The Centre for Internet and Society
http://editors.cis-india.org
These are the search results for the query, showing results 11 to 25.
Clarification on the Information Security Practices of Aadhaar Report
http://editors.cis-india.org/internet-governance/blog/clarification-on-the-information-security-practices-of-aadhaar-report
<b>We are issuing a second clarificatory statement on our report titled “Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar numbers with sensitive personal financial information” published on May 1, 2017. </b>
<h4>The report concerned can be accessed <a href="https://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof-a-documentation-of-public-availability-of-aadhaar-numbers-with-sensitive-personal-financial-information-1">here</a>, and the first clarificatory statement (dated May 16, 2017) can be accessed <a href="https://cis-india.org/internet-governance/clarification-on-information-security-practices-of-the-aadhaar-report/">here</a>.</h4>
<hr />
<p>This clarificatory statement is being issued in response to reports that misrepresent our research. In light of repeated questions we have received, which seem to emanate from a misunderstanding of our report, we would like to make the following clarifications.</p>
<ol>
<li>Our research involved documentation and taking illustrative screenshots (included in our report) of public webpages on the four government websites listed in our report. These screenshots were taken to demonstrate that the vulnerability existed.<br /><br /></li>
<li>The figure of 130-135 million Aadhaar Numbers quoted in our Report is, as clearly stated, derived directly by adding the aggregate numbers (of beneficiaries/individuals whose data were listed in the three government websites concerned) and published by the portals themselves in the MIS reports publicly available on the portals. The numbers are as follows:<br /><br />
<ul>
<li>10,97,60,343 from NREGA,<br /><br /></li>
<li>63,95,317 from NSAP, and<br /><br /></li>
<li>2,05,60,896 from Chandranna Bima (screenshots included in the report).<br /><br /></li></ul>
<strong>We did not arrive at this number by downloading data ourselves but by adding the figures on the government websites. To our knowledge, no harm, financial or otherwise, has been caused to anyone due to the public availability. Further, it must be noted that we published the report only after ascertaining that the websites in question had masked or removed the data. Therefore our report only points to the possibility that there could be harm caused by malicious actors before the data was taken down. However, we are not aware of any such cases of exploitation, nor do we suggest so anywhere in our report.</strong></li></ol>
<p>We sincerely hope that this clarification helps with a clearer comprehension of the argument and implications of the said report. We urge those who are using our report in their research to reach out to us to prevent the future misinterpretation of the report.</p>
<p><em>— Amber Sinha and Srinivas Kodali</em></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/clarification-on-the-information-security-practices-of-aadhaar-report'>http://editors.cis-india.org/internet-governance/blog/clarification-on-the-information-security-practices-of-aadhaar-report</a>
</p>
No publisher | Amber Sinha and Srinivas Kodali | Featured, Homepage, Aadhaar | 2018-11-05T12:08:06Z | Blog Entry
After Supreme Court Setback, Fintech Firms Await Clarity On Aadhaar
http://editors.cis-india.org/internet-governance/news/bloomberg-quint-nishant-sharma-september-27-2018-after-sc-setback-fintech-firms-await-clarity-on-aadhaar
<b>The 12-digit Aadhaar number is now out of bounds for fintech companies in India.</b>
<p style="text-align: justify; ">The article by Nishant Sharma was <a class="external-link" href="https://www.bloombergquint.com/aadhaar/after-supreme-court-setback-fintech-firms-await-clarity-on-aadhaar">published in Bloomberg Quint</a> on September 27, 2018. Pranesh Prakash was quoted.</p>
<hr />
<p style="text-align: justify; ">With the Supreme Court on Wednesday terming Aadhaar authentication by private companies as “<a href="https://www.bloombergquint.com/law-and-policy/2018/09/26/aadhaar-a-quick-summary-of-the-supreme-court-majority-order" target="_blank">unconstitutional</a>”, companies such as online wallets and e-tailers, among others, will now have to make changes to how they onboard and verify customers, in addition to how they transact.</p>
<p style="text-align: justify; ">In a 567-page majority judgment authored by Justice Sikri and concurred upon by two other judges—Chief Justice Dipak Misra and Justice AM Khanwilkar—the court said that Section 57 of the Aadhaar Act, which allows private companies to use Aadhaar for authentication services based on a contract between the corporate and an individual, would enable commercial exploitation of private data and hence is unconstitutional.</p>
<p style="text-align: justify; ">“What it essentially means is that the private bodies, such as lending platforms, wallets, or any private entity, cannot use Aadhaar for authentication,” said Anirudh Rastogi, founder at Ikigai Law (formerly TRA), a law firm that specialises in representing businesses on data privacy.</p>
<p style="text-align: justify; ">The decision is set to impact private companies right from Flipkart-owned PhonePe, Paytm, Reliance Jio and Amazon, among others, which rely on Aadhaar for e-verification. Amazon recently launched cardless equated monthly installments on Amazon Pay through the digital finance platform Capital Float and asked customers to provide Aadhaar numbers or virtual ID and PAN details on the Amazon app for verification.</p>
<h3 style="text-align: justify; ">'Aadhaar Is Just Another ID'</h3>
<p style="text-align: justify; ">Pranesh Prakash, fellow, Centre for Internet and Society, said that with this judgment Aadhaar is no longer an identity infrastructure as its creators have dreamt of. “It is now just another ID.”</p>
<p style="text-align: justify; ">For those opposed to Aadhaar, on privacy and security grounds, this may be a part victory. But for the fintech industry it stymies the use of quick Aadhaar-based e-KYC (know your customer norms) to onboard customers. “The fintech industry thrives on the instant paperless mantra, and this move will curb its rapid growth,” Amrish Rau, co-founder of PayU, said in a text message.</p>
<p style="text-align: justify; ">The verdict is also set to push up costs for the industry. Rau said: “Conducting physical KYC would be a costly affair, with every physical KYC costing about Rs 100 per person.”</p>
<p style="text-align: justify; ">Companies like PhonePe await more clarity. “We are waiting to hear from bodies like the Reserve Bank of India, UIDAI on what KYC that will be required for wallets moving ahead,” Sameer Nigam, cofounder of PhonePe, said. “Whether we go to no KYC, lower limit environment or go to the physical KYC environment.”</p>
<p style="text-align: justify; ">The judgment also stated that the identification number will not be mandatory for opening bank accounts, mobile-phone connections or for admissions into educational institutions. However, Aadhaar will continue to be mandatory for the distribution of state-sponsored welfare schemes including direct benefit transfers and the public distribution system. Taxpayers will have to link their Permanent Account Numbers to the biometric database.</p>
<h3 style="text-align: justify; ">Aadhaar-Based KYC: Allowed With Consent?</h3>
<p style="text-align: justify; ">The Supreme Court has concluded that the part of section 57 which enables body corporate and individuals also to seek authentication, that too on the basis of a contract between the individual and such body corporate or person, would impinge upon the right to privacy of such individuals.</p>
<p style="text-align: justify; ">Prasanna S, a Supreme Court advocate and lawyer for one of the petitioners in the Aadhaar matter, interpreted it to mean that even if a customer voluntarily wants to use Aadhaar for e-KYC, businesses cannot accept it.</p>
<blockquote style="text-align: justify; ">They have struck down the part of Section 57 that allows use of Aadhaar based on a contract. A contract, by nature, is voluntary. But since the court has struck down this part, even voluntary use won’t be permitted.</blockquote>
<p style="text-align: justify; ">Prasanna S, Advocate, Supreme Court</p>
<h3 style="text-align: justify; ">Jaitley Hints At Legal Backing</h3>
<p style="text-align: justify; ">Meanwhile, Finance Minister Arun Jaitley on Wednesday hinted that the Centre is likely to examine whether separate legal backing is needed for Section 57 of the Aadhaar Act, the newswire PTI reported. “So, let us first read the judgement. There are two-three prohibited areas. Are they because they are totally prohibited or are they because they need legal backing,” Jaitley was quoted as saying.</p>
<p style="text-align: justify; ">Rastogi of Ikigai Law said that the court has left it open for the government to promulgate a law to enable private parties to use Aadhaar that can withstand judicial scrutiny.</p>
<p style="text-align: justify; ">Rahul Matthan, a technology partner at law firm Trilegal, differed with this view. He said that since the apex court has ruled that private entities cannot access the Aadhaar infrastructure, it means that even if the government brings a specific law to allow for that, it would be unconstitutional.</p>
<p style="text-align: justify; ">Prasanna agreed with this interpretation.</p>
<blockquote style="text-align: justify; ">The court has hinted that commercial exploitation of personal information will fail the proportionality test laid down by it in the Right to Privacy judgment. This is one of the grounds for them to conclude that Section 57 is unconstitutional. So even if a law is introduced, private access will be impermissible.</blockquote>
<p style="text-align: justify; ">Prasanna S, Advocate, Supreme Court</p>
<h3 style="text-align: justify; ">Are Aadhaar-Based KYCs Tainted?</h3>
<p style="text-align: justify; ">Since the use of Aadhaar by private entities has been struck down, does it mean entities who have used it for KYC so far have to re-do that exercise? And does data that was collected as part of Aadhaar-based KYC need to be deleted?</p>
<p style="text-align: justify; ">The majority order hasn’t specifically addressed these questions, Matthan pointed out. But he went on to explain that his reading of the judgment is that the court wants things to remain as they are.</p>
<blockquote style="text-align: justify; ">The Supreme Court has said that collection of data before the Aadhaar Act was introduced is valid. If you follow that sentiment, maybe we can argue that there’s no requirement to delete the data.</blockquote>
<p style="text-align: justify; ">Rahul Matthan, Partner, Trilegal</p>
<p style="text-align: justify; ">Whatever has been done without the authority of law has to go, Prasanna said. But this outcome may not be practical and another hearing before the Supreme Court may be required to clear these questions, he added.</p>
<p style="text-align: justify; ">Private entities such as the online cab aggregator Ola have already removed eKYC from its e-wallet when BloombergQuint last checked. Others may follow suit.</p>
No publisher | Admin | Aadhaar, Internet Governance, Privacy | 2018-10-01T23:39:42Z | News Item
National Health Stack: Data For Data’s Sake, A Manmade Health Hazard
http://editors.cis-india.org/internet-governance/blog/bloomberg-quint-murali-neelakantan-swaraj-barooah-swagam-dasgupta-torsha-sarkar-august-14-2018-national-health-stack-data-for-datas-sake-a-manmade-health-hazard
<b>On Oct. 5, 2017, an HIV positive woman was denied admission in Hyderabad’s Osmania General Hospital even though she was entitled to free treatment under India’s National AIDS Control Organisation programme. Another incident around the same time witnessed a 24-year-old pregnant woman at Tikamgarh district hospital in Madhya Pradesh being denied treatment by hospital doctors once she tested positive for HIV. The patient reportedly delivered the twins outside the maternity ward after she was turned away by the hospital, but her newborn twin girls died soon after.</b>
<p style="text-align: justify; ">The op-ed was <a class="external-link" href="https://www.bloombergquint.com/opinion/2018/08/14/data-for-datas-sake-a-manmade-health-hazard#gs.bT20zK4">published in Bloomberg Quint</a> on August 14, 2018.</p>
<hr />
<p style="text-align: justify; ">Apart from facing the severity of their condition, patients afflicted with diseases such as HIV, tuberculosis, and mental illnesses are often subject to social stigma, sometimes even leading to the denial of medical treatment. Given this grim reality, would patients want their full medical history in a database?</p>
<p style="text-align: justify; ">The ‘National Health Stack’ as described by the NITI Aayog in its consultation paper, is an ambitious attempt to build a digital infrastructure with a “deep understanding of the incentive structures prevalent in the Indian healthcare ecosystem”. If the government is to create a database of individuals’ health records, then it should appreciate the differential impact that it could have on the patients.</p>
<blockquote>The collection of health data, without sensitisation and accountability, has the potential to deny healthcare to the vulnerable.</blockquote>
<p style="text-align: justify; ">We have innumerable instances of denial of services due to Aadhaar and there is a real risk that another database will lead to more denial of access to the most vulnerable.</p>
<p style="text-align: justify; ">Earlier, we had outlined some key aspects of the NHS, the ‘world’s largest’ government-funded national healthcare scheme. Here we discuss some of the core technical issues surrounding the question of data collection, updating, quality, and utilisation.</p>
<h3>Resting On A Flimsy Foundation: The Unique Health ID</h3>
<p style="text-align: justify; ">The National Health Stack envisages the creation of a unique ID for registered beneficiaries in the system — a ‘Digital Health ID’. Upon the submission of a ‘national identifier’ and completion of the Know Your Customer process, the patient would be registered in the system, and a unique health ID generated.</p>
<p style="text-align: justify; ">This seemingly straightforward process rests on a very flimsy foundation. The base entry in the beneficiary registry would be linked to a ‘strong foundational ID’. Extreme care needs to be taken to ensure that this is not limited to an Aadhaar number. Currently, the unavailability of Aadhaar would not be a ground for denial of treatment to a patient only for their first visit; the patient must provide Aadhaar or an Aadhaar enrolment slip to avail treatment thereafter. This suggests that the national healthcare infrastructure will be geared towards increasing Aadhaar enrollment, with the unstated implication that healthcare is a benefit or subsidy — a largess of government, and not, as the courts have confirmed, a fundamental right.</p>
<blockquote style="text-align: justify; ">Not only is this project using government-funded infrastructure to deny its citizens the fundamental right to healthcare, it is using the desperate need of the vulnerable for healthcare to push the ‘Aadhaar’ agenda.</blockquote>
<p style="text-align: justify; ">Any pretence that Aadhaar is voluntary is slowly fading with the government mandating it at every step of our lives.</p>
<p style="text-align: justify; "><img alt="Aadhaar Seva kendra. (Source: Aadhaar Official Account/Facebook)&nbsp;" class="qt-image" src="https://images.assettype.com/bloombergquint%2F2018-01%2Fd7f4b53a-b069-484d-8c28-511c516aa4d5%2F3a192ed0-8a18-4518-95be-ac5234239e94.jpg?w=480&auto=format%2Ccompress" /></p>
<div class="visualClear" style="text-align: justify; ">Aadhaar Seva kendra. (Source: Aadhaar Official Account/Facebook)</div>
<h3>Is The Health ID An Effective And Unique Identifier?</h3>
<p style="text-align: justify; ">Even if we choose to look past the fact that the validity of Aadhaar is still pending the test of legality before the apex court, a foundational ID would mean that the data contained within that ID is unique, accurate, incorruptible, and cannot be misused. These principles, unfortunately, have been compromised by the UIDAI in the Aadhaar project with its lack of uniqueness of identity (i.e., fake IDs and duplicity), failure to authenticate identity, numerous alleged data leaks (‘alleged’ because UIDAI maintains that there haven’t been any leaks), lack of connectivity to be able to authenticate identity, and numerous instances of inaccurate information which cannot be corrected.</p>
<p>Linking something as crucial and basic as healthcare data with such a database is a potential disaster.</p>
<p>There is a real risk that incorrect linking could cause deaths or inappropriate medical care.</p>
<h3>The High Risk Of Poor Quality Data</h3>
<p style="text-align: justify; ">The NITI Aayog paper envisages several expansive databases that are capable of being updated by different entities. It includes enrollment and updating processes but seems to assume that all these extra steps will be taken by all the relevant stakeholders and does not explain the motivation for stakeholders to do so.</p>
<p style="text-align: justify; ">In a country where government doctors, hospitals, wellness centres, etc. are overburdened and understaffed, this reliance is simply not credible. For instance, all attributes within the registries are to be digitally signed by an authorised updater, there must be an audit trail for all changes made to the registries, and surveyors will be tasked with visiting providers in person to validate the data. Identifying these precautions as measures to assure accurate data is a great step towards building a national health database, but this seems an impossible task.</p>
<blockquote>Who are these actors and what will incentivise them to ensure the accuracy and integrity of data?</blockquote>
<p style="text-align: justify; ">In other words, what incentive and accountability structures will ensure that data entry and updating is accurate, and not approached from a more ‘<i>jugaad</i>’ ‘let’s just get this done for the sake of it’ attitude that permeates much of the country? How will patients have access to the database to be able to check its accuracy? Is it possible for a patient (who will presumably be ill) to gain easy access to an updater to change their data? If so, how? It is worth noting that the patient’s ‘right’ to check her data assumes that she has access to a computer that is connected to the internet as well as a good level of digital literacy, which is not the case in India for a significant section of the population. Even data portability loses its potential benefits if the quality of data on these registries is not reliable. In this case, healthcare providers will need to verify their patients’ health history using physical records instead, rendering the stack redundant.</p>
<p>Who will be liable to the patient for misdiagnosis based on the database?</p>
<p><img alt="A sonographic image is displayed on a monitor as a patient undergoes an ultrasound scan in Bikaner, Rajasthan, India. (Photographer: Prashanth Vishwanathan/Bloomberg)" class="qt-image" src="https://images.assettype.com/bloombergquint%2F2018-08%2Fe1659408-49ba-4188-b57e-aef377c69eb0%2Fm1291107.jpg?w=480&auto=format%2Ccompress" /></p>
<div class="visualClear">A sonographic image is displayed on a monitor as a patient undergoes an ultrasound scan in Bikaner, Rajasthan, India. (Photographer: Prashanth Vishwanathan/Bloomberg)</div>
<p style="text-align: justify; ">Leaving the question of accountability vague opens updaters to the possibility of facing dangerous and unnecessarily punitive measures in the future. The NITI Aayog paper fails to address this key issue, which arose recently. Despite TB being a notifiable disease, there are reports that numerous doctors from the private sector failed to notify or update TB cases to the Ministry of Health and Family Welfare, ostensibly on the grounds that they did not receive consent from their patients to share their information with the government. This was met with a harsh response from the government, which stated that clinical establishments that failed to notify tuberculosis patients would face jail time. According to a few doctors, the government’s new move would coerce patients to go to ‘underground clinics’ to receive treatment discreetly and hence would not solve the issue of TB.</p>
<blockquote>The document also offers no specific recommended procedures regarding how inaccurate entries will be corrected or deleted.</blockquote>
<p style="text-align: justify; ">It is then perhaps not a stretch to imagine that these scenarios would affect the quality of the data stored, defeating NITI Aayog’s objective of researchers using the stack for high-quality medical data.</p>
<p style="text-align: justify; ">The reason why the quality and integrity of data is at the head of the table is that all the proposed applications of the NHS (analytics, fraud detection etc.) assume a high quality, accurate dataset. At the same time, the enrolment process, updating process and disclosed measures to ensure data quality will effectively lead to poor quality data. If this is the case, then applications derived from the NHS dataset should assume imperfect data, rather than an accurate dataset, which should make one wonder if no data is better than data that is certainly inaccurate.</p>
<h3>Lack Of Data Utilisation Guidelines</h3>
<p style="text-align: justify; ">Issues with data quality are exacerbated depending on how and where it is used, and who uses it. The paper has identified some users to be health-sector stakeholders such as healthcare providers (hospitals, clinics, labs etc), beneficiaries, doctors, insurers and accredited social health activists but misses laying down utilisation guidelines. The foresight to create a dataset that can be utilised by multiple actors for numerous applications is commendable, but potentially problematic -- especially if guidelines on how this data is to be used by stakeholders (especially the private sector) are ignored.</p>
<p style="text-align: justify; ">In order to bridge this knowledge gap, India has the opportunity to learn from the legal precedent set by foreign institutions. As an example, one could examine the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Health Insurance Portability and Accountability Act (HIPAA) in the U.S., which set out strict guidelines for how businesses are to handle sensitive health data in order to maintain the individual’s privacy and security. They go one step further to also lay down incentive and accountability structures in order that business associates necessarily report security breaches to their respective covered entities.</p>
<blockquote>If we do not take necessary precautions now, we not only run the risk of poor security and breach of privacy but of inaccurate data that renders the national health data repository a health risk for the whole patient population.</blockquote>
<p style="text-align: justify; ">There’s also the lack of clarity on who is meant to benefit from using such a database or whether the benefits are equal to all stakeholders, but more on that in a subsequent piece.</p>
<p style="text-align: justify; "><img alt="A medical team uses a glucometer to check the blood glucose level of a patient at a mobile clinic in Pancharala, on the outskirts of Bengaluru, India. (Photographer: Dhiraj Singh/Bloomberg)" class="qt-image" src="https://images.assettype.com/bloombergquint%2F2018-08%2F5e7e7b41-1513-4161-b195-5b8a77c6e4f1%2F314780590_1_20.jpg?w=480&auto=format%2Ccompress" /></p>
<div class="visualClear" style="text-align: justify; ">A medical team uses a glucometer to check the blood glucose level of a patient at a mobile clinic in Pancharala, on the outskirts of Bengaluru, India. (Photographer: Dhiraj Singh/Bloomberg)</div>
<h3>It’s Your Recipe, You Try It First!</h3>
<p style="text-align: justify; ">If the NITI Aayog and the government are sure that there is a need for a national healthcare database, perhaps they can start using the Central Government Health Scheme (which includes all current and retired government employees and their families) as a pilot scheme for this. Once the software, database and the various apps built on it are found to be good value for money and patients benefit from excellent treatment all over the country, it could be expanded to those who use the Employees’ State Insurance system, and then perhaps to the armed forces. After all, these three groups already have a unique identifier and would benefit from the portability of healthcare records since they are likely to be transferred and posted all over the country. If, and only if, it works for these groups and the claimed benefits are observed, then perhaps it can be expanded to the rest of the country’s healthcare systems.</p>
<p><i>Murali Neelakantan is an expert in healthcare laws. Swaraj Barooah is Policy Director at The Centre for Internet and Society. Swagam Dasgupta and Torsha Sarkar are interns at The Centre for Internet and Society.</i></p>
No publisher | Murali Neelakantan, Swaraj Barooah, Swagam Dasgupta and Torsha Sarkar | Privacy, Aadhaar, Internet Governance, Healthcare | 2018-09-16T05:01:18Z | Blog Entry
Spreading unhappiness equally around
http://editors.cis-india.org/internet-governance/blog/business-standard-july-31-2018-sunil-abraham-spreading-unhappiness-equally-around
<b>The section of civil society opposed to Aadhaar is unhappy because the UIDAI and all other state agencies that wish to can process data non-consensually.</b>
<p>The article was published in <a class="external-link" href="https://www.business-standard.com/article/opinion/spreading-unhappiness-equally-around-118073100008_1.html">Business Standard</a> on July 31, 2018.</p>
<hr />
<p style="text-align: justify; ">There is a joke in policy-making circles — you know you have reached a good compromise if all the relevant stakeholders are equally unhappy. By that measure, the B N Srikrishna committee has done a commendable job since there are many with complaints.</p>
<p style="text-align: justify; ">Some in the private sector are unhappy because their demonisation of the European Union’s General Data Protection Regulation (GDPR) has failed. The committee’s draft data protection Bill is closely modelled upon the GDPR in terms of rights, principles, design of the regulator and the design of the regulatory tools like impact assessments. With 4 per cent of global turnover as maximum fine, there is a clear signal that privacy infringements by transnational corporations will be reined in by the regulator. Getting a law that has copied many elements of the European regulation is good news for us because the GDPR is recognised by leading human rights organisations as the global gold standard. But the bad news for us is that the Bill also has unnecessarily broad data localisation mandates for the private sector.</p>
<p style="text-align: justify; ">Some in the fintech sector are unhappy because the committee rejected the suggestion that privacy be regulated as a property right. This is a positive from the human rights perspective, especially because this approach has been rejected across the globe, including the European Union. Property rights are inappropriate because a natural law framing of the enclosure of the commons into private property through labour does not translate to personal data. Also in comparison to patents — or “intellectual property” — the scale of possible discrete property holdings in personal information is several orders higher, posing unimaginable complexity for regulation, possibly creating a gridlock economy.</p>
<p style="text-align: justify; ">The section of civil society opposed to Aadhaar is unhappy because the UIDAI and all other state agencies that wish to can process data non-consensually. A similar loophole exists in the GDPR. Remember the definition of processing includes “operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction”. This means the UIDAI can collect data from you without your consent and does not have to establish consent for the data it has collected in the past. There is a “necessary” test which is supposed to constrain data collection. But for the last 10 odd years, the UIDAI has deemed it “necessary” to collect biometrics to give the poor subsidised grain. Will those forms of disproportionate non-consensual data collection continue? Most probably, because the report recommends that the UIDAI continue to play the role of the regulator with heightened powers. Which is like trusting the fox with the henhouse.</p>
<p style="text-align: justify; ">Employees should be unhappy because the Bill has an expansive ground under which employers can non-consensually harvest their data. The Bill allows for non-consensual processing of any data “necessary” for “recruitment, termination, providing any benefit or service, verifying the attendance or any other activity related to the assessment of the performance”. This is permitted when consent is not an appropriate basis or would involve disproportionate effort on the part of the employer. This is basically a surveillance provision for employers. Either this ground should be removed like in the GDPR or a “proportionate” test should also be introduced, otherwise disproportionate mechanisms like spyware on work computers will be installed by employers without providing notice.</p>
<p style="text-align: justify; ">Some free speech activists are unhappy because the law contains a “right to be forgotten” provision. They are concerned that this will be used by the rich and powerful to censor mainstream and alternative media. On the face of it, the “right to be forgotten” in the GDPR is a much more expansive “right to erasure”, whilst the Bill only provides for a more limited “right to restrict or prevent continuing disclosure”. However, the GDPR has a clear exception for “archiving purposes in the public interest, scientific or historical research purposes or statistical purposes”. The Bill, like the GDPR, does identify the two competing human rights imperatives — freedom of expression and the right to information. However, by missing the “public interest” test it does not sufficiently address social power asymmetries.</p>
<p style="text-align: justify; ">Privacy and security researchers are unhappy because re-identification has been made an offence without a public interest or research exception. It is indeed a positive that the committee has made re-identification a criminal offence. This is because the de-identification standards notified by the regulator would always be catching up with the latest mathematical development. However, in order to protect the very research that the regulator needs to protect the rights of individuals, the Bill should have granted the formal and non-formal academic community immunity from liability and criminal prosecution.</p>
<p style="text-align: justify; ">Lastly, but also most importantly, human rights activists are unhappy because the committee, again like the GDPR, did not include sufficiently specific surveillance law fixes. The European Union has historically handled this separately in the ePrivacy Regulation. Maybe that is the approach we must also follow or maybe this was a missed opportunity. Overall, the B N Srikrishna committee must be commended for producing a good data protection Bill. The task before us is to make it great and to have it enacted by Parliament at the earliest.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/business-standard-july-31-2018-sunil-abraham-spreading-unhappiness-equally-around'>http://editors.cis-india.org/internet-governance/blog/business-standard-july-31-2018-sunil-abraham-spreading-unhappiness-equally-around</a>
</p>
No publisher | sunil | Aadhaar, Internet Governance, Privacy | 2018-07-31T14:49:52Z | Blog Entry
The Centre for Internet and Society’s Comments and Recommendations to the: Indian Privacy Code, 2018
http://editors.cis-india.org/internet-governance/blog/the-centre-for-internet-and-society2019s-comments-and-recommendations-to-the-indian-privacy-code-2018
<b>The debate surrounding privacy has in recent times gained momentum due to the Aadhaar judgement and the growing concerns around the use of personal data by corporations and governments.</b>
<p>Click to download the <a class="external-link" href="http://cis-india.org/internet-governance/files/indian-privacy-code">file here</a></p>
<hr />
<p style="text-align: justify; ">As India moves towards greater digitization, and technology becomes even more pervasive, there is a need to ensure the privacy of the individual as well as hold the private and public sector accountable for the use of personal data. Towards enabling public discourse and furthering the development of a privacy framework for India, a group of lawyers and policy analysts backed by the Internet Freedom Foundation (IFF) have put together a draft citizen's bill encompassing a citizen-centric privacy code that is based on seven guiding principles.<a href="#_ftn1"><sup><sup>[1]</sup></sup></a> This draft builds on the Citizens Privacy Bill, 2013 that had been drafted by CIS on the basis of a series of roundtables conducted in India.<a href="#_ftn2"><sup><sup>[2]</sup></sup></a> Privacy is one of the key areas of research at CIS and we welcome this initiative and hope that our comments make the Act a stronger embodiment of the right to privacy.</p>
<h1 style="text-align: justify; ">Section by Section Recommendations</h1>
<h2 style="text-align: justify; ">Preamble</h2>
<p style="text-align: justify; "><b>Comment:</b> The Preamble specifies that the need for privacy has increased in the digital age, with the emergence of big data analytics.</p>
<p style="text-align: justify; "><b>Recommendation:</b> It could instead be worded as ‘with the emergence of technologies such as big data analytics’, so as to recognize the impact of multiple technologies and processes including big data analytics.</p>
<p style="text-align: justify; "><b>Comment:</b> The Preamble states that it is necessary for good governance that all interceptions of communication and surveillance be conducted in a systematic and transparent manner subservient to the rule of law.</p>
<p style="text-align: justify; "><b>Recommendation:</b> The word ‘systematic’ is out of place, and can be interpreted incorrectly. It could instead be replaced with words such as ‘necessary’, ‘proportionate’, ‘specific’, and ‘narrow’, which would be more appropriate in this context.</p>
<h2 style="text-align: justify; ">Chapter 1</h2>
<h2 style="text-align: justify; ">Preliminary</h2>
<p style="text-align: justify; "><b>Section 2: </b>This Section defines the terms used in the Act.</p>
<p style="text-align: justify; "><b>Comment:</b> Some of the terms are incomplete and a few of the terms used in the Act have not been included in the list of definitions.</p>
<p style="text-align: justify; "><b>Recommendations:</b></p>
<ul style="text-align: justify; ">
<li>The term “effective consent” needs to be defined. The term is first used in the Proviso to Section 7(2), which states “Provided that effective consent can only be said to have been obtained where...:” It is crucial that the Act defines effective consent, especially when it is with respect to sensitive data.</li>
<li>The term “open data” needs to be defined. The term is first used in Section 5 that states the exemptions to the right to privacy. Subsection 1 clause ii states as follows “the collection, storage, processing or dissemination by a natural person of personal data for a strictly non-commercial purposes which may be classified as open data by the Privacy Commission”. Hence the term open data needs to be defined in order to ensure that there is no ambiguity in terms of what open data means.</li>
<li>The Act does not define “erasure”, although the term erasure does come under the definition of destroy (Section 2(1)(p)). There are some provisions that use the word erasure; hence, if erasure and destruction mean different acts then the term erasure needs to be defined, otherwise, in order to maintain uniformity, the sections where erasure is used could be substituted with the term “destroy” as defined under this Act.</li>
<li>The definition of “sensitive personal data” does not include location data and identification numbers. The definition of sensitive data must include location data as the Act also deals in depth with surveillance. With respect to identification numbers, the Act needs to consider identification numbers (e.g. the Aadhaar number, PAN number etc.) as sensitive information as this number is linked to a person's identity and can reveal sensitive personal data such as name, age, location, biometrics etc. An example can be taken from Section 4(1) of the GDPR<a href="#_ftn3"><sup><sup>[3]</sup></sup></a> which identifies location data as well as identification numbers as sensitive personal data along with other identifiers such as biometric data, gender, race etc.</li>
<li>The Act defines consent as the “unambiguous indication of a data subject’s agreement”; however, the definition does not indicate that the consent needs to be informed. Hence the revised definition could read as follows: “the informed and unambiguous indication of a data subject’s agreement”. It is also unclear how this definition of consent relates to ‘effective consent’. This relationship needs to be clarified.</li>
<li>The Act defines ‘data controller’ in Section 2(1)(l) as “ any person including appropriate government..”. In order to remove any ambiguity over the definition of the term person, the definition could specify that the term person means any natural or legal person.</li>
<li>The Act defines ‘data processor’ in Section 2(1)(m) as “means any person including appropriate government”. In order to remove any ambiguity over the definition of the term ‘any person’, the definition could specify that the term person means any natural or legal person.</li>
</ul>
<h2 style="text-align: justify; ">CHAPTER II</h2>
<h2 style="text-align: justify; ">Right to Privacy</h2>
<p style="text-align: justify; "><b>Section 5: </b>This section provides exemptions to the right to privacy.</p>
<p style="text-align: justify; "><b>Comment: </b>Section 5(1)(ii) states that the collection, storage, processing or dissemination by a natural person of personal data for strictly non-commercial purposes is exempted from the provisions of the right to privacy. This clause also states that this data may be classified as open data by the Privacy Commission. This section hence gives individuals immunity for the collection, storage, processing and dissemination of another person's data. However, this provision fails to state what specific activities qualify as non-commercial use.</p>
<p style="text-align: justify; "><b>Recommendation: </b>This provision could potentially be strengthened by specifying that the use must be in the public interest. The other issue with this subsection is that it fails to define open data. If open data was to be examined using its common definition, i.e. “data that can be freely used, modified, and shared by anyone for any purpose”,<a href="#_ftn4"><sup><sup>[4]</sup></sup></a> then this section becomes highly problematic, as a simple interpretation would mean that any personal data that is collected, stored, processed or disseminated by a natural person can possibly become available to anyone. Beyond this, India has an existing framework governing open data. Ideally the privacy commissioner could work closely with government departments to ensure that open data practices in India are in compliance with the privacy law.</p>
<h2 style="text-align: justify; ">CHAPTER III</h2>
<h2 style="text-align: justify; ">Protection of Personal Data</h2>
<h2 style="text-align: justify; ">PART A</h2>
<p style="text-align: justify; "><b>Notice by data controller </b></p>
<p style="text-align: justify; "><b>Section 6: </b>This section specifies the obligations to be followed by data controllers in their communication, to maintain transparency and lays down provisions that all communications by Data Controllers need to be complied with.</p>
<p style="text-align: justify; "><b>Comment:</b> There seems to be an error in the <i>Proviso </i>to this section. The proviso states “Provided that all communications by the Data Controllers including but not limited to the rights of Data Subjects under this part <b>shall may be </b>refused when the Data Controller is, unable to identify or has a well founded basis for reasonable doubts as to the identity of the Data Subject or are manifestly unfounded, excessive and repetitive, with respect to the information sought by the Data Subject ”.</p>
<p style="text-align: justify; "><b>Recommendation: </b>The proviso could read as follows: “Provided that all communications by the Data Controllers including but not limited to the rights of Data Subjects under this part <b><i>may</i></b> be refused when the Data Controller is…”. We suggest the use of ‘may’ as this makes the provision less limiting to the rights of the data controller.</p>
<p style="text-align: justify; ">Additionally, it is not completely clear what ‘included but not limited to...’ would entail. This could be clarified further.</p>
<h2 style="text-align: justify; ">PART B</h2>
<h2 style="text-align: justify; ">CONSENT OF DATA SUBJECTS</h2>
<p style="text-align: justify; "><b>Section 10: </b>This section talks about the collection of personal data.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 10(3) lays down the information that a person must provide before collecting the personal data of an individual.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 10(3)(xi) states as follows “the time and manner in which it will be destroyed, or the criteria used to Personal data collected in pursuance of a grant of consent by the data subject to whom it pertains shall, if that consent is subsequently withdrawn for any reason, be destroyed forthwith: determine that time period;”. There seems to be a problem with the sentence construction and the rather complex sentence is difficult to understand.</p>
<p style="text-align: justify; "><b>Recommendation:</b> This section could be reworked in such a way that two conditions are clear: one, the time and manner in which the data will be destroyed, and two, the status of the data once consent is withdrawn.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 10(3)(xiii) states that the identity and contact details of the data controller and data processor must be provided. However it fails to state that the data controller should provide more details with regard to the process for grievance redressal. It does not provide guidance on what type of information needs to go into this notice and the process of redressal. This could lead to very broad disclosures about the existence of redress mechanisms without providing individuals an effective avenue to pursue.</p>
<p style="text-align: justify; "><b>Recommendation: </b>As part of the requirement for providing the procedure for redress, data controllers could specifically be required to provide the details of the Privacy Officers, privacy commissioner, as well as provide more information on the redressal mechanisms and the process necessary to follow.</p>
<p style="text-align: justify; "><b>Section 11:</b> This section lays out the provisions where collection of personal data without prior consent is possible.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 11 states “Personal data may be collected or received from a third party by a Data Controller the prior consent of the data subject only if it is:..”. However, as the title of the section suggests, the sentence should indicate the situations where it is permissible to collect personal data without prior consent from the data subject. Hence the word “without” is missing from the sentence. Additionally, the sentence could state that the personal data may be collected or received directly from an individual or from a third party, as it is possible to directly collect personal data from an individual without consent.</p>
<p style="text-align: justify; "><b>Recommendation:</b> The sentence could read as “Personal data may be collected or received from an <b>individual or a third party </b>by a Data Controller <b><i>without</i></b> the prior consent of the data subject only if it is:..”.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 11(1)(i) permits the collection of personal data without prior consent when it is “necessary for the provision of an emergency medical service or essential services”. However, it does not specify the kind or severity of the medical emergency.</p>
<p style="text-align: justify; "><b>Recommendation: </b>In addition to medical emergency another exception could be made for imminent threats to life.</p>
<p style="text-align: justify; "><b>Section 12: </b>This section details the Special provisions in respect of data collected prior to the commencement of this Act.</p>
<p style="text-align: justify; "><b>Comment:</b> This section states that all data collected, processed and stored by data controllers and data processors prior to the date on which this Act comes into force shall be destroyed within a period of two years from the date on which this Act comes into force, unless consent is obtained afresh within two years or the personal data has been anonymised in such a manner as to make re-identification of the data subject absolutely impossible. However, this process can be highly difficult and impractical, being time consuming and expensive, particularly in cases of analog collections of data. This is especially problematic in cases where the controller cannot seek consent of the data subject due to change in address, unavailability or death. This will also be problematic in cases of digitized government records.</p>
<p style="text-align: justify; "><b>Recommendation:</b> We suggest three ways in which the issue of data collected prior to the Act can be handled. One way is to make a distinction on the data based on whether the data controller has specified the purpose of the collection before collecting the data. If the purpose was not defined then the data can be deleted or anonymised. Hence there is no need to collect the data afresh for all the cases. The purpose of the data can also be intimated to the data subject at a later stage and the data subject can choose if they would like the controller to store or process the data. The second way is by seeking consent afresh only for the sensitive data. Lastly, the data controller could be permitted to retain records of data, but must necessarily obtain fresh consent before using them. By not having a blanket provision of retrospective data deletion the Act can address situations where deletion is complicated or might have a potential negative impact by allowing storage, deletion, or anonymisation of data based on its purpose and kind.</p>
<p style="text-align: justify; "><b>Comment:</b> Section (2)(1)(i) of the Act states that the data will not be destroyed provided that <b>effective consent</b> is obtained afresh within two years. However as stated earlier the Act does not define effective consent.</p>
<p style="text-align: justify; "><b>Recommendation:</b> The term <b>effective consent </b>needs to be defined in order to bring clarity to this provision.</p>
<h2 style="text-align: justify; ">PART C</h2>
<h2 style="text-align: justify; ">FURTHER LIMITATIONS ON DATA CONTROLLERS</h2>
<p style="text-align: justify; "><b>Section 16: </b>This section deals with the security of personal data and duty of confidentiality.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 16(2) states “Any person who collects, receives, stores, processes or otherwise handles any personal data shall be subject to a duty of confidentiality and secrecy in respect of it.” Similarly Section 16(3) states “data controllers and data processors shall be subject to a duty of confidentiality and secrecy in respect of personal data in their possession or control.” However, apart from the duty of confidentiality and secrecy, the data collectors and processors could also have a duty to maintain the security of the data. Though it is important for confidentiality and secrecy to be maintained, ensuring security requires adequate and effective technical controls to be in place.</p>
<p style="text-align: justify; "><b>Recommendation:</b> This section could also emphasise the duty of the data controllers to ensure the security of the data. The breach notification could include details about data that is impacted by a breach or attack as well as the technical details of the infrastructure compromised.</p>
<p style="text-align: justify; "><b>Section 17:</b> This section details the conditions for the transfer of personal data outside the territory of India.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 17 allows a transfer of personal data outside the territory of India in 3 situations: if the Central Government issues a notification deciding that the country/international organization in question can ensure an adequate level of protection, compatible with privacy principles contained in this Act; if the transfer is pursuant to an agreement which binds the recipient of the data to similar or stronger conditions in relation to handling the data; or if there are appropriate legal instruments and safeguards in place, to the satisfaction of the data controller. However, there is no clarification of what would constitute ‘adequate’ or ‘appropriate’ protection, and it does not account for situations in which the Government has not yet notified a country/organisation as ensuring adequate protection. In comparison, the GDPR, in Chapter V<a href="#_ftn5"><sup><sup>[5]</sup></sup></a>, contains factors that must be considered when determining adequacy of protection, including relevant legislation and data protection rules, the existence of independent supervisory authorities, and international commitments or obligations of the country/organization. Additionally, the GDPR allows data transfer even in the absence of the determination of such protection in certain instances, including the use of standard data protection clauses that have been adopted or approved by the Commission; legally binding instruments between public authorities; approved code of conduct, etc. Additionally, it allows derogations from these measures in certain situations: when the data subject expressly agrees, despite being informed of the risks; or if the transfer is necessary for conclusion of contract between data subject and controller, or controller and third party in the interest of data subject; or if the transfer is necessary for reasons of public interest, etc. No such circumstances are accounted for in Section 17.</p>
<p style="text-align: justify; "><b>Recommendation: </b>Additionally, data controllers and processors could be provided with a period to allow them to align their policies towards the new legislation. Making these provisions operational as soon as the Act is commenced might render the controllers or processors guilty of involuntarily breaching the provisions of the Act.</p>
<p style="text-align: justify; "><b>Section 19: </b>This section states the special provisions for sensitive personal data.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 19(2) states that in addition to the requirements set out under sub-clause (1), the Privacy Commission shall set out additional protections in respect of: i. sensitive personal data relating to data subjects who are minors; ii. biometric and deoxyribonucleic acid data; and iii. financial and credit data. This, however, creates additional categories of sensitive data apart from the ones that have already been created.<a href="#_ftn6"><sup><sup>[6]</sup></sup></a> These additional categories can result in confusion and errors.</p>
<p style="text-align: justify; "><b>Recommendation: </b>Sensitive data must not be further categorised as this can lead to confusion and errors. Hence all sensitive data could be subject to the same level of protection.</p>
<p style="text-align: justify; "><b>Section 20:</b> This section states the special provisions for data impact assessment.</p>
<p style="text-align: justify; "><b>Comment:</b> This section states that all data impact assessment reports will be submitted periodically to the State Privacy commission. This section does not make provisions for instances or circumstances in which such records may be made public. Additionally the data impact assessment could also include a human rights impact assessment.</p>
<p style="text-align: justify; "><b>Recommendation:</b> The section could also have provisions for making the records of the impact assessment or relevant parts of the assessment public. This will ensure that the data controllers / processors are subjected to a standard of accountability and transparency. Additionally as privacy is linked to human rights the data impact assessment could also include a human rights impact assessment. The Act could further clarify the process for submission to State Privacy Commissions and potential access by the Central Privacy Commission to provide clarity in process.</p>
<p style="text-align: justify; ">Section 20 requires controllers who use new technology to assess the risks to the data protection rights that occur from processing. ‘New technology’ is defined to include pre-existing technology that is used anew. Additionally, the reports are required to be sent to the State Privacy Commission periodically. However, there is no clarification on the situations in which such an assessment becomes necessary, or whether all technology must undergo such an assessment before its use. Additionally, the differentiation between different data processing activities based on whether the data processing is incidental or a part of the functioning needs to be clarified. This differentiation is necessary as there are some data processors and controllers who need the data to function; for instance an e-commerce site would require your name and address to deliver the goods, although these sites do not process the data to make decisions. This can be compared to a credit rating agency that is using the data to make decisions as to who will be given a loan based on their creditworthiness. An example can be taken from the GDPR, which in Article 35 specifies instances in which a data impact assessment is necessary: where a new technology, that is likely to result in a high risk to the rights of persons, is used; where personal aspects related to natural persons are processed automatically, including profiling; where processing of special categories of data (including data revealing ethnic/racial origin, sexual orientation etc), biometric/genetic data; where data relating to criminal convictions is processed; and with data concerning the monitoring of publicly accessible areas. Additionally, there is no requirement to publish the report, or send it to the supervising authority, but the controller is required to review the processor’s operations to ensure its compliance with the assessment report.</p>
<p style="text-align: justify; "><b>Recommendation:</b> The reports could be sent to a central authority, which according to this Act is the Privacy Commission, along with the State Privacy Commission. Additionally there needs to be a differentiation between the incidental and express use of data. The data processors must be given at least a period of one year after the commencement of the Act to present their impact assessment report. This period is required for the processors to align themselves with the provisions of the Act as well as conduct capacity building initiatives.</p>
<h2 style="text-align: justify; ">PART C</h2>
<h2 style="text-align: justify; ">RIGHTS OF A DATA SUBJECT</h2>
<p style="text-align: justify; "><b>Section 21: </b>This section explains the right of the data subject with regard to accessing her data. It states that the data subject has the right to obtain from the data controller information as to whether any personal data concerning her is collected or processed. The data controller also has to not only provide access to such information but also the personal data that has been collected or processed.</p>
<p style="text-align: justify; "><b>Comment:</b> This section does not provide the data subject the right to seek information about security breaches.</p>
<p style="text-align: justify; "><b>Recommendation: </b>This section could state that the data subject has the right to seek information about any security breaches that might have compromised her data (through theft, loss, leaks etc.). This could also include steps taken by the data controller to address the immediate breach as well as steps to minimise the occurrence of such breaches in the future.<a href="#_ftn7"><sup><sup>[7]</sup></sup></a></p>
<h2 style="text-align: justify; ">CHAPTER IV</h2>
<h2 style="text-align: justify; ">INTERCEPTION AND SURVEILLANCE</h2>
<p style="text-align: justify; "><b>Section 28: </b>This section lists out the special provisions for competent organizations.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 28(1) states “all provisions of Chapter III shall apply to personal data collected, processed, stored, transferred or disclosed by competent organizations unless when done as per the provisions under this chapter”. This does not make provisions for other categories of data such as sensitive data.</p>
<p style="text-align: justify; "><b>Recommendation:</b> This section needs to include not just personal data but also sensitive data, in order to ensure that all types of data are protected under this Act.</p>
<p style="text-align: justify; "><b>Section 30:</b> This section states the provisions for prior authorisation by the appropriate Surveillance and Interception Review Tribunal.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 30(5) states “any interception involving the infringement of the privacy of individuals who are not the subject of the intended interception, or where communications relate to <b>medical, journalistic, parliamentary or legally privileged material</b> may be involved, shall satisfy additional conditions including the provision of specific prior justification in writing to the Office for Surveillance Reform of the Privacy Commission as to the necessity for the interception and the safeguards providing for minimizing the material intercepted to the greatest extent possible and the destruction of all such material that is not strictly necessary to the purpose of the interception.” This section needs to state why these categories of communication are more sensitive than others. Additionally, interceptions typically target people and not topics of communication; thus medical information may be part of a conversation between two construction workers, and a doctor will communicate about finances.</p>
<p style="text-align: justify; "><b>Recommendation:</b> The section could, instead of singling out “medical, journalistic, parliamentary or legally privileged material”, state that “any interception involving the infringement of the privacy of individuals who are not the subject of the intended interception may be involved, shall satisfy additional conditions including the provision of specific prior justification in writing to the Office for Surveillance Reform of the Privacy Commission”.</p>
<p style="text-align: justify; "><b>Section 37</b>: This section details the bar against surveillance.</p>
<p style="text-align: justify; "><b>Comment: </b>Section 37(1) states that “no person shall order or carry out, or cause or assist the ordering or carrying out of, any surveillance of another person”. The section also prohibits indiscriminate monitoring, or mass surveillance, unless it is necessary and proportionate to the stated purpose. However, it is unclear whether this prohibits surveillance by a resident of their own residential property, which is allowed in Section 5, as the same could also fall within ‘indiscriminate monitoring/mass surveillance’. For instance, in the case of a camera installed in a residential property, which is outward facing, and therefore captures footage of the road/public space.</p>
<p style="text-align: justify; "><b>Recommendation:</b> The Act needs to bring more clarity with regard to surveillance especially with respect to CCTV cameras that are installed in private places, but record public spaces such as public roads. The Act could have provisions that clearly define the use of CCTV cameras in order to ensure that cameras installed in private spaces are not used for carrying out mass surveillance. Further, the Act could address the use of emerging techniques and technology such as facial recognition technologies, that often rely on publicly available data.</p>
<h2 style="text-align: justify; ">CHAPTER V</h2>
<h2 style="text-align: justify; ">THE PRIVACY COMMISSION</h2>
<p style="text-align: justify; "><b>Section 53:</b> This section details the powers and functions of the Privacy Commission.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 53(2)(xiv) states that the Privacy Commission shall publish periodic reports “providing description of performance, findings, conclusions or recommendations of any or all of the functions assigned to the Privacy Commission”. However this Section does not make provisions for such reporting to happen annually and to make them publicly available, as well as contain details including financial aspects of matters contained within the Act.</p>
<p style="text-align: justify; "><b>Recommendation: </b>The functions could include a duty to disclose the information regarding the functioning and financial aspects of matters contained within the Act. Categories that could be included in such reports include: the number of data controllers, number of data processors, number of breaches detected and mitigated etc.</p>
<h2 style="text-align: justify; ">CHAPTER IX</h2>
<h2 style="text-align: justify; ">OFFENCES AND PENALTIES</h2>
<p style="text-align: justify; "><b>Sections 73 to 80:</b> These sections lay out the different punishments for controlling and processing data in contravention of the provisions of this Act.</p>
<p style="text-align: justify; "><b>Comment:</b> These sections, while laying out different punishments for controlling and processing data in contravention of the provisions of this Act, mete out a fine extending up to Rs. 10 crore. This is problematic as it does not base these penalties on the finer aspects of proportionality, such as offences that are not as serious as the others.<br /> <br /> <b>Recommendation:</b> There could be a graded approach to the penalties based on the degree of severity of the offence. This could be in the form of name and shame, warnings and penalties that can be graded based on the degree of the offence. <br /> ----------------------------------------------------------------------</p>
<p style="text-align: justify; ">Additional thoughts: As India moves to a digital future there is a need for laws to be in place to ensure that individuals' rights are not violated. By riding on the push to digitization, and emerging technologies such as AI, a strong all-encompassing privacy legislation can allow India to leapfrog and use these emerging technologies for the benefit of the citizens without violating their privacy. A robust legislation can also ensure a level playing field for data driven enterprises within a framework of openness, fairness, accountability and transparency.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; "><a href="#_ftnref1"><sup><sup>[1]</sup></sup></a> These seven principles include: Right to Access, Right to Rectification, Right to Erasure And Destruction of Personal Data, Right to Restriction Of Processing, Right to Object, Right to Portability of Personal Data, Right to Seek Exemption from Automated Decision-Making.</p>
<p style="text-align: justify; "><a href="#_ftnref2"><sup><sup>[2]</sup></sup></a> The Privacy (Protection) Bill 2013: A Citizen’s Draft, Bhairav Acharya, Centre for Internet &amp; Society, https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-citizens-draft</p>
<p style="text-align: justify; "><a href="#_ftnref3"><sup><sup>[3]</sup></sup></a> General Data Protection Regulation, available at https://gdpr-info.eu/art-4-gdpr/.</p>
<p style="text-align: justify; "><a href="#_ftnref4"><sup><sup>[4]</sup></sup></a> Antonio Vetro, Open Data Quality Measurement Framework: Definition and Application to Open Government Data, available at https://www.sciencedirect.com/science/article/pii/S0740624X16300132</p>
<p style="text-align: justify; "><a href="#_ftnref5"><sup><sup>[5]</sup></sup></a> General Data Protection Regulation, available at https://gdpr-info.eu/chapter-5/.</p>
<p style="text-align: justify; "><a href="#_ftnref6"><sup><sup>[6]</sup></sup></a> Sensitive personal data under Section 2(bb) includes biometric data; deoxyribonucleic acid data;<br /> sexual preferences and practices; medical history and health information; political affiliation;<br /> membership of a political, cultural, social organisations including but not limited to a trade union as defined under Section 2(h) of the Trade Union Act, 1926; ethnicity, religion, race or caste; and<br /> financial and credit information, including financial history and transactions.</p>
<p style="text-align: justify; "><a href="#_ftnref7"><sup><sup>[7]</sup></sup></a> Submission to the Committee of Experts on a Data Protection Framework for India, Amber Sinha, Centre for Internet &amp; Society, available at https://cis-india.org/internet-governance/files/data-protection-submission</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/the-centre-for-internet-and-society2019s-comments-and-recommendations-to-the-indian-privacy-code-2018'>http://editors.cis-india.org/internet-governance/blog/the-centre-for-internet-and-society2019s-comments-and-recommendations-to-the-indian-privacy-code-2018</a>
</p>
No publisher
Shweta Mohandas, Elonnai Hickok, Amber Sinha and Shruti Trikanand
Aadhaar, Internet Governance, Privacy
2018-07-20T13:55:46Z
Blog Entry
India's Latest Data Leak: People's Aadhaar Number And Bank Account Are Just One Google Search Away
http://editors.cis-india.org/internet-governance/news/huffington-post-gopal-sathe-july-12-2018-indias-latest-data-leak-is-so-basic-that-peoples-aadhaar-number-bank-account-and-fathers-name-are-just-one-google-search-away
<b>Even Truecaller doesn't reveal this much.
</b>
<p style="text-align: justify; ">The article by Gopal Sathe was published in <a class="external-link" href="https://www.huffingtonpost.in/2018/07/11/indias-latest-data-leak-is-so-basic-that-peoples-aadhaar-number-bank-account-and-fathers-name-are-just-one-google-search-away_a_23479694/">Huffington Post</a> on July 12, 2018.</p>
<hr />
<p style="text-align: justify; ">Imagine being able to hack someone's personal data simply by entering their mobile phone number into a Google search. There is a website of the Andhra Pradesh government that's leaking people's phone numbers, Aadhaar numbers, fathers' names, passbook and bank account numbers, and the district and <i>mandal</i> where they live - and the link to all this information is the first result you get when you search for the phone numbers of people in the database.</p>
<p style="text-align: justify; ">The Andhra government has been leaking the personal data of more than 23,000 farmers who have received subsidies from the Andhra Pradesh Medicinal and Aromatic Plants Board, an organisation that encourages the growth of Ayurvedic medicines in the state. The subsidies are offered to farmers and tribals in the state, and all their personal data is available on an open database on an Andhra Government website.</p>
<p style="text-align: justify; ">The information is not behind any access control, and you can see all the records, click on them to get the details of anyone, or download everything as an Excel sheet. But what's perhaps worse is that simply by searching for the phone numbers of many of these farmers, we were able to find the detailed information about them. <i>HuffPost India </i>randomly chose a dozen farmers, and in each case, this database was the first result for their phone number on Google.</p>
<p style="text-align: justify; ">That's the most concerning part - in most cases, even when the information has leaked, it isn't readily apparent to people. You have to know the website address, or at the very least spend some time poring through dashboards. In the case of this latest leak, all you need is the person's phone number, and all their information is made visible. <i>HuffPost India </i>has reported this issue to the AP government, much like earlier leaks, although at the time of writing the data is still available online.</p>
<h3 style="text-align: justify; ">Who's held responsible?</h3>
<p style="text-align: justify; ">This is just the latest in a long line of leaks from AP - in just the last few months, we've reported on a website that let you geo-locate homes on the <a href="https://www.huffingtonpost.in/2018/04/25/aadhaar-seeding-fiasco-how-to-geo-locate-every-minority-family-in-ap-with-one-click_a_23419643/" target="_blank">basis of caste and religion</a>; while another tracked all the medicines people buy, <a href="https://www.huffingtonpost.in/2018/06/17/andhra-pradesh-tracked-you-as-you-bought-viagra-then-put-your-name-and-phone-number-on-the-internet-for-the-world-to-see_a_23459943/" target="_blank">such as generic viagra</a>, along with their phone numbers; and one that tracked <a href="https://www.huffingtonpost.in/2018/06/18/ap-government-website-lets-anyone-track-patients-in-ambulances_a_23461912/" target="_blank">pregnant women in ambulances</a> in real time.</p>
<p style="text-align: justify; ">A government official we spoke to in AP Secretariat said that while all the departments have been digitised, an <a href="https://www.huffingtonpost.in/2018/07/08/the-ap-government-has-a-new-security-hub-to-guard-your-data-but-tech-isnt-the-problem_a_23476310/" target="_blank">understanding of security</a> - and privacy - is yet to come. "Even if you tell them, 'this data is not something you can publish', they disagree and say that it is needed for the beneficiaries to be able to access their own information," he explained.</p>
<p style="text-align: justify; ">Karan Saini, a security analyst and consultant who writes on issues of web security and privacy, told HuffPost that the various government departments are generally unresponsive when breaches like this are brought up.</p>
<p style="text-align: justify; ">"Lack of outreach is an issue with all of these organisations," said Saini. "NCIIPC is the only one that can even be found by someone looking at the surface. [These organisations] are hard to get a response from."</p>
<p style="text-align: justify; ">One reason for this, said Srinivas Kodali, a security researcher who has revealed a tremendous amount of leaks in the AP system, is that there is no official system of accountability in the government when it comes to data leaks.</p>
<p style="text-align: justify; ">In May 2017, the AP government passed the <a href="https://apit.ap.gov.in/Other%20Docs/GoAP_Part_IV-B.pdf" target="_blank">Andhra Pradesh Core Digital Data Authority Act</a>, under which in section 37 it states that no legal proceeding shall lie against any officer or employee for anything which is in good faith done. What this means is that leaks and breaches are not something any official in the government can be held responsible for.</p>
<p style="text-align: justify; ">This act came out less than a month after the Centre for Internet and Society in Bengaluru published a <a href="https://thewire.in/tech/aadhaar-card-details-leaked" target="_blank">report</a> stating that 13 crore Aadhaar numbers were leaked - of which 2 crore were from Andhra Pradesh.</p>
<h3 style="text-align: justify; ">A lack of (human) resources</h3>
<p style="text-align: justify; ">AP officials do acknowledge the problem. "There is a major shortage of cybersecurity professionals, and hiring them is a challenge," <a href="https://www.huffingtonpost.in/2018/07/08/the-ap-government-has-a-new-security-hub-to-guard-your-data-but-tech-isnt-the-problem_a_23476310/" target="_blank">said</a> V Premchand, head of the Andhra Pradesh Technology Service, who is in charge of the ongoing security work in the state. AP has seen a major security audit in May this year, and a privacy audit was announced last month.</p>
<p style="text-align: justify; ">"The work is ongoing but it is not something that can happen overnight," Premchand explained. However, others argue that the government isn't doing enough to make use of existing manpower. Unlike other countries, the Indian government does not have any real bug bounty program, where security researchers are incentivised to report weaknesses to organisations for cash rewards and recognition.</p>
<p style="text-align: justify; ">Sai Krishna Kothapalli, a student at IIT Guwahati and a security researcher, told HuffPost that the government actively discourages security experts from providing their support, rather than encouraging them.</p>
<p style="text-align: justify; ">"The US Department of Defense and others have a responsible disclosure program and a lot of people from India take part in that," he said. "Our talent is being used by them instead because the government here does not reply at all."</p>
<p style="text-align: justify; ">"India's top hackers are being employed by people outside the country, even though we have the talent here, because will you spend the time and effort to be ignored here, or report issues to a US company and make thousands of dollars instead?"</p>
<p style="text-align: justify; ">However, security audits in India are only being carried out by agencies that have been empaneled, and most of the hackers active here don't have the certification, he added. "They're too busy actually doing the work, while these big companies do audits, and leave all kinds of security issues behind."</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/huffington-post-gopal-sathe-july-12-2018-indias-latest-data-leak-is-so-basic-that-peoples-aadhaar-number-bank-account-and-fathers-name-are-just-one-google-search-away'>http://editors.cis-india.org/internet-governance/news/huffington-post-gopal-sathe-july-12-2018-indias-latest-data-leak-is-so-basic-that-peoples-aadhaar-number-bank-account-and-fathers-name-are-just-one-google-search-away</a>
</p>
No publisher
Admin
Aadhaar, Internet Governance, Privacy
2018-07-13T15:18:46Z
News Item
Digital Native: Cause an Effect
http://editors.cis-india.org/raw/indian-express-nishant-shah-june-17-2018-digital-native-cause-an-effect
<b>Aadhaar is a self-contained safe system, its interaction with other data and information systems is also equally safe and benign.</b>
<p style="text-align: justify; ">The article was published in the <a class="external-link" href="https://indianexpress.com/article/technology/social/digital-native-cause-an-effect-5219977/">Indian Express</a> on June 17, 2018.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Statistically, it has been proven that the consumption of ice cream in the country increases significantly in the summer months. In the same months, the number of housebreak incidents also increases. It might be possible, though ridiculous, to now make an argument that eating ice cream leads to increased frequencies of housebreakings, and, hence, sale and consumption of ice cream should be regulated more rigorously. The humour in this situation arises out of the fact that we know, at a very human level, that correlation is not the same as causation.</p>
<p style="text-align: justify; ">We know that just because two things happen in temporal or spatial proximity with each other doesn’t necessarily mean they are connected or responsible in a chain of events. This is because human communication is designed to make a distinction between cause-and-effect relationship and happened-together relationship between two sets of information.</p>
<p style="text-align: justify; ">However, when it comes to computation, things turn slightly different. Within the database logics of computation, two sets of data, occurring in the same instance, are subjected to a simple scrutiny: Either one of them is linked with the other, or, one of the two is noise, and, hence, needs to be removed from the system. Computation systems are foundationally anchored on logic. Within logical systems, all the events and elements described in the system are interlinked and have a causal relationship with each other. Computational learning systems, thus, do not have the capacity to make a distinction between causal and correlative phenomena.</p>
<p style="text-align: justify; ">This is why computation systems of data mining and profiling are so much more efficient than human cognition. Not only are these systems able to compute a huge range of data, but they are also able to make unprecedented, unforeseen, unexpected, and often unimagined connections between seemingly disparate and separate information streams. I present to you this simplified notion of computer logic because it is at the heart of the biometric identity-based debates around <a href="https://indianexpress.com/article/what-is/what-is-aadhaar-card-and-where-is-it-mandatory-4587547/">Aadhaar</a> right now. Recently, Ajay Bhushan Pandey, CEO, UIDAI, wrote an opinion piece that insisted that the data collective mechanisms of Aadhaar are not only safe but also benign. His opinion is backed by Bill Gates, who also famously suggested that “Aadhaar in itself” is not dangerous.</p>
<p style="text-align: justify; ">And, in many ways, Gates is right, even if Pandey’s willful mischaracterisation of Gates’s statement is not. For Gates, a computer scientist looking at the closed architecture of the Aadhaar system, it might appear that, inasmuch as any digital system could be safe, Aadhaar is indeed safe. In essence, Gates’s description was that, as a logical system of computational architecture, Aadhaar is safe, and the data within it, in their correlation with each other, does not form any sinister networks that we need to worry about.</p>
<p style="text-align: justify; ">However, Pandey takes this “safe in itself” argument to extend it to the applications and implementations of Aadhaar. He argues that because Aadhaar is a self-contained safe system, its interaction with other data and information systems is also equally safe and benign. In this, Pandey, either out of ignorance or willful mischaracterisation, confuses correlation with causality. He refuses to admit that Aadhaar and the biometrics within that are the central focal point around which a variety of data transactions happen which produce causal links between disconnected subjects.</p>
<p style="text-align: justify; ">Thus, the presence of a digital biometric data set might not in itself be a problem, but when it becomes the central verification system that connects your cellphone with your geolocation data, your presence and movement with your bank account and your income tax returns, your food and lifestyle consumption with your medical records, it starts a causal link between information which was hitherto unconnected, and, hence, considered trivial.</p>
<p style="text-align: justify; ">The alarm that the critics of Aadhaar have been raising is not about whether the data on Aadhaar is safe or not, but, how, in the hands of unregulated authorities, the correlations that Aadhaar generates and translates into causal profiles have dire consequences on the privacy and liberty of the individuals who carry the trace of Aadhaar in all facets of life. Pandey and his team of governors need to explain not the safety of Aadhaar but what happens when the verification information of Aadhaar is exploited to create non-human correlations of human lives, informing policy, penalisation and pathologisation through these processes.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/raw/indian-express-nishant-shah-june-17-2018-digital-native-cause-an-effect'>http://editors.cis-india.org/raw/indian-express-nishant-shah-june-17-2018-digital-native-cause-an-effect</a>
</p>
No publisher
nishant
Researchers at Work, Aadhaar, Digital Natives
2018-06-26T15:21:01Z
Blog Entry
Indian Cricket Board Exposes Personal Data of Thousands of Players
http://editors.cis-india.org/internet-governance/news/hack-read-waqas-may-15-2018-indian-cricket-board-exposes-personal-data-of-thousands-of-players
<b>The IT security researchers at Kromtech Security Center discovered a trove of personal and sensitive data belonging to around 15,000 to 20,000 Indian applicants participating in cricket seasons 2015-2018.</b>
<p style="text-align: justify; ">The blog post was published on <a class="external-link" href="https://www.hackread.com/indian-cricket-board-exposes-data-of-cricketers/">Hack Read</a> on May 15, 2018.</p>
<hr />
<p style="text-align: justify; ">The authority responsible for protecting this data was The Board of Control for Cricket in India (BCCI) but it was left exposed to the public in two misconfigured AWS (Amazon Web Services) S3 cloud storage buckets.</p>
<p style="text-align: justify; "><a href="https://mackeepersecurity.com/post/bcci-exposed-players-personal-sensitive-data" rel="noopener" target="_blank">According to the analysis</a> from Kromtech researchers, the data was divided into different categories of players including those under 19 years old. The data was accessible to anyone with an Internet connection and basic knowledge of using AWS cloud storage.</p>
<p style="text-align: justify; ">The data was discovered earlier this month and included names, date of birth, place of birth, permanent addresses, email IDs, proficiency details, medical records, birth certificate number, passport number, SSC certificate number, PAN card number, mobile number, landline and phone number of the person who can be contacted in case of emergency.</p>
<p style="text-align: justify; "><img alt="Indian Cricket Board Exposes Personal Data of Thousands of Players" src="https://www.hackread.com/wp-content/uploads/2018/05/indian-cricket-board-exposes-personal-data-of-thousands-of-players-1.png?x62286" /></p>
<p>Screenshot of one of the files that were exposed (Image credit: Kromtech)</p>
<p style="text-align: justify; ">At the time of publishing this article, the BCCI was informed by Kromtech researchers and both misconfigured buckets were secured. However, this is not the first time such sensitive information has been leaked online. In 2017, Bangalore-based Centre for Internet and Society (CIS) <a href="https://www.hackread.com/indian-biometric-system-data-leaked/" rel="noopener" target="_blank">found that</a> names, addresses, date of birth, PAN card details, Aadhaar card numbers and other relevant details of millions of Indian citizens could be found with just a simple Google search.</p>
<p style="text-align: justify; ">On the other hand, lately, AWS buckets have been <a href="https://www.hackread.com/localblox-exposes-millions-of-facebook-linkedin-data/" rel="noopener" target="_blank">making headlines for the wrong reasons</a>. Until now, there have been tons of cases in which misconfigured AWS buckets have been found carrying highly sensitive and confidential data <a href="https://www.hackread.com/unprotected-s3-cloud-bucket-exposed-100gb-of-classified-nsa-data/" rel="noopener" target="_blank">such as classified NSA documents</a> or details about <a href="https://www.hackread.com/misconfigured-amazon-s3-buckets-exposed-us-militarys-social-media-spying-campaign/" rel="noopener" target="_blank">US Military’s social media spying campaign</a>.</p>
<p style="text-align: justify; ">In two such cases, malicious hackers were able to compromise AWS buckets belonging to <a href="https://www.hackread.com/hackers-compromise-tesla-cloud-server-to-mine-cryptocurrency/" rel="noopener" target="_blank">Tesla Motors</a> and <a href="https://www.hackread.com/la-times-website-hacked-mine-monero-cryptocurrency/" rel="noopener" target="_blank">LA Times</a> to secretly mine cryptocurrency. Therefore, if you are an AWS user make sure your cloud server is properly secured.</p>
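<p style="text-align: justify; ">What "properly secured" means for a bucket can be checked offline from three pieces of configuration: the bucket ACL, the bucket policy and the Public Access Block settings. The audit below is an added example, not code from the article or from Kromtech; it takes inputs in the shapes the S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock APIs return, the bucket name and sample documents are constructed placeholders, and policy conditions, object ACLs and account-level settings are not evaluated.</p>

```python
import json

# Grantee URIs that make an S3 ACL grant public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "everyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}


def as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_wildcard_principal(principal):
    """True for "Principal": "*" and for {"AWS": "*"} style principals."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in as_list(v) for v in principal.values())
    return False


def assess_bucket(policy_json, acl, public_access_block=None):
    """Classify a bucket as "public", "review" or "not public" from its configuration."""
    pab = public_access_block or {}
    exposures, review = [], []

    # ACL grants to the global groups expose the bucket unless IgnorePublicAcls is on.
    if not pab.get("IgnorePublicAcls", False):
        for grant in acl.get("Grants", []):
            who = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI"))
            if who:
                exposures.append(f"ACL grants {grant['Permission']} to {who}")

    # Allow statements with a wildcard principal expose it unless
    # RestrictPublicBuckets is on.
    if policy_json and not pab.get("RestrictPublicBuckets", False):
        for stmt in as_list(json.loads(policy_json).get("Statement")):
            if stmt.get("Effect") != "Allow":
                continue
            if not is_wildcard_principal(stmt.get("Principal")):
                continue
            actions = ", ".join(as_list(stmt.get("Action")))
            finding = f"policy allows {actions} to any principal"
            # A Condition may or may not narrow access; it is not evaluated here,
            # so conditional statements are queued for manual review instead.
            (review if stmt.get("Condition") else exposures).append(finding)

    status = "public" if exposures else "review" if review else "not public"
    return {"status": status, "exposures": exposures, "review": review}


# Constructed sample: a bucket that anyone can list (ACL) and read (policy).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket-placeholder/*",
    }],
})
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
# The corrected setting: all four Public Access Block switches enabled.
BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print("as found:", assess_bucket(SAMPLE_POLICY, SAMPLE_ACL))
    print("hardened:", assess_bucket(SAMPLE_POLICY, SAMPLE_ACL, BLOCK_ALL))
```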
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/hack-read-waqas-may-15-2018-indian-cricket-board-exposes-personal-data-of-thousands-of-players'>http://editors.cis-india.org/internet-governance/news/hack-read-waqas-may-15-2018-indian-cricket-board-exposes-personal-data-of-thousands-of-players</a>
</p>
No publisher
Admin
Aadhaar, Internet Governance, Privacy
2018-05-18T05:01:50Z
News Item
Aadhaar Remains an Unending Security Nightmare for a Billion Indians
http://editors.cis-india.org/internet-governance/news/the-wire-karan-saini-may-11-2018-aadhaar-remains-an-unending-security-nightmare-for-a-billion-indians
<b>Yesterday was the 38th and last day of hearings in the Supreme Court case challenging the constitutional validity of India’s biometric authentication programme. After weeks of arguments from both sides, the Supreme Court has now reserved the matter for judgement.</b>
<p style="text-align: justify; ">The article by Karan Saini was published in the <a class="external-link" href="https://thewire.in/government/aadhaar-remains-an-unending-security-nightmare-for-a-billion-indians">Wire</a> on May 11, 2018.</p>
<hr />
<p style="text-align: justify; ">Since its inception, the Aadhaar project has lurched from controversy to scandal. In the last two years, the debate has heavily centred around issues of data security, privacy and government overreach. This debate, unfortunately, like with most things Aadhaar, has been obfuscated in no small part due to the manner in which the Unique Identification Authority of India (UIDAI) reacts to critical public discussion.</p>
<p style="text-align: justify; ">As India waits for the apex court’s judgement, this is as good a time as any to take stock of the security and privacy flaws underpinning the Aadhaar ecosystem.</p>
<h3 style="text-align: justify; ">Poor security standards</h3>
<p style="text-align: justify; ">Let’s start with the lackadaisical attitude towards information security. As has become evident in the <a href="https://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof/view" target="_blank">past</a>, harvesting and collecting Aadhaar numbers – or acquiring scans and prints of valid Aadhaar cards – has become a trivial matter.</p>
<p style="text-align: justify; ">There are several government websites which implement Aadhaar authentication while at the same time lacking basic security practices such as the use of SSL to encrypt user traffic and/or the use of captchas to protect against brute-force or scraping attacks. This includes the biometric attendance website of the <a href="http://dgftbct.attendance.gov.in/register/myemp" rel="noopener" target="_blank">Director General of Foreign Trade</a>, the website for the <a href="http://nfsm.gov.in/dbt/aadhaarverification.aspx" rel="noopener" target="_blank">National Food Security Mission</a> and the <a href="http://medleaprhry.gov.in/PvtAddRecord.aspx" rel="noopener" target="_blank">Medleapr website</a>.</p>
<p style="text-align: justify; ">With numerous government websites being susceptible, problematic issues such as the use of open directories to store sensitive data give us a look into how even the bare minimum – when it comes to adhering to security best practices – isn’t enforced across the gamut of websites which interface with Aadhaar.</p>
<p style="text-align: justify; ">It should not be acceptable practice to have government websites with open web directories containing PDF scans of dozens of Aadhaar cards available for just about anyone to view and/or download. Yet, over the past year and even before, many government websites have been found to either inadvertently or knowingly publish this information without much regard for the potential consequences it could have.</p>
<p style="text-align: justify; ">The UIDAI has repeatedly shown an attitude of hostility and dismissiveness when it comes to fixing security and privacy issues which are present in the Aadhaar ecosystem. It has also shown no signs of how it plans to tackle this problem.</p>
<p style="text-align: justify; ">In my personal experience as a security researcher, I have found and reported a cache of more than 40,000 scanned Aadhaar cards being available through an unsecured database managed by a private company, which relied on those scans for the purposes of verifying and maintaining records of their customers.</p>
<p style="text-align: justify; ">What’s worse is that the media reports regarding Aadhaar information being exposed may only be scratching the surface of the issue as more data may actually be susceptible to access and theft, and simply yet to be found and publicly reported. For example, data could be leaking through publicly available data stores of third-party companies interfacing with Aadhaar, or through inadequately secured APIs and sensitive portals without proper access controls.</p>
<p style="text-align: justify; ">Not all security incidents become a matter of public knowledge, so what we know at any given point about the illegal exposure of Aadhaar information may just be a glimpse of what is actually out there.</p>
<p style="text-align: justify; ">It should be acknowledged that the possession of these 12-digit numbers and their corresponding demographic information can open up room for potential fraud – or at the very least make it easier for criminals to carry out identity theft and SIM and banking fraud.</p>
<p style="text-align: justify; ">A <a href="https://thewire.in/economy/aadhaar-fraud-uidai" target="_blank">detailed analysis</a> of all publicly-reported Aadhaar-related or Aadhaar-enabled fraud over the last few years shows that the problem is not only real but deserves far more attention than what it has received so far.</p>
<h3 style="text-align: justify; ">Threat level infinity</h3>
<p style="text-align: justify; ">Taking a step back, it’s clear that the Aadhaar project snowballed into an ecosystem that it now struggles to control.</p>
<p style="text-align: justify; ">For instance, demographic information – as is stated in the draft for the <a href="https://www.uidai.gov.in/images/the_aadhaar_act_2016.pdf" rel="noopener" target="_blank">Aadhaar Act</a> (NIDAI Bill 2010) – was originally considered confidential information, meaning no entity could request your demographic information such as name, address, phone number etc. for purposes of eKYC.</p>
<p style="text-align: justify; ">However, as the ecosystem has progressed, the implementation and usage of eKYC have also changed and grown significantly with companies like PayTM utilising eKYC for the purposes of requesting and verifying customer information. It should be considered that data which has been collected by any of these companies through Aadhaar can be accessed by them in the future for an indefinite period of time depending on their own policies regarding storage and retention of the data.</p>
<p style="text-align: justify; ">If there ever is a breach of the CIDR or a mirrored silo containing a significant amount of Aadhaar-related data, it would directly affect more than one billion people. To put this in perspective, it would easily be the single largest breach of data in terms of the sheer number of people affected <i>and</i> it would have far-reaching consequences for everyone affected which might be very hard to offset.</p>
<p style="text-align: justify; ">On a comparatively smaller scale – although just as serious, if not more in terms of potential implications – would be a breach of any given state’s resident data hub (SRDH) repository. In some cases, SRDHs <a href="https://www.thenewsminute.com/article/13-lakh-aadhaar-numbers-leaked-andhra-govt-website-linked-personal-details-80178" rel="noopener" target="_blank">have been known to integrate data</a> acquired from other sources containing information regarding parameters such as caste, banking details, religion, employment status, salaries, and <a href="https://webcache.googleusercontent.com/search?q=cache:-HMXusc-Nm4J:https://mpsrdh.gov.in/aboutUsCitizen.html+&cd=2&hl=en&ct=clnk&gl=in&client=firefox-b-ab" rel="noopener" target="_blank">then linking the same</a> to residents’ corresponding Aadhaar data.</p>
<p style="text-align: justify; ">Damage control would be costly and painstaking due to the number of people enrolled. What adds to the disastrous consequences is that one cannot just deactivate their Aadhaar or opt-out of the programme the way they would with say a compromised Facebook or Twitter account. You can always deactivate Facebook. You cannot deactivate your Aadhaar. It should be noted that even with biometrics set to ‘disabled’, Aadhaar verification transactions can be verified through OTP.</p>
<p style="text-align: justify; ">Additionally, the Aadhaar ecosystem is such that information about individuals can be accessed not just from UIDAI servers but also from other third-party databases where Aadhaar numbers are linked with their own respective datasets. Due to this aspect – multiple points of failure are introduced for possible compromise of data, especially because third-party databases are almost certainly not as secure as the CIDR.</p>
<p style="text-align: justify; ">Recently, after taking a closer look at the ecosystem of websites which incorporate the use of Aadhaar based authentication, I <a href="https://www.karansaini.com/extracting-aadhaar-linked-phone-numbers/" rel="noopener" target="_blank">discovered that it was possible</a> to extract the phone number linked to any given Aadhaar through the use of websites which poorly implemented Aadhaar text-based (OTP) authentication.</p>
<p style="text-align: justify; ">This process worked by first retrieving the last four digits of the phone number linked to an Aadhaar using any website which reveals this information (this includes DigiLocker and NFSM.gov.in, and appears to be standard practice enforced by UIDAI) and then performing an enumeration attack on the first six digits using websites which allow the user to provide both their Aadhaar number and the verified phone number linked to it.</p>
<p style="text-align: justify; ">This again highlights that while secure practices might be followed by the UIDAI, errors in implementation and other flaws are nevertheless introduced by third parties who interface with Aadhaar, posing a risk to the privacy and security of its data.</p>
<h3 style="text-align: justify; ">The bank mapper rabbit hole</h3>
<p style="text-align: justify; ">As of February 24, 2017, it <a href="https://thewire.in/government/india-inc-needs-to-fix-numerous-basic-%20information-security-flaws-quickly)" target="_blank">was possible</a> to retrieve bank linking status information directly from UIDAI’s website without any prior verification.</p>
<p style="text-align: justify; ">However, after this information was reported, the ‘<a href="https://uidai.gov.in/" rel="noopener" target="_blank">uidai.gov.in</a>’ website was updated to first require requesters to prove their identity before retrieving Aadhaar bank-linking data from the endpoint on their website.</p>
<p style="text-align: justify; ">A year later – when business technology news site <i>ZDNet </i>published their report regarding a flawed API on the website of a state-owned utility company (later revealed to be Indane) – part of the data revealed included bank linking status information which was identical to what was previously revealed on UIDAI’s website without proper authentication.</p>
<p style="text-align: justify; ">This suggests that both the Indane API and UIDAI website utilised the National Payments Corporation of India (NPCI) to retrieve bank-linking data – but as of now, this remains conjecture since Indane never put out a statement or gave a public comment regarding the flawed API on their website.</p>
<p style="text-align: justify; ">More importantly, what this also suggests is that the NPCI never placed any controls or security mechanisms (such as request throttling or access controls) on the lookup requests it processed for the UIDAI (and seemingly for Indane as well).</p>
<p style="text-align: justify; ">This means that while the UIDAI may have fixed their website to not reveal bank linking data without proper verification – the issue was not rectified at its core by the NPCI – allowing the same to happen a year later in Indane’s case. This practice also classifies as a case of security through obscurity, <a href="http://users.softlab.ntua.gr/~taver/security/secur3.html" rel="noopener" target="_blank">which</a> “is the belief that a system of any sort can be secure so long as nobody outside of its implementation group is allowed to find out anything about its internal mechanisms”.</p>
<h3 style="text-align: justify; ">Who is on the hook?</h3>
<p style="text-align: justify; ">There is a lack of needed accountability when it comes to data breaches. Have any of the organisations against whom allegations of data breach have been made been investigated and acted on? Have fines been imposed on those responsible for allowing access/theft of user data? Have there been reports published by any of the affected organisations in which they investigate any alleged breaches to either provide insight regarding the breach and its impact, the scale of data accessed, logs of access and other crucial evidence or dismiss the allegations by proving that there was no intrusion which took place?</p>
<p style="text-align: justify; ">Most of the time, organisations do not even accept that a breach has taken place, let alone take responsibility for the same and strive to better protect user data in the future.</p>
<p style="text-align: justify; ">Switching to ‘PR spin mode’ should never be the answer when dealing with the data of a billion-plus Indian citizens and residents. This can be observed in almost all cases where a breach or security lapse was alleged.</p>
<p style="text-align: justify; ">The UIDAI has also acquired the dubious reputation of sending legal notices and slapping cases on journalists and security researchers who seek to highlight the security and privacy problems ailing the Aadhaar infrastructure.</p>
<p style="text-align: justify; ">In March 2017, a case against Sameer Kochhar – chairman of the Skoch Group – was filed on the basis of a complaint from Yashwant Kumar of the UIDAI allegedly for “spreading rumours on the internet about vulnerability of the Aadhaar system”. Kochhar had written an article in February 2017 titled “Is a Deep State at Work to Steal Digital India?” in which a request replay attack on biometric Aadhaar authentication was demonstrated.</p>
<p style="text-align: justify; ">Two months later, The Centre for Internet and Society published a report regarding several government websites which were inadvertently leaking millions of Aadhaar card numbers. A few days after this report was published, the UIDAI <a href="https://in.reuters.com/article/india-aadhaar-breach/critics-of-aadhaar-project-say-they-have-%20been-harassed-put-under-surveillance-idINKCN1FX1SS" rel="noopener" target="_blank">sent a legal notice to the organisation</a>, stating that the people involved with the report had to be “brought to justice”.</p>
<p style="text-align: justify; ">In January 2018, an investigative story was published by Rachna Khaira of <em>The Tribune</em> newspaper – in which she reported that access to an Aadhaar portal was being sold by “agents” for as cheap as Rs 500. In response to this story – the UIDAI first sought to discredit the investigative work by calling it a ‘case of misreporting’ – after which they attempted to downplay the magnitude of the report by citing that biometrics were safe and had not been breached.</p>
<p style="text-align: justify; ">Following this, the Delhi crime branch registered an FIR against the reporter and others named in the article on the basis of a complaint by a UIDAI official, with charges ranging from forgery, cheating by impersonation and unauthorised access of a computer system.</p>
<p style="text-align: justify; ">In March 2018, <em>ZDNet</em> published a report about Aadhaar-related data leaking from an unsecured API on a utility provider’s website. This was the result of days of testing to first confirm the existence of the issue and its scope. It was preceded by more than a month of attempted communication through several channels – email, phone, even direct messages via Twitter – with both Indane and the UIDAI (and even the Indian Consulate in New York).</p>
<p style="text-align: justify; ">But still, when the report was published after a lack of acknowledgement/response from affected parties, the UIDAI was quick to deny the report as well as any possibility of such a thing occurring. The Aadhaar agency then released a statement in which they said they were ‘contemplating legal action’ against the publication of their report.</p>
<p style="text-align: justify; ">Data security and privacy laws won’t do much to affect the dismissive and hostile attitude the UIDAI seems to have regarding the people that investigate and report on security and privacy issues relating to Aadhaar.</p>
<h3 style="text-align: justify; ">Hide and seek</h3>
<p style="text-align: justify; ">In general, when it comes to reports of security breaches and security incidents, many authorities in India prefer playing the blame-game. This was seen most recently in response to an internal letter (ironically marked as ‘SECRET’) that was circulated on social media – which mentioned that data was stolen from the Aadhaar Seeding portal of the EPFO by hackers exploiting a known vulnerability in the Apache Struts framework.</p>
<p style="text-align: justify; ">Following this – the EPFO <a href="https://economictimes.indiatimes.com/wealth/personal-finance-news/epfo-slams-aadhaar-data-theft-reports-on-social-media/articleshow/63999631.cms?utm_source=WAPusers&utm_medium=whatsappshare&utm_campaign=socialsharebutton&from=mdr" rel="noopener" target="_blank">quickly switched to PR mode</a> and publicly issued a statement through their official Twitter account (@socialepfo) denying the breach – saying that “There is no leak from EPFO database. We have already shut down the alleged Aadhaar seeding site run by Common Service Centres on 22.03.2018.”</p>
<p style="text-align: justify; ">Every time reports of a potential breach or leak of data circulate, Indian government agencies are quick to come out and announce that no breach has taken place. However, this is always to be taken just on the basis of their saying so, as opposed to the reports they’re meant to be arguing against, which (in some cases) contain verifiable evidence that is the result of arduous investigative work.</p>
<p style="text-align: justify; ">Regardless, passing around the blame and in cases completely denying security incidents is not something authorities should be doing when it concerns the data of more than a billion people.</p>
<p style="text-align: justify; ">In response to a recent story by <em>Asia Times</em> <a href="https://www.thewire.in/government/cracked-aadhaar-enrolment-software-being-sold" rel="noopener" target="_blank">regarding Aadhaar enrolment software being cracked and sold</a>, the UIDAI sought to discredit and discount the report through messages shared on their social media profiles – where they stated that the report was “baseless, false, misleading and irresponsible”.</p>
<p style="text-align: justify; ">The UIDAI should have an interest in protecting any and all data which stems from or relates to Aadhaar as it has to do with a project they are ultimately responsible for. It should not matter whether the leak occurred from a portal on EPFO’s website, an API without proper access controls on Indane’s website, a website of the Andhra Pradesh state government, through biometric request replay attacks, through sold access to admin portals and cracked software, or however else. It should ultimately be the UIDAI’s responsibility to not only be reactive about these issues when they’re brought to light but to do so in such a way which does not hinder reporters from continuing their work.</p>
<p style="text-align: justify; ">Additionally, if the UIDAI wishes to keep its systems as secure as they could be – they should proactively seek such reports about flaws or vulnerabilities in critical infrastructure pertaining to their project.</p>
<h3 style="text-align: justify; ">The way forward</h3>
<p style="text-align: justify; ">In April 2018, the head of the Indian Computer Emergency Response Team (CERT-In), <a href="https://factordaily.com/vulnerability-reported-cert/" rel="noopener" target="_blank">rather defensively noted</a> that “not a single person had reported any incident” to the organisation.</p>
<p style="text-align: justify; ">CERT-In, a part of the IT ministry, is the central agency responsible for dealing with security issues and incidents. To put it bluntly, it has not done a very great job of outreach when it comes to the people it ultimately relies on: security researchers and hackers.</p>
<p style="text-align: justify; ">In India, there is an abundance of skills and talent when it comes to IT security and this could be of immense help to organisations responsible for managing critical infrastructure – but only if they cared enough to utilise it to the fullest extent.</p>
<p style="text-align: justify; ">Ajay Bhushan Pandey, the CEO of UIDAI, promised a secure and legal bug reporting environment for the Aadhaar ecosystem sometime in 2017. However, almost a year later, there are no tangible signs of any steps being taken to ensure the same. In fact, the UIDAI would already be straying from their usual course of action if they stopped harassing people reporting on issues of security and privacy with regard to Aadhaar.</p>
<p style="text-align: justify; ">It has been suggested that the UIDAI employ a bug bounty programme – which involves rewarding hackers with monetary compensation or through means such as an addition to a ‘Security Hall of Fame’ as an incentive.</p>
<p style="text-align: justify; ">I personally believe that there is no need for a bug bounty programme in its traditional sense – meaning that UIDAI should not have to provide material incentives to attract hackers to report valid issues to them. Simply acknowledging the work of those that discover and report valid issues should more than likely be incentive enough to get talent on-board.</p>
<p style="text-align: justify; ">The US Department of Defense (DoD) employs a similar approach <a href="https://www.hackerone.com/sites/default/files/2018-03/Distributed%20Defense-How%20Governments%20Deploy%20Hacker-Powered%20Security.pdf" rel="noopener" target="_blank">where they invite hackers from the world</a> over to test their systems for security vulnerabilities/bugs and then report them in a responsible manner. What the hackers get in return is the acknowledgement of their skill and devotion to ensuring the security of DoD’s platform. Something similar needs to be set up with regard to critical information infrastructures in India so that issues can be reported by anyone who wishes to do so – without hassle and/or fear of persecution hanging over the heads of hackers.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/the-wire-karan-saini-may-11-2018-aadhaar-remains-an-unending-security-nightmare-for-a-billion-indians'>http://editors.cis-india.org/internet-governance/news/the-wire-karan-saini-may-11-2018-aadhaar-remains-an-unending-security-nightmare-for-a-billion-indians</a>
</p>
No publisher | Admin | Aadhaar, Internet Governance, Privacy | 2018-05-13T16:28:40Z | News Item
India's National ID Project Brings Pain to Those it Aims to Help
http://editors.cis-india.org/internet-governance/news/ozy-aayush-soni-may-11-2018-indias-national-id-project-brings-pain-to-those-it-aims-to-help
<b>Poor management, corruption and fraud are threatening to derail the world’s largest national identity project. </b>
<p style="text-align: justify; ">The blog post by Aayush Soni was <a class="external-link" href="https://www.ozy.com/fast-forward/indias-national-id-project-brings-pain-to-those-it-aims-to-help/86381">published in Ozy.com</a> on May 11, 2018.</p>
<hr />
<p style="text-align: justify; ">For Phoolmati, a resident of the Kusumpur Pahari slum in south <a href="https://www.ozy.com/good-sht/how-delhi-went-hipster/69430" target="_blank">Delhi</a>, standing every month in a queue at the neighborhood fair-price shop was a trusted routine. When her turn came up, she would place her thumb on a scanning machine that confirmed her identity. But on a biting-cold morning this past January, she had to return home empty-handed because, the shopkeeper told her, the “server was down.”</p>
<p style="text-align: justify; ">The next day, it happened again. On her third try, Phoolmati thought she had gotten lucky when the machine scanned her thumb successfully. But she was in for a shock. “The shopkeeper told me that, according to the computer records, I’ve already taken my quota of wheat flour for the month,” she says. When she protested and showed her ration card, another form of identification, the shopkeeper wouldn’t accept it.</p>
<p style="text-align: justify; ">Left with no choice, Phoolmati had to buy wheat flour from the open market at 25 rupees per kilogram — more than 12 times the amount she usually paid at fair-price shops. She wasn’t alone. At a weekly meeting of slum residents in a temple courtyard in April, many women complained about the difficulty of buying subsidized food grains to the Satark Nagrik Sangathan (Alert Citizens Organization), a nonprofit that seeks accountability from government agencies. Nanno Devi, a 67-year-old homemaker whose fingers are wrinkled with age, said that she didn’t receive her quota of wheat flour for January because a fingerprint-scanning machine couldn’t detect her thumb impression.</p>
<p style="text-align: justify; ">Nor are the urban poor, like Phoolmati, the only ones with such complaints. Students with government scholarships, senior citizens with pensions, farmers entitled to subsidies, religious minorities and backward castes eligible for benefits, patients at public hospitals, young couples trying to get married and professionals updating their bank details are all on the front line of an unparalleled experiment that was meant to help them but is hurting them instead.</p>
<p style="text-align: justify; ">Theirs is the lived experience of <a href="https://www.ozy.com/fast-forward/whos-ready-for-the-biometric-id-revolution/30972" target="_blank">Aadhaar</a>, a unique 12-digit identity system that includes an individual’s biometrics and demographic data — and that must verify an individual’s identity for the government, increasingly, to even recognize their existence. First rolled out in 2010, it is modeled on America’s Social Security number system, with the aim that government subsidies and welfare programs reach the intended beneficiaries and aren’t siphoned off by middlemen.</p>
<p style="text-align: justify; ">But over the past three years, India’s Narendra Modi government has cajoled, pressured and often effectively forced people into enrolling for this ID, even though it isn’t required by law. Today, a person’s bank account risks being frozen if it isn’t linked to her Aadhaar number. Her PAN (permanent account number) card, used to file income tax, could be declared invalid. Mobile phone companies can disconnect her number if it isn’t authenticated through biometrics. An Aadhaar number (or an enrollment number, in case someone has already applied for it) is mandatory to open a new bank account, get a new passport, invest in mutual funds or register a marriage. A joke making the rounds on Twitter is that very soon, Aadhaar will be mandatory for a person to swipe right on Tinder.</p>
<p style="text-align: justify; ">In the absence of any privacy law, much of the concern within sections of India’s educated middle class has focused on questions about personal freedom, data security and mass surveillance. But a parallel tide of complaints is rising from those the program was meant to help, rooted in complications it has instead imposed upon them. This growing frustration is threatening to derail the initiative in a manner privacy can’t, in a nation where millions live in cramped city apartments with strangers, and the distinction between personal and public is often blurred.</p>
<p style="text-align: justify; ">Cases of fraud, mismanagement and corruption hurting Aadhaar beneficiaries are tumbling out into the public domain almost every week. In late March, hackers used weaknesses in the Aadhaar database to steal data from a government organization that manages more than $120 billion in the pensions and savings of millions of Indians. In January, a 10-year-old girl from the Dalit community — historically at the bottom of India’s caste ladder — was denied a school scholarship because officials had misnamed her on her Aadhaar card. Last October, a farm loan waiver program in Maharashtra state ran into trouble after officials discovered that 100 farmers had the same Aadhaar identity number.</p>
<p style="text-align: justify; ">The Modi government maintains that it takes both the security of personal data and the concerns of Aadhaar beneficiaries seriously. But it is reluctant to answer any questions about identity theft, corruption, privacy or misappropriated benefits. Neither Ajay Bhushan Pandey, the current CEO of the Unique Identification Authority of India (UIDAI), which runs Aadhaar, nor Vikas Shukla, its spokesperson, responded to multiple requests for comment.</p>
<p style="text-align: justify; ">At a public rally in early May, Modi — who had himself opposed the program before he came to power in 2014 — called critics of Aadhaar “opponents of technology” unwilling to evolve with the times. Increasingly, though, many are questioning whether it’s Aadhaar’s own identity that has changed the most from when the idea first came up. “From a project of inclusion, it has become a project of exclusion,” says Usha Ramanathan, a lawyer who focuses on issues of development and poverty. Just ask Phoolmati.</p>
<p style="text-align: justify; ">Aadhaar was the brainchild of Nandan Nilekani, a former CEO of tech giant Infosys, who in a 2009 book argued that multiple forms of identification made it “difficult” to establish a “definitive identity” for India’s citizens.</p>
<p style="text-align: justify; ">A single identity linked to passports, PAN cards and other national databases, Nilekani argued, would not only solve this problem but also help eliminate the exasperating processes that India’s bureaucracy is notorious for — mountains of paper, proof of identity in triplicate and a glacial pace of work. It would help citizens avail government benefits that are rightfully theirs. Such a system would reduce a citizen’s dependence on distribution mechanisms susceptible to leakages and make “the moral scruples of our bureaucrats redundant,” Nilekani wrote. “An IT-enabled, accessible national <a href="https://www.ozy.com/fast-forward/should-you-carry-a-municipal-id-card/31240" target="_blank">ID system</a> would be nothing less than revolutionary in how we distribute state benefits and welfare handouts.”</p>
<p style="text-align: justify; ">That same year, the Congress Party–led United Progressive Alliance government offered Nilekani a chance to translate his idea into reality, appointing him UIDAI chairman. Under Nilekani the UIDAI hired people from within the Indian bureaucracy as well as those outside it. The initial team of 50 included software engineers, designers and entrepreneurs from Silicon Valley as well as lawyers and policy wonks who worked at the head office in New Delhi. Each of the eight regional offices had a staff of 20.</p>
<p style="text-align: justify; ">In its early-stage avatar, the team had thought out solutions to problems such as the ones the residents of Kusumpur Pahari faced, says a policy consultant who worked with the UIDAI in 2010 and spoke on condition of anonymity. “You can use old methods and physically verify a person’s name and address [by going to their house] if biometrics aren’t working,” the consultant says. “It’s built into the architecture [of Aadhaar].” In his view, the current government under <a href="https://www.ozy.com/provocateurs/the-man-busting-narendra-modis-tall-tales/83435" target="_blank">Modi</a> — whose Bharatiya Janata Party defeated the Congress Party and came to power in 2014 — and the UIDAI setup have made a “mess” of the program. He also believes that the goal has shifted from inclusion to mass enrollment. Nilekani did not respond to a request for comment.</p>
<p style="text-align: justify; ">For sure, Aadhaar has staunch supporters too, who argue that it has helped reduce the misuse of government subsidies. In July 2017, India’s junior minister for consumer affairs, food and public distribution, C.R. Chaudhary, told the country’s Parliament that Aadhaar had helped the government delete nearly 25 million fake ration cards that the poor use to access subsidized food ingredients.</p>
<p style="text-align: justify; ">“This unnecessary fearmongering around Aadhaar is uncalled for,” says Sanjay Anandaram of iSpirit, a software industry think tank. In his view, it’s “last-mile deployment challenges” like fingerprint authentication, one-time-password systems and server glitches that need to be fixed, not Aadhaar. He juxtaposes anecdotal examples of people struggling to gain benefits with the “larger purpose” he believes Aadhaar serves. “It is a revolutionary system to ensure governance improves — especially for centrally administered programs,” he says.</p>
<p style="text-align: justify; ">The UIDAI has made some efforts too, if not to improve security of personal data then at least to allow citizens to check whether their Aadhaar identity has been misused. They can go online and view any occasions when their Aadhaar identity was used to access benefits.</p>
<p style="text-align: justify; ">But for millions of Indians dependent on subsidies, pensions, scholarships and other benefits, the concerns go well beyond privacy. Getting an Aadhaar identity can be a struggle. Earlier this year, the Punjab government conceded that it can’t process nearly 200,000 farm loan waiver claims either because intended beneficiaries don’t have Aadhaar cards or because the UIDAI is still processing their applications. At the same time, not signing on to Aadhaar is increasingly not an option. In February 2017, Chaudhary’s ministry made it mandatory for individuals to have an Aadhaar card to access subsidized food grains. Then, in October, an 11-year-old girl died of starvation in the central state of Jharkhand because the local ration dealer refused to give her family food grains for six months, as they had not linked their ration cards to Aadhaar. Facing criticism, the government asked states not to deny the poor the food grains they are entitled to, but the incident underscored how the Aadhaar initiative is cutting the needy off from subsidy access, rather than helping them, suggests Ramanathan, the lawyer. “People are dying because of Aadhaar,” she says.</p>
<p style="text-align: justify; ">But the <a href="https://www.ozy.com/rising-stars/can-modis-new-nemesis-take-down-the-prime-minister/85152" target="_blank">Modi government</a> has shown no signs of rethinking either the ways in which Aadhaar appears to hurt the poorest in Indian society or its data security protocols. Instead, it has appeared keener to target whistle-blowers pointing out weaknesses in the initiative.</p>
<p style="text-align: justify; ">It cost Rachna Khaira, a reporter, only 500 rupees ($7.50) to access the entire Aadhaar database — the names, addresses, fingerprint scans, iris scans, mobile phone numbers, email addresses, postal index numbers (PINs) and Aadhaar numbers of 830 million Indians. She “purchased” the service offered by anonymous sellers on WhatsApp and transferred the money via Paytm, a popular digital wallet company, to an “agent,” who created a “gateway” for Khaira. He then gave her a log-in ID and a password to that gateway, which allowed Khaira unrestricted access to the Aadhaar database. Her report, published in January in <em>The Tribune</em>, one of India’s oldest English dailies, created a national stir. Instead of trying to plug the holes the report had revealed, the UIDAI filed criminal cases against Khaira and the newspaper, accusing them of breaching privacy.</p>
<p style="text-align: justify; ">Khaira’s wasn’t the first piece of evidence to expose the vulnerability of the Aadhaar database. In May 2017, a report by the Centre for Internet and Society, a nonprofit organization, claimed that 130 million to 135 million Aadhaar numbers were published on four websites: the National Social Assistance Programme, the National Rural Employment Guarantee Scheme and two projects run by Andhra Pradesh state. “This is the largest exercise in the world of the conversion of public information into an asset and then its privatization,” says Nikhil Pahwa, editor of MediaNama and a critic of Aadhaar.</p>
<p style="text-align: justify; ">These breaches of security highlight corruption and mismanagement that belie claims the government continues to peddle. In April 2017, Ravi Shankar Prasad, India’s minister of information and technology, told Parliament that “Aadhaar is robust. Aadhaar is safe. Aadhaar is secure, and totally accountable.” The government hasn’t appeared too perturbed by privacy concerns. On July 22, 2015, Mukul Rohatgi, the then attorney general, argued before the country’s Supreme Court that “the right of privacy is not a guaranteed right under our constitution.” That set off a two-year-long hearing before a nine-judge bench of the court, which unanimously ruled in 2017 that the right to privacy was indeed a fundamental right.</p>
<p style="text-align: justify; ">The criticism from social groups Aadhaar was meant to benefit, though, has left the Modi administration on the defensive. Since the passage of the 2016 Aadhaar law, civil society activists have filed 12 petitions in the <a href="https://www.ozy.com/provocateurs/why-this-rohingya-refugee-is-taking-on-indias-government/82487" target="_blank">Supreme Court</a> challenging its legality. In January, the All India Kisan Sabha, one of India’s largest farmer organizations with millions of members, petitioned the top court against government moves to link subsidies to Aadhaar identities. Some leaders from Modi’s party, the BJP, have also started questioning their own government in Parliament about cases of beneficiaries denied their due because of the Aadhaar program. The Supreme Court, which is holding regular hearings on the case, has extended indefinitely the date by which citizens must link all identity documents to their Aadhaar number, until it rules on the validity of the legislation. At stake is the trust the Indian people can place in their government.</p>
<p style="text-align: justify; ">Back in Kusumpur Pahari, much of that trust has already eroded. In his 2014 election campaign, Modi had promised to stand guard as a <em>chaukidaar</em> (watchman) over the country’s resources, to prevent corruption. But when someone illegally withdrew Phoolmati’s grains by using her Aadhaar identity, the watchman wasn’t able to stop the theft.</p>
<p style="text-align: justify; ">For Phoolmati and other residents of Kusumpur Pahari, their ration cards guaranteed them food, and were a rare pillar of certainty in an unstable life. The Aadhaar-linked fingerprint authentication system is a source of frustration, and they don’t want it, they make clear at their weekly meeting. They now get their ration some months, and other months they don’t. Life on the fringes of society was already tough. Aadhaar, they say, has made it harder still.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/ozy-aayush-soni-may-11-2018-indias-national-id-project-brings-pain-to-those-it-aims-to-help'>http://editors.cis-india.org/internet-governance/news/ozy-aayush-soni-may-11-2018-indias-national-id-project-brings-pain-to-those-it-aims-to-help</a>
</p>
No publisher | Admin | Aadhaar, Internet Governance, Privacy | 2018-05-12T00:53:39Z | News Item
Aadhaar data of over 89 lakh MNREGA workers in Andhra Pradesh leaked online
http://editors.cis-india.org/internet-governance/news/new-indian-express-april-26-2018-aadhaar-data-over-89-lakh-mnrega-workers-in-andhra-pradesh-leaked-online
<b>Independent security researcher Kodali Srinivas tweeted screenshots of Aadhaar data of 89,38,138 MNREGA workers available on the Andhra Pradesh Benefit Disbursement Portal.</b>
<p style="text-align: justify; ">The article was <a class="external-link" href="http://www.newindianexpress.com/states/andhra-pradesh/2018/apr/26/aadhaar-data-of-over-89-lakh-mnrega-workers-in-andhra-pradesh-leaked-online-1806717.html">published in New Indian Express</a> on April 27, 2018.</p>
<hr />
<p style="text-align: justify; ">Independent security researcher Kodali Srinivas, who exposed the leakage of Aadhaar and other personal data of 1.34 lakh beneficiaries on the State Housing Corporation website, on Thursday tweeted screenshots of Aadhaar data of 89,38,138 MNREGA workers available on the Andhra Pradesh Benefit Disbursement Portal, which is maintained by APOnline, a joint venture between the Tata Consultancy Services (TCS) and the State government.</p>
<p style="text-align: justify; ">Hours after he blew the whistle, the website administrators began masking the data. In May 2017, Srinivas had co-authored a report for the Centre for Internet and Society, exposing how the Aadhaar data of 13.5 crore card holders was leaked online. The data was then leaked by four government portals, National Social Assistance Programme, National Rural Employment Guarantee Scheme, Chandranna Bima Scheme of the Government of Andhra Pradesh and Daily Online Payment Reports of NREGA of the Government of Andhra Pradesh.</p>
<p style="text-align: justify; ">It appears that almost a year later, nothing much has changed. Srinivas told TNIE he had sent a mail to the chief operating officer, APOnline and Universal Identification Authority of India, the National Critical Information Infrastructure Protection Centre, and CERT-In, the Centre's cyber response wing. When contacted, Balasubramanyam, Joint Secretary (NREGS) told TNIE, "I have seen it. It is Benefit Disbursement Portal... not maintained by us. We have been very careful ever since that massive leak of data last year."</p>
<p style="text-align: justify; ">Executive (operations), APOnline, S Chandramouleeswara Reddy refused comment saying that he was not the competent authority to speak on the issue. APOnline developed ICT solution for MGNREGA scheme, a framework involving Department of Posts, for disbursement of entitlements after accurate authentication of the entitlements through finger print authentication. TCS implements the ICT solution for MGNREGA in the State.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/new-indian-express-april-26-2018-aadhaar-data-over-89-lakh-mnrega-workers-in-andhra-pradesh-leaked-online'>http://editors.cis-india.org/internet-governance/news/new-indian-express-april-26-2018-aadhaar-data-over-89-lakh-mnrega-workers-in-andhra-pradesh-leaked-online</a>
</p>
No publisher | Admin | Aadhaar | Internet Governance | Privacy | 2018-05-05T08:43:53Z | News Item
Pension won’t be denied for want of Aadhaar, says EPFO
http://editors.cis-india.org/internet-governance/news/livemint-prashant-k-nanda-and-komal-gupta-pension-wont-be-denied-for-want-of-aadhaar-epfo
<b>The move is aimed at ensuring that no retired government employee is deprived of pension for want of Aadhaar or failure of fingerprint authentication.</b>
<p style="text-align: justify; ">The article by Prashant K. Nanda and Komal Gupta published by <a class="external-link" href="https://www.livemint.com/Politics/J0wTnWuLVVNsejAcJygdRO/Dont-delay-pension-disbursal-in-pretext-of-Aadhaar-linking.html">Livemint</a> on April 11, 2018 quoted Pranesh Prakash.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Tens of thousands of pensioners under the employees pension scheme will not be denied their monthly pension if their Aadhaar authentication fails or they do not have the 12-digit unique ID, the Employees Provident Fund Organisation (EPFO) has indicated.</p>
<p style="text-align: justify; ">The retirement fund manager has asked banks and post offices to facilitate pension disbursement without making senior citizens do the rounds.</p>
<p style="text-align: justify; ">The move comes after EPFO received several complaints of denial of pension by banks.</p>
<p style="text-align: justify; "><span>For paying pension to those whose fingerprint authentication fails, “banks may make provisions for iris scanner, along with the fingerprint scanner in bank branches. It has been observed that in many cases, iris authentication is successful even though fingerprint authentication may have failed. This is particularly true for many senior citizens. In such cases, digital life certificate may be generated on the basis of iris authentication and pension may be given,” the EPFO said in a circular on Monday.</span></p>
<p style="text-align: justify; ">And when both iris and fingerprint authentication are not feasible, “an entry should be made in the exception register with reasons and pension may be provided on the basis of paper life certificate and physical Aadhaar card or E-Aadhaar card of the pensioner after due verification as deemed fit by the bank,” the circular said.</p>
<p style="text-align: justify; ">The move is aimed at ensuring that no senior citizen is deprived of pension for want of Aadhaar or failure of fingerprint authentication.</p>
<p style="text-align: justify; "><span>Banks have been advised to ensure that benefits of the pension scheme reach the citizens and a proper mechanism for “handling exceptions” is put in place.</span></p>
<p style="text-align: justify; ">“Banks should make special arrangements for the bed-ridden, differently abled, or senior citizens who are unable to visit the Aadhaar enrolment centre,” the circular said.</p>
<p style="text-align: justify; ">EPFO has also instructed pension disbursing banks and post offices to make necessary arrangements for enrolling pensioners for Aadhaar and to carry out authentication through iris, especially for those who cannot be verified through fingerprints.</p>
<p style="text-align: justify; "><span>The Unique Identification Authority of India (UIDAI) has been under the scanner over the past few months over allegations of access to pension being denied as the fingerprints of the elderly do not match biometrics in the Aadhaar database.</span></p>
<p style="text-align: justify; ">So far, pensioners had to furnish a life certificate and needed to authenticate it using biometrics.</p>
<p style="text-align: justify; ">“The fact that it is coming now means that the Unique Identification Authority of India’s claim in the Supreme Court about no person having been denied any benefit due to the lack of Aadhaar is simply untrue,” said Bengaluru-based Pranesh Prakash, an affiliated fellow with the Yale Law School’s Information Society Project that works on issues related to the intersection of law, technology and society.</p>
<p style="text-align: justify; "><span>Prakash, however, welcomed EPFO’s move laying down “a procedure both for those who don’t have an Aadhaar number, as well as those whose biometrics fail for any reason”.</span></p>
<p style="text-align: justify; ">Prakash further said that “as per the UIDAI’s own data, failure rates for iris authentication are higher (8.54%) than for fingerprints (6%). So the utility of pushing for iris authentication is unclear.”</p>
<p style="text-align: justify; ">There are more than 1.2 billion Aadhaar holders in the country.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/livemint-prashant-k-nanda-and-komal-gupta-pension-wont-be-denied-for-want-of-aadhaar-epfo'>http://editors.cis-india.org/internet-governance/news/livemint-prashant-k-nanda-and-komal-gupta-pension-wont-be-denied-for-want-of-aadhaar-epfo</a>
</p>
No publisher | Admin | Aadhaar | Internet Governance | 2018-04-10T22:33:39Z | News Item
UIDAI servers or third parties, Aadhaar leaks are dangerous: Experts
http://editors.cis-india.org/internet-governance/news/business-standard-mayank-jain-march-27-2018-uidai-servers-or-third-parties-aadhaar-leaks-are-dangerous-experts
<b>Even though the UIDAI has denied these reports, its arguments rest on shaky grounds, according to experts.</b>
<p style="text-align: justify; ">The article by Mayank Jain was published in <a class="external-link" href="http://www.business-standard.com/article/current-affairs/uidai-servers-or-third-parties-aadhaar-leaks-are-dangerous-experts-118032601008_1.html">Business Standard</a> on March 27, 2018. Pranesh Prakash was quoted.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The government has told the Supreme Court that the Aadhaar data “remains safely behind 13-feet high walls” and it will take “the age of the universe” to break one key in the Unique Identification Authority of India’s (UIDAI’s) encryption.</p>
<p style="text-align: justify; ">Even if this claim is taken at face value, experts suggest leaks from third-party databases seeded with Aadhaar numbers are equally dangerous and the UIDAI is responsible for the damage. <span>The most recent case came from a report published online and it said random numbers could provide access to the Aadhaar data, which also includes people’s financial information, from a state-owned company’s database. </span><span>Even though the UIDAI has denied these reports, its arguments rest on shaky grounds, according to experts.</span></p>
<p style="text-align: justify; ">“There is no truth in this story as there has been absolutely no breach of the UIDAI’s Aadhaar database. Aadhaar remains safe and secure,” the UIDAI said on Twitter shortly after the story broke on ZDNet. The authority added even if the report was taken to be true, “it would raise security concerns on the database of that Utility Company and has nothing to do with the security of the UIDAI’s Aadhaar database”. This has been the authority’s defence in several such cases but those in the know of things say it doesn’t hold water simply because the Aadhaar data is not concentrated in the UIDAI’s complexes anymore and has spread across various databases.</p>
<p style="text-align: justify; ">“Publishing this by the state entities is a violation under the Aadhaar Act. Even if you publish your Aadhaar number, it is a violation of the law,” said Pranesh Prakash, policy director at the Centre for Internet and Society. “Saying that the UIDAI has not been compromised is thoroughly insufficient because for customers, it doesn’t matter if the leak comes from servers operated by the UIDAI or from others holding copies of the UIDAI database.” Prakash said it should be the authority’s responsibility to help others comply with the law and prevent data leaks. He gave the example of biometric leaks from Gujarat government servers and how criminals used them to forge fingerprints.</p>
<p style="text-align: justify; ">The possibility of data leaks was demonstrated when Robert Baptiste, purportedly a French app developer, announced on Twitter how he got access to thousands of scanned Aadhaar card copies through simple Google searches. In an interview to Business Standard, Baptiste said the major threat was data handling by third parties, which could lead to identity theft.</p>
<p style="text-align: justify; ">Even the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, has provisions that debar making citizens’ Aadhaar-related information public unless required for certain purposes. “Whoever intentionally discloses, transmits, copies or otherwise disseminates any identity information collected in the course of enrolment or authentication to any person not authorised under this Act” can be in jail for three years and pay a fine of ₹10,000 under the Act. A lawyer appearing on the petitioners’ side in the ongoing Supreme Court case on the constitutional validity of Aadhaar said only the UIDAI had the powers to file cases against people who published Aadhaar information. Hence everyone else is helpless despite the leaks.</p>
<p style="text-align: justify; ">The UIDAI’s argument that Aadhaar information can’t be misused is duplicitous because the regulations under the Aadhaar Act assure individuals that if biometric authentication fails, they should have other means of identifying themselves, says Kiran Jonnalagadda, founder of HasGeek. “So the regulations guarantee that anyone in possession of stolen identity information will be able to misuse it without biometric authentication,” he said.</p>
<p style="text-align: justify; ">Prakash agreed with this. He said demographic authentication, which is an acceptable authentication method under the Aadhaar Act, was prone to misuse as long as Aadhaar numbers remained public. “Aadhaar is used as just a piece of paper, unlike security features embedded in passports or even permanent account number cards. Thus, demographic authentication merely involves providing Aadhaar numbers and details like addresses, which can be used even for things like getting entry into an airport by just printing a ticket and having a fake Aadhaar,” he said.</p>
<p style="text-align: justify; "><em>Queries sent to the UIDAI were not answered till the time of going to press</em></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/business-standard-mayank-jain-march-27-2018-uidai-servers-or-third-parties-aadhaar-leaks-are-dangerous-experts'>http://editors.cis-india.org/internet-governance/news/business-standard-mayank-jain-march-27-2018-uidai-servers-or-third-parties-aadhaar-leaks-are-dangerous-experts</a>
</p>
No publisher | Admin | Aadhaar | Internet Governance | Privacy | 2018-03-27T02:16:55Z | News Item
Security experts say need to secure Aadhaar ecosystem, warn about third party leaks
http://editors.cis-india.org/internet-governance/news/economic-times-march-26-2018-nilesh-christopher-security-experts-say-need-to-secure-aadhaar-ecosystem-warn-about-third-party-leaks
<b>The public reckoning of data leaks in India’s national ID database, Aadhaar, is still on hold while reports of data leakage through third-parties keep coming.</b>
<p style="text-align: justify; ">The article by Nilesh Christopher was published in <a class="external-link" href="https://economictimes.indiatimes.com/news/politics-and-nation/there-is-a-need-to-secure-full-aadhaar-ecosystem-experts/articleshow/63459367.cms">Economic Times</a> on March 26, 2018. Sunil Abraham was quoted.</p>
<hr />
<p style="text-align: justify; ">While the Unique Identification Authority of India (UIDAI) has maintained that its database is secure and there are no breaches of <a class="external-link" href="https://economictimes.indiatimes.com/topic/Aadhaar">Aadhaar</a> data from its system, security researchers warn that leaks are happening in third-party sites and it is important for the agency to ensure that its ecosystem adopts measures to keep data safe.</p>
<p style="text-align: justify; ">“Securing an entire ecosystem is more important than secure individual databases,” said security researcher Srinivas Kodali. Over the weekend, technology publication <a class="external-link" href="https://economictimes.indiatimes.com/topic/ZDnet">ZDnet</a>, citing an Indian security researcher, said that it identified Aadhaar data leaks on a system run by a state-owned utility company <a class="external-link" href="https://economictimes.indiatimes.com/topic/Indane">Indane</a> that allowed anyone to access sensitive information like a name, Aadhaar number, bank details. The leak was plugged soon after the report appeared.</p>
<p style="text-align: justify; ">UIDAI came out with a strong statement denying the breach. “There is no truth in the story as there has been absolutely no breach of UIDAI’s Aadhaar database. Aadhaar remains safe and secure,” the government agency said.</p>
<p style="text-align: justify; ">There have been no reports of any breach in the core database so far. However, it is the third-parties that have acted as weak links.</p>
<p style="text-align: justify; ">“The simple parallel that can be drawn is, though Facebook’s core database of users information was secure, the data leak happened through third-party developers and organisation like Cambridge Analytica that have allegedly misused it,” Kodali said.</p>
<p style="text-align: justify; ">In case of Aadhaar too, the allegations of breaches have not been on ‘Aadhaar database’ but rather at insecure government websites and third-parties with API access to the database. “In this aspect, the issue in Facebook and Aadhaar is similar. In both the cases there was no breach of database, but it was third parties that acted as the weakest link. In both cases, it was a legitimate means of access through API that was open for abuse,” said Sunil Abraham, executive director, Centre for Internet and Society.</p>
<p style="text-align: justify; ">UIDAI could take a leaf from Indian Space Research Organisation while handling <a class="external-link" href="https://economictimes.indiatimes.com/topic/data-breach">data breach</a> reports. The state-run space agency put out a note appreciating security researchers for their efforts. An email ID to report flaws is more important than summoning people regarding data breaches.</p>
<p style="text-align: justify; ">“The fear of criminal prosecution hanging over the heads of ethical hackers would not help us develop a robust and strong security architecture,” said Karan Saini, a Delhi-based security researcher who first highlighted the Aadhaar leak at Indane.</p>
<p style="text-align: justify; ">“UIDAI is working on a policy to enable security experts to report issues in a legal and safe manner,” tweeted Ajay Bhushan Pandey, chief executive of India's Unique Identification Authority (UIDAI), the government department that administers the Aadhaar database. Seven months after the tweet, Pandey’s promise of a bug-reporting mechanism has still not fructified.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/economic-times-march-26-2018-nilesh-christopher-security-experts-say-need-to-secure-aadhaar-ecosystem-warn-about-third-party-leaks'>http://editors.cis-india.org/internet-governance/news/economic-times-march-26-2018-nilesh-christopher-security-experts-say-need-to-secure-aadhaar-ecosystem-warn-about-third-party-leaks</a>
</p>
No publisher | Admin | Aadhaar | Internet Governance | Privacy | 2018-03-26T22:37:30Z | News Item
Aadhaar safety
http://editors.cis-india.org/internet-governance/news/asian-age-march-25-2018-aadhaar-safety
<b>We get experts to give their take on a current issue each week and lend their perspective to a much-discussed topic.</b>
<p style="text-align: justify; ">The article was published in <a class="external-link" href="http://www.asianage.com/life/more-features/250318/aadhaar-safety.html">Asian Age</a> on March 25, 2018.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Attorney General K. K. Venugopal claiming before a five-judge constitutional Bench of the Supreme Court that Aadhaar data remains safe and secure behind a complex with 13-ft high and 5-ft thick walls has resulted in a series of trolls and hilarious responses. We ask tech experts if this is the proper way to ensure safety of digital data and their opinions on alternatives, if any, to keep public data safe.</p>
<p style="text-align: justify; "><strong>‘Safety claims are bogus’<br /><em>Hrishikesh Bhaskaran, Privacy Activist</em></strong><br />Aadhaar safety claims are bogus. It is vulnerable and its vulnerabilities were pointed out by many information security experts in the past. If someone says that a 13-ft high 5-ft thick wall complex is protecting your digital data (which is well connected to the outside network) be sure that a village is missing its idiot. Digital data leak almost always happens through the network. Multiple cases were reported about the Aadhaar data leak (The Tribune report for example). Many government sites are leaking Aadhaar details of citizens and are available publicly through a simple Google search. (Read as the data are already in public without anyone hacking into it).</p>
<p style="text-align: justify; ">The system is defective by design and is maintained by mediocre talents and technology. I feel that their claims about the huge walled protection are a tactic to divert discussion on the human rights angle because otherwise, the government will have no choice but to scrap the whole Aadhaar idea. The only way to protect the personal data of citizens is to start afresh.</p>
<p style="text-align: justify; "><strong>‘Multi-level security assumes added significance’<br /><em>Jaideep Mehta, CEO of VCCircle.com</em></strong><br />Physical security is an important component in the overall security architecture. In addition there is a need to protect the data with multiple levels of cyber security including data encryption, bio-metric driven access, protection against malware and so on. Multi-dimensional security assumes added significance as this is a nationally important database.</p>
<p style="text-align: justify; "><strong>‘Tightening system, or line of human command more important’<br /><em>Ershad Kaleebullah, Technology Editor</em></strong><br />There are right ways to secure digital data. I know of solutions at the individual user level. But for something of Aadhaar’s size the security of digital data will obviously happen at a much, much larger scale. All the resident data and raw biometrics are stored in UIDAI’s datacentre and even fortifying it with the world’s thickest and tallest wall is not going to protect them. I’m really not sure of any foolproof data security systems in the world at that scale. Tightening the system or the line of human command is more important. If Snowden can walk out of NSA with highly confidential information on a lowly thumb drive, Aadhaar data can be easily hacked. If I have to be blunt here, Indians can’t keep a secret to save their lives.</p>
<p style="text-align: justify; "><strong>‘Your data security is in your hands, always be cautious’<br /><em>Viraj Kumar Pratapwant, Senior Software Design Engineer</em></strong><br />First off, no hacker is going to run into a data center and rob data disks. The idea to construct high and thick walls will make anyone chuckle. Speaking about alternatives, let's talk about data. Basically there are two types of data: Data in Motion and Data at Rest. With the right set of firewalls guarding these two kinds will ensure some amount of security. Sensitive and vital information should always be encrypted and kept out of reach for any external source to access this data. Having multiple steps of verification could help the user safeguard his authenticity. Your data and privacy are the most important factor, they should only be shared with trusted sources and with your consent. A lot of data are going digital and soon our lives will completely rely on digital data. The government should enforce strict vigilance to public data. They should make sure that the consumers should follow all the security guidelines and must prove that the data will be saved responsibly. Any compromise caused by any sources should be penalised by law. Lastly, your data security is in your hands, always be cautious about who and where you are giving the data.</p>
<p style="text-align: justify; "><em><strong>Sunil Abraham, Executive Director at Centre for Internet and Society</strong></em><br />Encryption, regardless of the key length, is only useful when citizens have absolute control of the private key. If the UIDAI had gone with smart cards my private key would have only been stored on my smart card. Even though the data is encrypted in the CIDR, the deduplication software needs to compare the biometric of the person getting enrolled with the unencrypted biometric of others already in the database. This means that the engineer who controls the software has access to the whole biometric database. If a foreign state installs a Trojan on the engineer's system it can get into the CIDR. The deduplication software is a proprietary black box software which is owned by a foreign corporation. We don't know what hidden capabilities are there in this software.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/asian-age-march-25-2018-aadhaar-safety'>http://editors.cis-india.org/internet-governance/news/asian-age-march-25-2018-aadhaar-safety</a>
</p>
No publisher | Admin | Aadhaar | Internet Governance | Privacy | 2018-03-26T17:09:26Z | News Item