Centre for Internet and Society

Making Aadhaar Mandatory: Gamechanger For Governance?

praskrishna — 2016-03-24T06:50:10Z

Why a programme that both the Congress and the BJP have hailed as transformational has divided Parliament this week? The Aadhaar Bill which was passed this week aims at facilitating government benefits and subsidies to citizens said Finance Minister Arun Jaitley.

Yet it became a reason for the Rajya Sabha to raise key questions. On the panel - Chandan Mitra, Rajya Sabha MP, BJP; Ajoy Kumar, Spokesperson, Congress; Tathagat Sathapathy, Lok Sabha MP, Biju Janata Dal; Rajeev Chandrashekhar, Rajya Sabha MP; Sunil Abraham, Executive Director, Centre for Internet & Society; and Shekhar Gupta, Senior Journalist.

Video

Link to NDTV website

For more details visit http://editors.cis-india.org/internet-governance/news/ndtv-march-20-2016-making-aadhaar-mandatory-gamechanger-for-governance

How the government gains when private companies use Aadhaar

praskrishna — 2016-04-01T15:58:38Z

This blog post by M. Rajshekhar and Anumeha Yadav was published in Scroll.in on March 24, 2016. Sunil Abraham was quoted.

Last week, Rajya Sabha made a last-ditch attempt to modify the contentious Aadhaar legislation introduced by the Modi government. Since the legislation was introduced as a Money Bill, the Upper House had no powers to amend it. It could only send back the bill with recommended amendments.

One of the clauses which Rajya Sabha wished to amend related to the use of the Aadhaar number, the 12-digit unique identification number assigned after the collection of an individual’s biometrics in the form of fingerprints and iris scans.

Clause 57 said that anyone, whether an individual or a public or private organisation, could use the Aadhaar number. Rajya Sabha voted to restrict the use of the number to the government. After all, the government had justified introducing Aadhaar legislation as a Money Bill by stating that it would be used for delivering government subsidies and benefits funded out of the Consolidated Fund of India. If the delivery of government welfare is the aim of Aadhaar, why should private companies be allowed to use it?

The Rajya Sabha recommended dropping clause 57 to limit the use of Aadhaar to government agencies. But the Lok Sabha rejected its recommendation, and cleared the Bill in its original form, paving the way for private companies to use Aadhaar.

Strikingly, however, well before the Bill was cleared, a private company started advertising its services as “India’s 1st Aadhaar based mobile app to verify your maid, driver, electrician, tutor, tenant and everyone else instantly”. In an article for Scroll.in, legal researcher Usha Ramanathan said, “A private company is advertising that it can use Aadhaar to collate information about citizens at a price. It says this openly, even as a case about the privacy of the information collected for the biometrics-linked government database is still pending in the Supreme Court.”

LinkedIn for plumbers

The company that owns the mobile app called TrustID believes it is not doing anything wrong.

Monika Chowdhry, who heads the marketing division of Swabhimaan Distribution Services, the company that created TrustID, defended the app, saying it offers the valuable service of verifying people's identities. “In our day to day life, we do a lot of transactions with people – like maids or plumbers. Till now, you would have to trust them on what they said about themselves and what others said about the quality of their work.” The company is solving that problem, she said. “We are saying ask the person for their Aadhaar number and name and we will immediately tell you if they are telling the truth or not,” Chowdhry said.

Chowdhry said that over time, the Aadhaar number of individuals will be used to create a private verified database of TrustIDs. “Our plan is to create a rating mechanism,” she said. Referring to the option for maid, plumbers and other service providers on the app, she added: “People like you and me, we have Linkedin and Naukri. What do these people have?”

How does the company use Aadhaar for verification and is there a reason to be concerned?

Aadhaar authentication

After you have logged into the TrustID app, you can choose from a dropdown menu of categories. You can send anyone's Aadhaar number, gender and name – or even biometrics – and the app claims it can verify their identity.

The app performs Aadhaar authentication – which means it matches an Aadhaar number with the information stored against that number in the servers of the Unique Identification Authority of India. At the time an individual enrols for an Aadhaar number, they disclose their name, gender, address and give biometric scans. This information is held in a database maintained by the UID authority.

One of the criticisms of Aadhaar has been that the database of millions of people could be misused in the absence of a privacy law in India. First, there is the question about whether the biometrics are secure. Second, there are risks that accompany the uncontrolled use of unique numbers.

In response, the proponents of Aadhaar have said that the data is encrypted and secure, and can be accessed only by the authority. Those wanting to authenticate – or match – the Aadhaar number cannot directly access the database. They can simply make requests to the authority which authenticates the number for them.

So far, it appeared that the authority was taking Aadhaar authentication requests solely from government agencies. For instance, to pay wages to workers of the rural employment guarantee programme.

But TrustID’s example showed that private companies too have been sending authentication requests to the authority. This is not entirely surprising for those who have followed the blueprint for Aadhaar as envisioned by Nandan Nilekani, its founder. In an interview in 2012, Nilekani spoke about creating a "thriving application system" using Aadhaar for both the public and private sector.

Chowdhary said Swabhimaan Distribution Services registered as an Aadhaar authentication agency in November 2015, and the app was launched in January 2016.

TrustID, or Swabhimaan, is not the only private company that has signed up as an authentication agency for Aadhaar. A quick Google search throws up the name of Alankit, which wants to “provide Aadhaar Enabled Services to its beneficiaries, clients and customers and can further verify the correctness of the Aadhaar numbers provided ” .

This shows the authority entered into agreements with private companies well before the Aadhaar law was passed in Parliament. The companies were running ahead of legislation in a space unbounded by law, and the UIDAI supported them in this.

It is unclear how many private companies were sending requests for Aadhaar authentication. Scroll's questions to Harish Agrawal, the deputy director general of Aadhaar's Authentication and Application Division, remained unanswered.

In an interview to Business Standard, ABP Pandey, the director general of the UIDAI, said, "Usually what happens is that first a law is passed and thereafter the institutions are built and operations start. Here it has happened the other way around. The operations – the enrolment – is almost complete. The organisation is also there and has been working under executive orders. Now everything has to be kind of retrofitted in to the acts and the regulations."

Why is this problematic?

For one, allowing private companies to use the Aadhaar number shows that the government’s stated aims of Aadhaar are misleading.

Both in the Supreme Court and in Parliament, the government has pushed for the use of Aadhaar as an instrument of welfare delivery. It justified passing Aadhaar legislation as a Money Bill by emphasising its importance to its welfare schemes. But as the case of Swabhimaan shows, Aadhaar's uses clearly go well beyond what the Bill's preamble describes as the “targeted delivery of subsidies, benefits and services, the expenditure for which is incurred from the Consolidated Fund of India.”

Two, biometrics and unique identification numbers are a qualitatively new form of private information. As such, they bring unknown risks. India does not have a privacy law, and a law defining the use of biometrics and unique numbers is yet to be created. Delhi-based lawyer Apar Gupta said, “Even the Aadhaar Bill is yet to be approved by the president. Its rules are yet to be drafted. There is not enough legal guidance on its use.”

Three, companies like Swabhimaan would be in a position to construct databases of their own. Take TrustID. When it starts retaining Aadhaar numbers, and adds ratings to them, it creates a database of its own, which amounts to creating profiles of people.

Here, as Ramanathan said, the analogy with the networking site LinkedIn doesn't work. “When I have an account on LinkedIn, I update my data,” she said. But the TrustID app generates profiles out of the ratings that others give. Even if a prospective employee shares his/her Aadhaar number, it does not amount to free consent since getting a job hinges on giving that number.

In the future, companies could use Aadhaar numbers in unknown ways, for instance, to combine multiple databases – banks, telecom companies, hospitals – to create detailed profiles of you and me that they can monetise. In effect, Aadhaar becomes a commercial instrument for private companies, and not just a mechanism for the delivery of government welfare.

Gains for the government

Sunil Abraham, the executive director of the Centre for Internet and Society, further explained the risks that arise when databases are combined. He cited the example of OCEAN, the system created by researchers at the Indraprastha Institute of Information Technology to raise privacy awareness. OCEAN used publicly available information held by the government (voter identity card, PAN card, driving licence) to access details about citizens in Delhi. This public data was combined with people's Facebook and Twitter accounts, and the aggregated results were visualised as a family tree which showed information extending to a person’s parents, siblings and spouse.

"If a company like TrustID tied up with OCEAN, it can create a very detailed profile of an individual," said Abraham. "To continue with the example of a job-seeker, if a employer uses TrustID to verify applicants' identity or profiles, the App may combine a database like OCEAN to track that you logged into Twitter at, say 2 am on most nights. It can profile you as someone who might not turn up at work on time in the morning."

Abraham pointed out that the government too stands to gain by allowing private companies to use Aadhaar for authentication. "Use of authentication by private companies will mean UIDAI can have information on authentications performed on you, or by you, over time in the private sphere as well, say during such a job search," he said. For instance, when TrustID runs a search for your prospective employers using your Aadhaar number, the government knows you have applied for a job at certain companies. "This is unnecessary involvement of the government, giving it access to information in an area that it should not have access to."

Over time, such Aadhaar authentication for private services in companies, hospitals, or hotels will "help the government gain granular data on citizens", he said.

Perhaps that explains why the government rushed the Aadhaar Bill through Parliament, allowing little time and room for public debate.

For more details visit http://editors.cis-india.org/internet-governance/news/scroll.in-march-24-2016-rajshekhar-anumeha-yadav-how-the-govt-gains-when-private-companies-use-aadhaar

Seven reasons why Parliament should debate the Aadhaar bill (and not pass it in a rush)

praskrishna — 2016-03-24T02:25:24Z

Critics say the Aadhaar Bill does not address concerns over privacy, even as government is rushing the Bill without adequate parliamentary scrutiny.

The blog post by Anumeha Yadav was published in Scroll.in on March 11, 2016. Pranesh Prakash was quoted.

Since it was launched by the United Progressive Alliance government in 2009, the Unique Identification project called Aadhaar has functioned without a legal framework. The project, which aims to assign a biometric-based number to every Indian resident, has been run under an executive order, which means Parliament has no oversight over it.

An Aadhaar Bill was introduced in 2010 but it was rejected by a parliamentary committee over legislative, security, and privacy concerns.

For long, critics have expressed concerns over collecting and centralising citizens' biometric data ‒ such as fingerprints and retina scans ‒ on a mass scale in the absence of a privacy law. The Supreme Court in several orders in 2014 and 2015 affirmed that the government cannot require people to register for an Aadhaar number and no one can be deprived of a government service for not having an Aadhaar number. The Supreme Court is now set to form a constitution bench to examine the contours of the right to privacy flowing from the government's arguments in the Aadhaar case.

Before the bench begins its work, however, the Modi government has introduced a new Bill on Aadhaar, which could override the court's orders.

The Aadhaar (Target Delivery of Financial and Other Subsidies, Benefits and Services) Bill was introduced on March 3 in Lok Sabha. Finance minister Arun Jaitley said the new Bill addresses concerns over privacy and the security and confidentiality of information.

But a close examination of the Bill shows several questions remain.

1. Does the Bill make it mandatory for you to get an Aadhaar number?
Yes, you may have to compulsorily enrol under Aadhaar, despite the privacy concerns explained in the sections below.

Four-time member of the Lok Sabha, Bhartruhari Mahtab of the Biju Janata Dal, was on the parliamentary committee on finance that examined the previous Aadhaar Bill introduced in 2010. He said the new Aadhaar Bill does not specify that it will not be made mandatory.

“There is duplicity over this issue,” said Mahtab. “Nandan Nilekani [the former chairperson of the Unique Identification Authority of India] repeatedly told us in the parliamentary committee that Aadhaar is not mandatory. The Supreme Court also said, 'You cannot make it mandatory.'”

But if a service agent asks for Aadhaar mandatorily, then as a beneficiary, citizens have no option but to get an Aadhaar number, Mahtab explained. “The government, or a private company, cannot force me to get an Aadhaar number," he said. "The government should bring a law that clearly says Aadhaar is not mandatory.”

A committee of experts on privacy, chaired by Justice AP Shah, had recommended in 2012 that the Bill should specify that individuals have the choice to opt-in or out-of providing their Aadhaar number, and a service should not be denied to individuals who do not provide their number. The Unique Identification Authority of India had then stated to the committee that the enrolment in Aadhaar is voluntary.

But the new Aadhaar Bill does not incorporate a categorical clause on opt-in and opt-out. Instead, it broadens the scope of Aadhaar. Jaitley said the Bill will allow the government to ask a citizen to produce an Aadhaar number to avail of any government subsidy. But section 7 of the Bill is phrased more broadly, and refers to not just subsidies but any “subsidy, benefit or service” for which expense is incurred on the Consolidated Fund of India, or the government treasury.

7. The Central Government or, as the case may be, the State Government may, for the purpose of establishing identity of an individual as a condition for receipt of a subsidy, benefit or service for which the expenditure is incurred from, or the receipt therefrom forms part of, the Consolidated Fund of India, require that such individual undergo authentication, or furnish proof of possession of Aadhaar number or in the case of an individual to whom no Aadhaar number has been assigned, such individual makes an application for enrolment: Provided that if an Aadhaar number is not assigned to an individual, the individual shall be offered alternate and viable means of identification for delivery of the subsidy, benefit or service.

As noted above, the proviso in section 7 is premised on the phrase: “if an Aadhaar number is not assigned”. This, along with language preceding in the section, indicates that a citizen may be compulsorily required to apply for enrolment.

Section 8 permits a “requesting entity” to utilise identity information for authentication with the Central Identities Data Repository. A “requesting entity” is defined under Section 2(u), and will include private entities.

2. Does the Bill allow Aadhaar authorities to share your personal data?
Yes, in the "interest of national security", a term that remains undefined.

Both legal experts and members of Parliament have flagged the provisions in the Bill on the circumstances in which users' data, including core biometrics information, can be shared.

The debate centres over the interception provisions in section 33.

In a piece in The Indian Express, Nandan Nilekani, the former chairperson of the issuing authority, stated that the Aadhaar Bill provides that no core biometric information can be shared, a principle without exception. “...Clause 29(1) is not overridden by Clause 33(2),” he noted.

However, a closer reading of the Bill shows this is not the case. Clause 33(2), in fact, does provide an exception to clause 29(1)(b):

33(2) Nothing contained in sub-section (2) or sub-section (5) of section 28 and clause (b) of sub-section (1), sub-section (2) or sub-section (3) of section 29 shall apply in respect of any disclosure of information, including identity information or authentication records, made in the interest of national security in pursuance of a direction of an officer not below the rank of Joint Secretary to the Government of India specially authorised in this behalf by an order of the Central Government

where, Section 29(1)(b) states:

29. (1) No core biometric information, collected or created under this Act, shall be — (b) used for any purpose other than generation of Aadhaar numbers and authentication under this Act.

Pranesh Prakash, a lawyer and policy director of the Centre for Internet and Society said: “This implies that the core biometric information, collected or created under the Aadhaar Act, may be used for purposes other than the generation of Aadhaar numbers and authentication 'in the interest of national security.'"

Legal experts point out that the phrase “national security” is undefined in the present bill, as well as the General Clauses Act, and thus the circumstances in which an individual's information may be disclosed remains open to interpretation.

Section 33(1) permits the disclosure of an individual's demographic information (but not biometrics) following an order by a district judge. It says that no such order shall be made without giving an opportunity of hearing to the UIDAI , but not to the person whose data is being disclosed.

3. Does the Bill protect you from interception and surveillance?
No, the Bill does not provide for transparency concerning covert surveillance.

Section 33(2), which permits disclosure of demographic and biometric pursuant to directions of the joint secretary in interest of national security, says such disclosures will be for three months initially, and a fresh renewal can be granted for another three months, without a limitation on the number of such renewals.

This can lead to a user being under continuous surveillance, and without any notification to the user even after the surveillance ceases, violating one of necessary and proportionate principles on communications surveillance related to user notification and right to effective remedy. In some countries, this principle has been incorporated in law. For example, in Canada, the law limits the time of wiretapping surveillance, and imposes an obligation to notify the person under surveillance within 90 days of the end of the surveillance, extendable to a maximum of three years at a time.

“The interception provisions are severely problematic," said Apar Gupta, a technology lawyer. "They are not open to independent scrutiny and even derogate from the already deficient practices which relate to phone tapping (Rule 419-A of the Telegraph Rules) and interception of data (Interception Rules, 2011).”

Legal scholar Usha Ramanathan pointed out that the Bill lacks provisions on giving notice to a person in case of breach of information, in case of third party use of data, or change in purpose of use of data – which were among provisions recommended by the Justice Shah Committee on Privacy in 2012.

4. Does the Bill allow you to seek redress in case of breach of information?
Yes, but the provisions are weak.

Government officials overseeing the project said that the 2016 Bill is an improvement over the 2010 Bill as it safeguards the information of those enrolled as per sections of the Information Technology Act, 2000.

But technology law experts say the adjudicatory system for disclosure of sensitive personal data under the IT Act has structural flaws and is not functional.

“Initial complaints against the disclosure of sensitive personal data go to an adjudicating officer who is usually the IT Secretary of the state government and may not be trained in law,” said Gupta, the technology lawyer. “There is no court infrastructure and no permanent seat for such cases. The appellate body, the Cyber Appellate Tribunal, has not been made operational in the last three years. Hence, the civil remedies offered [in the Aadhaar Bill] are at best illusionary and unenforceable.”

5. Does the Bill give you the right to alter your information?
No, it leaves you to the mercy of the Unique Identification Authority of India.

Imagine a situation where a user simply wants to change their first or last name, or say, not use their caste name. Under Section 31 of the Bill, individuals can only request the UID authority, which may do so “if it is satisfied”. There is no penalty on the authority if it fails to respond. The Bill does not provide for a user to even be able to approach a court to ask for their information relating to Aadhaar to be corrected.

International norms for data protection give individuals the right to correct and alter information, if their demographic data changes. They provide for individuals to have a copy of their information, and to approach courts for an order to rectify, block, erase inaccurate information.

In an interview to Mint, Sunil Abraham, director of the Centre for Internet and Society, compared the rights of Aadhaar users to the rights we now take for granted as internet users. “Authentication factors [biometrics in the case of Aadhaar], commonly known as passwords, should always be revocable,” noted Abraham. “That means if the password is compromised, you should be able to change the password or at least say that this password is no longer valid.” In its current form, the Aadhaar Bill gives users no such rights.

6. Is the current Bill an improvement over the previous one?
Not really.

The Aadhaar Bill 2016 provides that the renewals of requests for disclosure of data will be reviewed by an oversight committee consisting of the cabinet secretary and the secretaries in the department of legal affairs and the department of electronics and information technology.

This is a watered down version of the provisions in the previous Unique Identification Authority of India 2010 Bill, said Chinmayi Arun, executive director, Centre for Communication Governance at the National Law University Delhi.

“The previous version or the 2010 Bill provided for a three-member review committee, consisting of the nominees of the prime minister, the leader of the opposition, and a third nominee of a union cabinet minister, with the restriction that these nominees could not be a member of parliament or a member of a political party,” Arun said. “This would be a more independent committee than the one proposed now, wherein there will be executive oversight for executive orders."

Regarding penalties, the previous 2010 Bill made copying, deleting, stealing, or altering information in the Central Identities Data Repository, punishable with a jail term of upto three years and a fine not less than Rs 1 crore.

Section 38 of the new Aadhaar Bill now makes the same offence punishable with a jail term of upto three years and reduces the upper limit of the fine to “not less than ten lakh rupees”.

7. Finally, does the Aadhaar Bill have enough parliamentary scrutiny?
The government has introduced the legislation on Aadhaar in the form of a Money Bill, which means the power of the Rajya Sabha to review and amend the Bill is curtailed ‒ if the Speaker Sumitra Mahajan certifies that this is a Money Bill.

The parliamentary committee on finance under Bharatiya Janata Party MP Yashwant Sinha had rejected the previous Bill in December 2011 citing legislative, security, and privacy concerns. Despite this, two successive Prime Ministers – Manmohan Singh and Narendra Modi – have pushed ahead with Aadhaar project.

A common refrain has been that the unique biometric identity will resolve the problem of the poor in India to prove identity and overcome "one of the biggest barriers preventing the poor from accessing benefits and subsidies." But last April, the UIDAI in response to an RTI application revealed that of 83.5 crore Aadhaar numbers issued till then, 99.97% were issued to people who already had at least two existing identification documents, only 0.21 million (0.03%) used the "introducer system" that provides an exception to those lacking identity proof.

More recently, there has been no public consultation by the government over the latest Bill.

For more details visit http://editors.cis-india.org/internet-governance/news/scroll.in-anumeha-yadav-march-24-2016-seven-reasons-why-parliament-should-debate-the-aadhaar-bill-and-not-pass-it-in-a-rush

Debate: Five Aadhaar Myths that Don’t Stand Up to Scrutiny

praskrishna — 2016-04-01T15:48:17Z

We need to reboot the Aadhaar debate by asking why we want to create a centralised biometric database of Indian residents in the first place.

The article by Reetika Khera was published in the Wire on March 23, 2016.

A recent article, ‘Identification simplified, myths busted’, by Piyush Peshwani and Bhuwan Joshi (hereafter, Peshwani & Joshi) makes some questionable claims about the UID project. Peshwani & Joshi’s strategy appears to be to ignore those questions to which they do not have an answer (e.g., that Aadhaar is mostly redundant as far as NREGA, PDS, etc., are concerned). For others, they cherry-pick ‘facts’ without acknowledging the debates surrounding those facts. Here is a selection.

#1: To get Aadhaar, you need a Proof of ID (PoID) and Proof of address (PoA)

Peshwani & Joshi: “For many, Aadhaar is perhaps the first document of their existence – a robust proof of their identity and address that can be verified online. No more closed doors for them!”

Peshwani & Joshi: “The Demographic Data Standards and Verification Procedures committee prescribes a list of valid 18 proof of identity and 33 valid proof of address documents for getting an Aadhaar.”

Fact: In fact, 99.97% of those who have Aadhaar, used PoID and PoA to get it. For those who have neither, there is an “introducer system”, but according to a reply to an RTI request, only 0.03% of those who have the Aadhaar number used this route.

As far as closed doors are concerned, Aadhaar does not guarantee any benefits: work through NREGA, widow or old-age pensions or PDS rations. There are separate eligibility conditions for those programmes which continue to apply.

#2 On costs

Peshwani & Joshi: “Does it justify the cost? Yes, absolutely, according to the World Bank, which said the initiative is estimated to be saving the Indian government about $1 billion annually by thwarting corruption, even as it underlined that digital technologies promote inclusion, efficiency and innovation.”

Fact: Savings due to the use of Aadhaar have been disputed. The government has claimed it has saved Rs. 14,672 crore on LPG subsidies due to Aadhaar while they are likely lower – by a factor of 100 (see Business Standard or Wall Street Journal).

Peshwani & Joshi: “Even before the World Bank’s endorsement of Aadhaar, the Delhi-based National Institute of Public Finance and Policy (NIPFP) conducted a detailed cost-analysis study on Aadhaar in 2012… the study found that the Aadhaar project would yield an internal rate of return in real terms of 52.85% to the government.”

Fact: The NIPFP cost-benefit was based on unrealistic assumptions – e.g., estimates of leakages that Aadhaar could plug were available for only two out of seven schemes; for the rest, they assumed leakage rates which are termed ‘conservative’, but are actually not.

In their response, the NIPFP team admitted that “a full-fledged cost benefit analysis of Aadhaar is difficult” because “many gains from Aadhaar are difficult to quantify because they are intangible” and, “even if in specific schemes there may be tangible benefits, the information available on those schemes does not permit a precise quantification of those benefits.”

They went on to say that “The study has steered away from relying exclusively on analyses of isolated and small sample sets”. What evidence did the NIPFP study rely on? “For ASHAs, Janani Suraksha Yojana and scholarships, no analysis, large or small has been used. For the Indira Awaas Yojana, the three analyses relied on exclusively are a Times of India news report, a press release based on a discussion in Parliament and a “Scheme Brief” by the Institute for Financial Management and Research (IFMR). Interestingly, the corruption estimate in the IFMR brief cross-refers to the Times of India article (apart from a CAG report)!” (Khera, 2013)

#3 De-duplication

Peshwani & Joshi: “Aadhaar means no fake, ghost or duplicate beneficiaries. Double-dipping will become more and more difficult with Aadhaar, a number that is well de-duplicated with the use of biometrics.”

Fact: De-duplication is one possible contribution of Aadhaar – but that needs biometrics, not a centralised biometric database. Local biometrics (used extensively in Andhra Pradesh before UID) mean that biometric data is stored by the concerned government department or on the local e-POS machine’s memory chip. It has the advantage that connectivity is not required (you are authenticated by the machine), errors and corrections can be correctly locally, making it more practical. The distinction between a local and centralised database is important (see #5 below).

Further, no one has a reliable estimate of the duplication problem. Two government estimates of duplicates exist: the Dhande committee for LPG (2%) and in NREGA job cards from the Government of Andhra Pradesh (also 2%).

#4 Exclusion

Peshwani & Joshi: “As far as exclusion in delivery of other services due to biometric authentication accuracy is concerned, it is important to go beyond scratching the surface.”

Fact: When the PDS was integrated with Aadhaar: “The Andhra Pradesh Food and Civil Supplies Corporation found that…nearly one-fifth ration card holders did not buy their ration.” Further, “When the government delved deeper in the issue, it was found that out of the 790 cases interviewed for the study, 400 reported exclusion. Out of the excluded cases, 290 were due to fingerprint mismatch and 93 were because of Aadhaar card mismatch. The remaining 17 cases were due to failure of E-PoS.” More here.

Moreover, Peshwani & Joshi pick one definition of ‘exclusion’ (due to biometric failure) when in fact, exclusion has a broader meaning. For instance, “In Chitradurga (Karnataka), Rs.100-150 million in wages from 2014-15 were held up for a year. When payments were being processed, their job cards could not be traced in NREGAsoft. Upon enquiry, the district administration learnt field staff had deleted them to achieve ‘100% Aadhaar-seeding’.”

#5 Profiling and privacy violations

Peshwani & Joshi: “A prominent criticism of Aadhaar is that it ‘profiles’ people.” …“Most of us have one or more identity/address documents, such as a passport, ration card, PAN card, driving licence, vehicle registration documents or a voter ID card. The government departments managing these already have our data. Aadhaar is no different. We give our data to banks, to insurance companies and to telecom companies for accounts, policies and mobile connections.”

Fact: That’s like saying BJP can be more corrupt because the Congress was corrupt. Instead we need to engage more seriously with the work of Sunil Abraham, Amber Sinha and others at the Centre of Internet and Society. There are crucial differences between Aadhaar and Social Security Number in the US, see this. Malavika Jayaram listed the UID project among a slew of “big brother” projects facilitating mass surveillance in India.

Conclusion

The debate on UID tends to begin with the premise that Aadhaar is necessary for ‘good governance’. Those claims of the UIDAI have long been demolished. In a nutshell, Aadhaar cannot help identify the poor, its possession does not guarantee inclusion into government social welfare (go to #1). It cannot reduce PDS or NREGA corruption as claimed in their early documents. Thankfully, PDS–NREGA corruption has been on the decline without Aadhaar – more needs to be done. (More details? Try this and this.)

Bihar shows how much corruption in the PDS can be reduced without Aadhaar. Credit: Reetika Khera

Aadhaar is not required for portability of benefits or for cash transfers. Cash transfers need bank accounts. To get a bank account, you need a proof of ID and a proof of address (go to #1). Aadhaar can help de-duplicate, but so can local biometrics (go to #3). We need to “reboot” the Aadhaar debate, starting on the right terms – why exactly do we need to create a centralised biometric database of Indian residents?

For more details visit http://editors.cis-india.org/internet-governance/news/the-wire-march-23-2016-reetika-khera-debate-five-aadhaar-myths-that-dont-stand-up-to-scrutiny

In India, Biometric Data Storage Sparks Demands for Privacy Laws

praskrishna — 2016-03-23T02:27:05Z

In India, calls for strict privacy laws are growing after this week's passage of a measure that allows federal agencies access to biometric data of the nation's citizens, the world's largest such repository.

The article by Anjana Pasricha was published in Voice of America on March 18, 2016. Pranesh Prakash gave inputs.

The government says the use of biometrics will help cut rampant graft in the distribution of subsidies, but activists and opposition lawmakers warn it could usher in an era of increased state surveillance.

Raghubir Gaur, who works as an electrician in the capital, New Delhi, says he has never collected subsidized rations such as wheat and rice, because “somebody else has been taking the rations I should have gotten.” Now, with a national proof of identity, or "Aadhaar" card in his hands, Gaur says he is confident he will be able to access his designated subsidies.

The Aadhaar card is being used to give welfare benefits to the poor, who often cannot provide any proof identity, allowing corrupt officials to siphon entitlements.

The government says it has saved nearly $2 billion by preventing misuse of the subsidies in the last fiscal year alone.

Critics fear ‘police state’

Civil activists and research groups, however, have dubbed the Aadhaar program “surveillance technology” that constitutes a serious breach of privacy. They point to identity-verification systems in other countries, where cards or identification numbers are used for verification without creating a gigantic central database that documents every last transaction.

Indeed, the Aadhaar database also stores fingerprints and iris scans of every account holder, labeling each with a 12-digit identification number.

Concerns that this could lead to a massive invasion of privacy have been heightened because the new law allows the data to be used “in the interest of national security.”

“From verifying yourself to the ticket conductor on a train to someone who is delivering something at your house, all the way to opening a new bank account, all these transactions get logged against the centralized data base," says Pranesh Prakash of the Center for Internet and Society in Bangalore. "So this invades your life completely and thoroughly.”

Some lawyers and privacy advocates say this has made it even more important to support a strong privacy law to ensure the huge government database isn't misused.

Finance Minister Arun Jaitley has defended the biometrics legislation, saying the data will be accessed only in rare cases that require authorization by a senior official.

“You mark my words, you are midwifing a police state,” said lawmaker Asaduddin Owaisi, just one parliamentarian opposed passage of the legislation and found no comfort in Jaitley's assurances.

Fraud concerns

Despite objections, the bill was passed by legislators who argued that such a move is critical to ensuring subsidies reach intended beneficiaries in a country where millions are poor and illiterate.

Attempts to draft a right to privacy bill to protect individuals against misuse of data by government or private agencies date back to 2010, but have made little headway. The latest push started in 2014.

Citing a cyberattack targeting the U.S. government, in which a hacker gained access to the information of millions of people, research groups have also flagged security concerns around India’s ambitious Aadhaar program.

“If this database gets leaked, the entire identification system collapses because people will be able to authenticate themselves as anyone else. So identity fraud is a great concern,” said Prakash of the Center for Internet and Society.

Nearly one billion biometric identity cards have been issued in India in the last six years.

For more details visit http://editors.cis-india.org/internet-governance/news/voice-of-america-anjana-pasricha-march-18-2016-in-india-biometric-data-storage-sparks-demands-for-privacy-laws

Dead and Clicking

praskrishna — 2016-03-23T01:42:20Z

A look at the phenomenon of digital memorials; repositories and time capsules of a life even after it's ended in the real world.

The article by Jayanthi Madhukar and Sowmya Rajaram was published by Bangalore Mirror on March 20, 2016. Rohini Lakshane was quoted.

On the first death anniversary of his father-in-law last week, Pradip Mehta (36) decided to show the 120 relatives gathered at his home in Rajkot the digital memoriam he had created through Shradhanjali.com, India's first and only memory portal. As he clicked on the page, the photograph of his father-in-law popped out to the accompaniment of the Mrityunjaya mantra. Curious relatives looked on as he showed them the photo album on the portal where all good moments with the deceased we're captured for eternity. "There were two reasons why I chose this kind of memoriam," he explains. "Instead of paying a fortune on print media for the announcement, this online profile will be up for 30-odd years. And by uploading all the pictures and videos, my wife and I are making sure that he will be 'alive' for our 12-year-old son in the future." Mehta regrets that he grew up with practically no idea of his ancestors. "We don't take efforts to know our lineage at all."

That may not be the case with the millennial generation and the people who follow them. With an entire life online — selfies uploaded to Facebook, tweets, posts, Instagrams of their meals and dubsmashes — leaving behind a legacy is less a matter of choice and more a matter of inevitability. Everybody leaves behind a footprint on the Internet, but some of it can be controlled even after their death. Today, your loved ones have a 'life' beyond their death — on memorialised pages on Facebook, on webpages dedicated to their memory, and even on QR codes on their gravestones that will link to information about them online.

Indeed, the dead may soon outnumber the living, at least in the virtual space. A US statistician has calculated that Facebook's dead will outnumber the living by 2098. And when that is the case, the rules must evolve.

In memoriam

Take the way social norms have evolved in the virtual space. When a death is announced on social media, online friends begin sharing thoughts and comments. Some may not have even met the deceased in the real world but their digital interactions had been extensive enough for them to suffer a sense of grief.

So, how does one mourn a loved one who has piled up an extensive amount of digital possessions? Do they deserve an online memorial? Facebook certainly thinks so. On the social networking website, families can get full access to profiles only if there's documented instruction from the deceased. You can let the site know if a person has passed away, and Facebook will memorialise the account, which means that person's Facebook account now appears with a 'Remembering' above their name. A legacy contact (someone you choose to look after your account if it's memorialised) can then write posts, respond to new friend requests and such. There are many such accounts on the site — take the accounts (now memorialised pages) of actor Sanjit Bedi (of TV show Sanjeevani fame), Sheryl Sandberg's late husband Dave Goldberg and late F1 driver Jules Bianchi. All this, if you don't explicitly ask for your account to be deleted after your death.

In an earlier interview to The Huffington Post, Facebook spokesperson Fred Wolens had said: "When we receive a report that a person on Facebook is deceased, we put the account in a special memorialised state. Certain more sensitive information is removed, and privacy is restricted to friends only. The profile and wall are left up so that friends and loved ones can make posts in remembrance. If we're contacted by a close family member with a request to remove the profile entirely, we will honor that request."

Time capsule

Shradhanjali.com works a little differently. For Vivek Vyas, co-founder of Shradhanjali.com, the idea was born out of empathy rather than business opportunity. He says one particular incident prompted him to offer the memorial service online. He and his friend (now partner) Vimal Popat were eating samosas at a roadside restaurant off Rajkot in 2011. The paper in which the savouries were packed was the obituary page. "It was disturbing to see the photographs of the deceased wrapped around the samosas, oil-stained and later, discarded as rubbish." The friends spoke of having an online memoriam which would be decorous to the memory of the departed.

Back home, the two researched similar sites and to their surprise, found no other site offering such a service in India. "Let's do this," Popat urged Vyas, and the two quit their jobs in an insurance company to start the memorial portal. The site went live in 2011, allowing you to relive memories of your loved ones.

First, one has to register by going online to this B2C website with a simple user interface. Once a payment of Rs 2,700 is made for a 30-year subscription, the subscriber can upload information, photographs and videos about their loved one. They are offered a choice of 10 languages (for friends and relatives to write their condolences) and a selection of music that they wish to be played whenever someone visits the profile page. The content is completely user-driven and once the page goes 'live' the link is sent to all the emails that have been uploaded.

Vyas maintains that their website is gaining traction — there are about 400 paid subscribers, many of them are agencies which partner with print media giving 'packages' to the client — and in spite of not marketing aggressively, the number is growing. "The concept connects with people in a rather intimate manner," he says, "and some of the people to whom I have explained the site have shed copious tears, they are so moved by the concept of memoralising the departed."

In fact, one of the subscribers initially wrote a cheque of Rs 27,000 insisting that the yeoman service needs better cash appreciation.

The founders maintain that their venture is not comparable with Facebook or a blog as Shradhanjali is free of any advertisements and even sends out reminders of birth and death anniversaries. "Besides, the others are not exclusive platforms for memorials," Vyas stresses.

Life, beyond

Clearly, the meaning of the memory of a loved one is different today. It exists beyond photo albums and physical memories of that person's friends and family. Madhu Nataraj, choreographer and dancer, Natya Stem Dance Kampini, discusses what the community page dedicated to her late mother Maya Rao on Facebook means to her. Although the page was made when she was alive, as a way for her students to address her and to talk about her book, after her death in 2014, Nataraj says today it has become a sort of memorial page, where people post their remembrances of her mother.

"She lives on through her art. Every time I dance or step on stage — and I'm sure this is true even of her students — I remember her. This is just another dimension of that remembering," Nataraj says. In another case, the FB page of Dean D'Souza (a close friend of a writer who did not wish to be named), who died in a helicopter crash in 2013, "brings comfort and a smile". He adds, "Friends are constantly posting on it, and his profile picture is changed regularly, reminding us of a happier time. I found it unnerving at first have FB remind me that "It's Dean's birthday", but not anymore over the years."

Nataraj however emphasises that for an artist of her mother's stature, the legacy is through the memory of her art. Of course it feels good when people pay tribute to her online. But a virtual 'memorial' of her mother's life isn't the only legacy she has.

Digital remembering

But the burgeoning number of such services makes it clear that for many others, a virtual repository of their loved one's life is important. Take The Digital Beyond, a site that discusses how to plan digital legacy management — Facebook accounts, email, bank accounts etc — after death.

There are others. In a page straight out of the movie PS I Love You, a service called My Wonderful Life sends posthumous emails to loved ones. Then there's MyDeathSpace.com, which tracks social media profiles of the dead and maintains an extensive message board and Facebook page.

Services such as Living Headstones allow you to emboss a QR code upon a loved one's headstone. Scanning it connects to a website containing information you and friends add about your loved one, such as: an obituary, family heritage and history, photos, comments by friends and relatives and even links to share content on Facebook or Twitter. Another, Quiring Monuments, adds a link to the granite memorial through which smartphones can connect to your loved one's personalised website.

There are those who might raise their eyebrows at such platforms, but Vyas will have none of it. "Just because you have a mandir (a prayer room) at home, the need for temples will not diminish, will it? There is a decorum given to the memory of the dead on our site."

Do we forget?

But there is also a flipside. In the real world there is a period of mourning, people come to offer condolences and then, it is time to move on. Cyberspace may not allow this clean transition from grief and mourning to a semblance of routine. The thing about having such a digital memoriam is that grieving does not really end. This is a setback, according to clinical psychologist Dr Anand A Rao. "Grief has to be suffered immediately otherwise it will become a reaction later which will require clinical help," he says. But reliving the memory each time someone posts a query or shares a memory does not help either. "Ultimately, grief has to stop and loved one's routines have to continue. Typically I would recommend the presence of such a page for about 15 days, no more," he says.

There is also the matter of insincere tributes. As Nataraj says, she was very hurt when people who "hardly knew" her mother had posted selfies captioned: 'Maya didi', "followed by five hearts". "I found that callous," she says. "There are so many so-called obits and condolence messages and everybody wants to claim that familiarity with her that I'm sometimes wary."

But it doesn't look like the digital memorial phenomenon is going away anytime soon. Rohini Lakshane, researcher at the Centre for Internet and Society, agrees with Dr Rao to an extent, saying that getting constant updates could thwart the process of grieving or healing. "But at the same time, I could see how reaching out to a larger community via public updates or photos could give them strength, moral support and empathy," she says. She points out that if a person feels that their online persona or presence is an extension of themselves, it's a perfectly "legitimate wish" to have. "Given the importance attached to details of events that we post online, I suppose the desire to create a time capsule of it will continue to exist.

For more details visit http://editors.cis-india.org/internet-governance/news/bangalore-mirror-jayanthi-madhukar-sowmya-rajaram-march-20-2016-dead-and-clicking

Hard to broad ban!

praskrishna — 2016-03-22T17:00:07Z

The provisions under the Telegraph Act are wispy and can’t be convincingly invoked to exercise a jurisdiction on the internet world.

The article by Taru Bhatia was published by Governance Now on March 9, 2016. Pranesh Prakash was quoted.

The Haryana government on February 19 suspended mobile internet services in the districts affected by the agitation caused by the Jat community over reservation. The ban was imposed under section 144 of criminal procedure code (CrPC) to control the situation from being fanned by rumours or inflammatory messages.Similar ban was imposed in Gujarat last year during violent protests stirred by Hardik Patel over reservation of Patel community. In a similar manner internet connectivity was snapped in Nagaland, Rajasthan and Jammu and Kashmir last year under section 144 in order to contain law and order situation.

The CrPC section allows an official authorised by the state government to “direct any person to abstain from a certain act or to take certain order” which is “likely to prevent, or tends to prevent, obstruction, annoyance or injury to any person lawfully employed or danger to human life, health or safety, or a disturbance of the public tranquility, or a riot, of an affray”. “An order under this section may, in cases of emergency or in cases where the circumstances do not admit of the serving in due time of a notice upon the person against whom the order is directed, be passed ex parte,” the section states.

However, the civil rights lawyers claim that section 144 is a general law. “Section 144 is a means to curb apprehended danger and nuisance in emergencies, but its use to ban internet access for a region is an excessive and arbitrary use of powers granted to the state government under this provision,” says Mishi Choudhary, legal director, software freedom law centre (SFLC).

They, moreover, believe that the above section is not specific and contextual in cases of communication ban. So what is the correct law that comes in disposal of state authorities during emergencies that call for an urgent step? It’s section 5 of the Indian Telegraph Act, 1885. The act specifically deals with blocking web domains or web pages or blanket ban. Section 5(2) says that states or central government can prevent transmission of any message(s) that cause incitement to unlawful situation. Looking carefully, this section focuses only on blocking of inflammatory message(s), not a blanket ban.

In the case of Gujarat, for example, Hardik Patel, leading the agitation, used WhatsApp to spread the word for Bharat bandh, which consequently caused a blanket ban on data services by the state authorities. Under section 5(2), the authorities could have gone ahead only with banning social media websites and messaging application, instead of a blanket ban.

Section 5(2) of the telegraph Act also allows the authorities to lawfully intercept messages during public emergency. The central government has laid out clear guidelines in 2014, defining circumstances that demands phone tapping and in what manner. Similar guidelines are not there for suspending internet services under same law, however.

“The way in which the ban is imposed is unreasonable. Problem is in the method that is being used in absence of guidelines, defining circumstances under which they can impose a restriction on internet sites,” says Arun Kumar, head of cyber initiatives at Observer Research Foundation (ORF).

If government formulates these rules or guidelines it will set a threshold for state or central authorities, which will define the urgency of imposing ban on internet services. It will also make authorities answerable, limiting the misuse of power under the section 144 of the CrPC.

The civil rights lawyers cite example of section 69 A of the IT Act, 2000, which grants power to the central government to direct notice to intermediaries (for example, Facebook and Twitter), to block public access to any information that could stir violence in the country. In this case the government formulated blocking rules in 2009, providing for examination of complaints. The authority to employ this power however lies with the central government, and so, a state not using this law for taking down any message or domain from public view is understandable, during riot-like situation.

For states to legitimately use their power, it is essential to have similar blocking rules for section 5(2) of telegraph act.

Is blanket ban needed, anyway?

“Blocking all internet access is clearly an unnecessary and disproportionate measure that cannot be countenanced as a ‘reasonable restriction’ on freedom of expression and the right to seek and receive information, which is an integral part of the freedom of expression,” says Pranesh Prakash, policy director, Centre for Internet and Society (CIS).

For instance, he adds, a riot-affected woman seeking to find out the address of the nearest hospital cannot do so on her phone. “Instead of blocking access to the internet, the government should seek to quell rumours by using social networks to spread the truth, and by using social networks to warn potential rioters of the consequences,” he says.

Former Mumbai police commissioner Rakesh Maria used WhatsApp to counter rumours spread after circulation of a fake photo in January 2015. A similar approach could have been taken by state authorities in the case of Gujarat or Haryana; countering miscreants, informing public about the truth and emergency help details.

“Instead of doing that, we saw that in Gujarat, the police themselves engaged in acts of violent vandalism (caught on CCTV cameras), and in Manipur the police shot dead nine Manipuri tribals, including a 11-year-old child,” retorts Pranesh.

Blocking internet should be used as a last resort, and taking a balanced approach that considers interest of every stakeholder in a society is essential, argue civil rights lawyers. It is also imperative on the part of the government to formulate guidelines or a rule book to tackle the arbitrariness exercised by the states and security forces.

For more details visit http://editors.cis-india.org/internet-governance/news/governance-now-march-9-2016-taru-bhatia-hard-to-broad-ban

Aadhaar: Govt will not compromise on national security

praskrishna — 2016-03-22T15:51:13Z

The government is confident that the Aadhaar Bill will be passed.

The article by Shreeja Sen was published by Livemint on March 9, 2016. Pranesh Prakash gave inputs.

In what could raise concerns of privacy activists questioning India’s unique identification project Aadhaar, the government on Tuesday said national security will not be compromised at all.

“We will not compromise on national security; certainly we will not compromise. The Supreme Court has already highlighted certain areas for consideration. We are going ahead taking into consideration all the suggestions of the Supreme Court,” law minister D.V. Sadananda Gowda said at a press conference, when asked how the Aadhaar bill tabled in Parliament last week will balance the protection of core biometrics and national security concerns.

Under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016, there are measures to protect core biometric information like fingerprints and iris scans of the unique identification number holders.

However, Section 33 says for the purposes of national security, officials at the joint secretary level and above can access this information. The section has caused some worry to experts. In this analysis , policy director of the Centre for Internet and Society Pranesh Prakash says that the national security clause is worrisome. Adding to their concerns, the bill does not define what national security means.

The government is, however, confident that the bill will be passed. “Certainly it will be passed. The benefits that go from the exchequer to the beneficiaries will be taken care of by this bill,” Gowda said.

For more details visit http://editors.cis-india.org/internet-governance/news/livemint-march-9-2016-shreeja-sen-aadhaar-govt-will-not-compromise-on-national-security

India Still Trying To Turn Optional Aadhaar Identification Number Into A Mandatory National Identity System

praskrishna — 2016-03-24T06:34:21Z

from the sliding-down-the-slippery-slope-to-disaster dept

The blog post was published by Tech Dirt on March 22, 2016. CIS research on Aadhaar was quoted.

Last year, we wrote about India's attempt to turn the use of its Aadhaar system, which assigns a unique 12-digit number to all Indian citizens, into a requirement for accessing government schemes. An article in the Hindustan Times shows that the Indian government is still pushing to turn Aadhaar into a mandatory national identity system. A Bill has just been passed by both houses of the country's parliament, which seeks to give statutory backing to the scheme -- in the teeth of opposition from India's Supreme Court:

There have been orders passed by the Supreme Court that prohibit the government from making Aadhaar mandatory for availing government services whereas this Bill seeks to do precisely that, contrary to the government's argument that Aadhaar is voluntary.

The article notes that in some respects, the new Bill brings improvements over a previous version:

It places stringent restrictions on when and how the UID [Unique Identification] Authority (UIDAI) can share the data, noting that biometric information -- fingerprint and iris scans -- will not be shared with anyone. It seeks prior consent for sharing data with third party. These are very welcome provisions.

But it also contains some huge loopholes:

The government will get sweeping power to access the data collected, ostensibly for "efficient, transparent, and targeted delivery of subsidies, benefits and services" as it pleases "in the interests of national security", thus confirming the suspicions that the UID database is a surveillance programme masquerading as a project to aid service delivery.

The fact that an optional national numbering system now seems to be morphing into a way to monitor what people are doing will hardly come as a surprise to Techdirt readers, but this continued slide down the slippery slope is still troubling, as are other aspects of the new legislation. For example, it was introduced as a "Money Bill," which is normally reserved for matters related to taxation, not privacy. That suggests a desire to push it through without real scrutiny. What makes this attempt to give the Aadhaar number a much larger role in Indian society even more dangerous is the possibility that it won't work:

A recent paper in the Economic and Political Weekly by Hans Mathews, a mathematician with the [Centre for Internet and Society], shows the programme would fail to uniquely identify individuals in a country of 1.2 billion.

A mandatory national identity system that can't even uniquely identify people: sounds like a recipe for disaster.

For more details visit http://editors.cis-india.org/internet-governance/news/tech-dirt-march-22-2016-india-still-trying-to-turn-optional-aadhaar-identification-number-into-mandatory-national-identity-system

February 2016 Bulletin

praskrishna — 2016-03-20T05:13:30Z

The Centre for Internet & Society is happy to share its February 2016 newsletter. Previous issues of the newsletters can be accessed at http://cis-india.org/about/newsletters.

Highlights
The Researchers at Work programme organised the Internet Researchers' Conference 2016 (IRC16) on February 26-28. It was hosted by the Centre for Political Studies at the Jawaharlal Nehru University, and was generously supported by the CSCS Digital Innovation Fund. Subhashish Panigrahi won the Yuva Prerana Samman award. The award was conferred during the 2nd International Conclave of Odia Language (organized by Intellects, a Delhi-based progressive forum of intellectuals) at the India International Centre in New Delhi on February 20, 2016. Odisha News covered the event. Subhashish Panigrahi wrote an article for the Hoot on whether Wikipedia could revive dying Indian languages. Panigrahi stated that by encouraging content and involvement languages could be kept relevant. The article was republished by Pratham Books. Kannada Wikipedia just celebrated its 13th anniversary. As part of the WikipediansSpeak series Subhashish Panigrahi caught up with Vasanth to learn about his contributions to the Kannada Wikipedia. In the discussion Vasanth shared his long time involvement in the Wikimedia movement, and spoke about what drove him every day to edit Wikipedia and helping other fellow Wikimedians. Sunil Abraham's article on Facebook's Free Basics was published by First Post. He stated that there is more to come from TRAI in terms of net neutrality regulations especially for throttling and blocking. Nehaa Chaudhari wrote an article for the Socio Legal Review (National Law School of India University). The article seeks to examine legal and policy lever and the role of regulator in the development of an enabling environment for access to sub-hundred dollar mobile devices. In a recently published paper, Jahnavi Phalkey and Sumandro Chattapadhyay explore public initiatives in technological solutions for educating the poor and the disadvantaged in independent India. The United Nations Educational, Scientific and Cultural Organisation (UNESCO) had published a book in 2014 that examines free speech, expression and media development. The chapter contains a Foreword by Irina Bokova, Director General, UNESCO. Pranesh Prakash contributed to the Independence: Introduction - Global Media Chapter. The book was edited by Courtney C. Radsch. India should apply electronic toll collection systems to roads, and adapt road network concepts in organizing and managing communications networks wrote Shyam Ponappa in an Op-Ed published by the Business Standard.

--------------------------------------
Accessibility & Inclusion
-------------------------------------
India has an estimated 70 million persons with disabilities who don't have access to read printed materials due to some form of physical, sensory, cognitive or other disability. As part of our endeavour to make available accessible content for persons with disabilities we are developing a text-to-speech software in 15 languages with support from the Hans Foundation. The progress made so far in the project can be accessed here.

►NVDA and eSpeak

Report

February 2016 (Suman Dogra; February 28, 2016).

-----------------------------------
Access to Knowledge
-----------------------------------
As part of the Access to Knowledge programme we are doing two projects. The first one (Pervasive Technologies) under a grant from the International Development Research Centre (IDRC) is for research on the complex interplay between pervasive technologies and intellectual property to support intellectual property norms that encourage the proliferation and development of such technologies as a social good. The second one (Wikipedia) under a grant from the Wikimedia Foundation is for the growth of Indic language communities and projects by designing community collaborations and partnerships that recruit and cultivate new editors and explore innovative approaches to building projects.

►Pervasive Technologies

Article

Standard Essential Patents on Low-Cost Mobile Phones in India: A Case to Strengthen Competition Regulation? (Nehaa Chaudhari; Socio Legal Review, National Law School of India University; February 25, 2016).

Participation in Event

2016 Works-in-Progress Intellectual Property ("WIPIP") Colloquium (Organized by School of Law, University of Washington; Washington D.C.; February 19 - 20, 2016). Prof. Jorge Contreras presented a paper co-authored by Rohini Lakshané on the patent landscape conducted for the Pervasive Technologies project.

► Copyright and Patent

MHRD IPR Chair Series: Information Received from University of Madras (Karan Tripathi; February 19, 2016).
MHRD IPR Chair Series: Information Received from Cochin University of Science and Technology (Karan Tripathi; February 21, 2016).
MHRD IPR Chair Series: Information Received from IIT, Bombay (Karan Tripathi; February 22, 2016).
MHRD IPR Chair Series: Information Received from IIT, Delhi (Karan Tripathi; February 22, 2016).
The new Guidelines for Computer Related Inventions are a big win for FOSS in India! (Anubha Sinha; February 23, 2016).

Event Organized

IP Meetup #01: Prof. Biswajit Dhar on 'Intellectual Property issues: The Way Forward post Nairobi WTO Ministerial' (CIS, New Delhi; February 7, 2016). Prof. Dhar gave a talk.

►Wikipedia

As part of the project grant from the Wikimedia Foundation we have reached out to more than 3500 people across India by organizing more than 100 outreach events and catalysed the release of encyclopaedic and other content under the Creative Commons (CC-BY-3.0) license in four Indian languages (21 books in Telugu, 13 in Odia, 4 volumes of encyclopaedia in Konkani and 6 volumes in Kannada, and 1 book on Odia language history in English).

Articles

Can Wikipedia revive dying Indian languages? (Subhashish Panigrahi; The Hoot; February 19, 2016 and mirrored by Pratham Books; February 22, 2016).
Community Digest—Estonians working on a new feedback system for Wikipedia articles (Subhashish Panigrahi; Wikimedia Blog; February 27, 2016).
Looking ahead to the future of the Kannada Wikipedia: Vasanth S.N. (Subhashish Panigrahi; Wikimedia Blog; February 29, 2016).
ଓଡ଼ିଆ ଭାଷା ପାଇଁ ଏକ ଅନୁଶୀଳନ (Subhashish Panigrahi; Suryaprava; February 22, 2016).
ଓଡ଼ିଆ ଭାଷା ପାଇଁ ଏକ ଅନୁଶୀଳନ (Subhashish Panigrahi; Samaja; February 21, 2016).
ମାତୃଭାଷା ଦିବସ: ଆଜିର ସମସ୍ୟା ଓ ଆହ୍ୱାନ (Subhashish Panigrahi; Sambad; February 21, 2016).

Submission

Cultural institution AKA GLAM for more OER (Subhashish Panigrahi; February 27, 2016). Subhashish's submission under the theme of "Innovative approaches to opening up cultural heritage collections for education" has been selected for the OER16 conference to be held in Edinburg, Scotland from 19 to 20 April 2016.

Media Coverage

Youth is responsible for protecting Telugu (Eenadu; January 14, 2016).
Why aren’t Indians using Wikipedia to hold the government to account? (Madhav Gadgil; Scroll.in; February 6, 2016).
Now trending: Regional Indian language social media networks (Kanika Sharma; Hindustan Times; February 14, 2016).
International Mother Language Day (Eenadu; February 21, 2016).
ಪ್ರಶಾಂತವನ (Prashasti Prashantavanam; February 21, 2016).

Award

The Intellects, a Delhi-based progressive forum of intellectuals, held the 2nd International Conclave of Odia Language at the India International Centre in New Delhi on February 20, 2016. Subhashish Panigrahi participated in the event and won the Yuva Prerana Samman award. Odisha News covered the event.

Event Organized

Digitisation sprint at Andhra Loyola College Vijayawada to bring more books on Telugu Wikisource (Andhra Loyola College, Off Eluru Road, Behind Vinayak Theater, Vijayawada, Andhra Pradesh; February 12 to 14, 2016).

-----------------------------------
Openness
-----------------------------------

Our work in the Openness programme focuses on open data, especially open government data, open access, open education resources, open knowledge in Indic languages, open media, and open technologies and standards - hardware and software. We approach openness as a cross-cutting principle for knowledge production and distribution, and not as a thing-in-itself.

Articles

Monitoring Sustainable Development Goals in India: Availability and Openness of Data (Part I) (Kiran AB, Openness Blog, February 22, 2016)

Submission

Open Data Hackathons are Great, but Address Privacy and License Concerns (Nisha Thompson, Cross-posted from DataMeet, February 05, 2016)

Participation in Event

National Koha Conclave (Organized by Informatics Publishing; Fortune Park JP Celestial; Bangalore; February 17, 2016). Sunil Abraham delivered the inaugural address on the occasion.

-----------------------------------
Internet Governance
-----------------------------------

As part of its research on privacy and free speech, CIS is engaged with two different projects. The first one (under a grant from Privacy International and International Development Research Centre (IDRC) is on surveillance and freedom of expression (SAFEGUARDS). The second one (under a grant from MacArthur Foundation) is on studying the restrictions placed on freedom of expression online by the Indian government.

►Big Data

Database on Big Data and Smart Cities International Standards (Vanya Rakesh; February 11, 2016).
Sean McDonald - Ebola: A Big Data Disaster (Sumandro Chattapadhyay; February 29, 2016).

►Freedom of Expression

Articles

‘A Good Day for the Internet Everywhere': India Bans Differential Data Pricing (Subhashish Panigrahi; Global Voices; February 9, 2016).
Net Neutrality Advocates Rejoice As TRAI Bans Differential Pricing (Subhashish Panigrahi; Odisha TV; February 9, 2016).
Facebook's Fall from Grace: Arab Spring to Indian Winter (Sunil Abraham; First Post; February 11, 2016).
Internet Freedom (Sunil Abraham and Vidushi Marda; Asian Age; February 14, 2016).
There is No Such Thing as Free Basics (Subhashish Panigrahi; February 14, 2016).
World Trends in Freedom of Expression and Media Development (Pranesh Prakash; United Nations Educational, Scientific and Cultural Organisation; February 17, 2016). Pranesh Prakash contributed to Independence: Introduction - Global Media Chapter.

Event Organized

Public Debate on 'Differential Pricing': Series 1 (Co-organized by CIS, ICRIER and the Department of Civics and Politics, University of Mumbai; CIS, Bangalore; February 1, 2016).
Public Debate on 'Differential Pricing': Series 2 (Co-organized by CIS, ICRIER and the Department of Civics and Politics, University of Mumbai; Pherozeshah Mehta Bhavan, Vidyanagari, Kalina, Mumbai; February 3, 2016).
Public Debate on 'Differential Pricing': Series 3 (Co-organized by CIS, ICRIER and the Department of Civics and Politics, University of Mumbai; India Habitat Centre, Lodhi Road near Air Force Bal Bharti School, New Delhi; February 5, 2016).

Participation in Event

UNICEF & Nasscom Foundation Workshop on Child Online Protection (Organized by United Nations Children's International Education Fund; Hotel Claridges; New Delhi; February 8, 2016). Jyoti Panday attended the event.

►Privacy

Submission

Comments by the Centre for Internet and Society on the Report of the Committee on Medium Term Path on Financial Inclusion (Vipul Kharbanda; February 27, 2016).

Blog Entry

A Case for Greater Privacy Paternalism? (Amber Sinha; February 14, 2016).

-----------------------------------
Telecom
-----------------------------------
CIS is involved in promoting access and accessibility to telecommunications services and resources and has provided inputs to ongoing policy discussions and consultation papers published by TRAI. It has prepared reports on unlicensed spectrum and accessibility of mobile phones for persons with disabilities and also works with the USOF to include funding projects for persons with disabilities in its mandate:

Bottled-Up National Assets (Shyam Ponappa; Business Standard and Organizing India BlogSpot; February 3, 2016).

-----------------------------------
Researchers at Work
-----------------------------------
The Researchers at Work (RAW) programme is an interdisciplinary research initiative driven by contemporary concerns to understand the reconfigurations of social practices and structures through the Internet and digital media technologies, and vice versa. It is interested in producing local and contextual accounts of interactions, negotiations, and resolutions between the Internet, and socio-material and geo-political processes:

Article

The Aakash Tablet and Technological Imaginaries of Mass Education in Contemporary India (Jahnavi Phalkey and Sumandro Chattapadhyay; February 14, 2016).

Video

RAW Lectures #02: Anil Menon on 'Speculative Fiction and Freedom' - Video (CIS, Bangalore; January 13, 2016). The video was uploaded on February 9, 2016.

Events Organized

Internet Researchers' Conference 2016 (Jawaharlal Nehru University, Delhi; February 26 - 28, 2016).

-----------------------------------
News & Media Coverage
-----------------------------------

CIS gave inputs to the following media coverage:

India bans Facebook’s ‘free’ Internet for the poor (Annie Gowen; Washington Post; February 8, 2016).
Zuckerberg's Plan Spurned as India Backs Full Net Neutrality (Adi Narayan and Bhuma Srivastava; Bloomberg; February 8, 2016).
A Megacorp’s Basic Instinct (Arindam Mukherjee; Outlook; February 8, 2016).
Facebook’s Free Basics hits snag in India (James Crabtree with additional reporting by Tim Bradshaw; Financial Times; February 8, 2016).
Trai upholds Net Neutrality in setback to Facebook’s Free Basics (Moulishree Srivastava and Shauvik Ghosh; Livemint; February 9, 2016).
India Sets Strict New Net Neutrality Rules (Anjana Pasricha; Voice of America; February 9, 2016).
Net neutrality advocates hail Trai verdict (Alnoor Peermohamed; Business Standard; February 9, 2016).
Netizen Report: The EU Wrestles With Facebook Over Privacy (Global Voices; February 11, 2016).
Linking Facebook use to free top-up data (Deccan Chronicle; February 14, 2016).
India's ‘Facebook ruling’ is another nail in the coffin of the MNO model (The Register; February 15, 2016).
Violence call key to 'sedition' (The Telegraph; February 18, 2016).
Why the Internet is Making India Furious (Sanjana Sathian; Ozy; February 19, 2016).
Why India snubbed Facebook's free Internet offer (Daniel Van Boom; Cnet; February 26, 2016).

-----------------------------------
About CIS
-----------------------------------
The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfigurations of social and cultural processes and structures as mediated through the internet and digital media technologies.

► Follow us elsewhere

Twitter: http://twitter.com/cis_india
Twitter - Access to Knowledge: https://twitter.com/CISA2K
Twitter - Information Policy: https://twitter.com/CIS_InfoPolicy
Facebook - Access to Knowledge: https://www.facebook.com/cisa2k
E-Mail - Access to Knowledge: a2k@cis-india.org
E-Mail - Researchers at Work: raw@cis-india.org
List - Researchers at Work: https://lists.ghserv.net/mailman/listinfo/researchers

► Support Us

Please help us defend consumer / citizen rights on the Internet! Write a cheque in favour of 'The Centre for Internet and Society' and mail it to us at No. 194, 2nd 'C' Cross, Domlur, 2nd Stage, Bengaluru - 5600 71.

► Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil@cis-india.org (for policy research), or Sumandro Chattapadhyay, Research Director, at sumandro@cis-india.org (for academic research), with an indication of the form and the content of the collaboration you might be interested in. To discuss collaborations on Indic language Wikipedia projects, write to Tanveer Hasan, Programme Officer, at tanveer@cis-india.org.

CIS is grateful to its primary donor the Kusuma Trust founded by Anurag Dikshit and Soma Pujari, philanthropists of Indian origin for its core funding and support for most of its projects. CIS is also grateful to its other donors, Wikimedia Foundation, Ford Foundation, Privacy International, UK, Hans Foundation, MacArthur Foundation, and IDRC for funding its various projects.

For more details visit http://editors.cis-india.org/about/newsletters/february-2016-bulletin

Pratap Vikram Singh - Why Aadhaar is Baseless?

praskrishna — 2016-04-02T05:31:30Z

This article by Pratap Vikram Singh, Governance Now, discusses the problems emerging out of the UIDAI project due to its lack of mechanisms for informed and granular consent, and for seeking recourse in the case of denial of service. The article quotes Sumandro Chattapadhyay and mentions Hans Varghese Mathew's work on the biometric basis of UIDAI. It was written before the Aadhaar bill was passed in Lok Sabha.

Cross-posted from Governance Now.

It was no less than a roller-coaster ride for Aadhaar, a programme formulated by the UPA government to assign a 12-digit unique number to every Indian resident. From the time it came into being in 2009, Aadhaar drew a volley of criticism, thanks to the misgivings and apprehensions that various critics and civil society organisations had. It was criticised for lack of a clear purpose, degree of effectiveness and absence of a privacy law and was virtually thrown into the bin by a parliamentary panel headed by BJP’s Yashwant Sinha in December 2011.

When the finance minister Arun Jaitley, in his budget speech, announced that the government would introduce the Aadhaar bill during the budget session, expectations were already set high. The bill, giving statutory backing to the unique identification authority of India (UIDAI), the implementing authority, was passed by the Lok Sabha on March 11. While the privacy and voluntary versus mandatory provisions are under the consideration of the supreme court, the bill makes way for linking Aadhaar with all government subsidies, benefits and services. The law on Aadhaar, former UIIDAI chairman Nandan Nilekani wrote in the Indian Express, will help the government in going paperless, presence-less and cashless. The legislation, however, fails to deliver on several counts.

However, prior to evaluating the bill (yet to be passed by the Rajya Sabha at the time of this writing though it is a money bill), let us take a look at its major aspects. For those, who always wondered whether Aadhaar is mandatory or voluntary, the bill 2016 makes it mandatory to avail subsidy, benefit or a service from the government.

The bill has provisions related to information security and confidentiality (section 28) which not only extend to employees of the UIDAI but also consultants and external agencies working with the authority.

The proposed law restricts information sharing. It bars UIDAI from sharing core biometric information – the bill defines it as fingerprints and iris scan – with “anyone for any reason whatsoever” or “used for any purpose other than generation of Aadhaar numbers and authentication under this Act”. The section 32 of the bill entitles Aadhaar number holders to access her or his authentication record. It also bars the authority from collecting, keeping or maintaining information about the purpose of authentication.

Odd Drives the Bill

While the intent is clear and is aimed at streamlining welfare schemes to ensure it reaches the bottom of the pyramid, cutting through the long chain of pilferage and subversion, the bill, however, has several shortcomings. To begin with, the government should not have taken the money bill route to pass the legislation – tactfully avoiding any conclusive discussion and debate in the Rajya Sabha, where it is in minority.

The bill assumes that the technology and the biometric system used by the UIDAI are flawless and it doesn’t provide any recourse in case of denial of a service. “If your fingerprint is not matching and you lose out on service, then what is the alternative mechanism you have,” asks Sumandro Chattapadhyay, research director, centre for internet and society (CIS). The bill doesn’t provide for recourse. “What if the scanning machine fails? What if the identifiers of two people match?”

Based on experiments conducted in the initial days of the Aadhaar programme, Hans Verghese Mathews, another CIS researcher, did a study on the probability of matching of identifiers of two persons. “For the current population of 1.2 billion the expected proportion of duplicands (users whose identifiers match) is 1/121, a ratio which is far too high,” Mathews wrote in the Economic and Political Weekly in February.

“It is like putting the technology in a black box – which can’t be reviewed,” says Chattapadhyay. The bill doesn’t talk about setting up an independent body to review the logs and keep an eye on wrong and duplicate matches.

Who Defines National Security?

According to public policy experts, it is an attempt to seek “minimal legitimacy” from parliament and further adds to the unbridled power of the executive.

Although the bill restricts information sharing in section 29, sections 33 and 48 provide exemption in cases of national security and public emergency, respectively. The legislation, nevertheless, doesn’t elaborate on what constitutes national security and public emergency, leaving it to the executives. The section 33 reads: “Nothing contained in… shall apply in respect of any disclosure of information, including identity information or authentication records, made in the interest of national security….”

Similarly, section 48 states that if, at any time, the central government is of the opinion that a public emergency exists, “the central government may, by notification, supersede the Authority for such period, not exceeding six months, as may be specified in the notification and appoint a person or persons as the president may direct to exercise powers and discharge functions under this Act”.

Says Jayati Ghosh, professor, centre for economic studies and planning, Jawaharlal Nehru University, “National security is a very opaque term. Who decides what national security is? Today, the whole JNU is being projected as a threat to national security.” Swagato Sarkar, associate professor and executive director, Jindal school of government and public policy, OP Jindal Global University, says, “The bill has provisions for oversight on the use of Aadhaar, but then it suspends those provisions in case of emergency in the later sections, giving the state the power to use biometric information for whatever it deems fit.”

Sarkar adds, “It seems the bill is simply an instrument for seeking minimum legitimacy from parliament. The bill tries to address the concern of privacy minimally and it hardly serves any purpose.” He believes that there is a need to define the broader contours of democratic control of the state and reassess the changing state-citizen relationship, instead of rejecting the whole idea on the basis of surveillance and privacy. In other words, there is a need for strong parliamentary oversight, and that the Aadhaar related matters shouldn’t be completely delegated to the executive.

In its recommendations on formulating Privacy Act, the justice AP Shah committee in 2012 provided for establishing the office of privacy commissioner at the regional and central levels, defining the role of self-regulating organisations and co-regulation, and creating a system of complaints and redressal for aggrieved individuals. Since the country still doesn’t have any legislation on privacy, people are left on their own in case of an infringement or violation of privacy. Moreover, section 47 states, “No court shall take cognizance of any offence punishable under this Act, save on a complaint made by the Authority or any officer or person authorised by it.”

In its report, the parliamentary committee headed by Yashwant Sinha notes that “enactment of national data protection law… is a prerequisite for any law that deals with large scale collection of information from individuals and its linkages across separate databases”. The committee notes that in absence of data protection legislation, it would be difficult to deal with issues of access, misuse of personal information, surveillance, profiling, linking and matching of databases and securing confidentiality of information.

Subsidy-Aadhaar Linkage

The Sinha committee also takes a cautious view of the role of Aadhaar in curbing leakages in subsidy distribution, as beneficiary identification is done by states. It notes, “Even if the Aadhaar number links entitlements to targeted beneficiaries, it may not even ensure that beneficiaries have been correctly identified. Thus, the present problem of proper identification would persist.”

According to Ghosh, the biggest danger in using Aadhaar for social welfare programmes is that the fingerprints of the rural working class is not always in good shape and hence Aadhaar will not be the best way of identification. “If I am misidentified, I can go to so many places for recourse. But what if a labourer in a remote Jharkhand village is misidentified? Where and whether he would go?” the economist asks. Besides, the bill doesn’t limit the use of Aadhaar and defines areas where it can be used. Section 57 says that the law will not prevent the use of Aadhaar number for establishing the identity of an individual for any purpose, “whether by the state or anybody corporate or person, pursuant to any law, for the time being in force or any contract to this effect.”

According to a PRS Legislative review, since the bill also allows private persons to use Aadhaar as a proof of identity for any purpose, the provision will open a floodgate and enable private entities such as airlines, telecom, insurance and real estate companies to mandate Aadhaar as a proof of identity for availing their services.

Since the bill doesn’t restrict its application, people will not have a choice to identify themselves other than using Aadhaar when corporate organisations make it mandatory, says Chattapadhyay of the CIS. Adds Sarkar, “The bill should clearly mention sectors or services where Aadhaar will be potentially used (or made mandatory). Every time a new sector or service is added to the list, it is done after parliamentary approval.”

So far, 98 crore people have been assigned Aadhaar number. So far the project has costed Rs 8,000 crore.

For more details visit http://editors.cis-india.org/internet-governance/news/gov-now-pratap-vikram-singh-17032016-why-aadhaar-is-baseless

India's billion-member biometric database raises privacy fears

praskrishna — 2016-03-17T15:25:45Z

India's parliament is set to pass legislation that gives federal agencies access to the world's biggest biometric database in the interests of national security, raising fears the privacy of a billion people could be compromised.

The article by Sanjeev Miglani and Manoj Kumar was published by Reuters on March 16, 2016. Sunil Abraham was quoted.

The move comes as the ruling Bharatiya Janata Party (BJP) cracks down on student protests and pushes a Hindu nationalist agenda in state elections, steps that some say erode India's traditions of tolerance and free speech.

It could also usher in surveillance far more intrusive than the U.S. telephone and Internet spying revealed by former National Security Agency (NSA) contractor Edward Snowden in 2013, some privacy advocates said.

The Aadhaar database scheme, started seven years ago, was set up to streamline payment of benefits and cut down on massive wastage and fraud, and already nearly a billion people have registered their finger prints and iris signatures.

Now the BJP, which inherited the scheme, wants to pass new provisions including those on national security, using a loophole to bypass the opposition in parliament.

"It has been showcased as a tool exclusively meant for disbursement of subsidies and we do not realize that it can also be used for mass surveillance," said Tathagata Satpathy, a lawmaker from the eastern state of Odisha.

"Can the government ... assure us that this Aadhaar card and the data that will be collected under it – biometric, biological, iris scan, finger print, everything put together – will not be misused as has been done by the NSA in the U.S.?"

Finance Minister Arun Jaitley has defended the legislation in parliament, saying Aadhaar saved the government an estimated 150 billion rupees ($2.2 billion) in the 2014-15 financial year alone.

A finance ministry spokesman added that the government had taken steps to ensure citizens' privacy would be respected and the authority to access data was exercised only in rare cases.

According to another government official, the new law is in fact more limited in scope than the decades-old Indian Telegraph Act, which permits national security agencies and tax authorities to intercept telephone conversations of individuals in the interest of public safety.

"POLICE STATE"

Those assurances have not satisfied political opponents and people from religious minorities, including India's sizeable Muslim community, who say the database could be used as a tool to silence them.

"We are midwifing a police state," said Asaduddin Owaisi, an opposition MP.

Raman Jit Singh Chima, global policy director at Access, an international digital rights organization, said the proposed Indian law lacked the transparency and oversight safeguards found in Europe or the United States, which last year reformed its bulk telephone surveillance program.

He pointed to the U.S. Foreign Intelligence Surveillance Court, which must approve many surveillance requests made by intelligence agencies, and European data protection authorities as oversight mechanisms not present in the Indian proposal.

The Indian government brought the Aadhaar legislation to the upper house of parliament on Wednesday in a bid to secure passage before lawmakers go into recess.

To get around its lack of a majority there, the BJP is presenting it as a financial bill, which the upper chamber cannot reject. It can return it to the lower house, where the ruling party has a majority.

In its assessment of the measure, New Delhi-based PRS Legislative Research said law enforcement agencies could use someone's Aadhaar number as a link across various datasets such as telephone and air travel records.

That would allow them to recognize patterns of behavior and detect potential illegal activities.

But it could also lead to harassment of individuals who are identified incorrectly as potential security threats, PRS said.

Sunil Abraham, executive director of the Bengaluru-based Centre for Internet and Society, said Aadhaar created a central repository of biometrics for almost every citizen of the world's most populous democracy that could be compromised.

"Maintaining a central database is akin to getting the keys of every house in Delhi and storing them at a central police station," he said.

"It is very easy to capture iris data of any individual with the use of next generation cameras. Imagine a situation where the police is secretly capturing the iris data of protesters and then identifying them through their biometric records.

For more details visit http://editors.cis-india.org/internet-governance/news/reuters-march-16-2016-sanjeev-miglani-and-manoj-kumar-indias-billion-member-biometric-database-raises-privacy-fears

Forget privacy, Aadhaar Bill gives too much power to the executive

praskrishna — 2016-03-17T14:44:12Z

The government promotes the Aadhaar programme because it believes the 12-digit unique identification number will let them track every penny spent from the exchequer. But money is not all that the Aadhaar number can track.

The article by Aloke Tikku was published in the Hindustan Times on March 17, 2016. Sunil Abraham gave inputs.

It can help track people too with amazing efficiency. This is at the centre of the controversy around the programme, and the Aadhaar bill that requires every resident to get the number to access government subsidies and services.

Finance minister Arun Jaitley put up a spirited defence of the bill in the Rajya Sabha on Wednesday when the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 came up for passage. And he was right.

As far as privacy is concerned, the NDA government’s version is much more stringent than the creaky draft proposed by the UPA in 2010.

Jaitley said there were only two circumstances in which personal data collected by UIDAI could be shared under this bill.

One, if the Aadhaar number holder consents to his details being shared. Second, if a government agency wants to access this data on grounds of national security.

But the debate around privacy concerns – that neither the NDA nor the UPA governments addressed – and the new bill is much more fundamental.

The Aadhaar bill gives the executive too much power to decide how to administer the law.

Every law requires the government to frame rules to specify the nitty-gritty of its implementation.

But the Aadhaar bill passed by Parliament gives the Unique Identification Authority of India (UIDAI) the power to prescribe regulations for nearly every provision, right down to what biometric or biological attributes need to be captured.

“The law leaves too much power in the hands of the executive,” said Sunil Abraham, executive director of the Bengaluru-headquartered research advocacy group, Centre for Internet and Society.

For instance, the bill gives the Unique identification Authority of India (UIDAI) powers to determine if it should collect any biological attribute of people too. This means the government could at a later date mandate that DNA of all Aadhaar numbers too be collected.

The example echoed in the Rajya Sabha on Wednesday as well.

“No power should be delegated to the UID Authority because then the UID Authority will decide tomorrow that DNA is required, and they will then have the powers to take DNA information as well,” Congress MP Jairam Ramesh said.

The minister tried to explain the reliance on regulations issued by UIDAI – the word ‘regulations’ does appear some 50 times through the legislation – as compared to less than 10 in, say, the right to information law or the 2010 version of the bill.

He said MPs could still review notifications issued by UIDAI when they are placed for parliamentary approval.

For more details visit http://editors.cis-india.org/internet-governance/news/hindustan-times-march-17-2016-aloke-tikku-forget-privacy-aadhaar-bill-gives-too-much-power-to-the-executive

A scheme in India to help the poor raises privacy concerns

praskrishna — 2016-03-17T03:08:33Z

India’s legislators are on Wednesday debating a law that would allow the government to collect biometric and demographic information from people in return for distributing to them government benefits and subsidies.

The article by John Ribeiro published by IDG News Service on March 16, 2016 was also mirrored on CSO.

A number of legislators and civil rights activists are concerned about the absence of strong privacy safeguards in the legislation and a provision in the law that allows the government to access the data collected for national security reasons. There is also concern that such a large centralized database of personal information could be hacked and critical information leaked.

Biometric information, once leaked cannot be 'revoked,' and identity fraud may in fact become harder to detect if Aadhaar is used for authentication of transactions, said Pranesh Prakash, policy director at the Centre for Internet and Society in Bangalore, in an email.

Activists are also wary that the program could be extended by the government to make it a mandatory digital ID card for people in the country. Already some telecommunications services and financial services companies use the biometric identity as an optional way for verifying customers. Currently, people can keep their personal information in silos, as for example their insurance company can't combine their database with that of a hospital, Prakash said. "However, with Aadhaar as a unique linking factor, they could, even without the person's consent," he added.

The biometric ID, which assigns a person a 12-digit number called the Aadhaar number, requires the collection of photos, fingerprints, iris scans and other information such as the name, date of birth and address of the individual. Every time a person has to be verified, he has to present the Aadhaar number, and his biometric information has to match the data stored in a centralized repository.

The digital identity is expected to provide proof of identification to the large number of poor Indians who do not have house addresses, school certificates, birth certificates or other documents that are usually used to prove identity in India.

The traditional paper ration books used in the country are notoriously stuffed with people who are nonexistent or who do not typically qualify for benefits, so the government hopes to save some money by linking the benefits to a digital identity. But the new scheme addresses only end-user fraud and not the large-scale theft prevalent in the entire supply chain, according to analysts.

Rajeev Chandrasekhar, a member of India’s Parliament, has proposed amendments to the bill that would ensure that Aadhaar numbers should not be used as proof of identity for purposes other than subsidies and benefits. Chandrasekhar also wants the Unique Identification Authority of India that manages the project to be responsible for ensuring the security and privacy of the biometric and demographic information of the account holder, with liability for damages in a civil court in the case of a breach.

The Aadhaar program has been allotting IDs for a number of years, even under a previous government, but the program was the offshoot of an executive order and had no legal sanction. The country’s Supreme Court ruled in 2013 in an interim order that people cannot be required to have Aadhaar identification to collect state subsidies. Aware of the legal minefield it was treading on, the government had said the scheme was voluntary.

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 passed recently in the Lok Sabha, one of the houses of India’s parliament, now aims to make the scheme mandatory. The bill sailed through the Lok Sabha where the government has a majority, but will likely meet with strong opposition from the other house, the Rajya Sabha. But the government has classified the bill as a money bill and the Rajya Sabha does not have the final say on such bills. So the legislation is likely to be passed in any case despite its limitations.

For more details visit http://editors.cis-india.org/internet-governance/news/a-scheme-in-india-to-help-the-poor-raises-privacy-concerns

Aadhaar is actually surveillance tech: Sunil Abraham

praskrishna — 2016-03-16T17:07:39Z

On March 12, the Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016, paving the way for giving legal status to Aadhaar, a 12-digit unique identification number generated after collecting biometric and other details of an Indian resident.

Sahil Makkar on behalf of Business Standard interviewed Sunil Abraham. The article was published on March 12, 2016.

The government intends to use Aadhaar to roll out more subsidy schemes and allay privacy concerns. However, activists are not convinced. Sunil Abraham, executive director of Bengaluru based-research organisation The Centre for Internet & Society, tells Sahil Makkar that the concept of Aadhaar is principally flawed and it doesn't substantially help in plugging leakages in government schemes. Edited excerpts:

What is your position on Aadhaar and the UIDAI Bill?

What technology has broken cannot be fixed by the law. Aadhaar is a broken technology; it is surveillance technology disguised as developmental intervention that identifies people without their consent and authenticates transactions on their behalf. The architecture is a disaster from the security perspective and there is no recourse in law for citizens whose rights have been infringed. The other objection should be to the subtitle of the Bill that mentions "services": it is unclear whether Aadhaar is to be provided to the residents or the citizens. A bulk of the government services is meant for citizens.

What are the repercussions of this "broken technology"?

Consent happens without conscious cooperation during the authentication process of getting access to a subsidy or a service. Also, the person providing the service is holding a biometric reader and he may say the device is not working and hence, refuse the subsidy. Yet the database will reflect that the subsidy has been availed of because authentication has already been completed. So you have to accept what the person is saying because only that person and the UIDAI have access to the information. Aadhaar makes the citizen transparent to the state but makes the state completely opaque and unaccountable to its citizens.

Will the beneficiary not receive a message about the transaction?

That will only happen when the banks are involved. At the subsidised ration shop the beneficiary will get nothing. The world over security professionals don't trust biometric-based authentication, relying rather on other revocable authentication factors. It is irrevocable if the biometric details are compromised. Instead, writable smart cards could be used to record details of government officers on the cards of beneficiaries and make both the state and the resident transparent to each other.

Hasn't the National Population Register under the Ministry of Home Affairs been advocating the use of smart cards?

In this case biometrics should be used only to link the individual to the smart card. Biometric information should be stored on smart cards and under no circumstances should there be a central repository of biometrics at one place. Maintaining a central database is akin to getting the keys of every house in Delhi and storing them at a central police station. The chances of getting a central database compromised depend on the nature of information stored in it. For the sake of security one can't create a honey pot to be attacked by many. The internet is secure because it doesn't have a central database. The other difference is that faking biometrics is much easier than faking smart cards.

So your principle opposition is to the setting up of a central repository of biometrics?

I am also opposed to the use of biometrics for identification and authentication; this is nothing but surveillance. It is very easy to capture iris data of any individual with the use of next generation cameras. Imagine a situation when the police is secretly capturing the iris data of protesters and then identifying them through their biometric records.

But if the security agencies are able to identify those who create law and order problems, what is the hitch?

It is exactly the same argument that Apple is giving while refusing back-door entry to intelligence and investigating agencies. Once you build surveillance capacity for good governance, it may be misused by a repressive government, a rogue corporation or by criminals. Fear of this type of surveillance will deter people from holding any protest.

Doesn't the Aadhaar or the UIDAI conform to safety and security provisions in the IT Act?

The standards in our IT Act are woefully inadequate in comparison to European regulators and courts. If it adhered to the highest standards, the European privacy commissioner and data protection authorities would have given India adequacy status. The second problem is that the current IT Act doesn't apply to the government. If the government holds your data, it is under no obligation to protect your rights.

You have been part of the Justice A P Shah Committee on privacy. How important is it to have a separate privacy law in the present context?

It is not only important for the purpose of safeguarding human rights, but also to protect the competitiveness of our BPO, ITeS and KPO sectors. We need a data protection law that is compliant with European Data Protection Regulation.

How will such a law help a common man whose data have been compromised?

It will provide clarity to an individual about where he or she stands with regard to privacy. It is strange that the government took diametrically opposite stands in two cases related to privacy in the Supreme Court. When some activists demanded that the UIDAI be scrapped, the government argued before the court that there was no Constitutional right to privacy. When the police asked for the biometric records from the UIDAI, the same government argued there was a right to privacy and that it couldn't divulge the details to the police. The government is not speaking in the same voice; even courts are not speaking in the same voice, because there have been conflicting judgements. So the proposed law will provide clarity on privacy and people will be able to seek compensation under it.

At the same time it cannot be denied that Aadhaar can plug leakages and save hundreds and thousands of rupees for the exchequer....

Aadhaar is only answering two questions: Is this particular biometric unique (enrolment) and does it match the template in the database? If you bring a Bangladeshi into the system, it will answer both the questions in the affirmative. The Aadhaar only eliminates the possibility of one person receiving the benefits twice. At the same time it is very easy to put a ghost beneficiary back into the system. If Aadhaar has to work, we need a publicly visible auditable trail of subsidy moving from Delhi to the villages. That will eliminate corruption in the supply chain.

Isn't it difficult for a large number of ghost beneficiaries to get into the system?

There is no way to check whether a genuine or a ghost beneficiary has been removed from the list. It is not a foolproof system because no one is vouching for anybody. In the current system it is difficult to find out who created this ghost beneficiary. Nobody loses a job for creating a ghost; in fact, here everyone has an incentive.

If there are problems with the UIDAI system, why is the government upbeat about it?

As techno-utopians our government wants technology to answer everything and solve all our problems. If anything goes wrong, it can easily be blamed on technology.

For more details visit http://editors.cis-india.org/internet-governance/news/business-standard-sahil-makkar-march-12-2016-aadhaar-is-actually-surveillance-tech-sunil-abraham