The Centre for Internet and Society
http://editors.cis-india.org
Now, Aadhaar details displayed in Mizoram too
http://editors.cis-india.org/internet-governance/news/national-herald-sebastian-pt-april-26-2017-now-aadhaar-details-displayed-in-mizoram-too
<b>Contrary to the Centre’s assurances, government websites are revealing digital details of the poor, leaving them vulnerable to financial frauds and identity theft.</b>
<p>The article by Sebastian PT was <a class="external-link" href="https://www.nationalheraldindia.com/news/2017/04/26/aadhaar-details-displayed-in-mizoram-jharkhand-chandigarh-financial-fraud-violating-supreme-court-order">published in the National Herald</a> on April 26, 2017. Sunil Abraham was quoted.</p>
<hr />
<p style="text-align: justify; ">Could there be a method to the madness? Or is it just carelessness? From the Jharkhand Government to the Union Territory of Chandigarh to the Union Ministry of Water and Sanitation to even Mizoram’s Food and Civil Supplies Department, government websites are found to have displayed Aadhaar details of citizens, a crime under the law.</p>
<p style="text-align: justify; ">In Jharkhand, details of 16 lakh beneficiaries – their bank account details, ration card and the 12-digit Aadhaar number – were displayed on the website of the Directorate of Social Security. Similar blunders were witnessed from different corners of the country from Chandigarh to Kerala, where details of 35 lakh people have been breached. This flies in the face of the Government’s repeated claims on data privacy, that Aadhaar details are completely safe.</p>
<p style="text-align: justify; ">The law doesn’t allow this. The displaying of the Aadhaar data, for instance, is in clear violation of Section 29 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016. The provision clearly says that “no” Aadhaar number or core biometric information of an Aadhaar number holder shall be “published, displayed or posted publicly”.<br /><br />“There appears to be no regulation worth the name as far as the Aadhaar project is concerned,” says economist Reetika Khera from IIT Delhi.<br /><br />So, will these officials responsible be punished according to the Act? More importantly, what about the damage of leaking such sensitive, apparently confidential data?</p>
<h3 style="text-align: justify; ">Irreparable Damage</h3>
<p style="text-align: justify; ">Several cyber security experts have been warning of the possibility of precisely such leaks and Opposition parties were vociferously pointing this out while the Centre was brazenly violating the Supreme Court’s orders and forcibly extending Aadhaar to almost everything – including it being linked to one’s Permanent Account Number (PAN), used for filing income tax.</p>
<p style="text-align: justify; ">“What has been broken through technology, can’t be fixed with the law,” says Sunil Abraham, Executive Director of Bangalore-based research organisation, the Centre for Internet and Society.</p>
<p style="text-align: justify; ">The data breach has just made it easy for players in the black market for ID (identification) documents to lap up the details and create false ID cards, for instance.</p>
<p style="text-align: justify; ">When demonetisation was being implemented, sources say that black money hoarders apparently bought fake IDs which were made from stolen Aadhaar details to get the old notes exchanged – one way for doing this was perhaps by opening new bank accounts or to, say, utilise unused Jan Dhan accounts to deposit the money. Now, one can only imagine what terrorists can do with these details.</p>
<p style="text-align: justify; ">So far, perhaps, the only solace is that the biometric details of the beneficiaries weren’t leaked. But, against the backdrop of the lax attitude of the various government departments, even that is just waiting to happen, experts fear.</p>
<p style="text-align: justify; ">Abraham warns that Aadhaar was always a risky proposition as it was based on biometrics, which “made it very insecure”. He terms it a “mass surveillance technology” – and a poorly designed one at that – which, in fact, “undermines security”. Once biometric data are compromised, they cannot be secured again. Instead of biometrics, he suggests the UIDAI shift to using smart cards.</p>
<p style="text-align: justify; ">The unfettered forcible linking of almost everything – from bank accounts to one’s PAN card – to Aadhaar only makes things worse. “The Centre is ‘seeding’ the various databases with the Aadhaar number, which is a very bad move. And, involving various private and public agencies in this only makes the entire thing very precarious,” warns Abraham. He points out that, for instance, when the PAN cards are linked with the Aadhaar number, a breach is made possible.</p>
<p style="text-align: justify; ">He says the government should adopt the ‘tokenisation approach’ instead of the ‘seeding approach’. What this means is that, say, if the PAN card is to be linked to Aadhaar, then UIDAI issues a token number and not the original 12-digit Aadhaar number. So, even if a breach happens, the hacker will not be able to get all the Aadhaar details, he says.</p>
<p style="text-align: justify; ">However, the government does not seem to be taking the issue of privacy very seriously. What perhaps is not being understood is that this is not just a privacy issue, but making the masses vulnerable to frauds. Instead of treading cautiously in implementing Aadhaar, the government seems to be in a hurry to extend it to almost every possible silo in an individual’s life.</p>
<p style="text-align: justify; ">“Given the callous attitude of central and state governments, I hope that the Supreme Court will stop the government from a forced linking of Aadhaar, on the one hand, and bank accounts and PAN numbers on the other hand,” says Khera.</p>
No publisher; praskrishna; Aadhaar; Internet Governance; Privacy; 2017-04-27T16:59:37Z; News Item
Aadhaar: A widening net
http://editors.cis-india.org/internet-governance/news/livemint-april-21-2017-komal-gupta-apurva-vishwanath-suranjana-roy-aadhaar-a-widening-net
<b>As India makes Aadhaar compulsory for a range of services, concerns about potential data breaches remain more than six years after the govt started building the world’s largest biometric identification system.</b>
<p>The article by Komal Gupta, Apurva Vishwanath and Suranjana Roy was <a class="external-link" href="http://www.livemint.com/Politics/eTxrtAxzFq738LzFdx7yXK/Aadhaar-A-widening-net.html">published in Livemint</a> on April 21, 2017. Pranesh Prakash was quoted.</p>
<hr />
<p style="text-align: center; "><img alt="The Aadhaar project, under which a 12-digit identification number is to be allotted to every Indian resident, was originally supposed to be a way of plugging leakages in the delivery of state benefits such as subsidized grains to the poor. Photo: Priyanka Parashar/Mint" class="img-responsive" height="378" src="http://www.livemint.com/rf/Image-621x414/LiveMint/Period2/2017/04/21/Photos/Processed/asia-cover.JPG" title="The Aadhaar project, under which a 12-digit identification number is to be allotted to every Indian resident, was originally supposed to be a way of plugging leakages in the delivery of state benefits such as subsidized grains to the poor. Photo: Priyanka Parashar/Mint" width="582" /></p>
<p>On 29 March, a storm broke out on social media after private data that former Indian cricket captain M.S. Dhoni had furnished to get enrolled in India’s unique identity system, known as Aadhaar, were leaked online.</p>
<p style="text-align: justify; ">The popular cricketer’s wife, Sakshi, flagged the matter on Twitter, tagging information technology (IT) minister Ravi Shankar Prasad. “Is there any privacy left? Information of Aadhaar card, including application, is made public property,” Sakshi fumed on the microblogging site.</p>
<p>The minister replied: “Sharing personal information is illegal. Serious action will be taken against this.”</p>
<p style="text-align: justify; ">It turned out to be the fault of an overenthusiastic common services centre in Dhoni’s home town of Ranchi licensed to enrol people in Aadhaar. The centre was promptly blacklisted. “We have ordered further inquiry on the matter and action will be taken against all those involved in the leak,” said Ajay Bhushan Pandey, chief executive officer of the Unique Identification Authority of India (UIDAI), which administers Aadhaar.</p>
<p style="text-align: justify; ">The matter blew over soon enough, but it served to illustrate the lingering concerns about potential data breaches and privacy violations surrounding Aadhaar, which has become the world’s largest biometric identification database with 1.13 billion people enrolled in it in the past six years.</p>
<p style="text-align: justify; ">The project, under which a 12-digit identification number is to be allotted to every Indian resident, was originally supposed to be a way of plugging leakages in the delivery of state benefits such as subsidized grains to the poor.</p>
<p style="text-align: justify; ">It has now become mandatory for everything ranging from opening a bank account and getting a driver’s licence or a mobile phone connection to filing of income tax returns. Even government school students entitled to a free mid-day meal need an Aadhaar number.</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/AadhaarMint.jpg" alt="Aadhaar " class="image-inline" title="Aadhaar " /></p>
<p style="text-align: justify; ">The use of Aadhaar has only expanded with the government going on an overdrive to promote cashless transactions and payment systems linked to the biometric ID system after banning old, high-value bank notes in November in a crackdown on unaccounted wealth hidden away from the taxman.</p>
<p style="text-align: justify; ">For instance, the Aadhaar-Enabled Payment System (AEPS) empowers a bank customer to use Aadhaar as her identity to access her Aadhaar-enabled bank account and perform basic banking transactions like cash deposit or withdrawal through a bank agent or business correspondent.<br /><br />The customer can carry out transactions by scanning her fingerprint at any micro ATM or biometric point-of-sale (POS) terminal, and entering the Aadhaar number linked to the bank account. A merchant-led model of AEPS, called Aadhaar Pay, has also been launched.<br /><br />Last week, Prime Minister Narendra Modi launched the BHIM-Aadhaar platform—a merchant interface linking the unique identification number to the Bharat Interface for Money (BHIM) mobile application. This will enable merchants to receive payments through fingerprint scans of customers.<br /><br />“Any citizen without access to smartphones, Internet, debit or credit cards will be able to transact digitally through the BHIM-Aadhaar platform,” a government statement said.<br /><br />Aadhaar’s growing importance in the economy has only served to deepen concerns about potential data breaches. And there are other concerns as well.<br /><br />For instance, the Aadhaar biometric authentication failure rate in the rural job guarantee scheme, which assures 100 days of work a year to one member of every rural household, is as high as 36% in the southern state of Telangana, according to data released by the state government.<br /><br />“Aadhaar is supposed to be an enabler and it will happen only when it is made voluntary. 
Biometric authentications might fail due to poor data connectivity and transactions might not happen even though the Aadhaar number of the person is there; so, what’s the benefit,” asked Pranesh Prakash, policy director of the Centre for Internet and Society, a Bengaluru-based think tank.<br /><br />Aadhaar was the brainchild of the previous United Progressive Alliance (UPA) government, which lost power in the 2014 general election to the National Democratic Alliance (NDA). The first 10 Aadhaar numbers were handed over to residents of a small village called Tembhli in Maharashtra on 29 September 2010 in the presence of then prime minister Manmohan Singh, Congress party president Sonia Gandhi and Aadhaar’s chief architect Nandan Nilekani, a co-founder of software services giant Infosys Ltd.</p>
<p style="text-align: justify; ">After coming to power, the NDA systematically went about making Aadhaar the pivot of government welfare programmes. In March last year, Parliament passed the Aadhaar Bill to make the use of Aadhaar mandatory for availing of government subsidies despite resistance from opposition parties.<br /><br />Last month, finance minister Arun Jaitley said the 12-digit number would eventually become a single, monolithic proof of identity for every Indian, replacing every other identity card.<br /><br />To be sure, Aadhaar has helped the government better target beneficiaries of its welfare programmes, cutting out middlemen and corruption. For instance, the government claims to have saved about Rs50,000 crore in cooking gas subsidies by linking the Aadhaar number with bank accounts in which the subsidy is directly transferred.<br /><br />Yet, Aadhaar has its critics, who have challenged the project on grounds including potential compromise of national security, violation of the right to privacy and exclusion of people from welfare programmes. The Supreme Court has cautioned the government that no citizen can be denied access to welfare programmes for lack of an Aadhaar number.<br /><br />Before cricketer Dhoni’s data breach made the headlines, in February, UIDAI filed a complaint against Axis Bank Ltd, business correspondent Suvidhaa Infoserve and e-sign provider eMudhra, alleging they had attempted unauthorized authentication and impersonation by illegally storing Aadhaar biometrics. The breach was noticed after one individual performed 397 biometric transactions between 14 July 2016 and 19 February 2017. All three entities have been temporarily barred from offering Aadhaar-related services until UIDAI makes a final decision.</p>
<p style="text-align: justify; ">Pranesh Prakash of the Centre for Internet and Society said rules on the use of Aadhaar data are inadequate.<br /><br />“UIDAI is allowed to share the information of a person from its database on its website, after taking proper consent of that person. However, there is no law which states what should be done if any other party does that with the same individual. Such rules must be in place,” Prakash said.<br /><br />Four years after the Aadhaar project took off, a retired judge took the government to court. K. Puttaswamy, a former judge of the Karnataka high court, moved the Supreme Court in 2013, arguing that Aadhaar violated his fundamental right to privacy under the constitution. The case opened the gates for legal challenges to Aadhaar. Over the next few years till date, at least a dozen cases had questioned the legality of the project.<br /><br />Ramon Magsaysay award winner Aruna Roy brought a case on behalf of manual workers whose faint finger prints, she said, often go undetected. Currently, only 44 million out of the 101 million beneficiaries of India’s rural job entitlement are paid through Aadhaar.<br /><br />To be sure, India’s Constitution does not contain a black and white reference to a “fundamental right to privacy”, that the government cannot violate. The list of rights says “no person shall be deprived of his life or personal liberty except according to a procedure established by law”—often interpreted by courts as an all-encompassing right including right to live with dignity, right to speedy justice and even a right to clean air.<br /><br />Nilekani, the man behind Aadhaar, has cautioned that privacy is a broader issue involving how people retain their privacy in day-to-day life. “Privacy is an all-encompassing issue because of the rapid rate of digitization the world is seeing. 
Your smartphone has sensors, GPS and is generating more and more information about everything; voice-activated devices could also be recording your conversations. There’s a profusion of CCTV cameras at malls, restaurants, ATMs recording your movements,” Nilekani said in a recent interview with The Economic Times.<br /><br />But this is where a problem arises. Although there is concurrence on the need for a privacy law, there is a great reluctance on the part of the government to come out with one.<br /><br />“We don’t have a comprehensive privacy law; all our databases are unlinked. The government is trying to link the databases using Aadhaar for all schemes but a separate privacy law must be there for protecting any piece of information, whether or not linked to Aadhaar,” said Rahul Matthan, a partner at law firm Trilegal and a Mint columnist.</p>
<p style="text-align: justify; ">Matthan said first a privacy law must be put in place and then there has to be a discussion on what all it must include.<br /><br />The government on its part pointed out that India’s apex court itself has been indecisive on a right to privacy.<br /><br />“The larger question on privacy needs to be settled by the court. Till then, one cannot comment on secondary concerns,” attorney general Mukul Rohatgi said in an interview.<br /><br />In 2015, the Supreme Court decided that a bench of at least seven judges will rule on the privacy issue, while clarifying that the government cannot make Aadhaar a mandatory proof of identity for its welfare schemes. Twenty months after the judicial order, the larger bench is yet to be formed by the apex court. The passing of the Aadhaar Act in Parliament to provide statutory backing to Aadhaar also indicates a departure from the Indian government’s position of not taking a legislative stand while an issue is under the apex court’s consideration.<br /><br />For example, one of the reasons the Indian government has shown restraint in repealing a colonial law that criminalizes homosexuality is because the apex court is seized of the issue.<br /><br />In the absence of legislation and pending an authoritative ruling by the top court, whether 1.3 billion Indians are entitled to their privacy remains a grey area. Meanwhile, the government is seemingly in the final stretch of its Aadhaar enrolment drive.</p>
No publisher; praskrishna; Biometrics; Aadhaar; Internet Governance; Privacy; 2017-04-22T05:06:23Z; News Item
11th Meeting of Information Systems Security Sectional Committee (LITD 17)
http://editors.cis-india.org/internet-governance/news/11th-meeting-of-information-systems-security-sectional-committee-litd-17
<b>Udbhav Tiwari represented CIS at this meeting organized by the Bureau of Indian Standards (BIS) at Manak Bhavan, New Delhi on April 13, 2017.</b>
<p style="text-align: justify; ">The meeting was the national mirror meeting for the 28th ISO/IEC JTC 1/SC 27 Plenary and Working Group Meetings being held at Hamilton, New Zealand between April 18 and 25, 2017. The meeting provided a fascinating insight into the government and industry viewpoints on key cyber security and privacy issues, especially on Aadhaar.</p>
No publisher; praskrishna; Aadhaar; Internet Governance; Privacy; 2017-04-19T02:57:03Z; News Item
Opposition questions govt move to make Aadhaar must
http://editors.cis-india.org/internet-governance/news/livemint-april-12-2017-komal-gupta-opposition-questions-govt-move-to-make-aadhaar-must
<b>Congress leader Jairam Ramesh claimed that the Aadhaar system was becoming an instrument of social exclusion rather than one of identity. </b>
<p style="text-align: justify; ">The article by Komal Gupta was <a class="external-link" href="http://www.livemint.com/Politics/nwqpFParHM0Ym8F4Dwt3yL/Rajya-Sabha-debates-Aadhaar-Opposition-points-to-flaws.html">published in Livemint</a> on April 11, 2017. Pranesh Prakash was quoted.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The Rajya Sabha on Monday witnessed a lively debate on Aadhaar, with the opposition questioning the government’s move to make the 12-digit unique identification number mandatory for a host of welfare benefits.<br /><br />Congress leader Jairam Ramesh claimed that the Aadhaar system was becoming an instrument of social exclusion rather than one of identity.<br /><br />“My major concern is implementation, how Aadhaar is being used to exclude people to avail benefits of the schemes which have been designed for them…If you need to apply to avail benefits, it’s as good as mandatory,” said Ramesh.</p>
<p style="text-align: justify; ">The former cabinet minister argued that over 25% of the population will stand excluded.<br /><br />“The Rs50,000 crore savings due to Aadhaar linkage as given by the government is highly questionable,” he said, adding that according to Comptroller and Auditor General (CAG) reports, 92% of the savings on domestic gas subsidies is not on account of Aadhaar implementation or direct benefit transfer. “Instead, it is because of the fall in international oil prices,” Ramesh argued.<br /><br />Trinamool Congress member Derek O’Brien said that for manual labourers, biometric identification does not always match and that can deprive them of welfare.<br /><br />He gave the example of Andhra Pradesh, where almost half the 85,000 ration card holders in 2014 were unable to get subsidized foodgrains due to faulty point of sale machines and biometrics not matching.</p>
<p style="text-align: justify; ">K.T.S Tulsi, member of Parliament and senior Supreme Court advocate, said, “Not in my whole career have I come across a greater mutilation of a statutory provision than what has taken place in the case of Aadhaar.” He said Section 29 of the Aadhaar Act doesn’t permit data stored with the Unique Identification Authority of India (UIDAI) to be shared with anyone but a provision was later made for voluntary agreement to allow the sharing of data.<br /><br />IT and law minister Ravi Shankar Prasad said, “No religion, income, medical history, ethnicity or education is asked in Aadhaar. Even email ID and phone number is optional.”<br /><br />“The right of privacy of individuals must be respected. The privacy of the data cannot be breached by us except in the case of national security,” Prasad added.<br /><br />He claimed that the government has been blacklisting operators that share data from the Aadhaar system. It has blacklisted 34,000 operators, and has taken action against 1,000 of them.</p>
<p style="text-align: justify; ">Prasad also said that UIDAI will be accountable to Parliament.<br /><br />Expressing concern on mandating the use of Aadhaar for different services, Pranesh Prakash, policy director of the Centre for Internet and Society, said, “As an enabler, people would want to have Aadhaar. But when it is made mandatory, it becomes more of a disenabler instead of an enabler.”<br /><br />“With the move towards a digital economy, setting up of a data protection authority as recommended by the Shah committee is important along with mass surveillance and greater accountability from the government,” he added.</p>
No publisher; praskrishna; Aadhaar; Internet Governance; Privacy; 2017-04-12T14:19:20Z; News Item
Privacy in the Age of Big Data
http://editors.cis-india.org/internet-governance/blog/asian-age-amber-sinha-april-10-2017-privacy-in-the-age-of-big-data
<b>Personal data is freely accessible, shared and even sold, and those to whom this information belongs have little control over its flow.</b>
<p style="text-align: justify; ">The article was published in the <a class="external-link" href="http://www.asianage.com/india/all-india/100417/privacy-in-the-age-of-big-data.html">Asian Age</a> on April 10, 2017.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">In 2011 it was estimated that the quantity of data produced globally surpassed 1.8 zettabytes. By 2013, it had increased to 4 zettabytes. This is a result of digital services which involve constant data trails left behind by human activity. This expansion in the volume, velocity, and variety of data available, together with the development of innovative forms of statistical analytics on the data collected, is generally referred to as “Big Data”. Despite significant (though largely unrealised) promises about Big Data, which range from improved decision-making, increased efficiency and productivity to greater personalisation of services, concerns remain about the impact of such datafication of all human activity on an individual’s privacy. Privacy has evolved into a sweeping concept, including within its scope matters pertaining to control over one’s body, physical space in one’s home, protection from surveillance, and from search and seizure, protection of one’s reputation as well as one’s thoughts. This generalised and vague conception of privacy not only comes with great judicial discretion, it also thwarts a fair understanding of the subject. Robert Post called privacy a concept so complex and “entangled in competing and contradictory dimensions, so engorged with various and distinct meanings”, that he sometimes “despairs whether it can be usefully addressed at all”.</p>
<p style="text-align: justify; ">This also leaves the idea of privacy vulnerable to considerable suspicion and ridicule. However, while there is a lack of clarity over the exact contours of what constitutes privacy, there is general agreement over its fundamental importance to our ability to lead whole lives. In order to understand the impact of datafied societies on privacy, it is important to first delve into the manner in which we exercise our privacy. The ideas of privacy and data management that are prevalent can be traced to the Fair Information Practice Principles (FIPP). These principles are the forerunners of most privacy regimes internationally, such as the OECD Privacy Guidelines, APEC Framework, or the nine National Privacy Principles articulated by the Justice A.P. Shah Committee Report. All of these frameworks have rights to notice, consent and correction, and how the data may be used, as their fundamental principles. It makes the data subject the decision-making agent about where and when her/his personal data may be used, by whom, and in what way. The individual needs to be notified and his consent obtained before his personal data is used. If the scope of usage extends beyond what he has agreed to, his consent will be required for the increased scope.</p>
<p style="text-align: justify; ">In theory, this system sounds fair. Privacy is a value tied to the personal liberty and dignity of an individual. It is only appropriate that the individual should be the one holding the reins and taking the large decisions about the use of his personal data. This makes the individual empowered and allows him to weigh his own interests in exercising his consent. The allure of this paradigm is that in one elegant stroke, it seeks to ensure that consent is informed and free and also to implement an acceptable trade-off between privacy and competing concerns. This approach worked well when data collectors were fewer and the uses of data were narrower and more defined. Today’s infinitely complex and labyrinthine data ecosystem is beyond the comprehension of most ordinary users. Despite a growing willingness to share information online, most people have no understanding of what happens to their data.</p>
<p style="text-align: justify; ">The quantity of data being generated is expanding at an exponential rate. From smartphones and televisions, trains and airplanes, sensor-equipped buildings and even the infrastructures of our cities, data now streams constantly from almost every sector and function of daily life, “creating countless new digital puddles, lakes, tributaries and oceans of information”. The inadequacy of the regulatory approaches and the absence of a comprehensive data protection regulation is exacerbated by the emergence of data-driven business models in the private sector and the adoption of data-driven governance approach by the government. The Aadhaar project, with over a billion registrants, is intended to act as a platform for a number of digital services, all of which produce enormous troves of data. The original press release by the Central Government reporting the approval by the Cabinet of Ministers of the Digital India programme, speaks of “cradle to grave” digital identity as one of its vision areas.</p>
<p style="text-align: justify; ">While the very idea of the government wanting to track its citizens’ lives from cradle to grave is creepy enough in itself, let us examine for a minute what this form of datafied surveillance will entail. A host of schemes under Digital India shall collect and store information through the life cycle of an individual. The result, as we can see, is building databases on individuals, which when combined, will provide a 360 degree view into the lives of individuals. Alongside this, India Stack, a set of APIs built on top of Aadhaar, conceptualised by iSPIRT, a consortium of select IT companies from India, and to be deployed and managed by several agencies, including the National Payments Corporation of India, promises to provide a platform over which different private players can build their applications.</p>
<p style="text-align: justify; ">The sum of these interconnected parts will lead to a complete loss of anonymity and greater surveillance, and will impact free speech and individual choice. The move towards a cashless economy — with sharp nudges from the government — could lead to a lack of financial agency in case of technological failures, as has been the case in experiments with digital payments in Africa. Lack of regulation in emerging data-driven sectors such as Fintech can enable predatory practices where the right to remotely deny financial services can be granted to private sector companies. An architecture such as IndiaStack enables datafication of financial transactions in a way that produces linked and structured data, allowing continued use of the transaction data collected. It is important to recognise that at the stage of giving consent, there are too many unknowns for us to make informed decisions about the future uses of our personal data. Despite blanket approvals allowing any kind of use granted contractually through terms of use and privacy policies, there should be legal obligations overriding this consent for certain kinds of uses that may require renewed consent.</p>
<p style="text-align: justify; "><b>Biometrics-based identification in UK: </b>In 2005, researchers from London School of Economics and Political Science came out with a detailed report on the UK Identity Cards Bill (‘UK Bill’) — the proposed legislation for a national identification system based on biometrics. The project also envisaged a centralised database (like India) that would store personal information along with the entire transaction history of every individual. The report argued strongly against the centralised storage of information and suggested other alternatives such as a system based on smartcards (where biometrics are stored on the card itself) or offline biometric-reader terminals.</p>
<p style="text-align: justify; ">As per the report, the alternatives would also have been cheaper as neither required real-time online connectivity. In India, online authentication is a far greater challenge. According to the Network Readiness Index, 2016, India ranks 91, whereas the UK is placed eighth. Poor Internet connectivity can raise a lot of problems in the future including paralysis of transactions. The UK identification project was subsequently discarded as a result of the privacy and cost considerations raised in this report.</p>
<h3 style="text-align: justify; ">Aadhaar: Privacy concerns</h3>
<ol style="text-align: justify; ">
<li>Once the data is collected through National Information Utilities, it will be privatised and controlled by private utilities.</li>
<li>Once an individual’s data is entered in the system, it cannot be deleted. That individual will have no control over it.</li>
<li>Aadhaar Data (Demographic details along with photographs) are shared/transferred with the private entities including telecom companies as per the Aadhaar (Targeted delivery of Financial and other subsidies, benefits and services) Act, 2016 with the consent of Aadhaar number holder to fulfil their e-KYC requirements. The data is shared in encrypted form through secured channel.</li>
<li>Aadhaar Enabled Payment System (AEPS) on which 119 banks are live.</li>
<li>More than 33.87 crore transactions have taken place through AEPS, which was only 46 lakhs in May 2014.</li>
<li>As on 30-9-2016, 78 government schemes were linked to Aadhaar.</li>
<li>The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, provides that no core-biometric information (fingerprints, iris scan) shall be shared with anyone for any reason whatsoever (Sec 29) and that the biometric information shall not be used for any purpose other than generation of Aadhaar and authentication.</li>
<li>Access to the data repository of UIDAI, called the Central Identities Data Repository (CIDR), is provided to third parties or private companies.</li>
</ol>
<p style="text-align: justify; "><b>Central Monitoring System</b> (CMS) is already live in Delhi, New Delhi and Mumbai. Union minister Ravi Shankar Prasad revealed this in one of his replies in the Lok Sabha last year. CMS has been set up to automate the process of Lawful Interception & Monitoring of telecommunications.</p>
<p style="text-align: justify; "><b>Lawful Intercept </b>and Monitoring (LIM) systems are used by the Indian Government to intercept records of voice, SMSes, GPRS data, details of a subscriber’s application and recharge history and call detail record (CDR) and monitor Internet traffic, emails, web-browsing, Skype and any other Internet activity of Indian users.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/asian-age-amber-sinha-april-10-2017-privacy-in-the-age-of-big-data'>http://editors.cis-india.org/internet-governance/blog/asian-age-amber-sinha-april-10-2017-privacy-in-the-age-of-big-data</a>
</p>
No publisher; amber; Internet Governance, Aadhaar, Big Data, Privacy; 2017-04-11T14:43:59Z; Blog Entry
India’s National ID Program May Be Turning The Country Into A Surveillance State
http://editors.cis-india.org/internet-governance/news/buzzfeednews-pranav-dixit-april-4-2017-indias-national-id-program-may-be-turning-the-country-into-a-surveillance-state
<b> For seven years, India’s government has been scanning the irises and fingerprints of its citizens into a massive database. The once voluntary program was intended to fix the country’s corrupt welfare schemes, but critics worry about its Orwellian overtones. </b>
<p style="text-align: justify; ">The blog post by Pranav Dixit was <a class="external-link" href="https://www.buzzfeed.com/pranavdixit/one-id-to-rule-them-all-controversy-plagues-indias-aadhaar?utm_term=.ksRqWv6w#.vdnR3bQx">published by BuzzFeedNews</a> on April 4, 2017. Sunil Abraham was quoted.</p>
<hr style="text-align: justify; " />
<p><i>An abridged version of the blog post containing Sunil Abraham's quotes is reproduced below</i>:</p>
<h3 style="text-align: justify; ">“You can’t change your fingerprints”</h3>
<p style="text-align: justify; "><b>Sunil Abraham, the</b> CIS director, calls himself a “technological critic” of the Aadhaar platform. For years, he’s been warning of the security risks associated with a centralized repository of the demographic and biometric details of a billion or so people.</p>
<p style="text-align: justify; ">“Aadhaar is a sitting duck,” Abraham told BuzzFeed News. That’s not an unreasonable assessment considering that India’s track record for protecting people’s private data is <a href="https://www.buzzfeed.com/pranavdixit/the-medical-reports-of-43000-people-including-hiv-patients-w">far from stellar</a>. Earlier this year, for example, a security researcher discovered a website that was leaking the Aadhaar demographic data of more than 500,000 minors. The website was subsequently shut down, but the incident raised questions about Aadhaar’s security protocols — particularly those around data shared with third parties.</p>
<p style="text-align: justify; ">Abraham’s concerns are not without global precedent. In 2012, Ecuadorian police jailed blogger Paul Moreno for breaking <a href="https://www.wired.com/2012/12/security-post-lands-ecuadorian-blogger-in-jail/">into the country’s online national identity database</a> and registering himself as Ecuadorian President Rafael Correa. In April 2016, <a href="https://www.wired.com/2016/04/hack-brief-turkey-breach-spills-info-half-citizens/">hackers posted</a> a database containing names, national IDs, addresses, and birth dates of more than 50 million Turkish citizens, including Turkish President Recep Tayyip Erdogan; later that month, Mexico’s entire voter database — over 87 million national IDs, addresses, and more — <a href="http://www.in.techspot.com/news/security/mexicos-voter-database-containing-the-records-of-over-80-million-citizens-leaked-online/articleshow/51979787.cms"> was leaked</a> onto Amazon’s cloud servers by as-yet-untraced sources; and in the Philippines, more than 55 million voters had their private information — including fingerprints — <a href="http://www.wired.co.uk/article/philippines-data-breach-fingerprint-data">released on the Dark Web</a>.</p>
<div class="buzz_superlist_item_left_small longform_pullquote buzz-superlist-item buzz_superlist_item" id="superlist_4501688_10817551" style="text-align: justify; ">
<blockquote class="solid white_pullquote">
<p>“When this database is hacked — and it will be — it will be because someone breaches the computer security that protects the computers actually using the data.”</p>
</blockquote>
</div>
<p style="text-align: justify; ">“What is the price that we pay as a nation if our database of over a billion people — complete with all 10 fingerprints and iris scans — leaks?” Abraham asked. The consequences, he said, will be permanent. Unlike a password, which you can reset at any time, your biometrics, if compromised, are the ultimate privacy breach. “You can’t change your fingerprints.”</p>
<p style="text-align: justify; ">The UIDAI <a href="https://uidai.gov.in/images/aadhaar_question_and_answers.pdf">claims</a> that the Aadhaar database is protected using the “highest available public key cryptography encryption (PKI-2048 and AES-256)” and would take “billions of years” to crack.</p>
<p style="text-align: justify; ">“Encryption like this doesn’t typically get broken, it gets circumvented,” security researcher Troy Hunt told BuzzFeed News. “For example, the web application that sits in front of it is compromised and data is retrieved after decryption.” Or alternatively, he said, the encryption key itself is compromised. “Naturally, governments will offer all sorts of assurances on these things, but the simple, immutable fact is that once large volumes are centralized like this, there is a heightened risk of security incidents and of the data consequently being lost or exposed,” he added.</p>
<p style="text-align: justify; ">Cryptographer and cybersecurity expert Bruce Schneier echoed Hunt’s assessment. “When this database is hacked — and it will be — it will be because someone breaches the computer security that protects the computers actually using the data,” he said. “They will go around the encryption.”</p>
<p style="text-align: justify; ">Nilekani — who did not respond to BuzzFeed News’ requests for comment — recently dismissed concerns around the project’s privacy implications as “hand-waving.” In an <a href="http://cio.economictimes.indiatimes.com/news/corporate-news/show-me-even-one-example-of-data-theft-aadhaar-is-very-very-secure-nandan-nilekani/57982816">interview</a> with the <i>Economic Times</i>, he repeatedly stressed how secure Aadhaar’s “advanced encryption technology” was. “I can categorically say that it’s the most secure system in India and among the most secure systems in the world,” he said.</p>
<p style="text-align: justify; ">Abraham is unconvinced by such assurances. He believes Aadhaar fundamentally changes the equation between a citizen and a state. “There’s a big difference between you identifying yourself to the government, and the government identifying who you are,” he said.</p>
<p>Aadhaar’s opponents say the program’s implementation has left India’s poorest people with no choice but to use it. “If you link people’s food subsidies, wages, bank accounts, and other crucial things to Aadhaar, you hit them where it hurts the most,” Ramanathan argued. “You leave them with no choice but to sign up.”</p>
<p style="text-align: justify; ">“Can you imagine if the United States passed a law that said that every person who wished to get food stamps would need their fingerprints registered in a government-owned database?” a journalist turned Aadhaar activist who did not wish to be named told BuzzFeed News. “Imagine what a scandal that would be.”</p>
<p style="text-align: justify; ">For Nilekani, such criticism is just overstatement and drama. “I think this so-called anti-Aadhaar lobby is really just a small bunch of liberal elites who are in some echo chamber,” he said during a recent <a href="https://www.facebook.com/etnow/videos/1471268036248071/">interview</a> with Indian business news channel <i>ET Now</i>. “The reality is that a billion people are using Aadhaar. A lot of the accusations are just delusional. Aadhaar is not a system for surveillance. [The critics] live in a bubble and are not connected to reality.”</p>
<p style="text-align: justify; ">Abraham laughed off Nilekani’s comments. “The Unique Identification Authority of India will become the monopoly provider of identification and authentication services in India,” he said. “That sounds like a centrally planned communist state to me. I don’t know which left liberal elites he’s talking about.”</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/buzzfeednews-pranav-dixit-april-4-2017-indias-national-id-program-may-be-turning-the-country-into-a-surveillance-state'>http://editors.cis-india.org/internet-governance/news/buzzfeednews-pranav-dixit-april-4-2017-indias-national-id-program-may-be-turning-the-country-into-a-surveillance-state</a>
</p>
No publisher; praskrishna; Biometrics, Aadhaar, Internet Governance, Privacy; 2017-04-07T12:49:30Z; News Item
Aadhaar marks a fundamental shift in citizen-state relations: From ‘We the People’ to ‘We the Government’
http://editors.cis-india.org/internet-governance/blog/hindustan-times-pranesh-prakash-april-3-2017-aadhaar-marks-a-fundamental-shift-in-citizen-state-relations
<b>Your fingerprints, iris scans, details of where you shop. Compulsory Aadhaar means all this data is out there. And it’s still not clear who can view or use it.</b>
<p>The article was published in the <a class="external-link" href="http://www.hindustantimes.com/india-news/what-s-really-happening-when-you-swipe-your-aadhaar-card-to-make-a-payment/story-2fLTO5oNPhq1wyvZrwgNgJ.html">Hindustan Times</a> on April 3, 2017.</p>
<hr />
<p> </p>
<p style="text-align: center; "><img src="http://editors.cis-india.org/home-images/Aaadhaar.png" alt="Aadhaar" class="image-inline" title="Aadhaar" /><br />Until recently, people were allowed to opt out of Aadhaar and withdraw consent to have their data stored. This is no longer going to be an option.<br />(Siddhant Jumde / HT Illustration)</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Imagine you’re walking down the street and you point the camera on your phone at a crowd of people in front of you. An app superimposes on each person’s face a partially-redacted name, date of birth, address, whether she’s undergone police verification, and, of course, an obscured Aadhaar number.<br /><br />OnGrid, a company that bills itself as a “trust platform” and offers “to deliver verifications and background checks”, used that very imagery in an advertisement last month. Its website notes that “As per Government regulations, it is mandatory to take consent of the individual while using OnGrid”, but that is a legal requirement, not a technical one.<br /><br />Since every instance of use of Aadhaar for authentication or for financial transactions leaves behind logs in the Unique Identification Authority of India’s (UIDAI) databases, the government can potentially have very detailed information about everything from your medical purchases to your use of video-chatting software. The space for digital identities as divorced from legal identities gets removed. Clearly, Aadhaar has immense potential for profiling and surveillance. Our only defence: law that is weak at best and non-existent at worst.</p>
<p style="text-align: justify; ">The Aadhaar Act and Rules don’t limit the information that can be gathered from you by the enrolling agency; it doesn’t limit how Aadhaar can be used by third parties (a process called ‘seeding’) if they haven’t gathered their data from UIDAI; it doesn’t require your consent before third parties use your Aadhaar number to collate records about you (eg, a drug manufacturer buying data from various pharmacies, and creating profiles using Aadhaar).<br /><br />It even allows your biometrics to be shared if it is “in the interest of national security”. The law offers provisions for UIDAI to file cases (eg, for multiple enrollments), but it doesn’t allow citizens to file a case against private parties or the government for misuse of Aadhaar or identity fraud, or data breach.<br /><br />It is also clear that the government opposes any privacy-related improvements to the law. After debating the Aadhaar Bill in March 2016, the Rajya Sabha passed an amendment by MP Jairam Ramesh that allowed people to opt out of Aadhaar, and withdraw their consent to UIDAI storing their data, if they had other means of proving their identity (thus allowing Aadhaar to remain an enabler).</p>
<p style="text-align: justify; ">But that amendment, as with all amendments passed in the Rajya Sabha, was rejected by the Lok Sabha, allowing the government to make Aadhaar mandatory, and depriving citizens of consent. While the Aadhaar Act requires a person’s consent before collecting or using Aadhaar-provided details, it doesn’t allow for the revocation of that consent.<br /><br />In other countries, data security laws require that a person be notified if her data has been breached. In response to an RTI application asking whether UIDAI systems had ever been breached, the Authority responded that the information could not be disclosed for reasons of “national security”.<br /><br />The citizen must be transparent to the state, while the state will become more opaque to the citizen.</p>
<h2 style="text-align: justify; ">How Did Aadhaar Change?</h2>
<table class="invisible">
<tbody>
<tr>
<td style="text-align: justify; ">
<p> </p>
<p>How did Aadhaar become the behemoth it is today, with it being mandatory for hundreds of government programmes, and even software like Skype enabling support for it?</p>
<p>The first detailed look one had at the UID project was through an internal UIDAI document marked ‘Confidential’ that was leaked through WikiLeaks in November 2009. That 41-page dossier is markedly different from the 170-page ‘Technology and Architecture’ document that UIDAI has on its website now, but also similar in some ways.</p>
</td>
<td><img src="http://www.hindustantimes.com/rf/image_size_960x540/HT/p2/2017/04/01/Pictures/_36723476-16e4-11e7-85c6-0f0e633c038c.jpg" /></td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">In neither of those is the need for Aadhaar properly established. Only in November 2012 — after scholars like Reetika Khera pointed out UIDAI’s fundamental misunderstanding of leakages in the welfare delivery system — was the first cost-benefit analysis commissioned, by when UIDAI had already spent ₹28 billion. That same month, Justice KS Puttaswamy, a retired High Court judge, filed a PIL in the Supreme Court challenging Aadhaar’s constitutionality, wherein the government has argued privacy isn’t a fundamental right.</p>
<blockquote class="pullquote" style="text-align: justify; ">Every time you use Aadhaar, you leave behind logs in the UIDAI databases. This means that the government can potentially have very detailed information about everything from your medical purchases to your use of video-chatting software.</blockquote>
<p style="text-align: justify; ">Even today, whether the ‘deduplication’ process — using biometrics to ensure the same person can’t register twice — works properly is a mystery, since UIDAI hasn’t published data on this since 2012. Instead of welcoming researchers to try to find flaws in the system, UIDAI recently filed an FIR against a journalist doing so.</p>
<p style="text-align: justify; ">At least in 2009, UIDAI stated it sought to prevent anyone from “[e]ngaging in or facilitating profiling of any nature for anyone or providing information for profiling of any nature for anyone”, whereas the 2014 document doesn’t. As OnGrid’s services show, the very profiling that the UIDAI said it would prohibit is now seen as a feature that all, including private companies, may exploit.</p>
<p style="text-align: justify; ">UID has changed in other ways too. In 2009, it was envisaged as a system that never sent out any information other than ‘Yes’ or ‘No’, which it did in response to queries like ‘Is Pranesh Prakash the name attached to this UID number’ or ‘Is April 1, 1990 his date of birth’, or ‘Does this fingerprint match this UID number’.</p>
<p style="text-align: justify; ">With the addition of e-KYC (wherein UIDAI provides your demographic details to the requester) and Aadhaar-enabled payments to the plan in 2012, the fundamentals of Aadhaar changed. This has made Aadhaar less secure.</p>
<h3 style="text-align: justify; ">Security Concerns</h3>
<p style="text-align: justify; ">With Aadhaar Pay, due to be launched on April 14, a merchant will ask you to enter your Aadhaar number into her device, and then for your biometrics — typically a fingerprint, which will serve as your ‘password’, resulting in money transfer from your Aadhaar-linked bank account.</p>
<p style="text-align: justify; ">Basic information security theory requires that even if the identifier (username, Aadhaar number etc) is publicly known — millions of people’s names and Aadhaar numbers have been published on dozens of government portals — the password must be secret. That’s how most logins work, that’s how debit and credit cards work. How are you or UIDAI going to keep your biometrics secret?</p>
<p style="text-align: justify; ">In 2015, researchers at Carnegie Mellon captured the iris scans of a driver using a car’s side-view mirror from distances of up to 40 feet. In 2013, German hackers fooled Apple iOS’s fingerprint sensors by replicating a fingerprint from a photo taken off a glass held by an individual. They even replicated the German Defence Minister’s fingerprints from photographs she herself had put online. Your biometrics can’t be kept secret.</p>
<blockquote class="pullquote" style="text-align: justify; ">Typically, even if your username (in this case, Aadhaar number) is publicly known, your password must be secret. That’s how most logins work, that’s how debit and credit cards work. How are you or UIDAI going to keep your biometrics secret?</blockquote>
<p style="text-align: justify; ">In the US, in a security breach of 21.5 million government employees’ personnel records in 2015, 5.2 million employees’ fingerprints were copied. If that breach had happened in India, those fingerprints could be used in conjunction with Aadhaar numbers not only for large-scale identity fraud, but also to steal money from people’s bank accounts.</p>
<p style="text-align: justify; ">All ‘passwords’ should be replaceable. If your credit card gets stolen, you can block it and get a new card. If your Aadhaar number and fingerprint are leaked, you can’t change them, you can’t block them.</p>
<p style="text-align: justify; ">The answer for Aadhaar too is to choose not to use biometrics alone for authentication and authorisation, and to remove the centralised biometrics database. And this requires a fundamental overhaul of the UID project.</p>
<p style="text-align: justify; ">Aadhaar marks a fundamental shift in citizen-state relations: from ‘We the People’ to ‘We the Government’. If the rampant misuse of electronic surveillance powers and wilful ignorance of the law by the state is any precedent, the future looks bleak. The only way to protect against us devolving into a total surveillance state is to improve rule of law, to strengthen our democratic institutions, and to fundamentally alter Aadhaar. Sadly, the political currents are not only not favourable, but dragging us in the opposite direction.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/hindustan-times-pranesh-prakash-april-3-2017-aadhaar-marks-a-fundamental-shift-in-citizen-state-relations'>http://editors.cis-india.org/internet-governance/blog/hindustan-times-pranesh-prakash-april-3-2017-aadhaar-marks-a-fundamental-shift-in-citizen-state-relations</a>
</p>
No publisher; pranesh; Biometrics, Aadhaar, Internet Governance, Privacy; 2017-04-04T16:10:06Z; Blog Entry
Get an Aadhaar card if you don't have one
http://editors.cis-india.org/internet-governance/news/business-standard-march-27-2017-priya-nair-and-sanjay-kumar-singh-get-an-aadhaar-card-if-you-dont-have-one
<b>The Aadhaar number has been made compulsory for filing tax returns. With both the government and private parties insisting on it for various activities despite the Supreme Court's assertion that it is not mandatory, you need to get one at the earliest.</b>
<p style="text-align: justify; ">The article by Priya Nair and Sanjay Kumar Singh was published in the <a class="external-link" href="http://www.business-standard.com/article/economy-policy/from-i-t-returns-to-phone-connections-aadhaar-gets-more-teeth-117032600717_1.html">Business Standard</a> on March 27, 2017. Udbhav Tiwari was quoted.</p>
<hr />
<p style="text-align: justify; ">Until now the need for an Aadhaar card arose if someone wanted to avail of the LPG subsidy, or if senior citizens wanted to enjoy a concession on train tickets. This 12-digit number, which is a proof of identity, is largely used by the government to distribute cash benefits and other subsidies under its welfare schemes. Since submitting the Aadhaar card at the time of opening a bank account, investing in a mutual fund, etc is optional (you can submit another proof of identity), many people have still not bothered to get one. That ambivalent attitude will now have to change. <br /><br />This year onwards all those filing income tax returns will have to furnish their Aadhaar number. There is a field in the income tax return form for Aadhaar number. Don’t forget to fill it this year. If you do not have an Aadhaar number, you will have to submit the enrolment number of your application for Aadhaar. "In case of failure to intimate the Aadhaar number, the PAN allotted to the person shall be deemed invalid and the other provisions of the Income Tax Act shall apply, as if the person has not applied for allotment of PAN," says Amarpal Chadha, tax partner, people advisory services, EY India.<br /><br />Experts say that this step has been taken to deal with the problem of duplicate permanent account numbers (PAN) and to control black money. Says Kuldip Kumar, partner and leader-personal tax at PwC India: “Many people have more than one PAN, even though there is a penalty under the Income Tax Act for doing so. The government is linking PAN to Aadhaar to deal with this problem. This step will also help control black money. Whether you invest in stocks, shares, or do any other high-value transaction, over a period of time the tax department will be able to see all this information at the click of a button." Other experts also agree that this step will create an audit trail for various transactions. 
“Linking of Aadhaar and PAN will throw up any discrepancies in reported transactions and provide a ready database to the revenue authorities for necessary action,” says Vikas Vasal, partner, Grant Thornton India.<br /><br /><b>Interim problems</b><br />This measure is expected to create a slew of problems for people. Many individuals may still not have an Aadhaar card. They should apply for one post-haste. Everyone needs to check if their Aadhaar and PAN details match. If there are discrepancies between the two, get either your Aadhaar or PAN details updated so that you do not face problems at the time of filing returns. Details on how to update the Aadhaar and PAN are available on the web sites of UID and the IT department respectively (see box). <br /><br />Non-Resident Indians (NRI) and foreign nationals may also need to obtain an Aadhaar number now. Many NRIs have an income (before claiming any deduction) that exceeds the basic exemption limit of Rs 2.5 lakh, and hence file a tax return in India. Foreign nationals who have spent time in India and earned an income also need to file a tax return. Indian residents who have been sent by their companies to work abroad will also have to scramble for the card. "March is about to end and tax returns will have to be filed by the end of July. Persons who have to file a tax return but are abroad will face a challenge getting the Aadhaar card made in time since you have to be physically present in India for this purpose," says Kumar. The government may possibly grant some leeway to such people. <br /><br />Even though the Supreme Court has said that Aadhaar is not mandatory, there are several instances where the authorities are insisting on it. Those applying for domicile proof and those who want to get their property registered are being asked to provide this number. Some telecom providers also insist on it before giving a connection. Schools are asking for it from students. 
You need it to appear for competitive exams like IIT JEE. Online providers of financial products insist on Aadhaar since it makes KYC easier. With the government moving strongly towards making Aadhaar compulsory, one can't escape complying with this regulation. <br /><br /><b>Risks of an Aadhaar-centric system</b><br />There are several risks associated with Aadhaar, whose basic purpose is authentication and authorisation. The first problem arises from the fact that it is easily accessible to miscreants. Aadhaar numbers of thousands of people have been uploaded on the Internet. "Since the Aadhaar number has to be given at so many places, it can be misused to pull information about people from the centralised database. In the case of credit and debit cards, we are told not to share these numbers publicly as the number is the first thing required for carrying out a transaction. That is not the case with Aadhaar. UID's position is that you should treat your Aadhaar number carefully. But the fact is that the Aadhaar number is not used carefully either by consumers or businesses. It is a fairly public number. With Aadhaar too much power is being vested in a number that is quite public," says Udbhav Tiwari, policy officer, Centre for Internet and Society, Bengaluru.</p>
<p style="text-align: justify; ">Second, Aadhaar has a centralised database, and all centralised databases are vulnerable to hacking. Third, biometrics are not a very secure form of authentication. "Fingerprints are easy to forge. The UID says that the device (used to check the fingerprint) should not remember the biometrics but should only transfer it to UID which will verify the information. But miscreants could use a device that captures your biometrics," says Tiwari. <br /><br />Other documents used for identification like PAN and passport are not easy to duplicate because of their security features. PAN, for instance, has a hologram. The power of the passport lies not in the passport number but in the document. Without the passport one cannot travel internationally. But in case of Aadhaar one can go on the Internet and print a new Aadhaar card. “If somebody has managed to capture my fingerprint and has my Aadhaar number, he can use it wherever Aadhaar is required,” says Tiwari.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/business-standard-march-27-2017-priya-nair-and-sanjay-kumar-singh-get-an-aadhaar-card-if-you-dont-have-one'>http://editors.cis-india.org/internet-governance/news/business-standard-march-27-2017-priya-nair-and-sanjay-kumar-singh-get-an-aadhaar-card-if-you-dont-have-one</a>
</p>
No publisher; praskrishna; Aadhaar, Internet Governance, Privacy; 2017-04-04T15:39:05Z; News Item
The Aadhaar of all things
http://editors.cis-india.org/internet-governance/news/hindu-businessline-shriya-mohan-the-aadhaar-of-all-things
<b>From a severely critical stand against Aadhaar in 2014, the Modi-led BJP in power has made a sharp U-turn to bulldoze its way into having every Indian scanned, tagged and labelled. A timeline of the country’s chequered date with the unique identification project.</b>
<p>The article by Shriya Mohan was published in the <a class="external-link" href="http://www.thehindubusinessline.com/blink/cover/the-aadhaar-of-all-things/article9609603.ece">Hindu Businessline </a>on March 31, 2017. Sunil Abraham was quoted.</p>
<hr />
<p class="body" style="text-align: justify; ">You’ve probably read the WhatsApp joke about a post-Aadhaar scenario in 2020 India. A man orders pizza over phone. He is asked for his Aadhaar number first. He then orders a family-size seafood pizza, only to be reminded by the attendant about his high blood pressure and cholesterol levels (thanks to his Aadhaar history visible to everybody “on the system”) and is advised to order the low-fat Hokkien Mee pizza instead, based on his recent search history on Hokkien cuisine. As if this isn’t creepy enough, the pizza guy refuses a card payment, citing the man’s maxed-out credit cards, advises against ATM withdrawal owing to his massive overdraft and even decides to hold off the free cola offer given his dire health situation. When the man turns livid, he is told to mind his language, given that in 2007 he was already imprisoned for verbally abusing a policeman!</p>
<p class="body" style="text-align: justify; ">2020 is two and a half years away, and the WhatsApp scenario appears less incredible by the day.</p>
<p class="body" style="text-align: justify; ">By the government’s latest estimate, 112,01,12,468 Aadhaar cards have been issued since January 2009, when the Unique Identification Authority of India (UIDAI) was set up under the Planning Commission. So if you are an adult Indian resident without an Aadhaar card, you are in a two per cent minority (98 per cent adults are covered).</p>
<p class="body" style="text-align: justify; ">Last week, Finance Minister Arun Jaitley said the 12-digit number would be the single monolith identity for all Indians in the coming years, replacing every other identity card. The government is serious because each week a new scheme is added to the three dozen schemes in which Aadhaar has been made mandatory. All the 84 schemes under the direct subsidy benefit transfer programme are expected to follow suit.</p>
<p class="body" style="text-align: justify; ">Here are just a few instances in which you should be ready to whip out your Aadhaar card — a free midday meal at a government school, access to Sarv Shiksha Abhiyan, LPG subsidy and foodgrains under the public distribution system, six scholarship schemes for students with disabilities, getting your EPF pensions, booking a train ticket online, getting a backward caste quota or benefit, and, according to the most recent directive in the Finance Bill, filing your tax returns.</p>
<p class="body" style="text-align: justify; ">Why did a dispensation so critical of Aadhaar in 2014 make a sharp U-turn to bulldoze its way into having every single Indian citizen scanned, tagged and labelled?</p>
<p class="body" style="text-align: justify; ">The earliest felt need for an identification project can be traced to the Kargil Review Committee, instituted by the Vajpayee Government in 1999, in the wake of the Indo-Pak war. The Krishnaswamy Subrahmanyam-led panel had recommended a citizenship database for the identification of legitimate Indian citizens living in border areas.</p>
<p class="body" style="text-align: justify; ">As outlined in a Scroll article, this quickly expanded to include all Indians under the Multipurpose National Identity Card project, which was pilot tested in a few villages. The Citizenship Act was also amended to give a legislative backing to the scheme, which built on the Bharatiya Janata Party’s general stance against illegal immigrants.</p>
<p class="body" style="text-align: justify; "><b>The search for identity</b></p>
<p class="body" style="text-align: justify; ">The Citizenship Act was amended in 2004 by the incumbent Congress government to make way for the National Population Register (NPR), a database of the identities of all Indian residents, maintained by the Registrar General and Census Commissioner of India.</p>
<p class="body" style="text-align: justify; ">Eventually, in 2009, Aadhaar, or UIDAI, surfaced as a 12-digit identification number that served as proof of identity and address — meaning, it applies to all residents whether they are citizens or not, unlike with the NPR. Aadhaar, which means ‘basis’ in Hindi, is intended to be an all-encompassing substratum of identities that can provide “instant access to services like banking, mobile phone connections and other government and non-government services”. The United Progressive Alliance government managed to link it to its Direct Benefit Transfer (DBT) system for subsidies provided to targeted groups.</p>
<p class="body" style="text-align: justify; ">As the main Opposition party, the BJP had felt that the Aadhaar number ought to have been given only to Indian citizens, and not all residents, which, in its view, would include millions of illegal immigrants.</p>
<p class="_hoverrDone body" style="text-align: justify; ">Nandan Nilekani, the former CEO of IT giant Infosys, was appointed UIDAI chairman in July 2009. The first Aadhaar number was issued in September 2010, and then the pace accelerated: 100 million by November 2011, 200 million by February 2012 and 500 million by end of 2013. “We felt speed was strategic. Doing and scaling things quickly was critical. If you move very quickly it doesn’t give opposition the time to consolidate,” Nilekani told Forbes India in a 2013 interview.</p>
<p class="body" style="text-align: justify; ">Here’s the part most of us forget: The largest opposition that Nilekani was referring to at that time was the BJP.</p>
<p class="body" style="text-align: justify; ">“The people who thought of themselves as having given birth to IT in this country refused to listen to a common man like me. Even the SC has demanded answers,” Narendra Modi, then Gujarat chief minister, had said and alleged that the Aadhaar programme was a bundle of lies to loot the country’s treasury.</p>
<p class="body" style="text-align: justify; ">As the BJP’s prime ministerial candidate for the 2014 Lok Sabha elections, days ahead of delivering the party’s biggest-ever victory, he had tweeted: “On Aadhaar, neither the Team that I met nor PM could answer my Qs on security threat it can pose. There is no vision, only political gimmick.” Recently, when Aadhaar enrolments had crossed the billion mark, this tweet was dug out prominently.</p>
<p class="body" style="text-align: justify; "><b>The U-turn</b></p>
<p class="body" style="text-align: justify; ">So, what changed? How did the Aadhaar’s primary opposition become its key crusader?</p>
<p class="body" style="text-align: justify; ">There were two meetings that supposedly changed the destiny of the Aadhaar project. In the first week of June 2014, as Nilekani was vacating his government-allotted Lutyens’ bungalow as UIDAI chief, he met Modi and Jaitley and persuaded the new regime to persist with Aadhaar. The more important meeting was with Vijay Madan, the UIDAI director general and mission director. According to a Governance Now article, when the UID team spoke of the potential savings from plugging subsidy leakages, and weeding out “ghost beneficiaries”, Modi asked them to give a precise estimate. The figure was “up to ₹50,000 crore a year” or a good 9.4 per cent of India’s ₹5,31,177-crore fiscal deficit.</p>
<p class="body" style="text-align: justify; ">Modi in his keenness to showcase the arrival of “acche din” immediately sought a 100-crore enrolment target at the ‘earliest’, putting paid to speculations that the new government would shelve the UIDAI project. A funding of ₹2,039.64 crore was formalised in the 2014-2015 Budget presented a week later, to create the infrastructure to enrol 30 crore people to add to the 70 crore already enrolled. The UIDAI targeted the 1-billion mark by the end of that fiscal.</p>
<p class="body" style="text-align: justify; "><b>Money bill to beat legal hurdles</b></p>
<p class="body" style="text-align: justify; ">It was in November 2012 that the SC admitted a PIL filed by retired Karnataka High Court judge KS Puttaswamy and advocate Parvesh Khanna, questioning the government’s decision to issue Aadhaar even as the National Identification Authority of India Bill 2010 was pending before the Rajya Sabha since December 3, 2010. They argued that there was no legislative backing for obtaining personal information. Also, the proposed law was rejected by the Parliamentary Standing Committee on Finance.</p>
<p class="body" style="text-align: justify; ">The PIL argued that linking the Aadhaar number with food security, LPG subsidy, the Employees’ Provident Fund and other direct benefit transfers made the enrolment mandatory, thereby falsifying the government’s claim that it was voluntary. Several other PILs too voiced similar privacy concerns.</p>
<p class="body" style="text-align: justify; ">Currently, there are two legal strictures governing the validity of Aadhaar: the apex court order of October 15, 2015, limiting the card’s voluntary use to six schemes (PDS, MGNREGA, LPG, NEPS and social assistance programmes) and prohibiting the government from making it mandatory for receiving any benefits or services; and the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, which is under challenge today. Both strictures have distinct operational status, but petitioners argue that recent government directives making Aadhaar mandatory are leading them to wonder whether the SC’s interim order is overshadowed by the Aadhaar Act or if the government is defying the court.</p>
<p class="body" style="text-align: justify; ">On March 3, 2016, in a surprise move, to put all dissent to rest, the Aadhaar Act was introduced as a Money Bill in Parliament to give it legislative backing. Things moved pretty fast thereon. On March 11, the Aadhaar Act 2016 was passed in the Lok Sabha. On March 26, the Act was notified. Accusing the BJP-led NDA government of showing “utter contempt” for the Rajya Sabha by taking the Money Bill route, senior Congress leader Jairam Ramesh challenged it in the Supreme Court in April. He likened the use of the Money Bill, which was passed overruling amendments moved in the Rajya Sabha, to “knocking a nail in the coffin of the Upper House”.</p>
<p class="body" style="text-align: justify; ">The government’s move took many, including Aadhaar advocates, by surprise. “We need to separate Aadhaar as identity from its specific functionality for which it’s used,” says Praveen Chakravarty, a senior fellow at the IDFC institute and a former member of Nilekani’s core team. He believes that just as a voter ID alone isn’t enough to vote, seeing the ownership of an Aadhaar card as key for any transaction is “fear-mongering”. Its use will still involve a process of checks and balances.</p>
<p class="body" style="text-align: justify; ">But can’t thumb prints be replicated with Fevicol?</p>
<p class="body" style="text-align: justify; ">“Sure, there could be failures, as there are with any system. But this is a far more foolproof method than any we’ve had before. Internationally also, biometric is to authenticate a higher level of security.”</p>
<p class="body" style="text-align: justify; "><b>The argument for privacy</b></p>
<p class="body" style="text-align: justify; ">“Aadhaar has the potential to improve welfare service delivery. But it has to be achieved in an inclusive manner befitting a truly liberal society and not through coercion,” says Chakravarty.</p>
<p class="body" style="text-align: justify; ">His only misgiving is with the use of the Money Bill to introduce the Aadhaar, without any right to privacy. “It should have gone through the process of debate in Parliament. Then it wouldn’t have been passed without a strong right to privacy safeguard,” he says, pointing out that even a junior UIDAI officer can access the data of anybody he/she chooses.</p>
<p class="body" style="text-align: justify; ">“Aadhaar inverts the idea of transparency. It makes people transparent but the State opaque,” says Usha Ramanathan, a legal expert and anti-Aadhaar crusader.</p>
<p class="body" style="text-align: justify; ">The use of Aadhaar as verification at every instance can help piece together very detailed information about citizens. These include banking transactions, online purchases, travel itineraries, mobile phone usage, location history and practically anything that can be electronically recorded and verified with an Aadhaar.</p>
<p class="body" style="text-align: justify; ">In February this year, the UIDAI filed a police case against Axis Bank and others for alleged unauthorised authentication and impersonation attempts by illegally storing Aadhaar biometrics.</p>
<p class="body" style="text-align: justify; ">The latest outcry over breached privacy involved a screenshot of cricketer Mahendra Singh Dhoni’s personal details that went viral on Twitter. The UIDAI blacklisted the agency that revealed Dhoni’s Aadhaar details after his wife complained to the IT Minister. A recent Scroll report shows the UIDAI received 1,390 similar complaints but took no action.</p>
<p class="body" style="text-align: justify; ">There are legitimate fears such an information database might eventually be misused, for instance in racial profiling or revealing voting preferences.</p>
<p class="body" style="text-align: justify; ">In January this year, Hyderabad-based ECIL developed a biometric-enabled mobile terminal for instant authentication of a voter “to prevent rigging of votes”. Till August 2015, the Election Commission was working on seeding Aadhaar data with that of voter ID card, in an attempt to weed out fake voters. However, the poll panel stopped this exercise after the SC ruled that Aadhaar be made compulsory only for PDS and LPG distribution.</p>
<p class="body" style="text-align: justify; "><a href="http://www.thehindubusinessline.com/blink/cover/nandan-nilekani-demonising-of-aadhaar-is-irresponsible/article9608232.ece" target="_blank">Nilekani, in an interview to BLink</a>, insisted that the Aadhaar has more privacy regulations than any other service in the world. He also pointed out that all election commission data is already online, and anyone can look up any voter’s name, date of birth, gender and address.</p>
<p class="body" style="text-align: justify; ">Additionally, social media profiles too are shared publicly of our own volition.</p>
<p class="body" style="text-align: justify; ">Concurring with this view, Chakravarty says, “It is surprising that we’re perfectly okay with giving all our life information to a 32-year-old named Mark Zuckerberg. However, this is voluntary. Whether we fully know consequences or not is another matter altogether.”</p>
<p class="body" style="text-align: justify; ">With the Finance Bill requiring all PAN cards to be linked to Aadhaar, there is added concern over privacy. Sunil Abraham, founder of the Centre for Internet and Society, says Aadhaar runs the risk of being used fraudulently. “If I want to get you in trouble, I can make a large purchase of gold against your Aadhaar number, which is linked to your PAN,” he explains.</p>
<p class="body" style="text-align: justify; ">He advocates for a system where different government departments don’t store Aadhaar numbers in their databases but instead use a token issued by UIDAI kiosks. This would prevent proliferation of the number.</p>
<p class="body" style="text-align: justify; "><b>Technical glitches</b></p>
<p class="body" style="text-align: justify; ">In February this year, Modi claimed in the Lok Sabha that plugging leakages through Aadhaar had saved the government ₹14,000 crore. And that nearly four crore fake ration cards have been seized till date.</p>
<p class="body" style="text-align: justify; ">One method of establishing a fake ration card is if the owner has not availed himself of his ration. Ever since Aadhaar’s biometric identification has been linked to point-of-sale (POS) machines at ration shops, residents have had to queue up with a prayer on their lips. A lot could go wrong — the biometric might not recognise them or, worse, there could be a network failure, forcing everyone to return home empty-handed. In both instances, while ration shop owners should ideally mark such transactions under ‘Transactions with “N” response from Aadhaar’, they invariably mark them under “Household yet to take ration”, implying that the beneficiary has chosen not to take home her share.</p>
<p class="body" style="text-align: justify; ">The February 2017 data for 22 ration shops across Delhi, accessed on the Department of Food & Supplies website, shows that none have a single beneficiary marked under “N”. At a Delhi Cantonment outlet, of the 1,038 registered beneficiaries only 168 have been marked “Y”, or ‘Yes’, showing they have taken their rations. Another 871 have been marked “Household yet to take ration” and none have been marked ‘N’ to indicate glitches in the Aadhaar authentication.</p>
<p class="body" style="text-align: justify; ">As Amrita Johri of citizens’ action group Satark Nagrik Sangathan explains, “Aadhaar relies on internet and electricity. This might seem like a problem only of rural areas. But we don’t have to go far. In South Delhi’s East Mehraam Nagar, there is a ration shop with no mobile signal and no network. Officials said we have to show that Aadhaar is a success, so the shop’s POS machine was finally hung on a jamun tree to get it to work.”</p>
<p class="body" style="text-align: justify; ">She questions the government’s reluctance to acknowledge the many instances of failure in the project.</p>
<p class="body" style="text-align: justify; ">Frighteningly, three consecutive failed attempts could lead to the card being placed in an abeyance list and possibly invalidated.</p>
<p class="body" style="text-align: justify; "><b>Top performers and laggards</b></p>
<p class="body" style="text-align: justify; ">Delhi is rated one of the better performing States/union territories, while Rajasthan has one of the worst records with the maximum number of biometric and network failures.</p>
<p class="body" style="text-align: justify; ">According to the government’s 2017 monthly estimates, 27 per cent of the residents whose Aadhaar cards have been seeded to the PDS were denied rations owing to biometric or network failure. This figure would be higher if the unseeded cards are also taken into account.</p>
<p class="body" style="text-align: justify; ">Nikhil Dey, founder of Rajasthan’s Mazdoor Kisan Shakti Sangathan (MKSS), says his organisation is fighting with its back against a wall.</p>
<p class="body" style="text-align: justify; ">“Nearly 73 lakh households get their monthly rations in this State, where a little over a crore households are eligible to receive them. We’re not even talking about exclusions here,” says Dey. Besides network failure, there are many instances of the old and sick who are unable to visit the shop to physically verify themselves.</p>
<p class="body" style="text-align: justify; ">“Back-up options such as OTP (one-time password) or facial recognition only work in theory,” says Dey. He alleges that shop owners often fudge the OTP system by punching in their own numbers and stealing the quotas of genuine beneficiaries.</p>
<p class="body" style="text-align: justify; ">He too believes that several names have been struck off as dead to project that the Aadhaar has weeded out a high number of fake social security pensioners.</p>
<p class="body" style="text-align: justify; ">Nilekani applauds Andhra Pradesh for its progress in the Aadhaar project by investing in infrastructure to eliminate technical glitches. J Satyanarayana, the UIDAI’s part-time chairperson, told BLink in an email interview that Aadhaar has led to transparency and efficiency in nearly all government schemes in AP.</p>
<p class="body" style="text-align: justify; ">During March 2017, 42.29 lakh (93.02 per cent) pensioners received their payment through Aadhaar-based biometric authentication, he says, adding that real-time monitoring systems are in place.</p>
<p class="body" style="text-align: justify; ">“The entire PDS (rations) is linked to Aadhaar,” he says. As many as 1.21 crore (87.39 per cent) card holders collected their ration this month, and 95.94 lakh received wages (totalling ₹5,283 crore) under MNREGA through Aadhaar-enabled systems, he informs.</p>
<p class="body" style="text-align: justify; ">Neighbouring Telangana too is known for its 99 per cent Aadhaar enrollment, leading to an impressive 80 per cent of its population accessing the PDS.</p>
<p class="body" style="text-align: justify; ">BP Acharya, special chief secretary in Telangana’s planning department, says, “Aadhaar’s use can perhaps be most seen in Telangana’s speedy clearances, investment promotion, creating licences and clearances for shops and establishments.”</p>
<p class="body" style="text-align: justify; ">Telangana took the Aadhaar database project one step further through its Citizen 360 programme. In August 2014, months after the State was newly formed, it conducted one of the largest household surveys in a single day, covering one crore households. This data was integrated with the Aadhaar database and now links different benefits on the same platform. Now the Aadhaar identity is linked to other details such as the holder’s driving licence and even crime record.</p>
<p class="body" style="text-align: justify; ">The UIDAI holds out AP and Telangana as shining examples of Aadhaar’s efficiency when backed by the right network and infrastructure. But for the lakhs of biometric factory rejects who are denied their rights, Aadhaar can only mean a mass experiment gone horribly wrong.</p>
<table class="plain" style="text-align: justify; ">
<tbody>
<tr>
<td>
<p class="body"><b><i>Aadhaar Timeline</i></b></p>
<p class="body" style="text-align: justify; "><b>2006</b></p>
<p class="body" style="text-align: justify; ">The ministry of communications and information technology approves the ‘Unique ID for Below Poverty Line (BPL) families’ project under the chairmanship of Arvind Virmani, then principal advisor, Planning Commission</p>
<p class="body" style="text-align: justify; "><b>2008</b></p>
<p class="body" style="text-align: justify; ">Empowered group of ministers formed by former Prime Minister Manmohan Singh decides to collate two schemes — the National Population Register under the Citizenship Act, 1955 and the UID project — to conceive Aadhaar.</p>
<p class="body" style="text-align: justify; "><b>2009</b></p>
<p class="body" style="text-align: justify; ">Planning Commission issues a notification to constitute the Unique Identification Authority of India (UIDAI).</p>
<p class="body" style="text-align: justify; ">Government appoints Infosys co-founder Nandan Nilekani as the first chairman of UIDAI, with the rank and status of a cabinet minister.</p>
<p class="body" style="text-align: justify; "><b>2012</b></p>
<p class="body" style="text-align: justify; ">Former Karnataka high court judge justice K Puttaswamy files a public interest litigation before the Supreme Court (SC) declaring that Aadhaar violates an individual’s right to privacy and that the scheme lacks legislative backing.</p>
<p class="body" style="text-align: justify; "><b>2014</b></p>
<p class="body" style="text-align: justify; ">In an interim order, the SC restrains the UIDAI from transferring biometric information with an Aadhaar number to any other agency without the individual’s consent in writing.</p>
<p class="body" style="text-align: justify; "><b>2015</b></p>
<p class="body" style="text-align: justify; ">Three-judge bench of the apex court rules the unique identity number is not mandatory to avail of benefits from government programmes, restricting the use of Aadhaar to beneficiaries of the public distribution system and subsidies on cooking gas and kerosene, and refers the question on privacy to a larger constitution bench.</p>
<p class="body" style="text-align: justify; ">Centre moves SC seeking a review and modification of the August 11 interim order. A five-judge constitution bench modifies the same and extends the use of Aadhaar to Mahatma Gandhi National Rural Employment Guarantee Scheme, Jan Dhan Yojana, pensions and the Employees’ Provident Fund scheme.</p>
<p class="body" style="text-align: justify; "><b>2016</b></p>
<p class="body" style="text-align: justify; ">Finance minister Arun Jaitley announces in the budget speech that the government will offer statutory backing for Aadhaar. The Lok Sabha passes the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 as a Money Bill, rejecting Rajya Sabha recommendations.</p>
<p class="body" style="text-align: justify; "><b>2017</b></p>
<p class="body" style="text-align: justify; ">Aadhaar is made mandatory for three dozen schemes with 84 more expected under direct benefit transfers, including midday meal scheme and universal education.</p>
<p class="body" style="text-align: justify; ">SC again rules that Aadhaar cannot be made mandatory for welfare schemes.</p>
</td>
</tr>
</tbody>
</table>
No publisher | praskrishna | Aadhaar, Internet Governance, Privacy | 2017-04-03T15:46:23Z | News Item
Digital native: You can check out, you can never leave
http://editors.cis-india.org/raw/indian-express-nishant-shah-april-2-2017-digital-native-you-can-check-out-you-can-never-leave
<b>Aadhaar is not something you define and opt into, it is something that defines you.</b>
<p style="text-align: justify; ">The article was <a class="external-link" href="http://indianexpress.com/article/technology/social/digital-native-you-can-check-out-you-can-never-leave-4595503/">published in the Indian Express</a> on April 2, 2017. Nishant Shah is a professor of new media and the co-founder of The Centre for Internet & Society, Bangalore.</p>
<hr />
<p style="text-align: justify; ">Ok. I get it. You don’t want yet another piece on the horrors and perils of the surveillance state that has come to the forefront with Aadhaar numbers now being tied to our taxes. I know that you must have already made up your mind about whether this is a good thing or a bad thing. If you believe that the way to streamlining bureaucracy and making our systems more accountable is transparency, then you are ready to welcome the digital ecosystem of Aadhaar, as introducing checks and balances that might help to curb some of the excesses and wastes of our governance systems. If you are of the opinion, however, that the state cannot be trusted with our information, without the oversight of the Parliament and the judiciary, then you want to resist this mandatory implementation of the “voluntary” Aadhaar. And, for once, I am unable to take a side, favouring one set of arguments over the other. This ambiguity does not come from a lack of political conviction. I continue to fear about the future of our lives when these technologies of control and domination fall in the hands of governments which have an authoritarian bent of mind.</p>
<p style="text-align: justify; ">Instead, my lack of preference on the good, bad and ugly sides of Aadhaar stems from a completely different concern around network technologies of digital connectivity that has found very little attention in the almost zealous discourse about “yes Aadhaar, no Aadhaar”.</p>
<p style="text-align: justify; ">This is a concern about the relationship between technological networks and the messy realities that we embody. There has been an easy acceptance of a digital network as a description of our everyday life. If you look at any network that you belong to — from public discussion forums to private WhatsApp groups — you will realise that these networks offer to visualise your connections and transactions with the people, places and things in your circles. Thus, it is possible to say that <a href="http://indianexpress.com/about/facebook/">Facebook</a> describes your collection of friends and your social life. Or you could suggest that <a href="http://indianexpress.com/about/linkedin/">LinkedIn</a> is a visualisation of your professional landscape. And, in a similar vein, we can also propose that Aadhaar is a representation of the working of our government systems of identification.</p>
<p style="text-align: justify; ">Each one of these propositions, seemingly innocent, is blatantly wrong. Facebook, for example, didn’t just connect you with your friends. It has fundamentally changed the idea of what is a friend. For a generation of young people who grew up naturalised in social media, the notion of a friend has lost all its meaning and nuance. Every connection, acquaintance, friend of a friend, a random stranger who likes the same band as you do, is now a friend. And the increasing anxiety we have about people falling prey to predatory friendships is because Facebook has now normalised the idea that if somebody calls you their friend, you don’t have to worry about sharing personal and private information with them. Similarly, for anybody who has spent time on LinkedIn, we know that it is not just a portal that describes our work. It is the space where we stay connected with events and people far removed from us. It is the resource pool that we draw on while looking for new work. It is also the space that we keep an eye on just to see if a better job has opened up. It is a collection of events, links and connections that not only shows what you do but what you aspire for, who you connect with and what are the kinds of professional ambitions you see for yourself.</p>
<p style="text-align: justify; ">Just like Facebook and LinkedIn, which don’t just describe a reality but actually simulate, prescribe and shape it, Aadhaar is a digital network that is seeking to change the very foundational reality of our lives. Like most digital networks, it is not merely an explanation of how things are but the context within which who we are and what we do finds meaning and validation. Thus, Aadhaar might propose that it is merely trying to describe your identity but it is actually offering to shape a new one for you. The programme might suggest that it is trying to implement a system already in place, but it is, in reality, creating an entirely new system within which you and I have to now find space, function and identity. The latest announcements of mainstreaming Aadhaar merely betray this fact – that Aadhaar is not something you define and opt into, Aadhaar defines you. And opting out is going to have severe penalties and consequences.</p>
<p style="text-align: justify; ">Digital networks have long masqueraded as benign visualisations of the world. But they are, in principle, blueprints that transform the world as we know it. This, in itself, is not bad. However, hiding this transformation is. Because when a transformation happens, especially at systemic levels, it is always the people who are the most vulnerable that suffer the most from it. Think about the older friend who might not be the most tech savvy and how they struggle for inclusion on Facebook and WhatsApp messages. Pay some attention to people who did not understand the public nature of LinkedIn and ended up getting fired because they wrote about their current work conditions and the desire to change them. And, similarly, do think if the people who are being pushed into these digital ecosystems without adequate digital literacy, care and information about the consequences of their actions, are being made vulnerable in their access to resources of life and dignity.</p>
<p style="text-align: justify; ">Whether you and I like Aadhaar or not is not really the question. The question is not about the right to privacy either. What is at stake in this deployment of Aadhaar is a government that is pushing radical transformations of the life of its citizens without consulting with them and addressing their needs. In the past, when governments have done this, we have developed strong voices of protest and correction asking the state to be responsible towards those affected by the transformation. The reliance on the digital, however, allows these governments to escape this responsibility and, in the guise of description, are making prescriptions of reality which need to be resisted.</p>
No publisher | nishant | Researchers at Work, Aadhaar, Digital Natives | 2017-05-05T01:31:46Z | Blog Entry
Analysis of Key Provisions of the Aadhaar Act Regulations
http://editors.cis-india.org/internet-governance/blog/analysis-of-key-provisions-of-aadhaar-act-regulations
<b>In exercise of the powers conferred by the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act), the UIDAI came out with a set of five regulations in late 2016. In this policy brief, we look at the five regulations and their key provisions, and point out the issues left unresolved, unaddressed, or created as a result of these regulations.</b>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">This blog post was edited by Elonnai Hickok</p>
<hr style="text-align: justify; " />
<h3 style="text-align: justify; ">Introduction</h3>
<p style="text-align: justify; ">At the outset it is important to note that a concerning feature of these regulations is that they intend to govern the processes of a body which has been in existence for over six years, and has engaged in all the activities sought to be governed by these policies at a massive scale, considering the claims of over one billion Aadhaar number holders. However, the regulations do not acknowledge this fact, let alone address past processes, practices, enrolments, authentications, use of technology etc., and there are no provisions that effectively address the past operations of the UIDAI. Below is an analysis of the five regulations issued thus far by the UIDAI.</p>
<h3 style="text-align: justify; ">Unique Identification Authority of India (Transactions of Business at Meetings of the Authority) Regulations<a href="#_ftn1" name="_ftnref1"><sup><sup>[1]</sup></sup></a></h3>
<p style="text-align: justify; ">These regulations framed under clause (h) of sub-section (2) of section 54 read with sub-section (1) of section 19 of the Aadhaar Act, deal with the meetings of the UIDAI, the process following up to each meeting, and the manner in which all meetings are to be conducted.</p>
<h4 style="text-align: justify; ">Provision: Sub-Regulation 3.</h4>
<p style="text-align: justify; ">Meetings of the Authority– (1) There shall be no less than three meetings of the Authority in a financial year on such dates and at such places as the Chairperson may direct and the interval between any two meetings shall not in any case, be longer than five months</p>
<h5 style="text-align: justify; ">Observations:</h5>
<p style="text-align: justify; ">The number of times that UIDAI would meet in a year is far too low, taking into account the significance of the responsibilities of UIDAI as the sole body for policy making for all issues related to Aadhaar. In contrast, the Telecom Regulatory Authority of India is required to meet at least once a month. Other bodies such as SEBI and IRDAI are also required to meet at least four times<a href="#_ftn2" name="_ftnref2"><sup><sup>[2]</sup></sup></a> and six times<a href="#_ftn3" name="_ftnref3"><sup><sup>[3]</sup></sup></a> in a year respectively.</p>
<h4 style="text-align: justify; ">Provision: Sub-Regulation 8 (5)</h4>
<p style="text-align: justify; ">Decisions taken at every meeting of the Authority shall be published on the website of Authority unless the Chairperson determines otherwise on grounds of ensuring confidentiality.</p>
<h5 style="text-align: justify; ">Observations:</h5>
<p style="text-align: justify; ">The Chairperson has the power to determine withholding publication of the decisions of the meeting on the broad grounds of ‘confidentiality’. Given the fact that the decisions taken by UIDAI as a public body can have very real implications for the rights of residents, the ground of confidentiality is not sufficient to warrant withholding publication. It is curious that instead of referring to the clearly defined exceptions laid down in other similar provisions such as the exceptions in Section 8 of the Right to Information Act, 2005, the rules merely refer to vague and undefined criteria of ‘confidentiality’.</p>
<h4 style="text-align: justify; ">Provision: Sub-Regulation 14 (4)</h4>
<p style="text-align: justify; ">Members of the Authority and invitees shall sign an initial Declaration at the first meeting of the Authority for maintaining the confidentiality of the business transacted at meetings of the Authority in Schedule II.</p>
<h5 style="text-align: justify; ">Observations:</h5>
<p style="text-align: justify; ">The above provision, combined with the fact that there is no provision regarding publication of the minutes of the meetings of UIDAI, raises serious questions about the transparency of its functioning.</p>
<h3 style="text-align: justify; ">Unique Identification Authority of India (Enrolment and Update) Regulations<a href="#_ftn4" name="_ftnref4"><sup><sup>[4]</sup></sup></a></h3>
<p style="text-align: justify; ">These regulations, framed under sub-section (1), and sub-clauses (a), (b), (d), (e), (j), (k), (l), (n), (r), (s), and (v) of sub-section (2), of Section 54 of the Aadhaar Act, deal with the enrolment process, the generation of an Aadhaar number and updation of information, and govern the conduct of enrolment agencies and associated third parties.</p>
<h4 style="text-align: justify; ">Provisions:</h4>
<p style="text-align: justify; ">Sub-Regulation 8 (2), (3) and (4)</p>
<p style="text-align: justify; ">The standard enrolment/update software shall have the security features as may be specified by the Authority for this purpose.</p>
<p style="text-align: justify; ">All equipment used in enrolment, such as computers, printers, biometric devices and other accessories shall be as per the specifications issued by the Authority for this purpose.</p>
<p style="text-align: justify; ">The biometric devices used for enrolment shall meet the specifications, and shall be certified as per the procedure, as may be specified by the Authority for this purpose.</p>
<p style="text-align: justify; ">Sub-Regulation 3 (2)</p>
<p style="text-align: justify; ">The standards for collecting the biometric information shall be as specified by the Authority for this purpose.</p>
<p style="text-align: justify; ">Sub-Regulation 4 (5)</p>
<p style="text-align: justify; ">The standards of the above demographic information shall be as may be specified by the Authority for this purpose.</p>
<p style="text-align: justify; ">Sub-Regulation 6 (2)</p>
<p style="text-align: justify; ">For residents who are unable to provide any biometric information contemplated by these regulations, the Authority shall provide for handling of such exceptions in the enrolment and update software, and such enrolment shall be carried out as per the procedure as may be specified by the Authority for this purpose.</p>
<p style="text-align: justify; ">Sub-Regulation 14 (2)</p>
<p style="text-align: justify; ">In case of rejection due to duplicate enrolment, resident may be informed about the enrolment against which his Aadhaar number has been generated in the manner as may be specified by the Authority.</p>
<h5 style="text-align: justify; ">Observations:</h5>
<p style="text-align: justify; ">Though in February 2017, the UIDAI published technical specifications for registered devices<a href="#_ftn5" name="_ftnref5"><sup><sup>[5]</sup></sup></a>, the regulations leave unaddressed issues such as lack of appropriately defined security safeguards in the Aadhaar. There is a general trend of continued deferrals in the regulations by stating that matters would be specified later on important aspects such as rejection of applications, uploading of the enrolment packet to the CIDR, the procedure for enrolling residents with biometric exceptions, the procedure for informing residents about acceptance/rejection of enrolment application, specifying the convenience fee for updation of residents’ information, the procedure for authenticating individuals across services etc. There is a clear failure to exercise the mandate delegated to UIDAI, leaving key matters to be determined at a future unspecified date. The delay and ambiguity around when regulations will be defined is all the more problematic in light of the fact that the project has been implemented since 2010 and the Aadhaar number is now mandatory for availing a number of services.</p>
<p style="text-align: justify; ">Further it is important to note that a number of policies put out by the UIDAI predate these regulations, on which the regulations are completely silent, thus neither endorsing previous policies nor suggesting that they may be revisited. Further, the regulations choose to not engage with the question of operation of the Aadhaar project, enrolment and storage of data etc prior to the notification of these regulations, or the policies which these regulations may regularise. For instance, the regulations do not specify any measures to deal with issues arising out of enrolment devices used prior to the development of the February 2017 specifications.</p>
<h4 style="text-align: justify; ">Provision: Sub-Regulation 32</h4>
<p style="text-align: justify; ">The Authority shall set up a contact centre to act as a central point of contact for resolution of queries and grievances of residents, accessible to residents through toll free number(s) and/ or e-mail, as may be specified by the Authority for this purpose.</p>
<p style="text-align: justify; ">(2) The contact centre shall:</p>
<ol style="text-align: justify; ">
<li>Provide a mechanism to log queries or grievances and provide residents with a unique reference number for further tracking till closure of the matter;</li>
<li>Provide regional language support to the extent possible;</li>
<li>Ensure safety of any information received from residents in relation to their identity information;</li>
<li>Comply with the procedures and processes as may be specified by the Authority for this purpose.</li>
</ol>
<p style="text-align: justify; ">(3) Residents may also raise grievances by visiting the regional offices of the Authority or through any other officers or channels as may be specified by the Authority.</p>
<h5 style="text-align: justify; ">Observations:</h5>
<p style="text-align: justify; ">While the setting up of a grievance redressal mechanism under the regulations is a welcome move, there is little clarity about the procedure to be followed, nor is a timeline for it specified. The chapter on grievance redressal is in fact one of the shortest chapters in the regulations. The only provision in this chapter deals with the setting up of a contact centre, a curious choice of term for what is supposed to be the primary quasi judicial grievance redressal body for the Aadhaar project. In line with the indifferent and insouciant terminology of ‘contact centre’, the chapter is restricted to the matters of the logging of queries and grievances by the contact centre, and does not address the matter of procedure or timelines, or even the substantive provisions about the nature of redress available. Furthermore, the obligation on the contact centre to protect information received is limited to ‘ensuring safety’, an ambiguous standard that does not speak to any other standards in Indian law.</p>
<h3 style="text-align: justify; ">Aadhaar (Authentication) Regulations, 2016<a href="#_ftn6" name="_ftnref6"><sup><sup>[6]</sup></sup></a></h3>
<p style="text-align: justify; ">These regulations, framed under sub-section (1), and sub-clauses (f) and (w) of sub-section (2) of Section 54 of the Aadhaar Act, deal with the authentication framework for Aadhaar numbers, the governance of authentication agencies and the procedure for collection and storage of authentication data and records.</p>
<h4 style="text-align: justify; ">Provisions:</h4>
<p style="text-align: justify; ">Sub-Regulation 5 (1)</p>
<p style="text-align: justify; ">At the time of authentication, a requesting entity shall inform the Aadhaar number holder of the following details:—</p>
<p style="text-align: justify; ">(a) the nature of information that will be shared by the Authority upon authentication;</p>
<p style="text-align: justify; ">(b) the uses to which the information received during authentication may be put; and</p>
<p style="text-align: justify; ">(c) alternatives to submission of identity information</p>
<p style="text-align: justify; ">Sub-Regulation 6 (2)</p>
<p style="text-align: justify; ">A requesting entity shall obtain the consent referred to in sub-regulation (1) above in physical or preferably in electronic form and maintain logs or records of the consent obtained in the manner and form as may be specified by the Authority for this purpose.</p>
<h5 style="text-align: justify; ">Observations:</h5>
<p style="text-align: justify; ">Sub-regulation 5 mentions that at the time of authentication, requesting entities shall inform the Aadhaar number holder of alternatives to submission of identity information for the purpose of authentication. Similarly, sub-regulation 6 mentions that the requesting entity shall obtain the consent of the Aadhaar number holder for the authentication. However, in neither of the above circumstances do the regulations specify the clearly defined options that must be made available to the Aadhaar number holder in case they do not wish to submit identity information, nor do the regulations specify the procedure to be followed in case the Aadhaar number holder does not provide consent.</p>
<p style="text-align: justify; ">Most significantly, this provision does little by way of allaying the fears raised by the language in Section 8 (4) of the Aadhaar Act which states that UIDAI “shall respond to an authentication query with a positive, negative or any other appropriate response sharing such identity information.” This section gives a very wide discretion to UIDAI to share personal identity information with third parties, and the regulations do not temper or qualify this power in any way.</p>
<h4 style="text-align: justify; ">Sub-Regulation 11 (1) and (4)</h4>
<p style="text-align: justify; ">The Authority may enable an Aadhaar number holder to permanently lock his biometrics and temporarily unlock it when needed for biometric authentication.</p>
<p style="text-align: justify; ">The Authority may make provisions for Aadhaar number holders to remove such permanent locks at any point in a secure manner.</p>
<h5 style="text-align: justify; ">Observations:</h5>
<p style="text-align: justify; ">A welcome provision in the regulation is that of biometric locking, which allows Aadhaar number holders to permanently lock their biometrics and temporarily unlock them only when needed for biometric authentication. However, in the same breath, the regulation also provides for the UIDAI to make provisions to remove such locking without any specified grounds for doing so.</p>
<h4 style="text-align: justify; ">Provision: Sub-Regulation 18 (2), (3) and (4)</h4>
<p style="text-align: justify; ">The logs of authentication transactions shall be maintained by the requesting entity for a period of 2 (two) years, during which period an Aadhaar number holder shall have the right to access such logs, in accordance with the procedure as may be specified.</p>
<p style="text-align: justify; ">Upon expiry of the period specified in sub-regulation (2), the logs shall be archived for a period of five years or the number of years as required by the laws or regulations governing the entity, whichever is later, and upon expiry of the said period, the logs shall be deleted except those records required to be retained by a court or required to be retained for any pending disputes.</p>
<p style="text-align: justify; ">The requesting entity shall not share the authentication logs with any person other than the concerned Aadhaar number holder upon his request or for grievance redressal and resolution of disputes or with the Authority for audit purposes. The authentication logs shall not be used for any purpose other than stated in this sub-regulation.</p>
<h5 style="text-align: justify; ">Observations:</h5>
<p style="text-align: justify; ">While it is specified that the authentication logs collected by the requesting entities shall not be shared with any person other than the concerned Aadhaar number holder upon their request or for grievance redressal and resolution of disputes or with the Authority for audit purposes, and that the authentication logs may not be used for any other purpose, the maintenance of the logs for a period of seven years seems excessive. Similarly, the UIDAI is also supposed to store authentication transaction data for over five years. This is in violation of the widely recognized data minimisation principle, which requires that data collectors and data processors delete personal data records when the purpose for which they were collected is fulfilled. While retention of data for audit and dispute-resolution purposes is legitimate, the lack of specification of security standards, the overall lack of transparency and the inadequate grievance redressal mechanism greatly exacerbate the risks associated with data retention.</p>
<h3 style="text-align: justify; ">Aadhaar (Sharing of Information) Regulations, 2016 and Aadhaar (Data security) Regulations, 2016<a href="#_ftn7" name="_ftnref7"><sup><sup>[7]</sup></sup></a></h3>
<p style="text-align: justify; ">Framed under the powers conferred by sub-section (1), and sub-clause (o) of sub-section (2), of Section 54 read with sub-clause (k) of sub-section (2) of Section 23, and sub-sections (2) and (4) of Section 29, of the Aadhaar Act, the Sharing of Information regulations look at the restrictions on sharing of identity information collected by the UIDAI and requesting entities. The Data Security regulation, framed under powers conferred by clause (p) of subsection (2) of section 54 of the Aadhaar Act, looks at security obligations of all service providers engaged by the UIDAI.</p>
<h4 style="text-align: justify; ">Provision: Sub-Regulation 6 (1)</h4>
<p style="text-align: justify; ">All agencies, consultants, advisors and other service providers engaged by the Authority, and ecosystem partners such as registrars, requesting entities, Authentication User Agencies and Authentication Service Agencies shall get their operations audited by an information systems auditor certified by a recognised body under the Information Technology Act, 2000 and furnish certified audit reports to the Authority, upon request or at time periods specified by the Authority.</p>
<h5 style="text-align: justify; ">Observations:</h5>
<p style="text-align: justify; ">The regulation states that audits shall be conducted by an information systems auditor certified by a recognised body under the Information Technology Act, 2000. However, there is no such certifying body under the Information Technology Act. This suggests a lack of diligence in framing the rules, and will inevitably lead to inordinate delays, or alternately, a lack of a clear procedure in the appointment of an auditor. Further, instead of prescribing a regular and proactive process of audits, the regulation limits audits to when requested or as deemed appropriate by UIDAI. This is another in a line of many provisions whose implication is power being concentrated in the hands of UIDAI, with little scope for accountability and transparency.</p>
<h3 style="text-align: justify; ">Conclusion</h3>
<p style="text-align: justify; ">In conclusion, it must be stated that the regulations promulgated by the UIDAI leave a lot to be desired. Some of the most important issues raised against the Aadhaar Act, which were delegated to the UIDAI’s rule making powers, have not been addressed at all. Some of the most important issues such as data security policies, right to access records of Aadhaar number holders, procedure to be followed by the grievance redressal bodies, uploading of the enrolment packet to the CIDR, procedure for enrolling residents with biometric exceptions, and procedure for informing residents about acceptance/rejection of enrolment application have been left unaddressed and ‘may be specified’ at a later date. These failures leave a gaping hole, especially in light of the absence of a comprehensive data protection legislation in India, as well as the speed and haste with which the enrolment and seeding have been done by the UIDAI, and the number of services, both private and public, which are using or planning to use the Aadhaar number and the authentication process as a primary identifier for residents.</p>
<p style="text-align: justify; "><a href="#_ftnref1" name="_ftn1"><sup><sup>[1]</sup></sup></a> Available at <a href="https://uidai.gov.in/legal-framework/acts/regulations.html">https://uidai.gov.in/legal-framework/acts/regulations.html</a></p>
<p style="text-align: justify; "><a href="#_ftnref2" name="_ftn2"><sup><sup>[2]</sup></sup></a> <a href="https://www.irda.gov.in/ADMINCMS/cms/frmGeneral_Layout.aspx?page=PageNo62&flag=1">https://www.irda.gov.in/ADMINCMS/cms/frmGeneral_Layout.aspx?page=PageNo62&flag=1</a></p>
<p style="text-align: justify; "><a href="#_ftnref3" name="_ftn3"><sup><sup>[3]</sup></sup></a> <a href="http://www.sebi.gov.in/acts/boardregu.html">http://www.sebi.gov.in/acts/boardregu.html</a></p>
<p style="text-align: justify; "><a href="#_ftnref4" name="_ftn4"><sup><sup>[4]</sup></sup></a> Available at <a href="https://uidai.gov.in/legal-framework/acts/regulations.html">https://uidai.gov.in/legal-framework/acts/regulations.html</a></p>
<p style="text-align: justify; "><a href="#_ftnref5" name="_ftn5"><sup><sup>[5]</sup></sup></a> Available at: https://uidai.gov.in/images/resource/aadhaar_registered_devices_2_0_09112016.pdf</p>
<p style="text-align: justify; "><a href="#_ftnref6" name="_ftn6"><sup><sup>[6]</sup></sup></a> Available at <a href="https://uidai.gov.in/legal-framework/acts/regulations.html">https://uidai.gov.in/legal-framework/acts/regulations.html</a></p>
<p style="text-align: justify; "><a href="#_ftnref7" name="_ftn7"><sup><sup>[7]</sup></sup></a> Available at <a href="https://uidai.gov.in/legal-framework/acts/regulations.html">https://uidai.gov.in/legal-framework/acts/regulations.html</a></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/analysis-of-key-provisions-of-aadhaar-act-regulations'>http://editors.cis-india.org/internet-governance/blog/analysis-of-key-provisions-of-aadhaar-act-regulations</a>
</p>
No publisher | amber | UID | Privacy | Internet Governance | UIDAI | Biometrics | Aadhaar | 2017-04-03T14:05:01Z | Blog Entry
It’s the technology, stupid
http://editors.cis-india.org/internet-governance/blog/the-hindu-businessline-march-31-2017-sunil-abraham-its-the-technology-stupid
<b>Eleven reasons why the Aadhaar is not just non-smart but also insecure.</b>
<p style="text-align: justify; ">The article was <a class="external-link" href="http://www.thehindubusinessline.com/blink/cover/11-reasons-why-aadhaar-is-not-just-nonsmart-but-also-insecure/article9608225.ece">published in Hindu Businessline</a> on March 31, 2017.</p>
<hr />
<p style="text-align: justify; ">Aadhaar is insecure because it is based on biometrics. Biometrics is surveillance technology, a necessity for any State. However, surveillance is much like salt in cooking: essential in tiny quantities, but counterproductive even if slightly in excess. Biometrics should be used for targeted surveillance, but this technology should not be used in e-governance for the following reasons:<br /><br />One, biometrics is becoming a remote technology. High-resolution cameras allow malicious actors to steal fingerprints and iris images from unsuspecting people. In a couple of years, governments will be able to identify citizens more accurately in a crowd with iris recognition than the current generation of facial recognition technology.<br /><br />Two, biometrics is covert technology. Thanks to sophisticated remote sensors, biometrics can be harvested without the knowledge of the citizen. This increases effectiveness from a surveillance perspective, but diminishes it from an e-governance perspective.<br /><br />Three, biometrics is non-consensual technology. There is a big difference between the State identifying citizens and citizens identifying themselves to the state. With biometrics, the State can identify citizens without seeking their consent. With a smart card, the citizen has to allow the State to identify them. Once you discard your smart card the State cannot easily identify you, but you cannot discard your biometrics.<br /><br />Four, biometrics is very similar to symmetric cryptography. Modern cryptography is asymmetric. Where there is both a public and a private key, the user always has the private key, which is never in transit and, therefore, intermediaries cannot intercept it. Biometrics, on the other hand, needs to be secured during transit. 
The UIDAI’s (Unique Identification Authority of India overseeing the rollout of Aadhaar) current fix for its erroneous choice of technology is the use of “registered devices”; but, unfortunately, the encryption is only at the software layer and cannot prevent hardware interception.<br /><br />Five, biometrics requires a centralised network; in contrast, cryptography for smart cards does not require a centralised store for all private keys. All centralised stores are honey pots — targeted by criminals, foreign States and terrorists.<br /><br />Six, biometrics is irrevocable. Once compromised, it cannot be secured again. Smart cards are based on asymmetric cryptography, which even the UIDAI uses to secure its servers from attacks. If cryptography is good for the State, then surely it is good for the citizen too.<br /><br />Seven, biometrics is based on probability. Cryptography in smart cards, on the other hand, allows for exact matching. Every biometric device comes with ratios for false positives and false negatives. These ratios are determined in near-perfect lab conditions. Going by press reports and even UIDAI’s claims, the field reality is unsurprisingly different from the lab. Imagine going to an ATM and not being sure if your debit card will match your bank’s records.<br /><br />Eight, biometric technology is proprietary and opaque. You cannot independently audit the proprietary technology used by the UIDAI for effectiveness and security. On the other hand, open smart card standards like SCOSTA (Smart Card Operating System for Transport Applications) are based on globally accepted cryptographic standards and allow researchers, scientists and mathematicians to independently confirm the claims of the government.<br /><br />Nine, biometrics is cheap and easy to defeat. Any Indian citizen, even children, can make gummy fingers at home using Fevicol and wax. You can buy fingerprint lifting kits from a toystore. 
To clone a smart card, on the other hand, you need a skimmer, a printer and knowledge of cryptography.<br /><br />Ten, biometrics undermines human dignity. In many media photographs — even on the @UIDAI’s Twitter stream — you can see the biometric device operator pressing the applicant’s fingers, especially in the case of underprivileged citizens, against the reader. Imagine service providers — say, a shopkeeper or a restaurant waiter — having to touch you every time you want to pay. Smart cards offer a more dignified user experience.<br /><br />Eleven, biometrics enables the shirking of responsibility, while cryptography requires a chain of trust.<br /><br />Each legitimate transaction has repudiable signatures of all parties responsible. With biometrics, the buck will be passed to an inscrutable black box every time things go wrong. The citizens or courts will have nobody to hold to account.</p>
<p style="text-align: justify; ">The precursor to Aadhaar was called MNIC (Multipurpose National Identification Card). Initiated by the NDA government headed by Atal Bihari Vajpayee, it was based on the open SCOSTA standard. This was the correct technological choice.<br /><br />Unfortunately, the promoters of Aadhaar chose biometrics in their belief that newer, costlier and complex technology is superior to an older, cheaper and simpler alternative.<br /><br />This erroneous technological choice is not a glitch or teething problem that can be dealt with legislative fixes such as an improved Aadhaar Act or an omnibus Privacy Act. It can only be fixed by destroying the centralised biometric database, like the UK did, and shifting to smart cards.<br /><br />In other words, you cannot fix using the law what you have broken using technology.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/the-hindu-businessline-march-31-2017-sunil-abraham-its-the-technology-stupid'>http://editors.cis-india.org/internet-governance/blog/the-hindu-businessline-march-31-2017-sunil-abraham-its-the-technology-stupid</a>
</p>
No publisher | sunil | Biometrics | Aadhaar | Internet Governance | Privacy | 2017-04-07T12:53:21Z | Blog Entry
How Aadhaar compromises privacy? And how to fix it?
http://editors.cis-india.org/internet-governance/blog/hindu-op-ed-sunil-abraham-march-31-2017-how-aadhaar-compromises-privacy-and-how-to-fix-it
<b>Aadhaar is mass surveillance technology. Unlike targeted surveillance which is a good thing, and essential for national security and public order – mass surveillance undermines security. And while biometrics is appropriate for targeted surveillance by the state – it is wholly inappropriate for everyday transactions between the state and law abiding citizens. </b>
<p style="text-align: justify; ">The op-ed was published in the <a class="external-link" href="http://www.thehindu.com/opinion/op-ed/is-aadhaar-a-breach-of-privacy/article17745615.ece">Hindu</a> on March 31, 2017.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">When assessing a technology, don't ask - “what use is it being put to today?”. Instead, ask “what use can it be put to tomorrow and by whom?”. The original noble intentions of the Aadhaar project will not constrain those in the future that want to take full advantage of its technological possibilities. However, rather than frame the surveillance potential of Aadhaar in a negative tone as three problem statements - I will propose three modifications to the project that will reduce but not eliminate its surveillance potential.</p>
<p style="text-align: justify; "><b>Shift from biometrics to smart cards:</b><span> In January 2011, the Centre for Internet and Society had written to the parliamentary finance committee that was reviewing what was then called the “National Identification Authority of India Bill 2010”. We provided nine reasons for the government to stop using biometrics and instead use an open smart card standard. Biometrics allows for identification of citizens even when they don't want to be identified. Even unconscious and dead citizens can be identified using biometrics. Smart cards, on the other hand, require pins and thus citizens' conscious cooperation during the identification process. Once you flush your smart cards down the toilet nobody can use them to identify you. Consent is baked into the design of the technology. If the UIDAI adopts smart cards, we can destroy the centralized database of biometrics just like the UK government did in 2010 under Theresa May's tenure as Home Secretary. This would completely eliminate the risk of foreign governments, criminals and terrorists using the biometric database to remotely, covertly and non-consensually identify Indians.</span></p>
<p style="text-align: justify; "><b>Destroy the authentication transaction database:</b><span> The Aadhaar Authentication Regulations 2016 specify that transaction data will be archived for five years after the date of the transaction. Even though the UIDAI claims that this is a zero knowledge database from the perspective of “reasons for authentication”, any big data expert will tell you that it is trivial to guess what is going on using the unique identifiers for the registered devices and time stamps that are used for authentication. That is how they put Rajat Gupta and Raj Rajaratnam in prison. There was nothing in the payload, i.e. voice recordings of the tapped telephone conversations – the conviction was based on meta-data. Smart cards based on open standards allow for decentralized authentication by multiple entities and therefore eliminate the need for a centralized transaction database.</span></p>
<p style="text-align: justify; "><b>Prohibit the use of Aadhaar number in other databases:</b><span> We must, as a nation, get over our obsession with Know Your Customer [KYC] requirements. For example, for SIM cards there is no KYC requirement in most developed countries. Our insistence on KYC has only resulted in retardation of Internet adoption, a black market for ID documents and unnecessary wastage of resources by telecom companies. It has not prevented criminals and terrorists from using phones. Where we must absolutely have KYC for the purposes of security, elimination of ghosts and regulatory compliance – we must use a token issued by UIDAI instead of the Aadhaar number itself. This would make it harder for unauthorized parties to combine databases while at the same time, enabling law enforcement agencies to combine databases using the appropriate authorizations and infrastructure like NATGRID. The NATGRID, unlike Aadhaar, is not a centralized database. It is a standard and platform for the express assembly of sub-sets of up to 20 databases which is then accessed by up to 12 law enforcement and intelligence agencies.</span></p>
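<p style="text-align: justify; ">The token proposal above, sketched as an added example that is not part of the original op-ed and does not describe any UIDAI scheme: a hypothetical issuer derives a different token per relying party with HMAC-SHA256, so two databases cannot be joined on the identifier, while an authorised requester can still ask the issuer to link records. The class and function names, the key, the relying-party names and the ID numbers are all constructed assumptions.</p>

```python
import hashlib
import hmac

# Constructed demo key; a real issuer would keep a random secret in an HSM.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample population: id number -> (telecom record, bank record).
PEOPLE = {
    "999900000001": ("sim-A1", "account-B1"),
    "999900000002": ("sim-A2", "account-B2"),
    "999900000003": ("sim-A3", "account-B3"),
}


class TokenIssuer:
    """Hypothetical issuer giving each relying party its own token per person."""

    def __init__(self, key, authorised_requesters):
        self._key = key
        self._authorised = set(authorised_requesters)
        self._vault = {}  # (relying_party, token) -> id number, held by issuer only

    def issue(self, id_number, relying_party):
        # Length-prefix the relying-party name so the two fields cannot blur together.
        rp = relying_party.encode()
        msg = len(rp).to_bytes(2, "big") + rp + id_number.encode()
        token = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]
        self._vault[(relying_party, token)] = id_number
        return token

    def translate(self, requester, token, from_rp, to_rp):
        """Map one party's token to another's, only for authorised requesters."""
        if requester not in self._authorised:
            raise PermissionError(f"{requester} may not link databases")
        id_number = self._vault[(from_rp, token)]  # KeyError if token unknown
        return self.issue(id_number, to_rp)


def join_on_identifier(db_a, db_b):
    """What anyone holding both databases can do: join on the shared key."""
    return sorted((db_a[k], db_b[k]) for k in db_a.keys() & db_b.keys())


def demo():
    issuer = TokenIssuer(DEMO_KEY, {"court-ordered-request"})

    # Design 1: both databases store the raw id number.
    raw_telecom = {n: sim for n, (sim, _) in PEOPLE.items()}
    raw_bank = {n: acct for n, (_, acct) in PEOPLE.items()}

    # Design 2: each database stores only its own per-party token.
    tok_telecom = {issuer.issue(n, "telecom"): sim for n, (sim, _) in PEOPLE.items()}
    tok_bank = {issuer.issue(n, "bank"): acct for n, (_, acct) in PEOPLE.items()}

    # Authorised linking goes through the issuer, which can log and audit it.
    telecom_token = issuer.issue("999900000002", "telecom")
    bank_token = issuer.translate(
        "court-ordered-request", telecom_token, "telecom", "bank")

    try:
        issuer.translate("data-broker", telecom_token, "telecom", "bank")
        blocked = False
    except PermissionError:
        blocked = True

    return {
        "raw_join": join_on_identifier(raw_telecom, raw_bank),
        "token_join": join_on_identifier(tok_telecom, tok_bank),
        "linked_bank_record": tok_bank[bank_token],
        "unauthorised_blocked": blocked,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```

<p style="text-align: justify; ">The protection rests entirely on the issuer's key and vault staying private; the raw number must not be stored alongside the token in the relying party's database, or the join becomes possible again.</p>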
<p style="text-align: justify; "><span>To conclude, even as a surveillance project – Aadhaar is very poorly designed. The technology needs fixing today, the law can wait for tomorrow.</span></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/hindu-op-ed-sunil-abraham-march-31-2017-how-aadhaar-compromises-privacy-and-how-to-fix-it'>http://editors.cis-india.org/internet-governance/blog/hindu-op-ed-sunil-abraham-march-31-2017-how-aadhaar-compromises-privacy-and-how-to-fix-it</a>
</p>
No publisher | sunil | Surveillance, Aadhaar, Internet Governance, Privacy | 2017-04-01T07:00:06Z | Blog Entry
Is the government in a hurry on Aadhaar?
http://editors.cis-india.org/internet-governance/news/ndtv-march-27-2017-discussion-on-aadhaar
<b>Amber Sinha took part in a discussion on Aadhaar aired by NDTV on March 27, 2017. </b>
<p style="text-align: justify; ">From July 1, 2017, it will be mandatory to provide an Aadhaar number for filing income tax returns and for a PAN number. Income tax returns can no longer be filed without Aadhaar. Anyone who has a PAN card will have to provide their Aadhaar number by July 1. If they do not, the PAN card will become invalid. It will be deemed that you do not have a PAN card or PAN number. Making Aadhaar mandatory for the income tax form and the PAN number has raised several questions once again. Between 2009 and 2017, we heard many debates and read dozens of articles about the use of Aadhaar, about its leaks, and about the dangers of making it mandatory. On the other hand, we saw in society that there is remarkable enthusiasm for Aadhaar.</p>
<p style="text-align: justify; "><a class="external-link" href="http://www.ndtv.com/video/shows/prime-time/is-the-government-in-a-hurry-on-aadhaar-452934?relatedviaplayer">Watch the Video on NDTV</a></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/ndtv-march-27-2017-discussion-on-aadhaar'>http://editors.cis-india.org/internet-governance/news/ndtv-march-27-2017-discussion-on-aadhaar</a>
</p>
No publisher | praskrishna | Aadhaar, Internet Governance, Privacy | 2017-03-29T03:52:08Z | News Item
India’s biometric ID scans make sci-fi a reality
http://editors.cis-india.org/internet-governance/news/financial-times-march-27-2017-amy-kazmin-indias-biometric-id-scans-make-sci-fi-a-reality
<b>I have been thinking about my fingerprints and the secrets that may lie within my eyes — and whether I want to share them with the Indian government. I may not however have a choice.
</b>
<p style="text-align: justify; ">The article by Amy Kazmin was published in the <a class="external-link" href="https://www.ft.com/content/46dcb248-0fcb-11e7-a88c-50ba212dce4d">Financial Times</a> on March 27, 2017. Sunil Abraham was quoted.</p>
<hr />
<p style="text-align: justify; ">India has the world’s largest domestic biometric identification system, known as Aadhaar. Since 2010, the government has collected fingerprints and iris scans from more than 1bn residents, and each has been assigned a 12-digit <a class="external-link" href="https://uidai.gov.in/">identification number</a>.</p>
<p style="text-align: justify; ">The scheme is championed by Nandan Nilekani, the billionaire co-founder of IT company Infosys. It was initially conceived to ensure poor Indians received subsidised food entitlements and other welfare benefits that were previously siphoned off by unscrupulous intermediaries. It was also seen as offering poor Indians, many of whom lack birth certificates, with a portable ID that can be used anywhere in the country.</p>
<p style="text-align: justify; ">Until now, obtaining an Aadhaar number was voluntary, though most Indians enrolled without hesitation as they see its potential benefits. But New Delhi is now enlisting Aadhaar, which means “foundation” or “base” in Hindi, in more than just welfare schemes. This would mean sharing one’s biometric details isn’t really optional any more despite a Supreme Court ruling that it should be “purely voluntary”.</p>
<p style="text-align: justify; ">Last week, the government issued a rule requiring an Aadhaar number for filing tax returns, ostensibly to improve tax compliance. It has also decided that all cell phone numbers must be linked to an Aadhaar number by 2018. Even Indian Railways has plans to demand Aadhaar from those booking train tickets online.</p>
<p style="text-align: justify; ">What was once touted as an initiative to improve delivery of welfare suddenly now seems like the foundation of a surveillance state — and I admit the prospect of putting my own biometrics in the database leaves me uneasy.</p>
<p style="text-align: justify; ">As a US citizen, I’ve never had to give my biometric data to my government. Domestically, fingerprints are only taken from criminal suspects, or applicants for government jobs, though I know foreign citizens are fingerprinted on arrival.</p>
<p style="text-align: justify; ">To me, the idea of sharing eye scans evokes the dystopian Hollywood film, Minority Report, which depicts a near future in which optical-recognition cameras allow the authorities to identify anyone in any public place. The hero on the run, played by Tom Cruise, has an illegal eye transplant to avoid detection.</p>
<p style="text-align: justify; ">In recent days, many Indian academics and activists have raised concerns about Aadhaar data security, the lack of privacy rules and the absence of any accountability structure if data are misused.</p>
<p style="text-align: justify; ">"Biometrics is being weaponised," says Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society. "What you need to be worried about is that someone will clean out your bank account or frame you in a crime," he says.</p>
<p style="text-align: justify; ">Pratap Bhanu Mehta, director of the Centre for Policy Research, has written of the “conversion of Aadhaar from a tool of citizen empowerment to a tool of state surveillance and citizen vulnerability”.</p>
<p style="text-align: justify; ">I call <a class="external-link" href="https://www.ft.com/content/058c4b48-d43c-11e6-9341-7393bb2e1b51">Mr Nilekani</a>, of whose honourable intentions I have no doubt. After leaving Infosys in 2009, he spent five years in government, working to get Aadhaar off the ground. He says he is “extremely offended” when his project is accused of being part of a surveillance society, a narrative he says is “completely misrepresenting” the project. “I can steal your fingerprint off your glass. I don’t need this fancy technology,” he says. “Surveillance is far better done by following my phone, or when I use a map to order a taxi: the map knows where I am. Our internet companies know where you are.”</p>
<p style="text-align: justify; ">But in a society known for ingenious means of bypassing rules, such as having multiple taxpayer ID cards to aid evasion, Mr Nilekani says biometric authentication of individuals can bring discipline and reduce cheating. “It’s like you are creating a rule-based society,” he says, “it’s the transition that is going on right now.” I hang up, hardly reassured. To me, it seems clear that in India, as in so many places these days, Big Brother is increasingly watching.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/financial-times-march-27-2017-amy-kazmin-indias-biometric-id-scans-make-sci-fi-a-reality'>http://editors.cis-india.org/internet-governance/news/financial-times-march-27-2017-amy-kazmin-indias-biometric-id-scans-make-sci-fi-a-reality</a>
</p>
No publisher | praskrishna | Biometrics, Aadhaar, Internet Governance, Privacy | 2017-03-28T02:45:28Z | News Item