlike the post-demonetisation limits imposed on ATM and bank account withdrawals, no limits are proposed to be put on Aadhaar Pay transactions as of now. The proposal is to leave the fixing of limits to the discretion of banks. However, the government hopes Aadhaar Pay will be used mostly for small-value transactions rather than large deals.</p>
<p style="text-align: justify; ">The system will work through an app in the merchant establishment’s smartphone—with a fingerprint scanner device—eliminating the requirement of a Point of Sale (POS) terminal, which is required for credit card and debit card transactions. The scanner will be priced at around Rs 2,000, considerably cheaper than POS terminals that cost Rs 8,000-10,000.</p>
<p style="text-align: justify; ">Aadhaar Pay is the next step of the government’s successful run of Aadhaar Enabled Payment System (AEPS), under which transactions are made through ‘banking correspondents’, mostly in rural areas. These transactions are done through POS machines and micro-ATMs. Like Aadhaar Pay, AEPS disburses money without a signature or a debit or credit card, and without the need to visit a bank branch. But unlike AEPS, which works through banking correspondents, Aadhaar Pay will be available through merchant establishments much the same way as debit or credit cards work.<br /><br />The biggest task before the government to ensure the success of Aadhaar Pay is to develop a network of merchant establishments that will accept Aadhaar Pay just the way they accept credit or debit cards or e-wallet payments like Paytm. To do this, the government said in this year’s budget that banks would be encouraged to put 20 lakh Aadhaar Pay access machines across the country. “We have asked every bank to select 35 merchants for this. These merchants will have a smartphone and a biometric device attachment to carry out Aadhaar Pay transactions,” UIDAI CEO Ajay Bhushan Pandey tells Outlook.</p>
<p style="text-align: justify; ">This won’t be easy. Even in case of debit or credit cards, the biggest limiting factor is the relatively small number of POS terminals that accept them. According to data from the National Payment Corporation of India (NPCI), there are only 14 lakh POS terminals in India, which has over 3.5-4 crore merchant establishments and 80 crore cards (77 crore debit cards and three crore credit cards). The bulk of these terminals are in tier I and tier II cities and almost none in tier III and IV towns. To improve the situation, the government is already working towards bringing in 10 lakh new terminals by March, most of which will be put in tier III and tier IV towns, bringing them deeper within the ambit of the digitised, cashless economy.</p>
<p style="text-align: justify; ">Though a starting target of 20 lakh terminals for Aadhaar Pay may seem quite ambitious, according to the latest data, 111.51 crore adults have already obtained their Aadhaar numbers and 50 crore bank accounts (of a total 110 crore savings accounts in the country) of 40 crore people have been linked to Aadhaar and, according to UIDAI, nearly two crore people are linking their bank accounts with Aadhaar every month, brightening up the prospects of Aadhaar Pay. A majority of these numbers are from rural areas and smaller cities.</p>
<p style="text-align: justify; ">The government and UIDAI aim to roll out Aadhaar Pay primarily in rural areas and tier III and tier IV cities to begin with, as these areas do not have proper debit or credit card coverage and the people living there are not big users of plastic cards or smartphones. “We need to provide a solution for every segment of the population,” says Pandey. “We have to take care of the people who cannot use smartphones or other mobile phones and debit or credit cards, and those who cannot remember their PIN for authentication. The only tool with them is their fingerprint. Approximately 30 crore people are not comfortable with cards or phone. We had to get them into the mode of digital payments.”<br /><br />Not surprisingly, critics of Aadhaar and Aadhaar-based services have attacked Aadhaar Pay and AEPS on issues of privacy and security of biometric and personal data. Pranesh Prakash, policy director with the Centre for Internet and Society (CIS), recently tweeted, “As long as AEPS encourages biometric authorisation of transactions, it is bound to be a security nightmare, with widespread fraud.” Would you tell a shopkeeper your debit card’s PIN? No. Then why share your fingerprint? A fingerprint, in this system, becomes a kind of unchangeable PIN, he asks.</p>
<p style="text-align: justify; ">Pointing out a possible danger, Usha Ramanathan, an independent law researcher who has been following Aadhaar since its inception, says, “In many payments, biometric data is authenticated and then it remains in the system where there are leakages. Intermediaries then have access to the data, which is thus made insecure.”<br /><br />According to the UIDAI, however, once biometric data is provided by the consumer while making Aadhaar-based payments, it gets encrypted and a merchant doesn’t get access to that data. The Aadhaar Act also prohibits any storing of biometric data in local devices. And yet, there are many like CIS executive director Sunil Abraham who believe it is a mistake to use biometrics for authentication, especially when payments are concerned. “Our concern with Aadhaar Pay is about the biometric component of the project,” says Abraham. “Biometrics is an identification technology. Unfortunately, it is being presented as an authentication technology. It is not a secure authentication technology as biometric data can be stolen easily. It is also irrevocable; once biometric data is stolen, it cannot be re-issued like a smart card.”<br /><br />Then there is the problem of availability of fingerprints. In the case of many people from rural areas and the working class, fingerprints get affected due to the manual nature of their work. This makes it difficult for this target group of UIDAI to conduct transactions properly through Aadhaar Pay. “In Rajasthan, 30 per cent of the households are not even able to procure ration using fingerprints,” says Ramanathan.</p>
<p style="text-align: justify; ">The launch of Aadhaar Pay at this time becomes more challenging as there has been a decline in digital payments this January. According to RBI data, digital payments, including transactions made by using credit cards, debit cards, electronic fund transfers, digital wallets and mobile banking transactions, were 10.2 per cent lower by volume and 7 per cent lower by value in January 2017 as compared to December 2016. Also, digital transactions fell from 1,027.7 million (worth Rs 105.4 lakh crore) to 922.9 million (worth Rs 98 lakh crore). This could get worse as the RBI raised the cash withdrawal limits from Rs 24,000 to Rs 50,000 from February 20 and aims to remove all limits by mid-March.</p>
<p style="text-align: justify; ">Within digital transactions, debit and credit transactions at POS terminals declined 18.6 per cent month-on-month in January, while mobile banking transactions declined by 7.6 per cent, showing that people still prefer to deal in cash. According to NPCI data, however, IMPS transactions rose by 18 per cent in January and UPI-based transactions went up from 2 million transactions (worth Rs 700 crore) in December to 4.2 million transactions (worth Rs 1,666 crore) in January.<br /><br />Clearly, considering India’s demography and its problems, when it comes to the security of personal and biometric data, the government and the UIDAI have many issues to clear before Aadhaar Pay can achieve any success. Moreover, there are over 100 crore mobile phones in India today, with even the lowest strata of the population having access to one. Yet mobile-based payments and m-wallets are yet to hit that critical mass. To make Aadhaar Pay a bigger success than that could be a gigantic task.<br /><br /></p>
No publisher | praskrishna | Aadhaar, Internet Governance, Privacy | 2017-02-16T16:02:31Z | News Item
Digital illusions
http://editors.cis-india.org/internet-governance/news/frontline-v-sridhar-march-3-2017-digital-illusions
<b>The Watal Committee’s report presents the government with an impossible road map to a cashless nirvana. </b>
<p style="text-align: justify; ">The article by V. Sridhar was <a class="external-link" href="http://www.frontline.in/the-nation/digital-illusions/article9541506.ece?homepage=true">published in Frontline</a>, Print edition: March 3, 2017</p>
<hr />
<p style="text-align: justify; ">MORE than two months after demonetising an overwhelming proportion of the currency in circulation, the Narendra Modi government now appears to have settled on its key objective for setting out on the unprecedented economic adventure. After shifting the goalposts several times—initially it was a means of combating terrorism and fake currency, later it was a war on black money and still later it was to forcibly march the country towards a “cashless” future, which was then modified to a more reasonable “less cash” society—the government now ostensibly has the road map to undertake the hazardous journey to an age when cash will no longer be king.</p>
<p style="text-align: justify; ">There is no better and time-tested means for a government bent on carrying out its whims than to appoint a committee headed by a former bureaucrat to give it the report that would justify what it has already decided to do. In August 2016, months before demonetisation, it constituted the Committee on Digital Payments, chaired by Ratan P. Watal, Principal Adviser, NITI Aayog, and former Secretary, Ministry of Finance. The committee dutifully submitted its report in double quick time on December 9, which was approved by the Finance Ministry on December 27.</p>
<p style="text-align: justify; ">The haste with which the committee has gone about its business is evident throughout the report. The committee’s slant is also evident in its approach, especially the reverence with which it welcomes the demonetisation move, even though it was commissioned before November 8, and its recourse to suspect data from private industry and multinational companies even when better quality data were available from official sources such as the Reserve Bank of India (RBI). The report’s lack of rigour, especially in tackling the substantive issues pertaining to monetary policy, was compounded by the fact that not a single economist of worth, not even a specialist in monetary economics, was present in the committee.</p>
<h3 style="text-align: justify; ">Reckless rush</h3>
<p style="text-align: justify; ">However, to blame the committee alone would be futile. The government, by pursuing an ambitious and reckless push towards “less cash” before setting out a regulatory framework governing digital payments, in effect, placed the cart before the horse.</p>
<p style="text-align: justify; ">The report reveals not just the haste with which the Watal Committee has pursued its mission with evangelical zeal but its utter lack of respect for conceptual issues. Nowhere is this more evident than in its recommendation that the regulatory responsibilities for governing the digital payments system be distanced from the RBI. This not only is out of tune with global practices, but it reveals the committee’s sheer inability to understand the fact that although payments account for just a small fraction of what a banking system does, they impinge on modern banking and monetary policy in crucial ways.</p>
<p style="text-align: justify; ">In a modern economy, currency creation by the central bank through fiat money is not the only means by which money is created. Deposits with banks, for instance, which provide the base for credit creation, are a means by which banks “create” money. From this perspective, a mobile wallet service provider also acts like a bank, even if the users’ monies are held only for a brief period until transactions happen.<br /><br />Thus, it appears fit and proper that such services are also governed by the central bank. However, the Watal Committee has recommended that they be supervised by an entity that has a measure of independence from the RBI. This suggestion is dangerous because such entities can potentially pose a systemic risk, which is a key responsibility of a central bank. There is also the risk of regulatory capture of the suggested body, the Payments Regulatory Board (PRB), if sections of the payments industry exercise their newly acquired clout.<br /><br />The committee’s enthusiastic acceptance of the “go cashless” mantra is also evident in the data it has sourced. A good example of how it cherry-picked data is its use of a highly dubious (or at the very least, utterly misplaced) dataset to make the point that India is far too dependent on cash. It points to data sourced from the International Monetary Fund (IMF) and other sources to claim that India’s cash-GDP (gross domestic product) ratio is 12.04 per cent, much higher than countries such as Brazil, Mexico and South Africa.<br /><br />However, this much-abused dataset, quoted widely by advocates of demonetisation, is an inaccurate measure because it only captures the extent of physical currency in circulation and ignores short-term deposits, which are defined as “broad money”. Logically, these deposits must be included because they are virtually on call by depositors and are, therefore, liquid.
Secondly, the fact that such deposits have been increasing as a proportion of the currency in circulation, aided by the spread of banking in India, makes them particularly relevant in the Indian context. The committee, in its bid to justify sending the nation on a cashless path, proceeds to evaluate the “high” costs that cash imposes on the Indian economy. It quotes from McKinsey and Visa, both of which may have a vested interest in India’s mission to go cashless, to drive home the point that going digital would result in huge savings. It quotes McKinsey to claim that “transitioning to an electronic platform for government payments itself could save approximately Rs.100,000 crore annually, with the cost of the transition being estimated at Rs.60,000-70,000 crore” and a Visa report that claims a total investment of Rs.60,000 crore over five years towards creating a digital payments ecosystem could reduce the country’s cost of cash from 1.7 per cent of the GDP to 1.3 per cent.<br /><br />Even while pushing the benefits of going cashless, the committee does admit that the transition to digital payments “cannot be agnostic to the actual costs incurred by the end customers, the reasons for preferring cash, and the factors inhibiting the uptake of existent channels of digital payments”.<br /><br />A large part of the Indian economy is its “black” counterpart, estimated at about 60 per cent of the legitimate part of India’s national income. Since a significant portion of the currency in circulation caters to the demand from the shadow economy, apart from the huge segment that is engaged in legitimate but informal economic activity, these estimates miss a significant chunk of the economy and its need for cash. 
Conceptually, to that extent, they significantly overstate the extent of cash relative to real GDP, including the portion missing from official data.<br /><br />The naive assumption that digitalised financial transactions are scale-neutral and costless, painless and efficient lies at the heart of the Watal Committee’s report. This has obvious implications for India’s large informal economy, which the Modi government is pushing, under pain of death, towards formality through digital channels. For instance, basic data on the usage of debit cards show how skewed the demand for cards is in India. In August 2016, cash withdrawals at ATMs accounted for 92.28 per cent of the value of all debit card transactions in the country. Thus, less than 8 per cent of the total value was made at point-of-sale (PoS) terminals.<br /><br />This statistic is a clear indication of a divide that mirrors the income and consumption divide in Indian society. When banks issue cards (debit, credit or any other), card payment system companies such as Mastercard and Visa provide an interface with the customer for which the issuer pays a fee, which is, in any case, recovered from customers. According to a recent study by Visa, the penetration of PoS terminals has slowed down significantly since 2012, when the RBI set limits on what the card companies could charge as merchant discount rate (MDR), the amount charged from sellers. This reveals that card companies may have been slowing down penetration in order to bargain for a bigger slice of the transaction fee. Although the rates apply not just to card-based purchases but to cash withdrawals too (and have been waived or lowered in the wake of demonetisation on a purely temporary basis), there is no guarantee that they will not increase once the situation returns to normal. This is aggravated by the fact that the government may have little or no control, or the will, to prevent banks and card issuers from charging higher rates later. 
This has been demonstrated in the past with, for example, ATM-based withdrawals, for which customers have to pay a fee after a minimum number of transactions.<br /><br />The flat fee (as a percentage) is regressive, especially because it punishes smaller sellers. It is in this sense that finance, digital or otherwise, is never scale-neutral. The fact that the immediate victims of demonetisation are small-scale producers and retailers implies that the balance has been tilted against them and in favour of larger producers and retailers after November 8. By skewing the field against small and tiny enterprises, demonetisation has been the vehicle for a massive and unprecedented transfer of incomes and wealth from the poor to the rich.<br /><br />There is also a fundamental asymmetry in the use of technology in the financial services industry. ATMs, which have been around for decades, were originally touted as a technology that increases efficiency in the use of cash; you only need to withdraw as much as you need, so there is no motive to hoard cash. But that was not the motive for introducing ATMs; the real reason was that they enabled banks to reduce their workforce to cut costs. As ATMs became more ubiquitous, banks started moving from cost cutting to profit-seeking by levying a fee for every transaction above a minimum threshold. In effect, the gains from technology are boosting the profitability of banks while the wider systemic benefits made possible by the same technology have been sacrificed, as the imposition of fees above a minimum threshold actually drives people to hoard cash.<br /><br />A study by Visa in October 2016, titled Accelerating The Growth of Digital Payments in India: A Five-Year Outlook, reveals that a one percentage point reduction in cash in circulation as percentage of GDP would require digital transactions of personal consumption expenditure to multiply ninefold. 
In other words, Visa suggested that digital transactions as a percentage of personal consumption expenditure would need to increase from 4 per cent to 36 per cent if the cash-GDP ratio has to reduce from 11 per cent to 10 per cent.</p>
<h3 style="text-align: justify; ">Security concerns</h3>
<p style="text-align: justify; ">Apart from these weighty economic issues, which are central to the move towards digital financial transactions, there are other critically important issues that the committee has either ignored or swept under the carpet. The question of privacy and security was a central issue at a recent conference on digital payments organised by HasGeek, a platform for software developers, in Bengaluru. Several experts, including some from the payments industry, pointed out the serious security and privacy issues that are being ignored in the rush to go digital. For example, an expert on data security warned that the mindless rush to mobile-based transactions was especially scary because most Android phones are vulnerable, as they leak data. In fact, he noted that it may be safer for Android mobile users to perform digital transactions using desktop browsers.<br /><br />But what is more scary is the manner in which Aadhaar is being touted by the committee as the magic wand by which the digital era can be ushered in quickly. It recommends that mobile number-based and Aadhaar-based “fully interoperable payments” be prioritised within 60 days and that the National Payments Corporation of India (NPCI) be responsible for ensuring this.<br /><br />There has been significant resistance to the idea of an Aadhaar-enabled service for digital transactions, primarily because of security and privacy concerns. Entities such as the Centre for Internet and Society have warned against linking Aadhaar to the financial inclusion project because it violates the Supreme Court stricture against making Aadhaar mandatory. Kiran Jonnalagadda of HasGeek pointed out that the Aadhaar system offered only “single factor authorisation”. 
He said in a recent tweet that Aadhaar involved only a permanent login ID without “a changeable password”, which, from a systemic point of view, made it open to abuse.<br /><br />Longstanding critics of the Aadhaar project have pointed out that the launch of such a countrywide programme at a time when a regulatory regime is not even in place, and when India does not have privacy protection laws, is dangerously misplaced. They have pointed to the fact that unlike in the case of a debit or credit card, which can be replaced when its integrity has been compromised, the theft of biometric characteristics of a user implies that they are compromised forever. This is not science fiction but a very real possibility as has been demonstrated across the world.<br /><br />There are also serious worries that the high failure rate of biometric verification would hurt the poor, supposedly the main target group of the Aadhaar project; the large-scale denial of services such as access to the public distribution system has already been documented across the country. Extending a failed system to real-time financial transactions, thus, appears to be dangerously misplaced. The fundamental issue is this: can a digital mode of payment effectively provide the same level of trust between the transacting parties that is central to a cash-based transaction? The answer to that depends critically on whether the digital mode provides the same level of convenience, cost, predictability and certainty.<br /><br />The Watal Committee has produced a report that the political masters sought. Its lack of appreciation of the economic issues underpinning financial transactions and of the wider economic processes in the Indian economy is obvious. Effectively, it has delivered what the Modi government asked for—an impossible road map to a cashless nirvana for a people already suffering the effects of demonetisation.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/frontline-v-sridhar-march-3-2017-digital-illusions'>http://editors.cis-india.org/internet-governance/news/frontline-v-sridhar-march-3-2017-digital-illusions</a>
</p>
No publisher | praskrishna | Aadhaar, Internet Governance, Privacy | 2017-02-16T14:53:39Z | News Item
India's Aadhaar with biometric details of its billion citizens is making experts uncomfortable
http://editors.cis-india.org/internet-governance/news/mashable-india-february-14-2017-india-aadhaar-uidai-privacy-security-debate
<b>"Indians in general have yet to understand the meaning and essence of privacy," says Member of Parliament, Tathagata Satpathy. </b>
<p style="text-align: justify; ">The blog post was published by <a class="external-link" href="http://mashable.com/2017/02/14/india-aadhaar-uidai-privacy-security-debate/#RYHiC8REkmqz">Mashable India</a> on February 14, 2017. Sunil Abraham was quoted.</p>
<hr />
<p style="text-align: justify; ">But on Feb. 3, privacy was the hot topic of debate among many in India, thanks to a <a href="https://twitter.com/beastoftraal/status/827387794045571072" target="_blank">tweet</a> that showed random people being identified on the street via Aadhaar, India's ubiquitous database that has biometric information of more than a billion Indians.</p>
<p style="text-align: justify; ">That's how India Stack, the infrastructure built by the Unique Identification Authority of India (UIDAI), welcomed OnGrid, a privately owned company that is going to tap into the world's largest biometrics system, conjuring images of <i>Minority Report</i>-style surveillance.</p>
<p style="text-align: justify; ">But how did India get here?</p>
<h2 style="text-align: justify; ">Aadhaar's foundation</h2>
<p style="text-align: justify; ">Not long ago, there were more people in India without a birth or school certificate <a href="http://unstats.un.org/unsd/vitalstatkb/Attachment480.aspx?AttachmentType=1" target="_blank">than those with one</a> (PDF). They had no means to prove their identity. This also contributed to what is more popularly known as “leakage” in government subsidy funding. In some instances, the funds weren’t reaching the right people, and much of the money was being siphoned off by middlemen.</p>
<p style="text-align: justify; ">Nearly a decade ago, the government began scrambling for ways to tackle these issues. Could technology come to the rescue? The government dialled techies, people like Nandan Nilekani, a founder of India's mammoth IT firm Infosys, for help.</p>
<p style="text-align: justify; ">In 2008, they <a href="https://uidai.gov.in/images/notification_28_jan_2009.pdf" target="_blank">formulated</a> Aadhaar, an audacious project "destined" to change the prospects of Indians. It was similar to the Social Security number that US residents are assigned, but its implications were more far-reaching.</p>
<p style="text-align: justify; ">At the time, the government <a href="http://blogs.wsj.com/indiarealtime/2012/11/28/india-prepares-for-launch-of-worlds-biggest-cash-to-the-poor-program/" target="_blank">said</a> it will primarily use this optional program to help the poor who are in need of services such as grocery and other household items at subsidized rates.</p>
<p style="text-align: justify; ">Eight years later, Aadhaar, which stores identity information such as a photo, name, address, fingerprints and iris scans of citizens and assigns each of them a unique 12-digit number, has become the world's largest biometrics-based identity system.</p>
<p style="text-align: justify; ">According to the Indian government, over 1.11 billion people of the country's roughly 1.3 billion citizens have enrolled themselves in the biometrics system. About 99 percent of all adults in India have an Aadhaar card, it <a href="http://pib.nic.in/newsite/PrintRelease.aspx?relid=157709" target="_blank">said last month</a>.</p>
<p style="text-align: justify; ">Today, the significance of Aadhaar, which on paper remains an optional program, is undeniable in the country. The government says Aadhaar has already saved it <a href="http://www.economist.com/news/business/21712160-nearly-all-indias-13bn-citizens-are-now-enrolled-indian-business-prepares-tap" target="_blank">as much as $5 billion</a>.</p>
<p style="text-align: justify; ">But that's not it.</p>
<h2 style="text-align: justify; ">There's a bit of Aadhaar in everyone's life</h2>
<p style="text-align: justify; ">Aadhaar (Hindi for foundation) has long moved beyond helping the poor. The UPI (Unified Payment Interface), another project by the Indian government that uses Aadhaar, is helping the <a href="http://mashable.com/2016/08/30/india-upi-payments-system/"><ins>country's largely unbanked population to avail financial services</ins></a> for the first time. Nilekani calls it a "<a href="http://indianexpress.com/article/opinion/columns/the-coming-revolution-in-indian-banking-2924534/" target="_blank">WhatsApp moment</a>" in the Indian financial sector.</p>
<p style="text-align: justify; ">In December last year, Prime Minister Narendra Modi <a href="http://mashable.com/2016/12/30/bhim-app-india-narendra-modi/">launched BHIM</a>, a UPI-based payments app that aims to get millions of Indians to do online money transactions for the first time, irrespective of which bank they had their accounts with. With BHIM, transferring money is as simple as sending a text message. People can also scan QR codes and pay merchants for their purchases.</p>
<p style="text-align: justify; ">"This app is destined to replace all cash transactions," Modi said at the launch event. "BHIM app will revolutionize India and force people worldwide to take notice," he added.</p>
<p style="text-align: justify; ">The next phase, called Aadhaar Enabled Payments System will <a href="http://www.businesstoday.in/current/economy-politics/govt-to-roll-out-aadhar-pay-for-cashless-transactions/story/245059.html" target="_blank">do away</a> with smartphones. People will be able to make payments by swiping their finger on special terminals equipped with fingerprint sensors rather than swiping cards.</p>
<p style="text-align: justify; ">Last year, the government said people could <a href="http://mashable.com/2017/02/14/india-aadhaar-uidai-privacy-security-debate/mashable.com/2016/09/07/driver-license-india-digilocker-smartphone-app/#s3eNxAzZLjqB">store their driver license documents in an app called DigiLocker</a>, should they want to be relieved from the burden of carrying paper documents. DigiLocker is a digital cloud service that any citizen in India can avail using their Aadhaar information.</p>
<p style="text-align: justify; ">The government also plans to <a href="http://mashable.com/2017/02/01/aadhaar-smart-health-card-senior-citizen-india/">hand out "health cards" to senior citizens</a>, mapped to their Aadhaar number, which will store their medical records, which doctors will be able to access.</p>
<p style="text-align: justify; ">“Aadhaar is an instrument for good governance. Aadhaar is the mode to reach the poor without the middlemen,” Ravi Shankar Prasad, India’s IT minister said in a press conference last year.</p>
<p style="text-align: justify; ">But despite all the ways Aadhaar is making a meaningful impact on millions of lives, some people are very skeptical about it. And for them, the scale at which Aadhaar operates now is only making things worse.</p>
<h2 style="text-align: justify; ">A security nightmare</h2>
<p style="text-align: justify; ">There have been multiple reports suggesting bogus and fake entries in the Aadhaar database. Instances of animals such as dogs and cows having their own Aadhaar identification numbers have been widely reported. In one instance, even the Hindu god Hanuman <a href="http://www.thehindu.com/news/national/lord-hanuman-gets-aadhaar-card/article6401288.ece" target="_blank">was found to have an Aadhaar card</a>.</p>
<p style="text-align: justify; ">The problem, it appears, is that the Aadhaar database has never been verified or audited, according to multiple security experts, privacy advocates, lawyers, and politicians who spoke to <i>Mashable India</i> this month.</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/aadhaar.jpg" alt="Aadhaar" class="image-inline" title="Aadhaar" /></p>
<p style="text-align: justify; ">“There are two fundamental flaws in Aadhaar: it is poorly designed, and it is being poorly verified,” Member of Parliament and privacy advocate Rajeev Chandrasekhar told <i>Mashable India</i>. “Aadhaar isn’t foolproof, and this has resulted in fake data getting into the system. This in turn opens new gateways for money launderers,” he added.</p>
<p style="text-align: justify; ">Another issue with Aadhaar, Chandrasekhar explains, is that there is no firm legislation to safeguard the privacy and rights of the billion people who have enrolled in the system. There’s little a person whose Aadhaar data has been compromised could do. “Citizens who have voluntarily given their data to Aadhaar authority, as a result of this, are at risk,” he added.</p>
<p style="text-align: justify; ">Rahul Narayan, a lawyer who is counselling several petitioners challenging the Aadhaar project, echoed similar sentiments. “There’s no concrete regulation in place,” he told <i>Mashable India</i>. “The scope for abuses in Aadhaar is very vast,” he added.</p>
<p style="text-align: justify; ">But regulation — or the lack thereof — is only one of the many challenges, experts say. Sunil Abraham, the executive director of the Bangalore-based research organisation the Centre for Internet and Society (CIS), says the security concerns around Aadhaar are alarming.</p>
<p style="text-align: justify; ">“Aadhaar is remote, covert, and non-consensual,” he told <i>Mashable India</i>, adding that the existence of a central database of any kind, especially in the context of Aadhaar and at the scale at which it operates, is appalling.</p>
<p style="text-align: justify; ">Abraham said fingerprint and iris data of a person can be stolen with little effort — a “gummy bear” which sells for a few cents, can store one’s fingerprint, while a high resolution camera can capture one’s iris data.</p>
<p style="text-align: justify; "><a name="aadhaar-doesnt-use-basic"></a></p>
<blockquote class="pullquote microcontent-wrapper" style="text-align: justify; ">
<span class="microcontent"> Aadhaar doesn’t use basic principles of cryptography, and much of its security is not known. </span></blockquote>
<p style="text-align: justify; ">Aadhaar is also irrevocable, which strands a person, whose data has been compromised, with no choice but to get on with life, Abraham said, adding that these vulnerabilities could have been averted had the government chosen smart cards instead of biometrics.</p>
<p style="text-align: justify; ">On top of this, he added, Aadhaar doesn’t use basic principles of cryptography, and many of the security defences it uses are not known.</p>
<p style="text-align: justify; ">Had the government released the Aadhaar code to the public as open source (a common practice in the tech community), security analysts could have evaluated the strengths of Aadhaar. But this too isn’t happening.</p>
<p style="text-align: justify; ">At CIS, Sunil and his colleagues have <a href="http://cis-india.org/internet-governance/front-page/blog/privacy/letter-to-finance-committee" target="_blank">written</a> over half-a-dozen open letters to the UIDAI (the authority that governs the Aadhaar project) raising questions and pointing out holes in the system. But much of their feedback has not received any response, Abraham told <i>Mashable India</i>.</p>
<h2 style="text-align: justify; ">India Stack: A goldmine for everyone</h2>
<p style="text-align: justify; ">As part of its push to make Aadhaar more useful, the UIDAI created what is called India Stack, an infrastructure through which government bodies as well as private entities could leverage Aadhaar's database of individual identities. This is what sparked the initial debate about privacy when India Stack tweeted the controversial photo.</p>
<p style="text-align: justify; ">Speaking to <i>Mashable India</i>, however, Piyush Peshwani, a founder of OnGrid, dismissed the concerns, clarifying that the picture was for representation purposes only. He said OnGrid is building a trust platform through which it aims to make it easier for recruiters to do background checks on their potential employees after getting their consent.</p>
<p style="text-align: justify; ">India Stack and OnGrid have since taken down the picture from their Twitter accounts. "OnGrid, much like other 200 companies working with UIDAI, can only retrieve information of users after receiving their prior consent," he said.</p>
<p style="text-align: justify; ">The lack of information from the UIDAI and India Stack is becoming a real challenge for citizens, many feel. There also appears to be a conflict of interest between the privately held companies and those who helped design the framework of Aadhaar.</p>
<p style="text-align: justify; ">As Rohin Dharmakumar, a Bangalore-based journalist, <a href="https://twitter.com/r0h1n/status/827407936980783104" target="_blank">pointed out</a>, Peshwani was a member of the core team of the Aadhaar project. A lawyer, who requested not to be identified, told <i>Mashable India</i> that there is a chance that these people could be familiar with Aadhaar’s roadmap and use the information for business advantage, to say the least.</p>
<p style="text-align: justify; ">Most people <i>Mashable India</i> spoke to are questioning the way these third-party companies are handling Aadhaar data. There is no regulation in place to prevent these companies from storing people’s data or even creating a parallel database of their own — a view echoed by Abraham, Narayan, and Chandrasekhar.</p>
<h2 style="text-align: justify; ">Not mandatory only on paper</h2>
<p style="text-align: justify; ">But for many, the biggest concern with Aadhaar remains just how aggressively it is being implemented into various systems. For instance, in the past one month alone, students in most Indian states who want to apply for NEET, a national-level medical entrance test, were told by the education board CBSE that they will have to <a href="http://www.ndtv.com/india-news/10-point-guide-to-neet-controversy-1655351" target="_blank"><ins>provide their Aadhaar number</ins></a>.</p>
<p style="text-align: justify; ">A few months ago, Aadhaar was also <a href="http://www.hindustantimes.com/mumbai-news/aadhaar-card-will-be-a-must-for-iit-jee-from-2017/story-iRwu40hEKn9ol21h1FGn9K.html" target="_blank">made mandatory</a> for students who wanted to appear in JEE, an all India common engineering entrance examination conducted for admission to various engineering colleges in the country.</p>
<p style="text-align: justify; ">The apex Supreme Court of India recently <a href="http://www.bgr.in/news/supreme-court-asks-centre-to-register-id-details-of-all-mobile-subscribers/" target="_blank">asked</a> the central government to register the phone number of all mobile subscribers in India (there are about one billion of those in India) to their respective Aadhaar cards. Telecom carriers are already activating new connections by verifying users against the Aadhaar database.</p>
<p style="text-align: justify; ">A prominent journalist who focuses on privacy and laws in India questioned the motive. “When they kickstarted UIDAI, people were told that this is an optional biometrics system. But since then the government has been rather tight-lipped on why it is aggressively pushing Aadhaar into so many areas,” he told <i>Mashable India</i>, requesting not to be identified.</p>
<p style="text-align: justify; "><a name="it-is-especially-difficult"></a></p>
<blockquote class="pullquote microcontent-wrapper" style="text-align: justify; ">
<span class="microcontent"> "It is especially difficult to explain why privacy is necessary for a society to advance when taken in the context of Aadhaar." </span></blockquote>
<p style="text-align: justify; ">“It is especially difficult to explain why privacy is necessary for a society to advance when taken in the context of Aadhaar. The Aadhaar card is being offered to people in need, especially the poor, by making them believe that services and subsidies provided by the government will be held back from them unless they register,” Satpathy told <i>Mashable India</i>.</p>
<p style="text-align: justify; ">The central government said last week that an Aadhaar number would be mandatory for availing food grains through the Public Distribution System under the National Food Security Act. In October last year, the government <a href="http://timesofindia.indiatimes.com/india/Aadhaar-card-must-for-LPG-subsidy-after-November/articleshow/54680322.cms" target="_blank">made Aadhaar mandatory</a> for those who wanted to avail cooking gas at subsidized prices.</p>
<p style="text-align: justify; ">“No matter how many laws are made about not making Aadhaar mandatory, ultimately it depends on the last mile person who is offering any service to inform citizens about their rights,” Satpathy added.</p>
<p style="text-align: justify; ">“These last-mile service providers are companies who would benefit from collecting and bartering big data for profit. They would be least interested to inform citizens about their rights and about the not mandatory status of Aadhaar.</p>
<p style="text-align: justify; ">“As Aadhaar percolates more and is used by more government and private services, the citizen will start assuming it's a part of their life. This card is already being misunderstood as if it is essential like a passport,” he added.</p>
<p style="text-align: justify; ">“My worry is that this data will be used by government for mass surveillance, ethnic cleansing and other insidious purposes,” Satpathy said. “Once you have information about every citizen, the powerful will not refrain from misusing it and for retention of power. The use of big data for psycho-profiling is not unknown to the world anymore.”</p>
<p style="text-align: justify; "><i>Mashable India</i> reached out to UIDAI on Feb. 8 for comment on the privacy and security concerns made in this report. At the time of publication, the authority hadn't responded to our queries.</p>
No publisher | praskrishna | Aadhaar, Internet Governance, Privacy | 2017-02-14T14:57:33Z | News Item
Vidhi Doshi - Fingerprint Payments Prompt Privacy Fears in India (The Guardian)
http://editors.cis-india.org/internet-governance/news/vidhi-doshi-fingerprint-payments-prompt-privacy-fears-in-india-the-guardian
<b>This article by Vidhi Doshi on the use of Aadhaar-based payments by private companies in India was published by The Guardian on February 09, 2017. Sumandro Chattapadhyay is quoted in the article.</b>
<p>Originally published by <a href="https://www.theguardian.com/sustainable-business/2017/feb/09/fingerprint-payments-privacy-fears-india-banknotes">The Guardian</a>.</p>
<hr />
<p style="text-align: justify;">For two years, Indian officials have been trawling the country, from city slums to unelectrified villages, zapping eyeballs, scanning fingerprints and taking photographs.</p>
<p style="text-align: justify;">Last month, Indian shoppers started to see the results. With the launch of a government-backed fingerprint payment system, tied to India’s growing biometric data bank, registered citizens can – in theory at least – now pay for things with the touch of a finger.</p>
<p style="text-align: justify;">India’s extraordinary biometric database, named Aadhaar after a Hindi word for ‘foundation’, is the biggest of its kind in the world. It was initially sold to the public as a welfare delivery mechanism that would ensure the country’s 1.25bn citizens were each receiving the right quantity of subsidised rice or cooking fuel, while weeding out fraudsters.</p>
<p>But now this pool of more than a billion people’s biometric data is being used by banks, credit checking firms and other private companies to identify customers, raising questions about privacy and security.</p>
<p style="text-align: justify;">As one of his flagship policies, prime minister Narendra Modi pledged to create a “digital India” in which the country’s cash-centric economy would switch to credit and debit cards, squeezing the parallel economy of untaxed cash transactions and giving more citizens access to digital financial services.</p>
<p style="text-align: justify;">In a surprise television announcement last November, Modi announced the demonetisation of 500 and 1,000 rupee notes (around £6 and £12), wiping out 85% of the country’s circulating currency overnight.</p>
<p style="text-align: justify;">Two days later, when the banks reopened, long queues snaked around almost every branch, with millions lining up to open bank accounts for the first time. Many used their 12-digit Aadhaar number, linked to their biometric profile, to sign up. Within three weeks, 3m bank accounts had been opened using fingerprint verification, according to estimates.</p>
<p style="text-align: justify;">The moment marked a radical change for India’s banking system, under which applicants were traditionally required to file photocopies of passports or voter IDs. Banks could take weeks, sometimes months, to verify them. Now applicants’ encrypted biometric data can be sent to the Unique Identification Authority of India (UIDAI), a government agency, to be matched against their Aadhaar data, re-encrypted and sent back to the bank.</p>
<p style="text-align: justify;">Despite technical teething problems, the system is designed to allow very fast authorisation. “All this happens in a matter of two or three seconds,” explains Ajay Bhushan Pandey, UIDAI’s director general.</p>
<p style="text-align: justify;">For Pandey, the benefits are clear: paper documents are easy to forge and hard to verify, especially in India where until recently thousands of people still used handwritten passports. Not so biometric data.</p>
<h4>Privacy fears</h4>
<p style="text-align: justify;">Pandey emphasises that private banks and companies aren’t able to access the entire Aadhaar database, only to use the government interface, which allows them to verify identities.</p>
<p style="text-align: justify;">Nonetheless, many Indians are worried about the privacy implications. Sumandro Chattapadhyay, a director at the Centre for Internet and Society thinktank, is one of them.</p>
<p style="text-align: justify;">For starters, says Chattapadhyay, the law governing use of the biometric database, fast-tracked through parliament last year, is flimsy when it comes to the private sector. Since India lacks a general privacy or data protection law, this leaves corporate use of Aadhaar services effectively unregulated, he says.</p>
<p style="text-align: justify;">This is particularly worrying, says Chattapadhyay, because of the data-sharing possibilities opened up by Aadhaar. It makes it easier for companies not only to share information on individuals’ consumption and mobility habits, but also to link this data up with public records like the electoral register, he says. “Both lead to significant threats to privacy of individuals.”</p>
<p style="text-align: justify;">Chattapadhyay’s fear is that private companies could eventually gain access to government-held personal data, such as income or medical records, while the government could use company data like phone records to target specific individuals in political campaigns.</p>
<p style="text-align: justify;">Already companies are linking Aadhaar numbers with collected metadata. Credit-checking startup CreditVidya, for example, identifies clients using their biometric ID in combination with their internet browsing history and other data, to assign credit scores for users who have no record of loan repayments. Banks then store this processed metadata, for example whether or not someone’s Facebook name is consistent with the name on their bank account.</p>
<p style="text-align: justify;">Its founder Abhishek Agarwal admits there are risks for users: “[I]f someone managed to hack the bank’s security system, as well as the Aadhaar database, they could potentially be able to link your Facebook or LinkedIn data with your biometric information.” But he says this would be hard to do.</p>
<p style="text-align: justify;">Pandey insists the companies are carefully vetted before they can use Aadhaar authentication. But, like Agarwal, he acknowledges the system can never be 100% secure: “I wouldn’t say it is impossible to break the system, but it is very, very difficult.”</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/vidhi-doshi-fingerprint-payments-prompt-privacy-fears-in-india-the-guardian'>http://editors.cis-india.org/internet-governance/news/vidhi-doshi-fingerprint-payments-prompt-privacy-fears-in-india-the-guardian</a>
</p>
No publisher; Vidhi Doshi; Demonetisation, Digital Payment, Big Data, Privacy, Internet Governance, Aadhaar, Biometrics; 2017-02-13T09:21:42Z; Blog Entry
Seminar on Understanding Financial Technology, Cashless India, and Forced Digitalisation (Delhi, January 24)
http://editors.cis-india.org/internet-governance/news/seminar-on-understanding-financial-technology-cashless-india-and-forced-digitalisation-delhi-jan-24-2017
<b>The Centre for Financial Accountability is organising a seminar on "Understanding Financial Technology, Cashless India, and Forced Digitalisation" on Tuesday, January 24, at YWCA, Ashoka Road, New Delhi. Sumandro Chattapadhyay will participate in the seminar and speak on the emerging architecture of FinTech in India, as being developed and deployed by UIDAI and NPCI.</b>
<p><em>Cross-posted from <a href="https://letstalkfinancialaccountability.wordpress.com/2017/01/20/understanding-financial-technology-cashless-india-forced-digitalisation/">Centre for Financial Accountability</a>.</em></p>
<hr />
<h2>Programme Schedule</h2>
<h4>09:30 - Registration</h4>
<h4>10:00 - Introduction to the Seminar & Setting the Context</h4>
<p>Madhuresh Kumar, National Alliance of People’s Movements</p>
<h4>10:15–11:30 - Session 1 - Understanding the Political Context of FinTech</h4>
<p>B P Mathur, Former Dy CAG</p>
<p>Prabir Purkayastha, Free Software Movement of India and Knowledge Commons</p>
<p>C P Chandrasekhar, Centre for Economic Studies and Planning, JNU</p>
<h4>11:30-11:45 – Tea / Coffee break</h4>
<h4>11:45-13:15 - Session 2 - How will FinTech Impact the Poor, and Labour and Banking Sector?</h4>
<p>Ashim Roy, New Trade Union of India</p>
<p>Nikhil Dey, Mazdoor Kisan Shakti Sangathan</p>
<p>Ravinder Gupta, General Secretary, State Bank of India Officers Association</p>
<h4>13:15-14:00 – Lunch</h4>
<h4>14:00-15:30 - Session 3 - Understanding the Economic Context of FinTech</h4>
<p>Indira Rajaraman, Former Director, RBI</p>
<p>Tony Joseph, Sr. Journalist</p>
<h4>15:30-17:00 - Session 4 - Understanding the Architecture of FinTech: Linkages to Aadhaar, IndiaStack etc</h4>
<p>Sumandro Chattapadhyay, the Centre for Internet and Society</p>
<p>Gopal Krishna, ToxicsWatch</p>
<h4>17:00 – Tea</h4>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/seminar-on-understanding-financial-technology-cashless-india-and-forced-digitalisation-delhi-jan-24-2017'>http://editors.cis-india.org/internet-governance/news/seminar-on-understanding-financial-technology-cashless-india-and-forced-digitalisation-delhi-jan-24-2017</a>
</p>
No publisher; sumandro; Unified Payments Interface, Financial Technology, Digital ID, Big Data, Digital Economy, UID, Internet Governance, Digital India, Aadhaar, Financial Inclusion, Biometrics, Digital Payment; 2017-01-23T13:17:19Z; Blog Entry
Sunil Abraham on Aadhaar's misuse during demonetisation
http://editors.cis-india.org/internet-governance/news/economic-times-january-14-2017-sunil-abraham-on-aadhaar-misuse-during-demonetisation
<b>Sunil Abraham spoke to Economic Times on the misuse of Aadhaar during demonetisation. </b>
<p style="text-align: justify; ">Sunil Abraham said:</p>
<p style="text-align: justify; ">"We saw Aadhaar being misused at large-scale during the demonetization, criminals had created a black market in Aadhaar identity cards and photocopies of Aadhaar. Those interested in converting black money were purchasing these photocopies from the black market and giving them to bank officials so that they could maintain fake records that tried to prove that ordinary people came in photos' cash transactions.</p>
<p style="text-align: justify; ">Whenever we try to introduce technological measures we must always think of the human systems that are at work and the human procedures that are at work. Another example is today telcos giving SIM cards based on Aadhaar authentication to meet their sales targets; some of these telcos are giving multiple SIM cards for a single Aadhaar-based KYC. Those SIM cards are often resold into the black market or given to persons that are not familiar with the Aadhaar number holder, and this has only made the security situation in the country worse. It has not improved." Watch the <b><a class="external-link" href="http://economictimes.indiatimes.com/et-now/experts/sunil-abraham-on-aadhaars-misuse-during-demonetisation/videoshow/56544492.cms">Video</a></b></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/economic-times-january-14-2017-sunil-abraham-on-aadhaar-misuse-during-demonetisation'>http://editors.cis-india.org/internet-governance/news/economic-times-january-14-2017-sunil-abraham-on-aadhaar-misuse-during-demonetisation</a>
</p>
No publisher; praskrishna; Demonetisation, Aadhaar, Internet Governance, Privacy; 2017-01-19T01:35:02Z; News Item
India’s Digital ID Rollout Collides With Rickety Reality
http://editors.cis-india.org/internet-governance/news/wall-street-journal-gabriele-parussini-january-13-2017-indias-digital-id-rollout-collides-with-rickety-reality
<b>India’s new digital identification system, years in the making and now being put into widespread use, has yet to deliver the new era of modern efficiency it promised for shop owner Om Prakash and customer Daya Chand.</b>
<p style="text-align: justify; ">The article by Gabriele Parussini was published in the <a class="external-link" href="http://www.wsj.com/articles/snags-multiply-in-indias-digital-id-rollout-1484237128?mod=e2fb">Wall Street Journal</a> on January 13, 2017. Hans Varghese Mathews was quoted.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">At first, it drove both men up a tree.<br /><br />The system, which relies on fingerprints and eye scans to eventually provide IDs to all 1.25 billion Indians, is also expected to improve the distribution of state food and fuel rations and eventually facilitate daily needs such as banking and buying train tickets.<br /><br />But Mr. Prakash couldn’t confirm his customers’ identities until he dragged them to a Java plum tree in a corner of his village near New Delhi’s international airport. That was the only place to get the phone signal needed to tap into the government database.</p>
<p style="text-align: justify; ">“I hopped on a chair and put my finger in the machine,” said Mr. Chand, a 60-year-old taxi driver. Getting his state food ration “used to be much easier,” he said.</p>
<p style="text-align: justify; ">In <a class="none icon" href="http://blogs.wsj.com/briefly/2017/01/13/indias-massive-aadhaar-biometric-identification-program-the-numbers/">a system so vast</a>, even small glitches can leave millions of people empty-handed.</p>
<p style="text-align: justify; "><a class="none icon" href="http://blogs.wsj.com/indiarealtime/2012/10/03/getting-indias-id-project-back-on-track/">The government began building the system</a>, called Aadhaar, or “foundation,” with great fanfare in 2009, led by a team of pioneering technology entrepreneurs. Since then, almost 90% of India’s population has been enrolled in what is now the world’s largest biometric data set.</p>
<p style="text-align: justify; ">Prime Minister Narendra Modi, who set aside early skepticism about the Aadhaar project after taking power in 2014, is betting that it can help India address critical problems such as poverty and corruption, while also saving money for the government.</p>
<p style="text-align: justify; ">But the technology is colliding with the rickety reality of India, where many people live off the grid or have fingerprints compromised by manual labor or age.</p>
<p style="text-align: justify; ">Panna Singh, a 55-year-old day laborer in the northwestern state of Rajasthan who breaks stones used to build walls, says the machine recognized his scuffed-up fingerprints only a couple of times.</p>
<p style="text-align: justify; ">“I’ve come twice today,” he said at a ration shop in the village of Devdungri. “That’s a full day of work, gone.”</p>
<p style="text-align: justify; ">Iris scans are meant to resolve situations where fingerprints don’t work, but shops don’t yet have iris scanners.</p>
<p style="text-align: justify; ">Ajay Bhushan Pandey, chief executive of the government agency that oversees Aadhaar, said kinks will be ironed out as the system is used, as is the case with software rollouts. It works 92% of the time, and that will rise to 95%, he said.</p>
<p style="text-align: justify; ">“On the scale of what [Aadhaar] has achieved, the rollout has been remarkably smooth,” said Nandan Nilekani, the Infosys co-founder who spearheaded the project. “I don’t see any issues that are disproportionate to the size of project.”</p>
<p style="text-align: justify; ">An Aadhaar ID is intended to be a great convenience, replacing the multitude of paperwork required by banks, merchants and government agencies. The benefits are only just beginning, backers say, as the biometric IDs are linked to programs and services.</p>
<p style="text-align: justify; ">But in rural areas, home to hundreds of millions of impoverished Indians dependent on subsidies, the impact of technical disruptions has already been evident.</p>
<p style="text-align: justify; ">After walking for two hours across rough underbrush in Rajasthan to get kerosene for the month, Hanja Devi left empty-handed because the machine couldn’t match her fingerprint with her Aadhaar number.</p>
<p style="text-align: justify; ">“It’s always so difficult” using the system, said Ms. Devi, who lives with her husband and a nephew on 1,500 rupees ($22) a month.</p>
<p style="text-align: justify; ">Ranjit Singh, who operates the shop, said five of the 37 customers before Ms. Devi also left the shop empty-handed, a failure rate of over 15%.</p>
<p style="text-align: justify; ">A shop manager in a neighboring village said identification had failed for a similar portion of his 500 customers.</p>
<p style="text-align: justify; ">Any biometric recognition system of Aadhaar’s size is bound to show duplicates, meaning some people’s biometric identifiers will match someone else’s when they try to enroll. The new system hasn’t eliminated attempts at fraud. In August, police in Rajasthan accused two shop managers of linking their fingerprints to a multitude of cards and stealing for months the rations of dozens of clients.</p>
<p style="text-align: justify; ">Hans Varghese Mathews, a mathematician at the Bangalore-based Center for Internet and Society, used the results of a test run by Aadhaar officials on a sample of 84 million people to extrapolate the figure for India’s total population. The error level is less than 1%, but in the world’s second-most populous country, the snag would still affect about 11 million people, he said.</p>
<p style="text-align: justify; ">Government officials disputed the calculation, saying the number of duplicates would be much smaller—and that it would take only seven analysts to manage the error caseload.</p>
<p style="text-align: justify; ">As for trouble connecting to the registry, better infrastructure, including steadier internet connections, will eventually also help, Mr. Pandey said.</p>
<p style="text-align: justify; ">For now, Mr. Prakash has found a way to cope without climbing trees. After scouring the village, he set up a shack in a spot with enough bandwidth for his fingerprint scanner to work. It is hardly efficient. He issues receipts in the morning at the shack, then goes back to his shop to hand out the grains. Customers have to line up twice, sometimes for hours.</p>
<p style="text-align: justify; ">Mr. Prakash has applied to the government to operate without biometric identification, but his request was turned down, he said. “They said: ‘You have to keep trying.’ ”</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/wall-street-journal-gabriele-parussini-january-13-2017-indias-digital-id-rollout-collides-with-rickety-reality'>http://editors.cis-india.org/internet-governance/news/wall-street-journal-gabriele-parussini-january-13-2017-indias-digital-id-rollout-collides-with-rickety-reality</a>
</p>
No publisher; praskrishna; Biometrics, Aadhaar, Internet Governance, Privacy; 2017-01-17T15:35:04Z; News Item
The Dangers Of Aadhaar-Based Payments That No One Is Talking About
http://editors.cis-india.org/internet-governance/news/bloomberg-mayank-jain-january-17-2017-dangers-of-aadhaar-based-payments-that-no-one-is-talking-about
<b>Less than three months ago, India’s banking sector was hit by a data breach which compromised 32 lakh debit cards and led to fraudulent transactions worth Rs 1.3 crore.</b>
<p style="text-align: justify; ">The article by Mayank Jain was <a class="external-link" href="http://www.bloombergquint.com/business/2017/01/17/the-dangers-of-aadhaar-based-payments-that-no-one-is-talking-about">published by Bloomberg</a> on January 17, 2017. Sunil Abraham was quoted.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The incident started a debate around security of payment systems. But the debate had just about begun when the government’s demonetisation decision dragged attention away from it. Now as the dust settles and as the government starts to push newer means of digital payments, the focus is back on the security of systems being seen as an alternative to cash.</p>
<p style="text-align: justify; ">One such system is Aadhaar-based payments which could potentially allow citizens to pay anytime anywhere with the tap of a finger.<br /><br />In theory, it sounds simple.<br /><br />The Aadhaar-based payment system runs on the existing Aadhaar infrastructure through which a person’s biometrics are used to authenticate the user. Once authenticated, the user can transfer funds directly from one bank account to another without going through a mobile wallet or a card.<br /><br />The payment system requires a smartphone, a working internet connection and a biometric authentication device with the merchant. The customer needn’t have a card or a phone as long as he or she has an Aadhaar-seeded bank account.<br /><br />National Payments Corporation of India has developed this payments infrastructure over the existing Aadhaar-Enabled Payments System, the railroad on which the public distribution system has been functioning for years now.<br /><br />Amitabh Kant, chief executive officer of the government policy think tank NITI Aayog said, earlier this month, that all cards and point-of-sale machines will become redundant in the country in the next two-and-a-half years as Aadhaar-based payments become popular.</p>
<p style="text-align: justify; "><img class="lazy" src="http://images.assettype.com/bloombergquint%2F2017-01%2Ff3e25ea3-f10b-4059-a95d-412cd4f32caf%2FKey%20Facts%20About%20Aadhaar%20Payments%20Payments%20Payments01.png?auto=format&q=60&w=1024&fm=pjpeg" /></p>
<h3 style="text-align: justify; ">A Double-Edged Sword</h3>
<p style="text-align: justify; ">While payments authenticated by biometrics sound like a good idea in a country where less than one in three people actually own a smartphone, there are fears that integrating biometrics with digital payments could prove to be a security headache.<br /><br />The first part of the problem is that Aadhaar, while effective, is not a fool-proof method of authentication and identification failures are not uncommon. Building a payment system atop the Aadhaar system will simply transfer some of these vulnerabilities.</p>
<p style="text-align: justify; "><img class="lazy" src="http://images.assettype.com/bloombergquint%2F2017-01%2F12a47aa6-10f1-4687-a471-a463f876e6d2%2FHow%20Aadhaar%20Payment%20Works.png?auto=format&q=60&w=1024&fm=pjpeg" /></p>
<p style="text-align: justify; ">The possibility of transaction failures due to a biometric mismatch is real, admitted a former high-ranking official from the Unique Identification Authority of India (UIDAI) who spoke to BloombergQuint on the condition of anonymity.<br /><br />Officially, the false reject rate – rejection of a biometric when it’s actually correct – is set at a maximum of 2 percent for devices that get certified from the UIDAI. On the ground, however, failure rates vary widely, said the official quoted above.<br /><br />According to the official statistics on UIDAI, more than 16 lakh Aadhaar-authentication requests failed in the past week. The type of errors encountered ranged from the biometric data not matching the database to demographic details not checking out.<br /><br />The failure rates on Aadhaar Enabled Payment System for interbank transactions (which is a part of all Aadhaar authentication requests) were found to be as high as 60 percent by the Watal Committee on digital payments which published its report in December.<br /><br />Additionally, newer security threats may also emerge if the scope of Aadhaar is widened. These include identity theft if a person’s biometrics are compromised from the payment system, phishing attempts, and the difficulty in revoking access once biometric information is compromised.<br /><br />Biometrics aren’t an exact science, the official quoted above said, while adding that possible glitches have to be weighed against the benefits of offering a widely accessible non-cash mode of payment to citizens.</p>
<h3 style="text-align: justify; ">How Easy Is It To Beat The System?</h3>
<p style="text-align: justify; ">Sunil Abraham, executive director of Bangalore-based research organisation Center for Internet and Society (CIS) said that one way to assess how secure a system is, is to understand the cost and effort that goes into breaching it.<br /><br />In the case of Aadhaar-based payment systems, the costs may not be high.<br /><br />“There’s the gummy finger method which essentially requires some Fevicol or gum to duplicate someone’s fingerprint which can be enough to transact on someone’s behalf without them being there,” said Abraham in a phone conversation with BloombergQuint. “An average person can’t clone a smart card. Just fevicol and glue can help you make a gummy finger. The biometric lobby will say that advanced scanners defeat the gummy finger attack but more advanced scanners are also more expensive.”<br /><br />Also, using more sensitive devices could push up the instance of false rejection of transactions, said Abraham.<br /><br />There are other concerns. Like the fact that devices used for Aadhaar identification could store personal information, which, in turn, could be susceptible to a breach.</p>
<blockquote class="quoted" style="text-align: justify; ">There are five main components in an Aadhaar app transaction – the customer, the vendor, the app, the back-end validation software, and the Aadhaar system itself. There are also two main external concerns – the security of the data at rest on the phone and the security of the data in transit. At all seven points, the customer’s data is vulnerable to attack. <br />Bhairav Acharya, Program Fellow, New America</blockquote>
<p style="text-align: justify; ">Acharya, who works at a U.S.-based think tank called New America and focuses on cyber-law, said the key concern is that Aadhaar data can be stolen and misused.</p>
<p style="text-align: justify; ">“The app and validation software are insecure, the Aadhaar system itself is insecure, the network infrastructure is insecure, and the laws are inadequate.”</p>
<p style="text-align: justify; ">The biometric data collected on the authentication device at a merchant location can potentially be stored on the device as well as the smartphone of a merchant for a long time. Abraham added that there is a possibility that non-certified devices will enter the market, which can store data and use it in the future to do fraudulent transactions.</p>
<p style="text-align: justify; ">The concerns over potential misuse of biometric data by private agencies have also been highlighted by the Supreme Court of India. Earlier this month, the apex court refused to expedite the hearing on a petition regarding Aadhaar being utilised for multiple use cases by private companies. It, however, <a href="http://economictimes.indiatimes.com/articleshow/56352843.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst" target="_blank"><ins>observed</ins></a> that private agencies collecting biometric data “is not a great idea”.</p>
<h3 style="text-align: justify; ">Deficient Privacy Laws</h3>
<p style="text-align: justify; ">Apar Gupta, a Delhi-based lawyer working on cyber security, says that the lack of strong privacy protecting provisions is another concern that should be kept in mind while moving towards an Aadhaar-based payment system.</p>
<p style="text-align: justify; ">“The data stays for a long time with the stakeholders in the system. The requesting agency can keep it for seven years and the UIDAI can store it for five years. There are insufficient safeguards and there’s an absence of privacy law and an independent privacy regulator,” he said.</p>
<p style="text-align: justify; ">Acharya agreed.</p>
<p style="text-align: justify; ">India does not have the necessary laws to deal with a decentralised, biometrically-authenticated, mobile payments system, according to Acharya.</p>
<p style="text-align: justify; ">“Moreover, current laws and policies regarding the Aadhaar project, particularly the centralised database, are inadequate from the point of view of data security and end-user privacy,” he said.</p>
<p style="text-align: justify; ">Abraham of CIS said the issue is wider than Aadhaar. The problem is the lack of a strong data security law.</p>
<blockquote class="quoted" style="text-align: justify; ">We only have a minimal data security law under the Section 43A of the Information and Technology Act which only applies to the private sector. There’s no law that applies to the government. Even 43A has not been applied consistently. There’s no place for you to go and complain if your identity has been compromised.<br />Sunil Abraham, Executive Director, Centre for Internet & Society</blockquote>
<p style="text-align: justify; ">Gupta noted that, in the event of an identity threat, avenues of recourse are also limited. He said the best option is an appeal in the civil court, which is a long drawn out process.</p>
<p style="text-align: justify; ">In final analysis, according to Abraham, credit and debit cards are easier to secure as access can be revoked quickly.</p>
<p style="text-align: justify; ">“The trouble with biometrics is that the chain of trust is harder to establish because too many people can get access to biometrics and then you need to devise these convoluted solutions like hardware secure zones,” Abraham said.</p>
<p style="text-align: justify; ">“So the advantage of going with a smart card is that it can be easily re-secured, but with biometrics, once I compromise it, it’s lifelong.”</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/bloomberg-mayank-jain-january-17-2017-dangers-of-aadhaar-based-payments-that-no-one-is-talking-about'>http://editors.cis-india.org/internet-governance/news/bloomberg-mayank-jain-january-17-2017-dangers-of-aadhaar-based-payments-that-no-one-is-talking-about</a>
</p>
No publisher; praskrishna; Digital Payment, Privacy, Internet Governance, Digital Money, Digital India, Aadhaar; 2017-01-17T14:39:53Z; News Item
The soon-to-be launched Aadhaar Pay will let you make purchases using your fingerprint
http://editors.cis-india.org/internet-governance/news/economic-times-indulekha-aravind-january-15-2017-the-soon-to-be-launched-aadhaar-pay-will-let-you-make-purchases-using-your-fingerprint
<b>Paying for your groceries and other goods by using your biometrics instead of an e-wallet, debit card or cash seems to be the next phase in the Centre’s ambitious push to shift the country to a “less cash” economy, as its mandarins term it.</b>
<p style="text-align: justify; ">The article by Indulekha Aravind was <a class="external-link" href="http://economictimes.indiatimes.com/news/economy/policy/the-soon-to-be-launched-aadhaar-pay-will-let-you-make-purchases-using-your-fingerprint/articleshow/56542475.cms">published in the Economic Times</a> on 15 January 2017. Sunil Abraham was <a class="external-link" href="http://economictimes.indiatimes.com/et-now/experts/sunil-abraham-on-aadhaars-misuse-during-demonetisation/videoshow/56544492.cms">consulted for this</a>.</p>
<hr />
<p style="text-align: justify; ">Ajay Bhushan Pandey, CEO of the Unique Identification Authority of India (UIDAI), says it will be rolling out Aadhaar-enabled payment system, or Aadhaar Pay, for merchants in the next few weeks. This will be an app for merchants that enables them to receive payments through biometric authentication of the customer, provided their bank accounts are linked to their Aadhaar number. "A pilot is under way in fair price shops in Andhra Pradesh where shopkeepers are accepting payments from PDS beneficiaries. The results are very encouraging," says Pandey.</p>
<p style="text-align: justify; ">The idea takes off from the existing Aadhaar-enabled payment system (AEPS) used by bank business correspondents (BCs) in rural areas to disburse and accept cash, using micro ATMs. "We are trying to tweak this so that a similar device can be used by a local merchant," says Pandey. Adoption will depend on two factors: merchants’ acceptance of it and whether they can use an app rather than a micro ATM. The biggest advantage through this method of payment, says Pandey, is that the customer will not need a credit or debit card, or even a smartphone.</p>
<p style="text-align: justify; "><img alt="The soon-to-be launched Aadhaar Pay will let you make purchases using your fingerprint" class="gwt-Image" src="http://img.etimg.com/photo/56542603/page-19-1.jpg" title="The soon-to-be launched Aadhaar Pay will let you make purchases using your fingerprint" /></p>
<p style="text-align: justify; ">The limits for transactions using AEPS, such as the number of daily transactions, will be left to the discretion of the banks. In the long term, the AEPS will be migrated to the BHIM (Bharat Interface for Money) platform but the rollout of Aadhaar Pay will happen before that. Post demonetisation, banking BC’s number of transactions using AEPS has leapt from 4-5 lakh to 14-15 lakh, says Pandey. According to Reserve Bank of India data on electronic payment systems, the total volume of such transactions jumped from 671 million in November 2016 to 957 million in December. USSD-based payments, which can be done using a basic feature phone, are among the biggest beneficiaries: the volume rose from just 7,000 in November to 1,02,000 in December, and value of transactions from over Rs 7,000 to over Rs 1 lakh. Prepaid payment instruments — mainly mobile wallets — rose from 59 million to 88 million in the same period (and value from Rs 1,300 crore to Rs 2,100 crore).</p>
<p style="text-align: justify; ">While Aadhaar Pay is likely to ride the demonetisation wave if it is launched soon, certain concerns remain, among them how secure such a payment system will be. The UIDAI CEO says it is a paramount concern for the organisation, too. "We are using the latest technology to ensure the information stays encrypted end-to-end, so that information is not leaked or misused. In the months to come, we will strengthen the security."</p>
<p style="text-align: justify; "><b>Wary About Security</b> <br /> Sunil Abraham, executive director of the Centre for Internet and Society, a think tank that has been analysing the Aadhaar project for six years, outlines several reasons why Aadhaar-based biometrics is inappropriate for authentication in payments, unlike card-based payments that use cryptography. <br /> <br /> "With biometrics, there is always an error ratio. It is imprecise matching, whereas with cryptography (smart cards), there is no false positive or negative. You either have the key (PIN) or you don’t. It is also very cheap to defeat biometric authentication — even an unlettered person can do it," says Abraham. It would be easy enough, he says, to replicate someone else’s fingerprint by pressing it against lukewarm wax and filling the mould with glue to get a dummy finger. In contrast, compromising a smart card requires more cost and effort, from tech-savviness to machines such as a skimmer that will read the card. "And once you are compromised, you are compromised forever. You can’t change it, like a debit card PIN."</p>
<p style="text-align: justify; ">Using Aadhaar for authentication had proved to be a failure during the exchange of currency notes following demonetisation, he adds, pointing to how the poor and the middle class stood in queues for money while stacks of new currency were recovered from the homes of businessmen and bureaucrats. "When you have bank officials who are corrupt, giving them your biometrics is giving them more ammunition for corruption." To catch the criminals, law enforcement agencies had to resort to CCTV footage, a relatively older technology, he says. Others point out that while it may be secure, certain factors stand in the way of making biometrics-based payment authentication a large-scale success. Amrish Rau, CEO of PayU India, a payment gateway provider, cites a list of reasons why it would inevitably take off but only in 5-10 years.</p>
<p style="text-align: justify; ">"For one, the technology is not yet good enough. There are also bandwidth and data constraints in sending biometric data," says Rau. Even in more mature markets, it has yet to find widespread acceptance, he says, pointing to the slow adoption of Apple Pay and Samsung Pay in the US. "It’s not the answer today." This is in contrast to NITI Aayog CEO Amitabh Kant’s recent remarks that cards and PoS machines would become redundant by 2020 because Indians would be making payments using their thumb (biometrics). "... my view is that in the next two and a half years, India will make all its debit cards, credit cards, all ATM machines, all PoS machines totally irrelevant," Kant had said at a Pravasi Bharatiya Divas session in Bengaluru.</p>
<div style="text-align: justify; ">UIDAI’s Pandey is more circumspect. “I wouldn’t say who would replace what. But from the government’s side we are encouraging all modes of digital payment. India has a diverse population and some people might prefer using a card, others a wallet. Collectively, they will contribute to a less-cash society.”</div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/economic-times-indulekha-aravind-january-15-2017-the-soon-to-be-launched-aadhaar-pay-will-let-you-make-purchases-using-your-fingerprint'>http://editors.cis-india.org/internet-governance/news/economic-times-indulekha-aravind-january-15-2017-the-soon-to-be-launched-aadhaar-pay-will-let-you-make-purchases-using-your-fingerprint</a>
</p>
No publisher; praskrishna; Demonetisation, Digital Payment, Digital Governance, Digital Economy, Privacy, Internet Governance, Digital Money, Video, Aadhaar, Biometrics; 2017-01-16T03:14:22Z; News Item
Comments on the Report of the Committee on Digital Payments (December 2016)
http://editors.cis-india.org/internet-governance/blog/comments-on-the-report-of-the-committee-on-digital-payments-dec-2016
<b>The Committee on Digital Payments constituted by the Ministry of Finance and chaired by Ratan P. Watal, Principal Advisor, NITI Aayog, submitted its report on the "Medium Term Recommendations to Strengthen Digital Payments Ecosystem" on December 09, 2016. The report was made public on December 27, and comments were sought from the general public. Here are the comments submitted by the Centre for Internet and Society.</b>
<p> </p>
<h3><strong>1. Preliminary</strong></h3>
<p><strong>1.1.</strong> This submission presents comments by the Centre for Internet and Society (“CIS”) <strong>[1]</strong> in response to the report of the Committee on Digital Payments, chaired by Mr. Ratan P. Watal, Principal Advisor, NITI Aayog, and constituted by the Ministry of Finance, Government of India (“the report”) <strong>[2]</strong>.</p>
<h3><strong>2. The Centre for Internet and Society</strong></h3>
<p><strong>2.1.</strong> The Centre for Internet and Society, CIS, is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, and open access), internet governance, telecommunication reform, digital privacy, and cyber-security.</p>
<p><strong>2.2.</strong> CIS is not an expert organisation in the domain of banking in general and payments in particular. Our expertise is in matters of internet and communication governance, data privacy and security, and technology regulation. We deeply appreciate and are most inspired by the Ministry of Finance’s decision to invite entities from both the sectors of finance and information technology. This submission is consistent with CIS’ commitment to safeguarding general public interest, and the interests and rights of various stakeholders involved, especially the citizens and the users. CIS is thankful to the Ministry of Finance for this opportunity to provide a general response on the report.</p>
<h3><strong>3. Comments</strong></h3>
<p><strong>3.1.</strong> CIS observes that the decision by the Government of India to withdraw the legal tender character of the old high denomination banknotes (that is, Rs. 500 and Rs. 1,000 notes), declared on November 08, 2016 <strong>[3]</strong>, has generated <strong>unprecedented data about the user base and transaction patterns of digital payments systems in India, when pushed to their extreme use due to the circumstances</strong>. The majority of this data is available with the National Payments Corporation of India and the Reserve Bank of India. CIS requests the authorities concerned to consider <strong>opening up this data for analysis and discussion by the public at large and experts in particular, before any specific policy and regulatory decisions are taken</strong> towards advancing digital payments proliferation in India. This is a crucial opportunity for the Ministry of Finance to embrace (open) data-driven regulation and policy-making.</p>
<p><strong>3.2.</strong> While the report makes a reference to the European General Data Protection Directive, it does not make a reference to any substantive provisions in the Directive which may be relevant to digital payments. Aside from the recommendation that privacy protections around the purpose limitation principle be relaxed to ensure that payment service providers be allowed to process data to improve fraud monitoring and anti-money laundering services, the report is silent on significant privacy and data protection concerns posed by digital payments services. <strong>CIS strongly warns that the existing data protection and security regulations under Information Technology (Reasonable security practices and procedures and sensitive personal data or information), Rules are woefully inadequate in their scope and application to effectively deal with potential privacy concerns posed by digital payments applications and services.</strong> Some key privacy issues that must be addressed either under a comprehensive data protection legislation or a sector specific financial regulation are listed below. The process of obtaining consent must be specific, informed and unambiguous and through a clear affirmative action by the data subject based upon a genuine choice provided along with an option to opt out at any stage. The data subjects should have clear and easily enforceable right to access and correct their data. Further, data subjects should have the right to restrict the usage of their data in circumstances such as inaccuracy of data, unlawful purpose and data no longer required in order to fulfill the original purpose.</p>
<p><strong>3.3.</strong> The initial recommendation of the report is to “[m]ake regulation of payments independent from the function of central banking” (page 22). This involves a fundamental transformation of the payment and settlement system in India and its regulation. <strong>We submit that a decision regarding transformation of such scale and implications be taken after a more comprehensive policy discussion, especially involving a wider range of stakeholders</strong>. The report itself notes that “[d]igital payments also have the potential of becoming a gateway to other financial services such as credit facilities for small businesses and low-income households” (page 32). Thus, a clear functional, and hence regulatory, separation between the (digital) payments industry and the lending/borrowing industry may be either effective or desirable. Global experience tells us that digital transactions data, along with other alternative data, are fast becoming the basis of provision of financial and other services, by both banking and non-banking (payments) companies. We appeal to the Ministry of Finance to adopt a comprehensive and concerted approach to regulating, enabling competition, and upholding consumers’ rights in the banking sector at large.</p>
<p><strong>3.4.</strong> The report recognises “banking as an activity is separate from payments, which is more of a technology business” (page 154). Contemporary banking and payment businesses are both primarily technology businesses where information technology particularly is deployed intimately to extract, process, and drive asset management decisions using financial transaction data. Further, with payment businesses (such as, pre-paid instruments) offering return on deposited money via other means (such as, cashbacks), and potentially competing and/or collaborating with established banks to use financial transaction data to drive lending decisions, including but not limited to micro-loans, it appears unproductive to create a separation between banking as an activity and payments as an activity merely in terms of the respective technology intensity of these sectors. <strong>CIS firmly recommends that regulation of these financial services and activities be undertaken in a technology-agnostic manner, and similar regulatory regimes be deployed on those entities offering similar services irrespective of their technology intensity or choice</strong>.</p>
<p><strong>3.5.</strong> The report highlights two major shortcomings of the current regulatory regime for payments. Firstly “the law does not impose any obligation on the regulator to promote competition and innovation in the payments market” (page 153). It appears to us that the regulator’s role should not be to promote market expansion and innovation but to ensure and oversee competition. <strong>We believe that the current regulator should focus on regulating the existing market, and the work of the expansion of the digital payments market in particular and the digital financial services market in general be carried out by another government agency, as it creates conflict of interest for the regulator otherwise.</strong> Secondly, the report mentions that Payment and Settlement Systems Act does not “focus the regulatory attention on the need for consumer protection in digital payments” and then it notes that a “provision was inserted to protect funds collected from customers” in 2015 (page 153). <strong>This indicates that the regulator already has the responsibility to ensure consumer protection in digital payments. The purview and modalities of this function of course need discussion and changes with the growth in digital payments</strong>.</p>
<p><strong>3.6.</strong> The report identifies the high cost of cash as a key reason for the government’s policy push towards digital payments. Further, it mentions that a “sample survey conducted in 2014 across urban and rural neighbourhoods in Delhi and Meerut, shows that despite being keenly aware of the costs associated with transacting in cash, most consumers see three main benefits of cash, viz. freedom of negotiations, faster settlements, and ensuring exact payments” (page 30). It further notes that “[d]igital payments have significant dependencies upon power and telecommunications infrastructure. Therefore, the roll out of robust and user friendly digital payments solutions to unelectrified areas/areas without telecommunications network coverage, remains a challenge.” <strong>CIS much appreciates the discussion of the barriers to universal adoption and rollout of digital payments in the report, and appeals to the Ministry of Finance to undertake a more comprehensive study of the key investments required by the Government of India to ensure that digital payments become ubiquitously viable as well as satisfy the demands of a vast range of consumers that India has</strong>. The estimates about investment required to create a robust digital payment infrastructure, cited in the report, provide a great basis for undertaking studies such as these.</p>
<p><strong>3.7.</strong> CIS is very encouraged to see the report highlighting that “[w]ith the rising number of users of digital payment services, it is absolutely necessary to develop consumer confidence on digital payments. Therefore, it is essential to have legislative safeguards to protect such consumers in-built into the primary law.” <strong>We second this recommendation and would like to add further that financial transaction data be governed under a common data protection and privacy regime, without making any differences between data collected by banking and non-banking entities</strong>.</p>
<p><strong>3.8.</strong> We are, however, very discouraged to see the overtly incorrect use of the term “Open Access” in this report in the context of a payment system disallowing service when the client wants to transact money with a specific entity <strong>[4]</strong>. This is not an uncommon anti-competitive measure adopted by various platform players and service providers so as to disallow users from using competing products (such as, not allowing competing apps in the app store controlled by one software company). <strong>The term “Open Access” is not only inappropriate for describing the negation of such anti-competitive behaviour, its usage in this context also undermines its accepted meaning and creates confusion regarding the recommendation being proposed by the report.</strong> The closest analogy to the recommendation of the report would perhaps be with the principle of “network neutrality” that stands for the network provider not discriminating between data packets being processed by them, either in terms of price or speed.</p>
<p><strong>3.9.</strong> A major recommendation by the report involves creation of “a fund from savings generated from cash-less transactions … by the Central Government,” which will use “the trinity of JAM (Jan Dhan, Aadhaar, Mobile) [to] link financial inclusion with social protection, contributing to improved Social and Financial Security and Inclusion of vulnerable groups/ communities” (page 160-161). <strong>This amounts to making Aadhaar a mandatory ID for financial inclusion of citizens, especially the marginal and vulnerable ones, and is in direct contradiction to the government’s statements regarding the optional nature of the Aadhaar ID, as well as the orders by the Supreme Court on this topic</strong>.</p>
<p><strong>3.10.</strong> The report recommends that “Aadhaar should be made the primary identification for KYC with the option of using other IDs for people who have not yet obtained Aadhaar” (page 163) and further that “Aadhaar eKYC and eSign should be a replacement for paper based, costly, and shared central KYC registries” (page 162). <strong>Not only would these measures imply making Aadhaar a mandatory ID for undertaking any legal activity in the country, they assume that the UIDAI has verified and audited the personal documents submitted by Aadhaar number holders during enrollment.</strong> A mandate for <em>replacement</em> of the paper-based central KYC agencies will only remove a much needed redundancy in the identity verification infrastructure of the government.</p>
<p><strong>3.11.</strong> The report suggests that “[t]ransactions which are permitted in cash without KYC should also be permitted on prepaid wallets without KYC” (page 164-165). This seems to negate the reality that physical verification of a person remains one of the most authoritative identity verification processes for a natural person, apart from DNA testing perhaps. <strong>Thus, establishing full equivalency of procedure between a presence-less transaction and one involving a physically present person making the payment will only amount to removal of relatively greater security precautions for the former, and will lead to possibilities of fraud</strong>.</p>
<p><strong>3.12.</strong> In continuation with the previous point, the report recommends promotion of “Aadhaar based KYC where PAN has not been obtained” and making of “quoting Aadhaar compulsory in income tax return for natural persons” (page 163). Both these measures imply a replacement of the PAN by Aadhaar in the long term, and a sharp reduction in growth of new PAN holders in the short term. <strong>We appeal for this recommendation to be reconsidered as integration of all functionally separate national critical information infrastructures (such as PAN and Aadhaar) into a single unified and centralised system (such as Aadhaar) engenders massive national and personal security threats</strong>.</p>
<p><strong>3.13.</strong> The report suggests the establishment of “a ranking and reward framework” to recognise and encourage the best performing state/district/agency in the proliferation of digital payments. <strong>It appears to us that creation of such a framework will only lead to making of an environment of competition among these entities concerned, which apart from its benefits may also have its costs. For example, the incentivisation of quick rollout of digital payment avenues by state government and various government agencies may lead to implementation without sufficient planning, coordination with stakeholders, and precautions regarding data security and privacy</strong>. The provision of central support for digital payments should be carried out in an environment of cooperation and not competition.</p>
<p><strong>3.14.</strong> CIS welcomes the recommendation by the report to generate greater awareness about cost of cash, including by ensuring that “large merchants including government agencies should account and disclose the cost of cash collection and cash payments incurred by them periodically” (page 164). It, however, is not clear to whom such periodic disclosures should be made. <strong>We would like to add here that the awareness building must simultaneously focus on making public how different entities shoulder these costs. Further, for reasons of comparison and evidence-driven policy making, it is necessary that data for equivalent variables are also made open for digital payments - the total and disaggregate cost, and what proportion of these costs are shouldered by which entities</strong>.</p>
<p><strong>3.15.</strong> The report acknowledges that “[t]oday, most merchants do not accept digital payments” and it goes on to recommend “that the Government should seize the initiative and require all government agencies and merchants where contracts are awarded by the government to provide at-least one suitable digital payment option to its consumers and vendors” (page 165). This requirement for offering digital payment option will only introduce an additional economic barrier for merchants bidding for government contracts. <strong>We appeal to the Ministry of Finance to reconsider this approach of raising the costs of non-digital payments to incentivise proliferation of digital payments, and instead lower the existing economic and other barriers to digital payments that keep the merchants away</strong>. The adoption of digital payments must not lead to increasing costs for merchants and end-users, but must decrease the same instead.</p>
<p><strong>3.16.</strong> As the report was submitted on December 09, 2016, and was made public only on December 27, 2016, <strong>it would have been much appreciated if at least a month-long window was provided to study and comment on the report, instead of fifteen days</strong>. This is especially crucial as the recently implemented demonetisation and the subsequent banking and fiscal policy decisions taken by the government have rapidly transformed the state and dynamics of the payments system landscape in India in general, and digital payments in particular.</p>
<h3><strong>Endnotes</strong></h3>
<p><strong>[1]</strong> See: <a href="http://cis-india.org/">http://cis-india.org/</a>.</p>
<p><strong>[2]</strong> See: <a href="http://finmin.nic.in/reports/Note-watal-report.pdf">http://finmin.nic.in/reports/Note-watal-report.pdf</a> and <a href="http://finmin.nic.in/reports/watal_report271216.pdf">http://finmin.nic.in/reports/watal_report271216.pdf</a>.</p>
<p><strong>[3]</strong> See: <a href="http://finmin.nic.in/cancellation_high_denomination_notes.pdf">http://finmin.nic.in/cancellation_high_denomination_notes.pdf</a>.</p>
<p><strong>[4]</strong> Open Access refers to “free and unrestricted online availability” of scientific and non-scientific literature. See: <a href="http://www.budapestopenaccessinitiative.org/read">http://www.budapestopenaccessinitiative.org/read</a>.</p>
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/comments-on-the-report-of-the-committee-on-digital-payments-dec-2016'>http://editors.cis-india.org/internet-governance/blog/comments-on-the-report-of-the-committee-on-digital-payments-dec-2016</a>
</p>
No publisher; Sumandro Chattapadhyay and Amber Sinha; UID, Digital ID, Big Data, Digital Economy, Digital Access, Privacy, Digital Security, Data Revolution, Digital Payment, Internet Governance, Digital India, Data Protection, Demonetisation, Homepage, Featured, Aadhaar; 2017-01-12T12:32:22Z; Blog Entry
How private companies are using Aadhaar to try to deliver better services (but there's a catch)
http://editors.cis-india.org/internet-governance/news/scroll-m-rajshekhar-how-private-companies-are-using-aadhaar-to-deliver-better-services-but-theres-a-catch
<b>They are gathering more information on you.</b>
<p style="text-align: justify; "> </p>
<p style="text-align: justify; "><section class="columns large-6 normal-article-content scroll-article-content article-content">
<div class="article-body">
<p>The article by M. Rajshekhar was <a class="external-link" href="http://scroll.in/bulletins/40/delays-in-indias-infrastructure-projects-has-a-large-impact-on-key-social-indicators">published in Scroll.in</a> on December 22, 2016. Sunil Abraham was quoted.</p>
<hr />
<p>In 2006, Ajay Trehan set up AuthBridge, a background verification company in Gurgaon. That was a time when business process outsourcing was booming. Global companies like Citibank were relocating back-office functions to India. Outfits like AuthBridge sprang up in response to help these companies find qualified staffers. They vetted applicants by running identity checks, verifying education and employment records, doing reference checks and more.</p>
<p>Ten years later, AuthBridge’s client profile has changed. With rising insecurity over crimes in India’s cities, like the December 2012 gangrape in Delhi, or the rape of a young woman in an Uber taxi in 2014, local companies – sizeably from e-commerce and businesses with delivery services – have also started vetting employees and partners to check if they have any criminal history. “Now, we have about 700-800 clients,” said Trehan. “Of them, just 20%-30% are foreign companies.”</p>
<p>AuthBridge’s verification process has changed too. Earlier, its employees used to physically verify the credentials of an applicant by travelling to her school or college, meeting her previous employer, vetting her identity papers with the government department that issued them, and so on.</p>
<p>Now they simply run a query on an electronic database.</p>
<h3 class="cms-block-heading cms-block"><b>Aadhaar enters the private sector</b></h3>
<p>Aadhaar, as India’s Unique Identity Project is called, aims to give a 12-digit unique identity number to all residents by collecting their fingerprint and iris scans. As of September, its database, maintained by the Unique Identity Authority of India, held the names, addresses and biometric information of more than 105 crore people.</p>
<p>The project was created by the United Progressive Alliance government in 2009 to reduce leakages in the country’s welfare programmes.</p>
<p>But, quietly, a range of private sector companies have started using it. This includes verification firms like AuthBridge, banks like HDFC, telecommunications companies like Reliance Jio, among others.</p>
<p>So far, most discussions on Aadhaar have focused on its utility for welfare delivery and the risk of government surveillance. But as private sector companies incorporate Aadhaar into their systems, fresh questions and concerns are emerging about what this means. A recent tweet by a journalist that went viral encapsulated these concerns.</p>
<figure class="cms-block-embed-twitter cms-block-embed cms-block"> </figure>
<p>To understand the rewards and risks of the use of Aadhaar by private companies, here is a detailed look at how they are using it.</p>
<h3 class="cms-block-heading cms-block"><b>Five ways of using Aadhaar</b></h3>
<p>The first way in which companies are using Aadhaar is <b>pure authentication. </b>This is how AuthBridge uses Aadhaar. It sends a name and Aadhaar number to the Unique Identity Authority’s server, which responds to say whether they have matched.</p>
<p>Apart from background verification companies, Aadhaar-based authentication can also be used by employers. “A factory hiring women or a security agency hiring guards and wanting to be sure these people are who they claim to be,” said Pramod Varma, the chief architect and technology advisor for the Aadhaar project.</p>
<p>It could also be used by regulated entities with strong Know Your Customer or KYC norms like banks or telecommunications companies. In the old days of branch-based banking, KYC was not a problem, said Varma, since “the bank manager knew all his customers”. But now, KYC is much harder since banks have moved to “core banking with millions of accounts in the server”. Instant Aadhaar-authentication, he said, is useful for verifying customers.</p>
<p>The second is <b>authentication plus</b>. Here, at the time of authentication, a company also downloads the customer’s data from the Aadhaar database. This is what companies like Reliance Jio are doing.</p>
<p>When a customer provides his Aadhaar number to the company, the company not only runs a query on the Aadhaar database to verify the name and number, it also downloads other information about the customer held on the server, like address, date of birth and gender.</p>
<p>This data can be used to electronically fill out the Know Your Customer forms, replacing what is right now a manual process, said Anupam Varghese, the head (products) of Eko India Financial Services, a financial services startup in the phone banking and remittances segment.</p>
<p>It is a disruptive proposition that companies find useful. In India, the cost of enrolling customers is so high, said Abhishek Sinha, the founder of Eko, that it prices a set of financial products beyond the reach of most Indians. “Authenticating a credit card customer and vetting her identity papers will cost anywhere between Rs 150-Rs 200,” he said. A company can recover that investment only if the customer racks up at least Rs 10,000 on the card, assuming a 2% margin on card transactions.</p>
<p>With its instant authentication and automatic form filling, Aadhaar-based electronic Know Your Customer, said Sinha, slashes those costs and makes it easier for companies to offer financial products which become viable even with a smaller volume of transactions. This allows the growth of financial products for less affluent customer segments.</p>
<p>Subsequently, these companies might pad up those databases by adding their own data. This is a third model of using Aadhaar: <b>authentication plus private database</b>.</p>
<p>For instance, <a href="http://scroll.in/article/805467/how-the-government-gains-when-private-companies-use-aadhaar">TrustID</a>, a mobile app which claims it can verify “your maid, driver, electrician, tutor, tenant and all service professionals” using Aadhaar, wants users to rate the services of the people they eventually employ. In effect, it is <a href="http://scroll.in/article/805467/how-the-government-gains-when-private-companies-use-aadhaar">creating</a> a private database.</p>
<p>Others, like Eko, are adding financial transaction histories to the Aadhaar data.</p>
<p>While these three uses are built around Aadhaar-based authentication, the remaining three uses – <b>database sharing, data broking, </b><b>deduplication</b><b> </b>– pivot around use of just the Aadhaar number. They are based on recent changes in how companies use customer data.</p>
<h3 class="cms-block-heading cms-block"><b>The customer data boom</b></h3>
<p>Customer data has acquired centrality for several Indian companies, particularly startups in e-commerce and financial services.</p>
<p>In some sectors, Varma said, “the cost of switching [between rival companies] is very low,” which heightens the need for customisation. “The better you can serve, the more sticky you get for a customer.” In other sectors, said Varghese, competition chips away at margins. Which is another reason to try and come up with better services and products.</p>
<p>This is where data can help.</p>
<p>In a conversation in October, Nandan Nilekani, software entrepreneur and the first chairperson of the Unique Identity Authority of India, explained why. “Companies like Ola compete with global companies like Uber which have a tremendous advantage in that they have more data – more customers globally – and better algorithms,” he said. If Ola has 5 million customers, Uber has 100 million. Which means Uber’s algorithms – thanks to pattern recognition and machine learning – will be more accurate.</p>
<p>For all these reasons, said Varma, companies in a handful of business verticals are trying to create “a 360 degree view of their customer”.</p>
<p>What has enabled this is a couple of technological trends. The ability to store and process data, said Nilekani, has gone up enormously in the last 15 years. At the same time, data itself has proliferated as electronic devices like mobile phones create records of voice, photos, messages and the locations of customers.</p>
<p>“All this is realtime data. So, on scale, speed and frequency, we have seen a jump,” said Nilekani.</p>
<p>This rising appetite for data is resulting in a couple of novel outcomes.</p>
<h3 class="cms-block-heading cms-block"><b>Enter, the sharing of customer data</b></h3>
<p>Indian companies have begun sharing databases.</p>
<p>A good example is an experimental partnership between Eko, the banking and remittances company, and Capital Float, a financial services startup which gives short term loans.</p>
<p>The two companies worked out an arrangement where Eko shared a part of its database about its distributors with Capital Float. This shared information contained aggregated and anonymised information on distributors and their working capital positions, said Varghese. Capital Float evaluated the database and came back with a list of distributors it could lend to. Eko, then, forwarded these offers to the distributors. After taking their consent, data about the distributors who were interested in the loans was shared with Capital Float.</p>
<p>On the surface, this is a counter-intuitive development: if customer data holds the key to competitive advantage, companies should closely safeguard their data.</p>
<p>But as it turns out, there are strong reasons to share data.</p>
<p>Both Eko and Capital Float, for instance, are small, specialised players in the financial services market which is dominated by banks. Data sharing is one way to compete with banks by offering complementary services to customers.</p>
<p>It is not clear how endemic data-sharing will get. According to Varma, it will be used selectively. “I cannot see organisations sharing databases at will,” he said. “They will be shared only if they can be used to offer an additional service to the client.”</p>
<p>But a programmer who works at iSpirt, a product software evangelising association based in Bangalore, and who did not want to be identified, said the trend will grow. In the financial sector, as new players like mobile wallet companies acquire more customers, banks that refuse to share data will miss out on emergent markets, he said. “Keeping everything behind closed doors – not participating in data exchanges – is now harmful,” he said.</p>
<p>Sunil Abraham, who heads the Centre For Internet and Society, foresees the rise of another kind of data-sharing – by companies that aggregate customer data from multiple sources and market that to clients. These could be data brokers like US-based Acxiom, he said. These could also be more specialised firms like medical transcription companies, which simultaneously serve hospitals, insurance and pharmaceutical companies.</p>
<p>The question is: what does all this have to do with Aadhaar?</p>
<h3 class="cms-block-heading cms-block"><b>The utility of Aadhaar</b></h3>
<p>Aadhaar makes it easier to <b>compare and combine diverse databases.</b></p>
<p>This is what India’s microfinance companies are doing. As <i>Scroll.in</i> reported <a href="http://scroll.in/article/817366/despite-the-supreme-court-you-need-aadhaar-to-get-a-loan-from-microfinance-companies">recently</a>, Microfinance Institutions Network, an association of microlenders, has told its member companies to seed the Aadhaar numbers of their borrowers into their databases. By searching the databases for the Aadhaar number of a prospective borrower, it will be possible to identify if she has already taken too many loans.</p>
<p>This is a scenario Nilekani bristles at. “You do not need Aadhaar for that,” he said. “You can triangulate databases using email or phone number or name.”</p>
<p>But the iSpirt programmer said, “With Aadhaar, the level of certainty is higher than what you would get by using name, phone number or email.” Between databases, the spelling of names might vary. Phone numbers change, especially in a country like India where prepaid mobile connections outnumber postpaid connections. Only a small part of the country’s population uses email. With Aadhaar, said the programmer, it gets easier to correlate databases.</p>
<p>Aadhaar, added Varma, can also be used to clean up databases. Banks, he said, can use the Aadhaar number to create better customer profiles by identifying all accounts owned by a person. This is the fifth use – <b>deduplication</b>.</p>
<h3 class="cms-block-heading cms-block"><b>What it all means</b></h3>
<p>The implications are obvious. A lot of companies already had databases about their customers. Now, as Nilekani said, technology is allowing the collection of ever greater amounts of information about us. The sharing of databases means companies will have ever more detailed customer profiles.</p>
<p>In a sense, we are entering a future where multiple databases – including several that we are not even aware of – will contain information about us. A hospital and an insurance company might share their records. Or intermediary companies, which service both of them, might create their own databases.</p>
<p>This information will materially affect our lives. As already happens online, companies will increasingly base their products on algorithms that parse data about our behaviour and then offer a customised price – which could be geared to serve or exploit us.</p>
<p>These algorithms, as <i>Propublica</i> <a class="link-external" href="https://www.propublica.org/series/machine-bias" rel="nofollow" target="_blank">reported</a>, can be <a class="link-external" href="https://www.propublica.org/series/machine-bias" rel="nofollow" target="_blank">opaque</a>.</p>
<p>In a sense, much of this is a familiar trajectory. The United States too, as the iSpirt programmer said, “saw a lot of irresponsible data sharing without enough control for civilians”.</p>
<p>That is where India is heading as well. As <i>Scroll </i>noted in its <a href="http://scroll.in/article/805467/how-the-government-gains-when-private-companies-use-aadhaar">article</a> about TrustID, when the company creates scores for the workers who use its app, they might not always be aware of that rating – or be in a position to challenge that rating.</p>
<p>There are large questions here. Who owns the data about you in a company’s database? Take your information in, say, Ola’s database – the address from where you get picked up or dropped, the phone number, the places you visit most often. Is the data owned by you, Ola or the driver? Should you have a say if a company wants to share this data? If you grant permission, how does one ensure it is used correctly?</p>
<p>Right now, as the next story in this series will show, this is a poorly regulated landscape.</p>
<p><i>This is the third part in a series on the expansion of Aadhaar and the concerns around it. The first two parts can be read <a href="http://scroll.in/tags/38792/identity-project">here.</a></i></p>
</div>
</section></p>
<p style="text-align: justify; "> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/scroll-m-rajshekhar-how-private-companies-are-using-aadhaar-to-deliver-better-services-but-theres-a-catch'>http://editors.cis-india.org/internet-governance/news/scroll-m-rajshekhar-how-private-companies-are-using-aadhaar-to-deliver-better-services-but-theres-a-catch</a>
</p>
No publisher | praskrishna | Aadhaar, Internet Governance, Privacy | 2016-12-23T02:04:59Z | News Item
Workshop Report - UIDAI and Welfare Services: Exclusion and Countermeasures
http://editors.cis-india.org/internet-governance/blog/workshop-report-uidai-and-welfare-services-august-27-2016
<b>This report presents summarised notes from a workshop organised by the Centre for Internet and Society (CIS) on Saturday, August 27, 2016, to discuss, raise awareness of, and devise countermeasures to exclusion due to implementation of UID-based verification for and distribution of welfare services.</b>
<p> </p>
<h2>Introduction</h2>
<p>The Centre for Internet and Society organised a workshop on "UIDAI and Welfare Services: Exclusion and Countermeasures" at the Institution of Agricultural Technologists on August 27 in Bangalore to discuss, raise awareness of, and devise countermeasures to exclusion due to implementation of UID-based verification for and distribution of welfare services <strong>[1]</strong>. This was a follow-up to the workshop held in Delhi on “Understanding Aadhaar and its New Challenges” at the Centre for Studies in Science Policy, JNU on May 26th and 27th 2016 <strong>[2]</strong>. In this report we summarise the key concerns raised and the case studies presented by the participants at the workshop held on August 27, 2016.</p>
<h2>Implementation of the UID Project</h2>
<p><strong>Question of Consent:</strong> The Aadhaar Act <strong>[3]</strong> states that the consent of the individual must be taken at the time of enrollment and authentication, and that the individual must be informed of the purpose for which the data would be used. However, the Act does not provide for an opt-out mechanism, and an individual is compelled to give consent to continue with the enrollment process or to complete an authentication.</p>
<p><strong>Lack of Adherence to Court Orders:</strong> Despite several orders by the Supreme Court stating that use of Aadhaar cannot be made mandatory for the purpose of availing benefits and services, multiple state governments and departments have made it mandatory for a wide range of purposes like booking railway tickets <strong>[4]</strong>, linking below-the-poverty-line ration cards with Aadhaar <strong>[5]</strong>, school examinations <strong>[6]</strong>, food security, pension and scholarship <strong>[7]</strong>, to name a few.</p>
<p><strong>Misleading Advertisements:</strong> A concern was raised that individuals are being misled about the necessity and purpose of enrollment into the project. For example, people have been asked to enrol by telling them that they might otherwise get excluded from the system and be unable to get services like passports, banking, NREGA, salaries for government employees, vaccinations, etc. Furthermore, the Supreme Court has ordered that Aadhaar not be mandatory, yet people are being told that documentation or record keeping cannot be done without a UID number.</p>
<p><strong>Hybrid Governance:</strong> The participants pointed out that with the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (hereinafter referred to as Aadhaar Act, 2016) being partially enforced, multiple examples of exclusion reported in the news demonstrate how the Aadhaar project is creating a case of hybrid governance, i.e., private corporations playing a significant role in governance. This can be seen in the case of Aadhaar, where many entities from the private sector, as well as many software and hardware companies, are involved in its implementation.</p>
<p><strong>Lack of Transparency around Sharing of Biometric Data:</strong> How and why the Government is relying on biometrics for welfare schemes is unclear. Also, there is no information on how the biometric data collected through the project is being used, or on its ability to serve as an authenticating device. Along with that, there is very little information on the companies that have been enlisted to hold and manage data and perform authentication.</p>
<p><strong>Possibility of Surveillance:</strong> Multiple petitions and ongoing cases have raised concerns regarding the possibility of surveillance, tracking, profiling, convergence of data, and the opaque involvement of private companies in the project.</p>
<p><strong>Denial of Information:</strong> An RTI request filed by one of the participants, asking for the key contract for the project to be shared, was refused on grounds under section 8(1)(d) of the RTI Act, 2005. However, it was claimed that the provision would not be applicable since the contract was already awarded and any information disclosed to the Parliament should be disclosed to the citizens. The Central Information Commission issued a letter stating that the contractual obligation is over and a copy of the said agreement can be duly shared. However, the participant discovered that certain pages, which contained confidential information, were missing from the copy. When this issue went on appeal before the Information Commissioner, the IC gave an order to the IC in Delhi to comply with the previous order. However, it was communicated that limited financial information may be given, but not the missing pages. Also, it was revealed that the UIDAI was supposed to share biometric data with NPR (by way of a MoU), but it has refused to give information since the intention was to discontinue NPR and have only UIDAI collect data.</p>
<h2>Concerns Arising from the Report of the Comptroller and Auditor General of India (CAG) on Implementation of PAHAL (DBTL) Scheme</h2>
<p>A presentation on the CAG compliance audit report of PAHAL on LPG <strong>[8]</strong> revealed how society was made to believe that UID, and the collection and use of biometric data, would help deal with the issue of duplication. The report also revealed that multiple LPG connections have the same Aadhaar number or the same bank account number in the consumer database maintained by the OMCs, that the bank account numbers of consumers were not accurately recorded, that scrutiny of the database revealed improper capture of Aadhaar numbers, and that there was incorrect seeding of IFSC codes in the consumer database. The participants felt that this was an example of how schemes introduced for social welfare do not necessarily benefit society and, on the contrary, have led to exclusion by design. For example, in the year 2011, by way of the Liquefied Petroleum Gas (Regulation of Supply and Distribution) Amendment Order, 2011 <strong>[9]</strong>, the Ministry of Petroleum and Natural Gas made the Unique Identification Number (UID) under the Aadhaar project a must for availing LPG refills. This received a lot of public pushback, which led to non-implementation of the order. In October 2012, despite the UIDAI stating that the number was voluntary, a number of services began requiring the provision of an Aadhaar number for accessing benefits. In September 2013, when the first order on Aadhaar was passed by the court <strong>[10]</strong>, oil marketing companies and UIDAI approached the Supreme Court to change the same and allow them to make it mandatory, which was refused by the Court. Later, in the year 2014, use of Aadhaar for subsidies was made mandatory. The participants further criticised the CAG report for revealing the manner in which linking Aadhaar with welfare schemes has allowed duplication and led to ghost beneficiaries, with no information about who the people receiving the benefits of the subsidies are. For example, in Rajasthan, people are being denied their pension as they are being declared dead due to absence of information from the Aadhaar database.</p>
<p>It was said that the statistics of duplication mentioned in the report show that UIDAI (which claims to ensure de-duplication of beneficiaries) is not required for this purpose, and that de-duplication can be done without Aadhaar as well. Also, due to incorrect seeding of Aadhaar numbers many are being denied subsidy, and there is no information on the number of people who have been denied the subsidy because of this. Considering these important facts from the audit report, the discussants concluded that the statistics reflect inflated claims by UIDAI and that the problems said to be addressed by using Aadhaar can be dealt with without it. In this context, it is important to understand that the data in the Aadhaar database may be wrong, and that in the case of e-governance it is the citizens who suffer. Also ignored is the fact that the loss of subsidy is not in cash but in the use of LPG cylinders, which are only for cooking. In addition, there is no data or way to check whether a cylinder is being used for commercial purposes, as the RTI response from oil companies says that no ghost identities have been detected.</p>
<h2>UID-linked Welfare Delivery in Rajasthan</h2>
<p>One speaker presented findings on people's experiences with UID-linked welfare services in Rajasthan, collected through a 100-day trip organised to speak to people across the state on problems related to welfare governance. This visit revealed that people who need the benefits and access to subsidies most are often excluded from actual services. It was highlighted that the paperless system is proving to be highly dangerous. Some of the cases discussed included that of a disabled labourer who was asked to get an Aadhaar card, but during enrollment asked the person standing next to him to put all his 5 fingers for biometric data collection. Due to this incorrect data, he is deprived of all subsidies, since the authentication fails every time he goes to avail them. He stopped receiving his entitlements. Though problems were anticipated, the misery of the people revealed the extent of the problems arising from the project. In another case, an elderly woman living alone had not been receiving the ration she is entitled to for the past 8 months, since she could not go for Aadhaar authentication. When the ration shop was approached to represent her case, the dealers said that they could not provide her ration since they would require her thumb print for authentication. Later, on persuading the dealer to provide her with ration since Aadhaar is not mandatory, they found out that the dealer's records showed that she was being given the ration, which was not the case. So the lack of awareness that people are entitled to receive the benefits irrespective of Aadhaar is something that is being misused by dealers. This shows how this system has become a barrier for the people, who are also unaware of the grievance redressal mechanism.</p>
<h2>Aadhaar and e-KYC</h2>
<p>In this session, the use of Aadhaar for e-KYC verification was discussed. The UID strategy document describes how the idea is to link UIDAI with money-enabled Direct Benefit Transfer (DBT) to the beneficiaries, without any reason or justification for the same. It was highlighted by one of the participants that the Reserve Bank of India (RBI) believed that making Aadhaar compulsory for e-KYC and several other banking services was a violation of the Money Laundering Act as well as its own rules and standards; however, it later relaxed the rules to link Aadhaar with bank accounts and accepted it for e-KYC with great reluctance, as the Department of Revenue thought otherwise. It was mentioned that allowing bank accounts to be opened remotely using Aadhaar, without the person being physically present, was touted as a dangerous idea. However, the restrictions placed by RBI were suddenly done away with and opening bank accounts remotely was enabled via e-KYC.</p>
<p>A speaker emphasised that with emerging FinTech services in India being tied with Aadhaar via India Stack, the following concerns are becoming critical:</p>
<ol><li>With RBI enabling creation of bank accounts remotely, it becomes difficult to track who did the e-KYC and which bank did it, and to hold them accountable.<br /><br /></li>
<li>The Aadhaar Act 2016 states that UIDAI will not track the queries made and will only keep a record of Yes/No for authentication. For example, the e-KYC to open a bank account can now be done with the help of an Aadhaar number and biometric authentication. However, this request does not get recorded and at the time of authentication, an individual is simply told whether the request has been matched or not by way of a Yes/No <strong>[11]</strong>. Though UIDAI will maintain the authentication record, this may act as an obstacle, since if the information from the Aadhaar database does not match, the person would not be able to open a bank account and would only receive a yes/no as a response to the request.<br /><br /></li>
<li>Further, there is a concern that the Aadhaar Enabled Payment System being implemented by the National Payments Corporation of India (NPCI) would effectively allow hiding of the source and destination of money flow, leading to money laundering and cases of bribery. This is possible as NPCI maintains a mapper where each bank account is linked (only the latest one). However, an Aadhaar number can be linked with multiple bank accounts of an individual. So when a transaction is made, the mapper records the transaction only from that one account. But if another transaction takes place with another bank account, that record is not maintained by the mapper at NPCI, since it records only transactions of the latest account seeded in it. This makes money laundering easy, as the money now moves from Aadhaar number to Aadhaar number rather than from bank account to bank account.</li></ol>
<h2>Endnotes</h2>
<p><strong>[1]</strong> See: <a href="http://cis-india.org/internet-governance/events/uidai-and-welfare-services-exclusion-and-countermeasures-aug-27">http://cis-india.org/internet-governance/events/uidai-and-welfare-services-exclusion-and-countermeasures-aug-27</a>.</p>
<p><strong>[2]</strong> See: <a href="http://cis-india.org/internet-governance/blog/report-on-understanding-aadhaar-and-its-new-challenges">http://cis-india.org/internet-governance/blog/report-on-understanding-aadhaar-and-its-new-challenges</a>.</p>
<p><strong>[3]</strong> See: <a href="https://uidai.gov.in/beta/images/the_aadhaar_act_2016.pdf">https://uidai.gov.in/beta/images/the_aadhaar_act_2016.pdf</a>.</p>
<p><strong>[4]</strong> See: <a href="http://scroll.in/latest/816343/aadhaar-numbers-may-soon-be-compulsory-to-book-railway-tickets">http://scroll.in/latest/816343/aadhaar-numbers-may-soon-be-compulsory-to-book-railway-tickets</a>.</p>
<p><strong>[5]</strong> See: <a href="http://www.thehindu.com/news/national/karnataka/linking-bpl-ration-card-with-aadhaar-made-mandatory/article9094935.ece">http://www.thehindu.com/news/national/karnataka/linking-bpl-ration-card-with-aadhaar-made-mandatory/article9094935.ece</a>.</p>
<p><strong>[6]</strong> See: <a href="http://timesofindia.indiatimes.com/india/After-scam-Bihar-to-link-exams-to-Aadhaar/articleshow/54000108.cms">http://timesofindia.indiatimes.com/india/After-scam-Bihar-to-link-exams-to-Aadhaar/articleshow/54000108.cms</a>.</p>
<p><strong>[7]</strong> See: <a href="http://www.dailypioneer.com/state-editions/cs-calls-for-early-steps-to-link-aadhaar-to-ac.html">http://www.dailypioneer.com/state-editions/cs-calls-for-early-steps-to-link-aadhaar-to-ac.html</a>.</p>
<p><strong>[8]</strong> See: <a href="http://www.cag.gov.in/sites/default/files/audit_report_files/Union_Commercial_Compliance_Full_Report_25_2016_English.pdf">http://www.cag.gov.in/sites/default/files/audit_report_files/Union_Commercial_Compliance_Full_Report_25_2016_English.pdf</a>.</p>
<p><strong>[9]</strong> See: <a href="http://petroleum.nic.in/docs/lpg/LPG%20Control%20Order%20GSR%20718%20dated%2026.09.2011.pdf">http://petroleum.nic.in/docs/lpg/LPG%20Control%20Order%20GSR%20718%20dated%2026.09.2011.pdf</a>.</p>
<p><strong>[10]</strong> See: <a href="http://judis.nic.in/temp/494201232392013p.txt">http://judis.nic.in/temp/494201232392013p.txt</a>.</p>
<p><strong>[11]</strong> Section 8(4) of the Aadhaar Act, 2016 states that "The Authority shall respond to an authentication query with a positive, negative or any other appropriate response sharing such identity information excluding any core biometric information."</p>
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/workshop-report-uidai-and-welfare-services-august-27-2016'>http://editors.cis-india.org/internet-governance/blog/workshop-report-uidai-and-welfare-services-august-27-2016</a>
</p>
No publisher | vanya | Digital Payment, Data Systems, Researchers at Work, UID, Internet Governance, Surveillance, Big Data, Aadhaar, Welfare Governance, Big Data for Development, Digital ID | 2019-03-16T04:34:11Z | Blog Entry
CIS Submission to TRAI Consultation Note on Model for Nation-wide Interoperable and Scalable Public Wi-Fi Networks
http://editors.cis-india.org/telecom/blog/cis-submission-trai-note-on-interoperable-scalable-public-wifi
<b>This submission presents responses by the CIS on the Consultation Note on Model for Nation-wide Interoperable and Scalable Public Wi-Fi Networks published by the TRAI on November 15, 2016. Our analysis of the solution proposed in the Note, in brief, is that there is no need for a solution to a non-existent interoperability problem for authentication and payment services for accessing public Wi-Fi networks. The proposed solution in this Note only adds to over-regulation in this sector, and does not incentivise new investment in the sector, but only establishes UIDAI and NPCI as the monopoly service providers for authentication and payment services.</b>
<p> </p>
<p>The comments were authored by Japreet Grewal, Pranesh Prakash, Sharath Chandra, Sumandro Chattapadhyay, Sunil Abraham, and Udbhav Tiwari, with expert comments from Amelia Andersdotter.</p>
<hr />
<h2>1. Preliminary</h2>
<p><strong>1.1.</strong> This submission presents responses by the Centre for Internet and Society (“CIS”) <strong>[1]</strong> on the <em>Consultation Note on Model for Nation-wide Interoperable and Scalable Public Wi-Fi Networks</em> (“the Note”) published by the Telecom Regulatory Authority of India (“TRAI”) on November 15, 2016 <strong>[2]</strong>.</p>
<p><strong>1.2.</strong> The CIS welcomes the effort undertaken by TRAI to map regulatory and other barriers to deployment of public Wi-Fi in India. We especially appreciate that TRAI has recognised <strong>[3]</strong> two key barriers to provision of public Wi-Fi networks identified and highlighted in our earlier response to the <em>Consultation Paper on Proliferation of Broadband through Public WiFi</em> <strong>[4]</strong>: 1) over regulation (including, licensing requirements, data retention, and Know Your Customer policy), and 2) paucity of spectrum <strong>[5]</strong>.</p>
<h2>2. General Responses</h2>
<p><strong>2.1.</strong> Before responding to the specific questions posed by the Note, we would like to make the following observations.</p>
<p><strong>2.2.</strong> There is no need for a solution to a non-existent interoperability problem for authentication and payment services for accessing public Wi-Fi networks. The proposed solution in this Note only adds to over-regulation in this sector. The proposed solution does not incentivise new investment in the sector, but only establishes UIDAI and NPCI as the monopoly service providers for authentication and payment services.</p>
<p><strong>2.3.</strong> As the TRAI has consulted widely with industry and other stakeholders before it settled on the list of priority issues contained in Section C.6 of the Note, we are surprised to find that this Note aims to address only the problem of lack of “seamless interoperable payment system for Wi-Fi networks” (Section C.6.d of the Note), and does not discuss and propose solutions for any other key barriers identified by the Note.</p>
<p><strong>2.4.</strong> The Note fails to clarify the “interoperability” problem in the payment system for usage of public Wi-Fi networks that it is attempting to solve. The Note identifies the lack of a “single standard” for “authentication and payment mechanisms” for accessing public Wi-Fi networks as a key impediment to providing scalable and interoperable public Wi-Fi networks across the country <strong>[6]</strong>. By conceptualising the problem in this manner, TRAI has bundled together two completely different concerns - authentication and payment - into one, and this is at the root of the problems emanating from the proposed solution in this Note.</p>
<p><strong>2.5.</strong> Lack of a standard process for authentication is created by over-regulation via Know Your Customer (“KYC”) policies, and selection of the eKYC service provided by UIDAI as the only acceptable authentication mechanism for all users of public Wi-Fi networks across India creates further economic and legal challenges for smaller would-be providers of public Wi-Fi networks as they assess their liabilities and start-up costs. Additionally, since this would amount to making UID/Aadhaar enrolment mandatory for any user of public Wi-Fi networks, it seems to create a contradiction with previously communicated policy from the UIDAI and the Government that no such obligation should arise. The Supreme Court has also mandated over successive Orders that enrolment for a UID/Aadhaar number should remain optional for citizens and residents.</p>
<p><strong>2.6.</strong> As was observed by the respondents to the TRAI Consultation concluded earlier this year, there is no interoperability problem that needs to be solved regarding payments for accessing public Wi-Fi networks. Payment services continue to evolve, and payment aggregator services provided by existing companies may be expected to resolve many of the outstanding issues of service proliferation in the upcoming years, at least in the absence of additional mandatory technical measures imposed by the government. Bundling of payment with authentication will only undermine the already existing independent market for payment aggregators, and further enforce mandatoriness of the UID/Aadhaar number.</p>
<p><strong>2.7.</strong> Further, the payment mechanism proposed would seem to worsen difficulties for tourists and foreigners in accessing public Wi-Fi in India, as well as add an additional layer of authentication in a system already identified (even in the Note itself) to be overburdened by regulations regarding KYC and data retention. Section C.6.b of the Note highlights the problems faced by foreigners and tourists when the authentication mechanism is premised upon use of a One Time Password (OTP) that requires a functioning local mobile phone number. It contradicts itself later by proposing an authentication method that requires the user to not only download an application onto their mobile/desktop device, but also to enrol for a UID/Aadhaar number and/or to use their existing UID/Aadhaar number. Instead of reducing the existing barriers to provision of and access to public Wi-Fi, which the Note is supposed to achieve, it creates significant new barriers.</p>
<p><strong>2.8.</strong> The technological architecture advanced by the Note upholds support of governance and surveillance projects that, in addition to being costly in their implementation and thereby slowing down the objective of getting India connected, are also of questionable value to the security of the Indian polity. UID, UPI, and related projects risk undermining cyber-security through their reliance on centralised architectures and interfere with healthy competitive market dynamics between commercial and non-commercial actors.</p>
<p><strong>2.9.</strong> The Note continues to only consider and enable commercial models for the provision of public Wi-Fi networks. We have identified this as a problematic assumption in our last submission <strong>[7]</strong>. It is most crucial that TRAI does not ignore and fail to promote and facilitate the possibility of not-for-profit models that involve grassroot communities, academia, and civil society.</p>
<p><strong>2.10.</strong> Last but not the least, the term “Wi-Fi” refers to a particular technology for establishing wireless local area networks. Further, the term is a trademark of the Wi-Fi Alliance <strong>[8]</strong>. It is thus not a neutral term, and it must not be used as a general and universal synonym for wireless local area networks. We recommend that TRAI may consider using a technology-neutral term, say “public wireless services” or “public networking services”, to describe the sector. Following the terminology used in the Note, we have decided to continue using the term “Wi-Fi” in this response. This does not reflect our agreement about the appropriateness of this term. Important: The recommendation for technology-neutral regulation also comes with the qualification that safeguards like regulations on Listen Before Talk and Cycle Time are required to prevent technologies like LTE-U from squatting on spectrum and interfering with connections based on other standards.</p>
<h2>3. Specific Responses</h2>
<h4>Q1. Is the architecture suggested in the consultation note for creating unified authentication and payment infrastructure will enable nationwide standard for authentication and payment interoperability?</h4>
<p><strong>3.1.</strong> No. The proposed infrastructure is likely to be costly for a large number of actors to implement and undermine some of the ongoing innovation in the Indian digital payment services industry. Rather than being helpful, it risks introducing additional requirements on an industry that TRAI has already identified as facing a number of large challenges.</p>
<p><strong>3.2.</strong> There is no need for a unified architecture that provides a nationwide standard for authentication and payment interoperability. It does not offer any incentive towards provision of public Wi-Fi networks. Neither is there an interoperability problem at the physical or data link layers that has been pointed out, nor is government mandated interoperability required at the payment or ID layer since there are private entities that provide such interoperability (like, payment aggregators). Additionally, we believe it is inappropriate that the TRAI is trying to predict the most suitable business/technological model for digital payments to be used for accessing commercial Wi-Fi networks. India has a booming online payments industry, and it must be allowed to evolve in an enabling regulatory environment that allows for competition and ensures responsible practices.</p>
<p><strong>3.3.</strong> The Note identifies several structural impediments to expansion of public Wi-Fi networks in India, namely paucity of backhaul connectivity infrastructure (Section C.6.a), inadequate associated infrastructure to offer carrier grade Wi-Fi network (Section C.6.c), dependency of authentication mechanism on pre-existing (Indian) mobile phone connection (Section C.6.b), and limited availability of spectrum to be used for public Wi-Fi networks (Section C.6.e). All these are crucial concerns and none of them have been addressed by the architecture suggested in the Note.</p>
<h4>Q2. Would you like to suggest any alternate model?</h4>
<p><strong>3.4.</strong> Yes. The model proposed in the Note is likely to exclude several types of potential users (say, foreigners and tourists), and impose a single authentication and payment service provider for accessing public Wi-Fi networks, which may undermine both competition and security in the market for these services.</p>
<p><strong>3.5.</strong> Internationally, there are cities and regions (say, the city of Barcelona and the Catalonia region in Spain) where public Wi-Fi networks have been provided in a pervasive and efficient manner by taking a light regulatory approach that enables opportunities for potential providers to set up their own infrastructures and additionally have access to backhaul. Further, reducing legal requirements on authentication should be considered in place of government-mandated technical architectures for authentication and payment. In particular, allowing for anonymous access to public Wi-Fi or wireless connectivity would reduce both the administrative and the technical burden on potential providers at the hyper-local level, especially for providers whose main activity is not, and cannot be, the provision of internet services (say, event venues, malls, and shops).</p>
<p><strong>3.6.</strong> The CIS suggests the following steps towards conceptualising an “alternative model”:</p>
<ol><li>remove existing regulatory disincentives,<br /><br /></li>
<li>urgently explore policies to promote deployment of wired infrastructures in general, and to enable a larger range of actors, including local authorities, to invest in and deploy local infrastructures by reducing licensing requirements in particular,<br /><br /></li>
<li>examine spectrum requirements for provision of public Wi-Fi, and<br /><br /></li>
<li>provide incentives, such as allowing telecom service providers to share backhaul traffic over public Wi-Fi, and ways for telecom service providers to lower their costs if they also make Internet access available for free.</li></ol>
<h4>Q3. Can Public Wi-Fi access providers resell capacity and bandwidth to retail users? Is “light touch regulation” using methods such as “registration” instead of “licensing” preferred for them?</h4>
<p><strong>3.7.</strong> CIS holds that capacity and bandwidth are neither comparable to tangible goods nor to digital currency. They are a utility, and the provider of the utility has to accept that their customers use the utility in the way they see fit, even if that use entails sharing said capacity and bandwidth with downstream private persons or customers. Wi-Fi capabilities are currently a built-in standardised feature of all consumer routers. Any individual, community, or store with access to an internet connection and a consumer router could become a public Wi-Fi access provider at no additional cost to themselves, furthering the goals of the Indian government in its Digital India strategy to ensure public and universal access to the internet.</p>
<p><strong>3.8.</strong> In order to exploit the opportunities afforded by a large number of entities in Indian society potentially becoming public Wi-Fi providers, TRAI should require neither registration nor licensing of these actors. Imposing administrative burdens on potential public Wi-Fi access providers creates legal uncertainty and will cause a lot of actors, who may otherwise contribute to the goals of Digital India, not to do so. This is particularly true for community organisers and citizens, who may not have access to legal assistance and therefore may avoid contributing to the goals of the government.</p>
<p><strong>3.9.</strong> Light touch regulation, when it comes to both granting licenses to public Wi-Fi access providers and authentication of retail users, is however needed not only as an exceptional practice for such instances but as a general practice in the case of entities offering public Wi-Fi services, either commercially or otherwise. Further, additional laxity in administrative responsibilities is needed to incentivise provision of free, that is non-commercial, public Wi-Fi networks.</p>
<h4>Q4. What should be the regulatory guidelines on “unbundling” Wi-Fi at access and backhaul level?</h4>
<p><strong>3.10.</strong> The Note refers to unbundling of activities related to provision of Wi-Fi but it does not define the term. Nor does it explain which specific activities at access and backhaul levels must be considered for unbundling.</p>
<p><strong>3.11.</strong> While unbundling should clearly be allowed and any regulatory hurdles to unbundling should be removed, any such decision must be taken with a focus on urgently addressing the stagnated growth in landline and backhaul, as identified in Section C.6.a of the Note. Relying only on spectrum intensive infrastructures, such as mobile base stations, for providing connectivity, creates a heavy regulatory burden for the TRAI, while simultaneously not ensuring optimal connectivity for business and private users. The CIS is concerned that the focus of the Note on standardising a government-mediated authentication and payment mechanism detracts attention from this urgent obstacle to the fulfillment of the Digital India plans of accelerated provision of broadband highways, universal access, and public, especially free, access to internet services.</p>
<p><strong>3.12.</strong> European telecommunications legislation offers an example: implementing policy measures to ensure that vertical integration between infrastructure providers (say, cables, switches, and hubs) and service providers (say, providing a subscriber with a household modem or a SIM card) in the telecommunications sector does not become a barrier to new market entrants has yielded much success in countries that have pursued it, like Sweden and Great Britain.</p>
<p><strong>3.13.</strong> Further, there should be no default assumption of bundling by the TRAI. In particular, the TRAI should consider reviewing all regulations that may cause bundling to occur when this is not necessary, and put in place a monitoring mechanism for ensuring that bundled practices (especially in electronic networks, base station infrastructures, backhaul and similar) do not cause competitive problems or raise market entry barriers <strong>[9]</strong>. In most EU countries, especially where the corporate structure of incumbent(s) is not highly vertically integrated, interconnection requirements for electronic network providers of wired networks in the backhaul or backbone (effectively price regulated interconnection), and a conscious effort to ensure that new market players can enter the field, have ensured a competitive telecommunications environment. TRAI may consider reviewing the European regulation on local loop unbundling (1999) and discussions on functional separation (especially by the British regulatory authority Ofcom), within an Indian context.</p>
<h4>Q5. Whether reselling of bandwidth should be allowed to venue owners such as shop keepers through Wi-Fi at premise? In such a scenario please suggest the mechanism for security compliance.</h4>
<p><strong>3.14.</strong> Yes. Venue owners should be allowed to provide public Wi-Fi service both on a commercial and non-commercial basis.</p>
<p><strong>3.15.</strong> It is not clear from the Note and the question what type of security concerns the TRAI is seeking to address. In terms of payment security, the payment industry already has a large range of verification and testing mechanisms. The CIS objects to the mandatory introduction of the proposed payment system so as to ensure greater security for Wi-Fi access providers and the users.</p>
<p><strong>3.16.</strong> As far as hardware-related security issues are concerned, it is again unclear why consumer equipment compliant with existing Wi-Fi standards would not be sufficiently secure in the Indian context. Wi-Fi has proven to be a sturdy technical standard, its adoption is high in multiple jurisdictions around the world, and it also enjoys great technical stability. Similar security assessments could easily be made for alternative wireless technologies, such as WiMAX.</p>
<p><strong>3.17.</strong> The CIS foresees problems in the allocation of risk and liability by law. The already existing legal obligation to verify the identity of each user, for instance, is likely to introduce a large administrative burden on potential public Wi-Fi providers, which may lead to such potential providers abstaining from entering the market. Should the identification requirement be removed, however, other concerns pertaining to legal obligations may arise. These include liability for user activities on the web or on the internet (cf. copyright infringement, libel, hate speech). We propose a “safe harbour” mechanism in these cases, limiting the liability of the potential public Wi-Fi provider.</p>
<h4>Q6. What should be the guidelines regarding sharing of costs and revenue across all entities in the public Wi-Fi value chain? Is regulatory intervention required or it should be left to forbearance and individual contracting?</h4>
<p><strong>3.18.</strong> The market segments identified by the TRAI in Section F.18 of the Note should normally all be competitive markets themselves, and so do not require regulatory assistance in sharing of costs and revenues. The more elaborate the requirements imposed on each actor of each market segment identified by the TRAI in Section F.18, the more costly the roll-out of public Wi-Fi is going to be for the market actors. Such a cost is not avoided by price regulation.</p>
<p><strong>3.19.</strong> The TRAI may instead consider introducing public funding for backhaul roll-out in remote areas, where the market is unlikely to engage in such roll-out on its own. Presently, some Indian states (such as Karnataka) are committing to public funding for wireless access in remote areas. The Union Government can assist such endeavours.</p>
<h2>Endnotes</h2>
<p><strong>[1]</strong> See: <a href="http://cis-india.org/">http://cis-india.org/</a>.</p>
<p><strong>[2]</strong> See: <a href="http://trai.gov.in/Content/ConDis/20801_0.aspx">http://trai.gov.in/Content/ConDis/20801_0.aspx</a>.</p>
<p><strong>[3]</strong> See Section C.6 of the Note.</p>
<p><strong>[4]</strong> See: <a href="http://trai.gov.in/Content/ConDis/20782_0.aspx">http://trai.gov.in/Content/ConDis/20782_0.aspx</a>.</p>
<p><strong>[5]</strong> See: <a href="http://cis-india.org/telecom/blog/cis-submission-to-trai-consultation-on-proliferation-of-broadband-through-public-wifi-networks">http://cis-india.org/telecom/blog/cis-submission-to-trai-consultation-on-proliferation-of-broadband-through-public-wifi-networks</a>.</p>
<p><strong>[6]</strong> See Section E.11. of the Note.</p>
<p><strong>[7]</strong> See: <a href="http://cis-india.org/telecom/blog/cis-submission-to-trai-consultation-on-proliferation-of-broadband-through-public-wifi-networks">http://cis-india.org/telecom/blog/cis-submission-to-trai-consultation-on-proliferation-of-broadband-through-public-wifi-networks</a>.</p>
<p><strong>[8]</strong> See: <a href="https://www.wi-fi.org/">https://www.wi-fi.org/</a>.</p>
<p><strong>[9]</strong> Monitoring bundled products in the telecommunications sector is also recommended by the OECD. See: <a href="http://oecdinsights.org/2015/06/22/triple-and-quadruple-play-bundles-of-communication-services-towards-all-in-one-packages/">http://oecdinsights.org/2015/06/22/triple-and-quadruple-play-bundles-of-communication-services-towards-all-in-one-packages/</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/telecom/blog/cis-submission-trai-note-on-interoperable-scalable-public-wifi'>http://editors.cis-india.org/telecom/blog/cis-submission-trai-note-on-interoperable-scalable-public-wifi</a>
</p>
No publisher | Japreet Grewal, Pranesh Prakash, Sharath Chandra, Sumandro Chattapadhyay, Sunil Abraham, and Udbhav Tiwari, with expert comments from Amelia Andersdotter | Digital Payment, Public Wireless Network, TRAI, Internet Governance, Telecom, Featured, Aadhaar, Homepage, UID | 2016-12-12T13:59:00Z | Blog Entry