The Centre for Internet and Society
http://editors.cis-india.org
These are the search results for the query, showing results 1 to 15.
Advanced biometric technologies and new market entries tackle fraud, chase digital ID billions
http://editors.cis-india.org/internet-governance/news/biometric-update-june-26-2021-chris-burt-advanced-biometric-technologies-and-new-market-entries-tackle-fraud-chase-digital-id-billions
<b>Amid forecasts of rapid growth and huge market potential, digital ID platforms by Techsign and Ping Identity, new services, features and even an investment fund have been launched.</b>
<p style="text-align: justify; ">The blog post by Chris Burt was <a class="external-link" href="https://www.biometricupdate.com/202106/advanced-biometric-technologies-and-new-market-entries-tackle-fraud-chase-digital-id-billions">published by Biometric Update</a> on June 26, 2021.</p>
<p style="text-align: justify; ">A new camera solution for under-display 3D face biometrics from Infineon and partners, and IPO filings by Clear and SenseTime show parallel investment activity in biometrics, meanwhile, and experts from Veridium and Intellicheck provide insight into the shifting technology and fraud landscapes, among the most widely-read stories this week on Biometric Update.</p>
<h2 style="text-align: justify; ">Top biometrics news of the week</h2>
<p style="text-align: justify; ">Several areas of the digital identity market continued to be very active, with a new investment fund launched to support startups in digital commerce and payments, Yoti joining a regulatory sandbox, Techsign launching a digital ID platform, and Mastercard and b.well reporting positive results from a recent pilot for their biometric healthcare platform. All this activity contributes to explaining Juniper Research’s <a href="https://www.biometricupdate.com/202106/digital-identity-verification-market-forecast-to-reach-16-7b-by-2026">forecast of rapid growth</a> in the sector to $16.7 billion in 2026, driven largely by spending on remote onboarding.</p>
<p style="text-align: justify; ">Okta CEO Todd McKinnon, meanwhile, told Barron’s that the total addressable market for identity and access management providers like Okta is something like <a href="https://www.biometricupdate.com/202106/okta-ceo-says-total-addressable-identity-and-access-management-market-near-80b">$80 billion</a>, as well as that effective integration is the key to solving biometrics challenges in the space. Entrust and Yubico formed an integration partnership, LoginRadius launched a new feature, Jamf launched a biometric tool for enterprises, and a certification program for IAM professionals was launched.</p>
<p style="text-align: justify; ">A list of goods for sale on the dark web includes a listing for <a href="https://www.biometricupdate.com/202106/biometric-selfies-and-forged-passports-identities-for-sale-on-the-dark-web">selfies holding an American ID credential</a>, which in theory could be used in a biometric spoofing attack. Cybersecurity researcher Luana Pascu helps guide readers through the report, and shares insights such as on the status of faked vaccination certificates on dark web marketplaces.</p>
<p style="text-align: justify; ">Ensuring the validity of the ID document a biometric identity verification process is based on, without adding too much friction, often means adopting <a href="https://www.biometricupdate.com/202106/intellicheck-ceo-on-building-the-foundations-for-biometric-verification-and-fraud-protection">layered risk profiling</a>, Intellicheck CEO Bryan Lewis tells <em>Biometric Update</em> in a sponsored post. The company has deep roots in detecting fraudulent documents and has found that even scanning the barcode on an identity document will not necessarily catch a fake if the unique security elements are not validated as part of the scan.</p>
<p style="text-align: justify; ">Fourthline Anti-Financial Crime Head Ro Paddock writes in a Biometric Update guest post about the ever-increasing sophistication of fraud attacks, which reached the level of computer-generated <a href="https://www.biometricupdate.com/202106/the-fraudsters-new-game-face">3D masks and deepfakes</a> during the pandemic. In response, information-sharing between organizations will be necessary to understand the scope of these new threats, and how to defend against them.</p>
<p style="text-align: justify; ">Philippines’ election commission has launched an app to allow people to preregister for the <a href="https://www.biometricupdate.com/202106/philippines-launches-app-to-fast-track-biometric-voter-registration">voter roll online</a> before enrolling their biometrics in person, as the country continues digitizing its public services. Governments in Pakistan, Haiti and Nigeria are also making moves to improve the accessibility and trustworthiness of their electoral processes.</p>
<p style="text-align: justify; ">A partnership between Research ICT Africa and the Centre for Internet and Society, supported by the Omidyar Network, to explore the development of digital ID systems for the African context is explained in a <a href="https://researchictafrica.net/2021/06/21/why-digital-id-matters/" target="_blank">blog post</a>. The project will be based on an adaptation of the Evaluation Framework for Digital Identities which the CIS used to assess India’s Aadhaar system, with rule of law, rights and risk-based tests, and presented in a series of posts.</p>
<p style="text-align: justify; ">Details of Clear’s IPO plans emerged, including its intention to raise up to <a href="https://www.biometricupdate.com/202106/clear-ipo-could-raise-up-to-396m-in-hot-biometrics-investment-market">$396 million</a> on the NYSE. The $2.2 billion valuation aligns with some comparable companies, by revenue multiple, but the lower voting power of the shares on offer could be a restraining factor.</p>
<p style="text-align: justify; ">An even bigger IPO could be held by SenseTime later this year, with the Chinese AI firm looking to raise up to $2 billion <a href="https://www.biometricupdate.com/202106/not-smarting-from-us-sanctions-sensetime-says-its-ipo-is-on-again">on the Hong Kong exchange</a>. The company has been talking about a public stock launch since before the company was hit with restrictions to U.S. trade, which it indicates have had little impact.</p>
<p style="text-align: justify; ">The latest major funding round in digital identity is the largest yet, with <a href="https://www.biometricupdate.com/202106/transmit-security-raises-543m-to-grow-biometric-passwordless-authentication">Transmit Security raising $543 million</a> at a $2.2 billion valuation to expand the market reach of its passwordless biometric authentication technology. The company claims it is the highest ever Series A funding round in cybersecurity.</p>
<p style="text-align: justify; ">Bob Eckel, Aware CEO and International Biometrics + Identity Association (IBIA) Director and Board Member, discusses why people should own their own identity, identifying things and protecting supply chains, and his background in setting up air traffic control systems used all over the world with the Requis <a href="https://requis.com/podcasts/podcast-bob-eckel-biometrics-future-secured-identities/" target="_blank">Supply Chain Next podcast</a>. In the longer term Eckel sees biometrics replacing passwords, and in the shorter term being used to make processes touchless.</p>
<p style="text-align: justify; ">Veridium CTO John Callahan guides Biometric Update through recent NIST guidance on the <a href="https://www.biometricupdate.com/202106/nist-touchless-fingerprint-biometrics-guidance-confirms-interoperability">interoperable use of contactless fingerprints</a> with contact-based back-end AFIS systems. The guidance, which changes definitions within the NIST ITL biometric container standard, but advises that the associated image quality metric does not apply to contactless prints, could spark further investment in the modality.</p>
<p style="text-align: justify; ">A new time-of-flight 3D imaging solution that could be used to implement facial authentication from <a href="https://www.biometricupdate.com/202106/under-display-camera-for-3d-face-biometrics-developed-by-infineon-pmd-arcsoft">under the display of mobile devices</a> without notches or bezels has been developed by partners Infineon, pmdtechnologies and ArcSoft. Based on the REAL3 sensor and ArcSoft’s computer vision algorithms, the solution is expected to reach availability in Q3 2021.</p>
<p style="text-align: justify; "><a href="https://www.biometricupdate.com/202106/ping-identity-adds-behavioral-biometrics-and-bot-detection-with-securedtouch-acquisition">Ping Identity has acquired SecuredTouch</a> in a deal with undisclosed financial details to integrate its behavioral biometrics-based continuous user authentication with the PingOne enterprise cloud platform. Ping also launched a consumer application for reusable credentials and added unified management features to its cloud platform at its Identiverse 2021 event.</p>
<p style="text-align: justify; ">Notre Dame-IBM Technology Ethics Lab Founding Director Elizabeth Renieris joins the MIT Sloan Management Review’s <a href="https://sloanreview.mit.edu/audio/starting-now-on-technology-ethics-elizabeth-renieris/" target="_blank">Me, Myself and AI podcast</a> to discuss the role of the lab, her path past and through some of the digital identity space’s key ethical developments, and the need to take the long view on technology to understand its ethical implications. Renieris makes a pitch for process-oriented regulations, based on the best understanding we have at the time.</p>
<p style="text-align: justify; ">ProctorU’s announcement that it will no longer sell fully-automated remote proctoring services is seen as a win in the battle against “the AI shell game” by the <a href="https://www.eff.org/deeplinks/2021/06/long-overdue-reckoning-online-proctoring-companies-may-finally-be-here" target="_blank">Electronic Frontier Foundation</a>. The descriptions of the balance between the automated and human decision-making by AI proctoring providers amount to doublespeak, the EFF says, before panning their human review processes, accuracy rates, and use of facial recognition.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/biometric-update-june-26-2021-chris-burt-advanced-biometric-technologies-and-new-market-entries-tackle-fraud-chase-digital-id-billions'>http://editors.cis-india.org/internet-governance/news/biometric-update-june-26-2021-chris-burt-advanced-biometric-technologies-and-new-market-entries-tackle-fraud-chase-digital-id-billions</a>
</p>
No publisher | Chris Burt | Privacy, Internet Governance, UIDAI, Biometrics, Aadhaar | 2021-06-28T01:13:05Z | News Item
Are biometrics hack-proof?
http://editors.cis-india.org/internet-governance/news/livemint-june-11-2017-shaikh-zoaib-saleem-are-biometrics-hack-proof
<b>There are growing concerns over biometric security in India. We ask the experts if biometrics can really be hacked.</b>
<p style="text-align: justify; ">The article by Shaikh Zoaib Saleem was published by <a class="external-link" href="http://www.livemint.com/Money/YD7dqEVRJbrqoAs3h4PuJO/Are-biometrics-hackproof.html">Livemint</a> on June 11, 2017. Pranesh Prakash was quoted.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">There are growing concerns over biometric security. A compromised password can be changed but not a stolen biometric. We ask experts about biometrics security in India.</p>
<p style="text-align: justify; "><b>Pranesh Prakash, policy director, The Centre for Internet & Society </b></p>
<p style="text-align: justify; ">Biometric devices are not hack-proof. It depends on the ease with which this can be done. In Malaysia, thieves who stole a car with a fingerprint-based ignition system simply chopped off the owner's finger. When a biometric attendance system was introduced at the Institute of Chemical Technology (ICT) in Mumbai, students continued giving proxies by using moulds made from Fevicol.</p>
<p style="text-align: justify; ">Earlier this year, researchers at NYU and Michigan State University revealed that they were able to generate a "MasterPrint", which is a "partial fingerprint that can be used to impersonate a large number of users". While there are potential safeguards, they require re-capturing everyone's biometrics.</p>
<p style="text-align: justify; ">Even other technologies like iris scanner, gait recognition, face recognition, and others, are getting better, but all have problems. Our laws haven't evolved either, leaving many unanswered questions: who can demand your biometrics and under what circumstances? Can your biometrics be captured without your consent? Who is liable for failure? What remedies does one have?</p>
<p style="text-align: justify; ">This is an evolving area of technology studies, and every day new kinds of attacks are discovered. Further, they are probabilistic technologies unlike passwords. Given this, if you seek a reliable identity verification system, it doesn't make sense to deploy a system exclusively based on biometrics.</p>
<p style="text-align: justify; "><b>Umesh Panchal, vice-president, Biomatiques Identification Solutions </b></p>
<p style="text-align: justify; ">Biometric devices are instruments delivering added security check functions over traditional methods and these devices can be hack-proof, if the process of exploiting vulnerabilities to gain unauthorised access to systems or resources, is taken care of. With liveliness detection, iris biometric devices are far more hack-proof than fingerprint devices. Even Pentagon has been hacked. Theoretically, a biometric device can internally store or copy fingerprints or iris scans. Depending upon the use-case and ecosystem, a biometric device can internally store templates. However, the UID system (Unique Identification Authority of India) doesn’t permit storage of any biometric data in any biometric devices.</p>
<p style="text-align: justify; ">Several security measures can be incorporated to ensure strong transaction security and end-to-end traceability to prevent misuse. This can be achieved by implementing specification of authentication ecosystem. These include deploying signed application, host and operator authentication, usage of multi-factor authentication, SMS/email alerts, encryption of sensitive data, biometric locking, device identification with unique device identifier for analytics/fraud management, eliminating use of stored biometrics and so on.</p>
<p style="text-align: justify; ">For a consumer, the device security is determined by the certification it holds from the competent certification authority.</p>
<p style="text-align: justify; "><b>Bryce Boland, chief technology officer-Asia Pacific, FireEye</b></p>
<p style="text-align: justify; ">Biometrics take many forms. Most often people think biometrics are the actually measured biological feature, but they are actually measurements of a feature turned into a sequence of data that is compared against another set of data. You don’t actually need the physical feature, you need the measurements to generate the sequence of data to make a match. If you can inject that data into a biometric, bypassing the reader, you can potentially trick a biometric system.</p>
<p style="text-align: justify; ">Most successful biometric implementations have a controlled enrolment process where identity validation is undertaken, and have physically secured, tamperproof and closely monitored readers. Systems like those used for passport biometric enrolment with restricted deployments of readers at airports are an example. Self-enrollment is prone to fraud. Widely distributed readers are prone to tampering. Insecure paths from readers to central credential repositories are prone to credential theft.</p>
<p style="text-align: justify; ">Once biometric information is stolen, it usually cannot be changed. So stolen data can potentially be used for a long time, creating problems. This isn’t the case for airport fingerprint readers, but it is a problem for biometric devices in the hands of the public. The best way to check this is to keep the system’s environment physically secured, tamperproof and closely monitored.</p>
<p style="text-align: justify; "><b>Rajesh Babu, CEO, Mirox Cyber Security & Technology </b></p>
<p style="text-align: justify; ">Biometrics devices can be hacked. They have fingerprint sensors, which only check the pattern. It is possible to recreate these patterns through various techniques. Technically, it is difficult to recreate biometrics from a high-resolution picture. However, by using other image rendering tools we can recreate the patterns. Security experts and hackers have already proved that they can bypass mobile fingerprint scanners using a collection of high-resolution photographs taken from different angles using standard photo cameras to make a latex replica print.</p>
<p style="text-align: justify; ">Most of the biometric scanners have a data set of all fingerprints and other identities inside the device database. Not every manufacturer in India undergoes enough security auditing. Most of the companies manufacture low-cost biometric devices which are highly vulnerable. These devices are imported from China and other countries but they do not conduct or go through any security audits in our country. They may have kernel level back doors, which are highly vulnerable and can lead to launch of any kind of attack, including compromising an organization’s network. Only a handful of companies conduct audits of their products as part of security practice.</p>
<p style="text-align: justify; ">Organizations and the government must have a clear and concise Security Devices Policy based on standard applicable laws and regulation framework.</p>
No publisher | praskrishna | Biometrics, Internet Governance, Privacy | 2017-06-12T01:39:14Z | News Item
Digital native: Look before you (digitally) leap
http://editors.cis-india.org/raw/indian-express-nishant-shah-may-28-2017-digital-native-look-before-you-digitally-leap
<b>Creating a digital future is great, but there’s a serious need to secure the infrastructure first.</b>
<p style="text-align: justify; ">The article was published in the <a class="external-link" href="http://indianexpress.com/article/technology/tech-news-technology/digital-native-look-before-you-digitally-leap-4676270/">Indian Express</a> on May 28, 2017.</p>
<hr />
<p style="text-align: justify; ">Digital technologies of connectivity have one unrelenting promise — they offer us new ways of doing things, augmenting existing practices, amplifying capacities and affording new possibilities of information and data transactions that accelerate the ways in which we live. This idea of the internet as infrastructure is central to India’s transition into an information technologies future.</p>
<p style="text-align: justify; ">Nandan Nilekani, almost a decade ago, in his book, Imagining India, had clearly charted how the digital is the basis for shaping the future of our communities, societies and governance. As one of the architects of Aadhaar, Nilekani had argued that the country of the 21st century will have to be one that seriously invests in the digital infrastructure.</p>
<p style="text-align: justify; ">In 10 short years, we have reached a point where we no longer question the enormous investment we make in digital systems of governance and functioning, and we appreciate the economic and networked values of projects like #DigitalIndia and #MakeInIndia that shape our markets and cities into becoming the new cyber-hubs.</p>
<p style="text-align: justify; ">There is no denying that digital offers a new way of consolidating a country as polyphonic, multicultural, expansive and diverse as India. We also have to appreciate that, even if selectively, the digitisation of public records, government services, and state support is clearly producing an administrative momentum that is reforming various practices of corruption and incompetence in the massive state machinery. The role of the digital as infrastructure has been a boon for many developing countries.</p>
<p style="text-align: justify; ">This positioning, however, masks the fact that infrastructure needs its own support and care systems. Take roads, for example. Roads allow for connectivity, movement and mobility between different spaces. They are one of the most important of state and public infrastructures and for all our jokes about pot-holes and eroding spaces for pedestrians, roads remain the life-line of our everyday life. A complex mechanism of planning, regulation and maintenance needs to be put into place in order to make roads survive.</p>
<p style="text-align: justify; ">The amount of attention we pay to roads — the material quality, the land that it occupies, the lanes for different vehicles, the traffic lights and zebra crossings, blockages and streamlines, authorising specific use of roads and disallowing certain activities to happen there — is staggering. A public planner would tell you that before the road comes into being, the idea of the road has to be formulated. The road needs protection and planning and its own infrastructure of support and creation.</p>
<p style="text-align: justify; ">When it comes to the information superhighway of the digital web, this remains forgotten. We are so focused on the digital as infrastructure that we seem to pay no attention to its infrastructure. Thus, when we proposed, deployed and now enforced a project like Aadhaar, the focus remained on its unfolding and its operations. Aadhaar as an aspiration of governance has its values and has the capacity to become a system that augments statecraft.</p>
<p style="text-align: justify; ">However, the infrastructure that is needed to make Aadhaar possible — rules and regulations around privacy, bills and acts about data sharing and ownership, contexts of informed consent and engagement, community awareness and data security protocol — have been missing from the debates. For years now, activists have been advising and warning the state that building this digital infrastructure without building the contexts within which they make sense is not just irresponsible, but downright dangerous.</p>
<p style="text-align: justify; ">Different governments have turned a deaf ear to these protests. Now, when the Aadhaar portals are found disclosing massive volumes of public data, making people vulnerable to data and identity theft and fraud, we are realising the massive projects we have started without thinking about the context of security.</p>
<p style="text-align: justify; ">With the ongoing controversies around #AadhaarLeaks, the question is not whether the disclosure of this information was a leak, a breach or an ignorant exposure of sensitive information. The response to it cannot be just about fixing the infrastructure and building more robust systems. The question that we need to confront is how do we stop thinking of the internet as infrastructure and start focusing on the infrastructure that needs to be set into place so that these digital systems promise safety, security, and protection for the lives they intersect with.</p>
No publisher | nishant | Biometrics, Researchers at Work, Aadhaar | 2017-06-08T01:22:54Z | Blog Entry
India’s Supreme Court hears challenge to biometric authentication system
http://editors.cis-india.org/internet-governance/news/idg-news-service-john-riberio-may-3-2017-indias-supreme-court-hears-challenge-to-biometric-authentication-system
<b>Two lawsuits being heard this week before India’s Supreme Court question a requirement imposed by the government that individuals should quote a biometrics-based authentication number when filing their tax returns.</b>
<p style="text-align: justify; ">The <a class="external-link" href="http://www.itworld.com/article/3194272/security/india-s-supreme-court-hears-challenge-to-biometric-authentication-system.html">post by John Riberio, IDG News Service was mirrored by IT World </a>on May 3, 2017.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Civil rights groups have opposed the Aadhaar biometric system, which is based on centralized records of all ten fingerprints and iris scans, as their extensive use allegedly encroaches on the privacy rights of Indians. “Aadhaar is surveillance technology masquerading as secure authentication technology,” said Sunil Abraham, executive director of Bangalore-based research organization, the Centre for Internet and Society.</p>
<p style="text-align: justify; ">The Indian government has in the meantime extended the use of Aadhaar, originally meant to identify beneficiaries of state schemes for the poor, to other areas such as filing of taxes, distribution of meals to school children and <a href="http://www.pcworld.com/article/3189977/internet/in-india-people-can-now-use-their-thumbs-to-pay-at-stores.html">payment systems</a>.</p>
<p style="text-align: justify; ">Hearings on the writ petitions, challenging the amendment to the Income Tax Act, are going on in Delhi before a Supreme Court bench consisting of Justices A.K. Sikri and Ashok Bhushan.</p>
<p style="text-align: justify; ">Tax payers are required to have the Aadhaar number in addition to their permanent account number (PAN), which they have previously used to file their tax returns. Their failure to produce the Aadhaar number would lead to invalidation of the PAN number, affecting people who are already required to quote this number for other transactions such as buying cars or opening bank accounts.</p>
<p style="text-align: justify; ">The stakes in this dispute are high. The petitioners have argued for Aadhaar being voluntary and question the manner in which the new amendment to the tax law has been introduced. The government has said both in court and in other public forums that it needs a reliable and mandatory biometric system to get around the issue of fake PAN numbers.</p>
<p style="text-align: justify; ">The lawyer for one of the plaintiffs, Shyam Divan, has argued for the individual’s absolute ownership of her body, citing Article 21 of the Indian Constitution, which protects a person from being “deprived of his life or personal liberty except according to procedure established by law.” The government has countered by saying that citizens do not have absolute rights over their bodies, citing the law against an individual committing suicide as an example.</p>
<p style="text-align: justify; ">The Supreme Court in another lawsuit looking into privacy issues and the constitutionality of the Aadhaar scheme had ruled in an interim order in 2015 that the biometric program had to be voluntary and could not be used to deprive the poor of benefits.</p>
<p style="text-align: justify; ">"The production of an Aadhaar card will not be condition for obtaining any benefits otherwise due to a citizen," the <a href="http://judis.nic.in/supremecourt/imgs1.aspx?filename=42841">top court ruled</a>.</p>
<p style="text-align: justify; ">The government holds that the Aadhaar Act, passed in Parliament last year, provides the legal backing for making the biometric identification compulsory.</p>
<p style="text-align: justify; ">The current lawsuits against Aadhaar have not been argued on grounds of privacy, reportedly because the court would not allow this line of argument, which is already being heard in the other case. The Supreme Court has made current petitioners <a href="https://indconlawphil.wordpress.com/2017/05/03/the-constitutional-challenge-to-s-139aa-of-the-it-act-aadhaarpan-petitioners-arguments/">“fight this battle with one arm tied behind their backs!,”</a> wrote lawyer Gautam Bhatia in a blog post Wednesday.</p>
No publisher | praskrishna | Biometrics, Aadhaar, Internet Governance, Privacy | 2017-05-20T06:44:02Z | News Item
130 Million at Risk of Fraud After Massive Leak of Indian Biometric System Data
http://editors.cis-india.org/internet-governance/news/gizmodo-may-3-2017-130-million-at-risk-of-fraud-after-massive-leak-of-indian-biometric-system-data
<b>A series of potentially calamitous leaks in India leave as many as 130 million people at risk of fraud or worse after caches of biometric and other personal data became accessible online.</b>
<p style="text-align: justify; ">The article by Dell Cameron was published by Gizmodo on May 3, 2017.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">That’s according to <a href="https://drive.google.com/file/d/0BwsvF1X5umK4LVBmYW14UzJDdk0/view?usp=sharing" rel="noopener" target="_blank">a new report</a> from the Bangalore-based Centre for Internet and Society (CIS), which details breaches at four national- and state-run databases, all of which are said to contain purportedly “uniquely-identifying” Aadhaar numbers.</p>
<p style="text-align: justify; ">Launched in 2009, the Aadhaar system is an ambitious, albeit flawed program aimed at assigning unique identity numbers, not only to Indian citizens, but everyone who resides and works in the country. It is the largest program of its kind in the world. The 12-digit Aadhaar codes are assigned and maintained in a central database by the Unique Identification Authority of India (UIDAI) and link to biometric data of fingerprint and iris scans combined.</p>
<p style="text-align: justify; ">For security purposes, since 2002, all U.S. passports issued to international travelers at embassies and consulates around the world have contained biometric data, including a ten fingerprint scan, contained in a microchip embedded in the back cover. In 2007, the law was extended to cover U.S. citizens, and since at least 2013, so-called “e-passports” have been the standard.</p>
<p style="text-align: justify; ">With a very different intention in mind, the Aadhaar system was created to employ biometrics as a means to ensure that Indian residents have access to the social safety net, including programs for welfare, health, and education. But due to the sheer scale—again, the largest biometric project in history—the program has been fraught with controversy since day one. Since inception, more than 1.13 billion Aadhaar numbers have been assigned, according to <a href="https://uidai.gov.in/images/state_wise_aadhaar_saturation_02052017.pdf" rel="noopener" target="_blank">UIDAI data</a>. (India has a population of roughly 1.32 billion.)</p>
<p style="text-align: justify; ">Former World Bank economist Salman Anees, a member of the Indian National Congress (INC), points to migrant laborers as an example of those the program is intended to help. They often carry no identification, he said, and therefore can rarely prove who they are when traveling from state to state. The purpose of the Aadhaar system, he said, is to provide every Indian with a “digital identity.”</p>
<p style="text-align: justify; ">“At least, that was the original idea,” adds Soz.</p>
<p style="text-align: justify; ">After the INC was battered in the 2014 general election, plans were put forth to expand the scope of the Aadhaar program, inflaming public concern over security and privacy. “Basically, you take this Aadhaar number and you start seeding different [government] databases,” Soz says. “And that, in effect, creates this huge data structure that people are very uncomfortable with.”</p>
<p style="text-align: justify; ">“In some ways,” he continued, “what you have is this amazingly modern system with huge data collection potential—and of course, many positives can come from this, but in the wrong hands it can become a huge problem for India. At the same time, your legal framework, your regulatory framework, your policies and procedures are not there. People aren’t aware of what their rights are. They have no idea what this thing can do.”</p>
<p style="text-align: justify; ">One problem, Soz says, is that Aadhaar numbers are not always checked against a cardholder’s fingerprints or iris scans, defeating its purpose entirely. When someone provides an Aadhaar number to prove their identity online or by phone, for example, their identity cannot be adequately verified. In this way, Aadhaar numbers are not wholly unlike Social Security numbers in the United States. Were 130 million Social Security numbers to be leaked online, confidence in the ability to use that number to confirm an American’s identity would be shaken, if not destroyed.</p>
<p style="text-align: justify; ">Last month, a central government database containing thousands of Aadhaar numbers—as well as dates of birth, addresses, and tax IDs (PAN)—reportedly leaked, exposing thousands of Indian residents to potential abuse. According to <a href="https://thewire.in/118250/government-expose-personal-data-thousands-indians/" rel="noopener" target="_blank">The Wire</a>, the information, which was contained in Microsoft Excel spreadsheets, could be easily located on Google.</p>
<p style="text-align: justify; ">According to CIS, roughly 130-135 million Aadhaar numbers have now been exposed in this most recent leak. With the growing use of the numbers in areas such as insurance and banking, and without proper mechanisms in place to biometrically confirm the identities of cardholders in every case, the threat of financial fraud is pervasive. “All of these leaks are symptomatic of a significant and potentially irreversible privacy harm,” the report says, noting that such incidents “create a ripe opportunity for financial fraud.”</p>
<p style="text-align: justify; ">While Aadhaar is not mandatory everywhere, CIS says, the Indian government continues collecting information about the participants under various social programs. Inevitably, that information is combined with other databases containing even more sensitive data. As that happens, there’s a heightened risk to those whose Aadhaar numbers have been compromised. How the Indian government will address its apparently inadequate security controls before fraud overwhelms the system remains unknown.</p>
<p style="text-align: justify; "><i>Read the full report: <a href="https://drive.google.com/file/d/0BwsvF1X5umK4LVBmYW14UzJDdk0/view?usp=sharing" rel="noopener" target="_blank">Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information</a></i></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/gizmodo-may-3-2017-130-million-at-risk-of-fraud-after-massive-leak-of-indian-biometric-system-data'>http://editors.cis-india.org/internet-governance/news/gizmodo-may-3-2017-130-million-at-risk-of-fraud-after-massive-leak-of-indian-biometric-system-data</a>
</p>
No publisher, praskrishna, Biometrics, Aadhaar, Internet Governance, Privacy, 2017-05-20T12:36:06Z, News Item
Aadhaar: A widening net
http://editors.cis-india.org/internet-governance/news/livemint-april-21-2017-komal-gupta-apurva-vishwanath-suranjana-roy-aadhaar-a-widening-net
<b>As India makes Aadhaar compulsory for a range of services, concerns about potential data breaches remain more than six years after the govt started building the world’s largest biometric identification system.</b>
<p>The article by Komal Gupta, Apurva Vishwanath and Suranjana Roy was <a class="external-link" href="http://www.livemint.com/Politics/eTxrtAxzFq738LzFdx7yXK/Aadhaar-A-widening-net.html">published in Livemint</a> on April 21, 2017. Pranesh Prakash was quoted.</p>
<hr />
<p style="text-align: center; "><img alt="The Aadhaar project, under which a 12-digit identification number is to be allotted to every Indian resident, was originally supposed to be a way of plugging leakages in the delivery of state benefits such as subsidized grains to the poor. Photo: Priyanka Parashar/Mint" class="img-responsive" height="378" src="http://www.livemint.com/rf/Image-621x414/LiveMint/Period2/2017/04/21/Photos/Processed/asia-cover.JPG" title="The Aadhaar project, under which a 12-digit identification number is to be allotted to every Indian resident, was originally supposed to be a way of plugging leakages in the delivery of state benefits such as subsidized grains to the poor. Photo: Priyanka Parashar/Mint" width="582" /></p>
<p>On 29 March, a storm broke out on social media after private data that former Indian cricket captain M.S. Dhoni had furnished to get enrolled in India’s unique identity system, known as Aadhaar, were leaked online.</p>
<p style="text-align: justify; ">The popular cricketer’s wife, Sakshi, flagged the matter on Twitter, tagging information technology (IT) minister Ravi Shankar Prasad. “Is there any privacy left? Information of Aadhaar card, including application, is made public property,” Sakshi fumed on the microblogging site.</p>
<p>The minister replied: “Sharing personal information is illegal. Serious action will be taken against this.”</p>
<p style="text-align: justify; ">It turned out to be the fault of an overenthusiastic common services centre in Dhoni’s home town of Ranchi licensed to enrol people in Aadhaar. The centre was promptly blacklisted. “We have ordered further inquiry on the matter and action will be taken against all those involved in the leak,” said Ajay Bhushan Pandey, chief executive officer of the Unique Identification Authority of India (UIDAI), which administers Aadhaar.</p>
<p style="text-align: justify; ">The matter blew over soon enough, but it served to illustrate the lingering concerns about potential data breaches and privacy violations surrounding Aadhaar, which has become the world’s largest biometric identification database with 1.13 billion people enrolled in it in the past six years.</p>
<p style="text-align: justify; ">The project, under which a 12-digit identification number is to be allotted to every Indian resident, was originally supposed to be a way of plugging leakages in the delivery of state benefits such as subsidized grains to the poor.</p>
<p style="text-align: justify; ">It has now become mandatory for everything ranging from opening a bank account and getting a driver’s licence or a mobile phone connection to filing of income tax returns. Even government school students entitled to a free mid-day meal need an Aadhaar number.</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/AadhaarMint.jpg" alt="Aadhaar " class="image-inline" title="Aadhaar " /></p>
<p style="text-align: justify; ">The use of Aadhaar has only expanded with the government going on an overdrive to promote cashless transactions and payment systems linked to the biometric ID system after banning old, high-value bank notes in November in a crackdown on unaccounted wealth hidden away from the taxman.</p>
<p style="text-align: justify; ">For instance, the Aadhaar-Enabled Payment System (AEPS) empowers a bank customer to use Aadhaar as her identity to access her Aadhaar-enabled bank account and perform basic banking transactions like cash deposit or withdrawal through a bank agent or business correspondent.<br /><br />The customer can carry out transactions by scanning her fingerprint at any micro ATM or biometric point-of-sale (POS) terminal, and entering the Aadhaar number linked to the bank account. A merchant-led model of AEPS, called Aadhaar Pay, has also been launched.<br /><br />Last week, Prime Minister Narendra Modi launched the BHIM-Aadhaar platform—a merchant interface linking the unique identification number to the Bharat Interface for Money (BHIM) mobile application. This will enable merchants to receive payments through fingerprint scans of customers.<br /><br />“Any citizen without access to smartphones, Internet, debit or credit cards will be able to transact digitally through the BHIM-Aadhaar platform,” a government statement said.<br /><br />Aadhaar’s growing importance in the economy has only served to deepen concerns about potential data breaches. And there are other concerns as well.<br /><br />For instance, the Aadhaar biometric authentication failure rate in the rural job guarantee scheme, which assures 100 days of work a year to one member of every rural household, is as high as 36% in the southern state of Telangana, according to data released by the state government.<br /><br />“Aadhaar is supposed to be an enabler and it will happen only when it is made voluntary. 
Biometric authentications might fail due to poor data connectivity and transactions might not happen even though the Aadhaar number of the person is there; so, what’s the benefit,” asked Pranesh Prakash, policy director of the Centre for Internet and Society, a Bengaluru-based think tank.<br /><br />Aadhaar was the brainchild of the previous United Progressive Alliance (UPA) government, which lost power in the 2014 general election to the National Democratic Alliance (NDA). The first 10 Aadhaar numbers were handed over to residents of a small village called Tembhli in Maharashtra on 29 September 2010 in the presence of then prime minister Manmohan Singh, Congress party president Sonia Gandhi and Aadhaar’s chief architect Nandan Nilekani, a co-founder of software services giant Infosys Ltd.</p>
<p style="text-align: justify; ">After coming to power, the NDA systematically went about making Aadhaar the pivot of government welfare programmes. In March last year, Parliament passed the Aadhaar Bill to make the use of Aadhaar mandatory for availing of government subsidies despite resistance from opposition parties.<br /><br />Last month, finance minister Arun Jaitley said the 12-digit number would eventually become a single, monolithic proof of identity for every Indian, replacing every other identity card.<br /><br />To be sure, Aadhaar has helped the government better target beneficiaries of its welfare programmes, cutting out middlemen and corruption. For instance, the government claims to have saved about Rs50,000 crore in cooking gas subsidies by linking the Aadhaar number with bank accounts in which the subsidy is directly transferred.<br /><br />Yet, Aadhaar has its critics, who have challenged the project on grounds including potential compromise of national security, violation of the right to privacy and exclusion of people from welfare programmes. The Supreme Court has cautioned the government that no citizen can be denied access to welfare programmes for lack of an Aadhaar number.<br /><br />Before cricketer Dhoni’s data breach made the headlines, in February, UIDAI filed a complaint against Axis Bank Ltd, business correspondent Suvidhaa Infoserve and e-sign provider eMudhra, alleging they had attempted unauthorized authentication and impersonation by illegally storing Aadhaar biometrics. The breach was noticed after one individual performed 397 biometric transactions between 14 July 2016 and 19 February 2017. All three entities have been temporarily barred from offering Aadhaar-related services until UIDAI makes a final decision.</p>
<p style="text-align: justify; ">Pranesh Prakash of the Centre for Internet and Society said rules on the use of Aadhaar data are inadequate.<br /><br />“UIDAI is allowed to share the information of a person from its database on its website, after taking proper consent of that person. However, there is no law which states what should be done if any other party does that with the same individual. Such rules must be in place,” Prakash said.<br /><br />Four years after the Aadhaar project took off, a retired judge took the government to court. K. Puttaswamy, a former judge of the Karnataka high court, moved the Supreme Court in 2013, arguing that Aadhaar violated his fundamental right to privacy under the constitution. The case opened the gates for legal challenges to Aadhaar. In the years since, at least a dozen cases have questioned the legality of the project.<br /><br />Ramon Magsaysay award winner Aruna Roy brought a case on behalf of manual workers whose faint fingerprints, she said, often go undetected. Currently, only 44 million out of the 101 million beneficiaries of India’s rural job entitlement are paid through Aadhaar.<br /><br />To be sure, India’s Constitution does not contain a black and white reference to a “fundamental right to privacy”, that the government cannot violate. The list of rights says “no person shall be deprived of his life or personal liberty except according to a procedure established by law”—often interpreted by courts as an all-encompassing right including right to live with dignity, right to speedy justice and even a right to clean air.<br /><br />Nilekani, the man behind Aadhaar, has cautioned that privacy is a broader issue involving how people retain their privacy in day-to-day life. “Privacy is an all-encompassing issue because of the rapid rate of digitization the world is seeing. 
Your smartphone has sensors, GPS and is generating more and more information about everything; voice-activated devices could also be recording your conversations. There’s a profusion of CCTV cameras at malls, restaurants, ATMs recording your movements,” Nilekani said in a recent interview with The Economic Times.<br /><br />But this is where a problem arises. Although there is concurrence on the need for a privacy law, there is a great reluctance on the part of the government to come out with one.<br /><br />“We don’t have a comprehensive privacy law; all our databases are unlinked. The government is trying to link the databases using Aadhaar for all schemes but a separate privacy law must be there for protecting any piece of information, whether or not linked to Aadhaar,” said Rahul Matthan, a partner at law firm Trilegal and a Mint columnist.</p>
<p style="text-align: justify; ">Matthan said first a privacy law must be put in place and then there has to be a discussion on what all it must include.<br /><br />The government on its part pointed out that India’s apex court itself has been indecisive on a right to privacy.<br /><br />“The larger question on privacy needs to be settled by the court. Till then, one cannot comment on secondary concerns,” attorney general Mukul Rohatgi said in an interview.<br /><br />In 2015, the Supreme Court decided that a bench of at least seven judges will rule on the privacy issue, while clarifying that the government cannot make Aadhaar a mandatory proof of identity for its welfare schemes. Twenty months after the judicial order, the larger bench is yet to be formed by the apex court. The passing of the Aadhaar Act in Parliament to provide statutory backing to Aadhaar also indicates a departure from the Indian government’s position of not taking a legislative stand while an issue is under the apex court’s consideration.<br /><br />For example, one of the reasons the Indian government has shown restraint in repealing a colonial law that criminalizes homosexuality is because the apex court is seized of the issue.<br /><br />In the absence of legislation and pending an authoritative ruling by the top court, whether 1.3 billion Indians are entitled to their privacy remains a grey area. Meanwhile, the government is seemingly in the final stretch of its Aadhaar enrolment drive.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/livemint-april-21-2017-komal-gupta-apurva-vishwanath-suranjana-roy-aadhaar-a-widening-net'>http://editors.cis-india.org/internet-governance/news/livemint-april-21-2017-komal-gupta-apurva-vishwanath-suranjana-roy-aadhaar-a-widening-net</a>
</p>
No publisher, praskrishna, Biometrics, Aadhaar, Internet Governance, Privacy, 2017-04-22T05:06:23Z, News Item
India’s National ID Program May Be Turning The Country Into A Surveillance State
http://editors.cis-india.org/internet-governance/news/buzzfeednews-pranav-dixit-april-4-2017-indias-national-id-program-may-be-turning-the-country-into-a-surveillance-state
<b> For seven years, India’s government has been scanning the irises and fingerprints of its citizens into a massive database. The once voluntary program was intended to fix the country’s corrupt welfare schemes, but critics worry about its Orwellian overtones. </b>
<p style="text-align: justify; ">The blog post by Pranav Dixit was <a class="external-link" href="https://www.buzzfeed.com/pranavdixit/one-id-to-rule-them-all-controversy-plagues-indias-aadhaar?utm_term=.ksRqWv6w#.vdnR3bQx">published by BuzzFeedNews</a> on April 4, 2017. Sunil Abraham was quoted.</p>
<hr style="text-align: justify; " />
<p><i>An abridged version of the blog post containing Sunil Abraham's quotes is reproduced below</i>:</p>
<h3 style="text-align: justify; ">“You can’t change your fingerprints”</h3>
<p style="text-align: justify; "><b>Sunil Abraham, the</b> CIS director, calls himself a “technological critic” of the Aadhaar platform. For years, he’s been warning of the security risks associated with a centralized repository of the demographic and biometric details of a billion or so people.</p>
<p style="text-align: justify; ">“Aadhaar is a sitting duck,” Abraham told BuzzFeed News. That’s not an unreasonable assessment considering that India’s track record for protecting people’s private data is <a href="https://www.buzzfeed.com/pranavdixit/the-medical-reports-of-43000-people-including-hiv-patients-w">far from stellar</a>. Earlier this year, for example, a security researcher discovered a website that was leaking the Aadhaar demographic data of more than 500,000 minors. The website was subsequently shut down, but the incident raised questions about Aadhaar’s security protocols — particularly those around data shared with third parties.</p>
<p style="text-align: justify; ">Abraham’s concerns are not without global precedent. In 2012, Ecuadorian police jailed blogger Paul Moreno for breaking <a href="https://www.wired.com/2012/12/security-post-lands-ecuadorian-blogger-in-jail/">into the country’s online national identity database</a> and registering himself as Ecuadorian President Rafael Correa. In April 2016, <a href="https://www.wired.com/2016/04/hack-brief-turkey-breach-spills-info-half-citizens/">hackers posted</a> a database containing names, national IDs, addresses, and birth dates of more than 50 million Turkish citizens, including Turkish President Recep Tayyip Erdogan; later that month, Mexico’s entire voter database — over 87 million national IDs, addresses, and more — <a href="http://www.in.techspot.com/news/security/mexicos-voter-database-containing-the-records-of-over-80-million-citizens-leaked-online/articleshow/51979787.cms"> was leaked</a> onto Amazon’s cloud servers by as-yet-untraced sources; and in the Philippines, more than 55 million voters had their private information — including fingerprints — <a href="http://www.wired.co.uk/article/philippines-data-breach-fingerprint-data">released on the Dark Web</a>.</p>
<p style="text-align: justify; ">“What is the price that we pay as a nation if our database of over a billion people — complete with all 10 fingerprints and iris scans — leaks?” Abraham asked. The consequences, he said, will be permanent. Unlike a password, which you can reset at any time, your biometrics, if compromised, are the ultimate privacy breach. “You can’t change your fingerprints.”</p>
<p style="text-align: justify; ">The UIDAI <a href="https://uidai.gov.in/images/aadhaar_question_and_answers.pdf">claims</a> that the Aadhaar database is protected using the “highest available public key cryptography encryption (PKI-2048 and AES-256)” and would take “billions of years” to crack.</p>
<p style="text-align: justify; ">“Encryption like this doesn’t typically get broken, it gets circumvented,” security researcher Troy Hunt told BuzzFeed News. “For example, the web application that sits in front of it is compromised and data is retrieved after decryption.” Or alternatively, he said, the encryption key itself is compromised. “Naturally, governments will offer all sorts of assurances on these things, but the simple, immutable fact is that once large volumes are centralized like this, there is a heightened risk of security incidents and of the data consequently being lost or exposed,” he added.</p>
<p style="text-align: justify; ">Cryptographer and cybersecurity expert Bruce Schneier echoed Hunt’s assessment. “When this database is hacked — and it will be — it will be because someone breaches the computer security that protects the computers actually using the data,” he said. “They will go around the encryption.”</p>
<p style="text-align: justify; ">Nilekani — who did not respond to BuzzFeed News’ requests for comment — recently dismissed concerns around the project’s privacy implications as “hand-waving.” In an <a href="http://cio.economictimes.indiatimes.com/news/corporate-news/show-me-even-one-example-of-data-theft-aadhaar-is-very-very-secure-nandan-nilekani/57982816">interview</a> with the <i>Economic Times</i>, he repeatedly stressed how secure Aadhaar’s “advanced encryption technology” was. “I can categorically say that it’s the most secure system in India and among the most secure systems in the world,” he said.</p>
<p style="text-align: justify; ">Abraham is unconvinced by such assurances. He believes Aadhaar fundamentally changes the equation between a citizen and a state. “There’s a big difference between you identifying yourself to the government, and the government identifying who you are,” he said.</p>
<p>Aadhaar’s opponents say the program’s implementation has left India’s poorest people with no choice but to use it. “If you link people’s food subsidies, wages, bank accounts, and other crucial things to Aadhaar, you hit them where it hurts the most,” Ramanathan argued. “You leave them with no choice but to sign up.”</p>
<p style="text-align: justify; ">“Can you imagine if the United States passed a law that said that every person who wished to get food stamps would need their fingerprints registered in a government-owned database?” a journalist turned Aadhaar activist who did not wish to be named told BuzzFeed News. “Imagine what a scandal that would be.”</p>
<p style="text-align: justify; ">For Nilekani, such criticism is just overstatement and drama. “I think this so-called anti-Aadhaar lobby is really just a small bunch of liberal elites who are in some echo chamber,” he said during a recent <a href="https://www.facebook.com/etnow/videos/1471268036248071/">interview</a> with Indian business news channel <i>ET Now</i>. “The reality is that a billion people are using Aadhaar. A lot of the accusations are just delusional. Aadhaar is not a system for surveillance. [The critics] live in a bubble and are not connected to reality.”</p>
<p style="text-align: justify; ">Abraham laughed off Nilekani’s comments. “The Unique Identification Authority of India will become the monopoly provider of identification and authentication services in India,” he said. “That sounds like a centrally planned communist state to me. I don’t know which left liberal elites he’s talking about.”</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/buzzfeednews-pranav-dixit-april-4-2017-indias-national-id-program-may-be-turning-the-country-into-a-surveillance-state'>http://editors.cis-india.org/internet-governance/news/buzzfeednews-pranav-dixit-april-4-2017-indias-national-id-program-may-be-turning-the-country-into-a-surveillance-state</a>
</p>
No publisher, praskrishna, Biometrics, Aadhaar, Internet Governance, Privacy, 2017-04-07T12:49:30Z, News Item
Aadhaar marks a fundamental shift in citizen-state relations: From ‘We the People’ to ‘We the Government’
http://editors.cis-india.org/internet-governance/blog/hindustan-times-pranesh-prakash-april-3-2017-aadhaar-marks-a-fundamental-shift-in-citizen-state-relations
<b>Your fingerprints, iris scans, details of where you shop. Compulsory Aadhaar means all this data is out there. And it’s still not clear who can view or use it.</b>
<p>The article was published in the <a class="external-link" href="http://www.hindustantimes.com/india-news/what-s-really-happening-when-you-swipe-your-aadhaar-card-to-make-a-payment/story-2fLTO5oNPhq1wyvZrwgNgJ.html">Hindustan Times</a> on April 3, 2017.</p>
<hr />
<p> </p>
<p style="text-align: center; "><img src="http://editors.cis-india.org/home-images/Aaadhaar.png" alt="Aadhaar" class="image-inline" title="Aadhaar" /><br />Until recently, people were allowed to opt out of Aadhaar and withdraw consent to have their data stored. This is no longer going to be an option.<br />(Siddhant Jumde / HT Illustration)</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Imagine you’re walking down the street and you point the camera on your phone at a crowd of people in front of you. An app superimposes on each person’s face a partially-redacted name, date of birth, address, whether she’s undergone police verification, and, of course, an obscured Aadhaar number.<br /><br />OnGrid, a company that bills itself as a “trust platform” and offers “to deliver verifications and background checks”, used that very imagery in an advertisement last month. Its website notes that “As per Government regulations, it is mandatory to take consent of the individual while using OnGrid”, but that is a legal requirement, not a technical one.<br /><br />Since every instance of use of Aadhaar for authentication or for financial transactions leaves behind logs in the Unique Identification Authority of India’s (UIDAI) databases, the government can potentially have very detailed information about everything from your medical purchases to your use of video-chatting software. The space for digital identities as divorced from legal identities gets removed. Clearly, Aadhaar has immense potential for profiling and surveillance. Our only defence: law that is weak at best and non-existent at worst.</p>
<p style="text-align: justify; ">The Aadhaar Act and Rules don’t limit the information that can be gathered from you by the enrolling agency; it doesn’t limit how Aadhaar can be used by third parties (a process called ‘seeding’) if they haven’t gathered their data from UIDAI; it doesn’t require your consent before third parties use your Aadhaar number to collate records about you (eg, a drug manufacturer buying data from various pharmacies, and creating profiles using Aadhaar).<br /><br />It even allows your biometrics to be shared if it is “in the interest of national security”. The law offers provisions for UIDAI to file cases (eg, for multiple enrollments), but it doesn’t allow citizens to file a case against private parties or the government for misuse of Aadhaar or identity fraud, or data breach.<br /><br />It is also clear that the government opposes any privacy-related improvements to the law. After debating the Aadhaar Bill in March 2016, the Rajya Sabha passed an amendment by MP Jairam Ramesh that allowed people to opt out of Aadhaar, and withdraw their consent to UIDAI storing their data, if they had other means of proving their identity (thus allowing Aadhaar to remain an enabler).</p>
<p style="text-align: justify; ">But that amendment, as with all amendments passed in the Rajya Sabha, was rejected by the Lok Sabha, allowing the government to make Aadhaar mandatory, and depriving citizens of consent. While the Aadhaar Act requires a person’s consent before collecting or using Aadhaar-provided details, it doesn’t allow for the revocation of that consent.<br /><br />In other countries, data security laws require that a person be notified if her data has been breached. In response to an RTI application asking whether UIDAI systems had ever been breached, the Authority responded that the information could not be disclosed for reasons of “national security”.<br /><br />The citizen must be transparent to the state, while the state will become more opaque to the citizen.</p>
<h2 style="text-align: justify; ">How Did Aadhaar Change?</h2>
<table class="invisible">
<tbody>
<tr>
<td style="text-align: justify; ">
<p> </p>
<p>How did Aadhaar become the behemoth it is today, with it being mandatory for hundreds of government programmes, and even software like Skype enabling support for it?</p>
<p>The first detailed look one had at the UID project was through an internal UIDAI document marked ‘Confidential’ that was leaked through WikiLeaks in November 2009. That 41-page dossier is markedly different from the 170-page ‘Technology and Architecture’ document that UIDAI has on its website now, but also similar in some ways.</p>
</td>
<td><img src="http://www.hindustantimes.com/rf/image_size_960x540/HT/p2/2017/04/01/Pictures/_36723476-16e4-11e7-85c6-0f0e633c038c.jpg" /></td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">In neither of those is the need for Aadhaar properly established. Only in November 2012 — after scholars like Reetika Khera pointed out UIDAI’s fundamental misunderstanding of leakages in the welfare delivery system — was the first cost-benefit analysis commissioned, by when UIDAI had already spent ₹28 billion. That same month, Justice KS Puttaswamy, a retired High Court judge, filed a PIL in the Supreme Court challenging Aadhaar’s constitutionality, wherein the government has argued privacy isn’t a fundamental right.</p>
<blockquote class="pullquote" style="text-align: justify; ">Every time you use Aadhaar, you leave behind logs in the UIDAI databases. This means that the government can potentially have very detailed information about everything from your medical purchases to your use of video-chatting software.</blockquote>
<p style="text-align: justify; ">Even today, whether the ‘deduplication’ process — using biometrics to ensure the same person can’t register twice — works properly is a mystery, since UIDAI hasn’t published data on this since 2012. Instead of welcoming researchers to try to find flaws in the system, UIDAI recently filed an FIR against a journalist doing so.</p>
<p style="text-align: justify; ">At least in 2009, UIDAI stated it sought to prevent anyone from “[e]ngaging in or facilitating profiling of any nature for anyone or providing information for profiling of any nature for anyone”, whereas the 2014 document doesn’t. As OnGrid’s services show, the very profiling that the UIDAI said it would prohibit is now seen as a feature that all, including private companies, may exploit.</p>
<p style="text-align: justify; ">UID has changed in other ways too. In 2009, it was envisaged as a system that never sent out any information other than ‘Yes’ or ‘No’, which it did in response to queries like ‘Is Pranesh Prakash the name attached to this UID number’ or ‘Is April 1, 1990 his date of birth’, or ‘Does this fingerprint match this UID number’.</p>
<p style="text-align: justify; ">With the addition of e-KYC (wherein UIDAI provides your demographic details to the requester) and Aadhaar-enabled payments to the plan in 2012, the fundamentals of Aadhaar changed. This has made Aadhaar less secure.</p>
<h3 style="text-align: justify; ">Security Concerns</h3>
<p style="text-align: justify; ">With Aadhaar Pay, due to be launched on April 14, a merchant will ask you to enter your Aadhaar number into her device, and then for your biometrics — typically a fingerprint, which will serve as your ‘password’, resulting in money transfer from your Aadhaar-linked bank account.</p>
<p style="text-align: justify; ">Basic information security theory requires that even if the identifier (username, Aadhaar number etc) is publicly known — millions of people’s names and Aadhaar numbers have been published on dozens of government portals — the password must be secret. That’s how most logins work, that’s how debit and credit cards work. How are you or UIDAI going to keep your biometrics secret?</p>
<p style="text-align: justify; ">In 2015, researchers at Carnegie Mellon captured the iris scans of a driver using a car’s side-view mirror from distances of up to 40 feet. In 2013, German hackers fooled Apple iOS’s fingerprint sensors by replicating a fingerprint from a photo taken off a glass held by an individual. They even replicated the German Defence Minister’s fingerprints from photographs she herself had put online. Your biometrics can’t be kept secret.</p>
<blockquote class="pullquote" style="text-align: justify; ">Typically, even if your username (in this case, Aadhaar number) is publicly known, your password must be secret. That’s how most logins work, that’s how debit and credit cards work. How are you or UIDAI going to keep your biometrics secret?</blockquote>
<p style="text-align: justify; ">In the US, in a security breach of 21.5 million government employees’ personnel records in 2015, 5.2 million employees’ fingerprints were copied. If that breach had happened in India, those fingerprints could be used in conjunction with Aadhaar numbers not only for large-scale identity fraud, but also to steal money from people’s bank accounts.</p>
<p style="text-align: justify; ">All ‘passwords’ should be replaceable. If your credit card gets stolen, you can block it and get a new card. If your Aadhaar number and fingerprint are leaked, you can’t change them, you can’t block them.</p>
<p style="text-align: justify; ">The answer for Aadhaar too is to choose not to use biometrics alone for authentication and authorisation, and to remove the centralised biometrics database. And this requires a fundamental overhaul of the UID project.</p>
<p style="text-align: justify; ">Aadhaar marks a fundamental shift in citizen-state relations: from ‘We the People’ to ‘We the Government’. If the rampant misuse of electronic surveillance powers and wilful ignorance of the law by the state is any precedent, the future looks bleak. The only way to protect against us devolving into a total surveillance state is to improve rule of law, to strengthen our democratic institutions, and to fundamentally alter Aadhaar. Sadly, the political currents are not only not favourable, but dragging us in the opposite direction.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/hindustan-times-pranesh-prakash-april-3-2017-aadhaar-marks-a-fundamental-shift-in-citizen-state-relations'>http://editors.cis-india.org/internet-governance/blog/hindustan-times-pranesh-prakash-april-3-2017-aadhaar-marks-a-fundamental-shift-in-citizen-state-relations</a>
</p>
No publisher | pranesh | Biometrics, Aadhaar, Internet Governance, Privacy | 2017-04-04T16:10:06Z | Blog Entry
Analysis of Key Provisions of the Aadhaar Act Regulations
http://editors.cis-india.org/internet-governance/blog/analysis-of-key-provisions-of-aadhaar-act-regulations
<b>In exercise of the powers conferred by the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act), the UIDAI came out with a set of five regulations in late 2016. In this policy brief, we look at the five regulations and their key provisions, and point out the issues left unresolved, unaddressed, or created as a result of these regulations.</b>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">This blog post was edited by Elonnai Hickok</p>
<hr style="text-align: justify; " />
<h3 style="text-align: justify; ">Introduction</h3>
<p style="text-align: justify; ">At the outset it is important to note that a concerning feature of these regulations is that they intend to govern the processes of a body which has been in existence for over six years, and has engaged in all the activities sought to be governed by these policies at a massive scale, considering the claims of over one billion Aadhaar number holders. However, the regulations do not acknowledge this fact, let alone address past processes, practices, enrolments, authentications, use of technology etc., and there are no provisions that effectively address the past operations of the UIDAI. Below is an analysis of the five regulations issued thus far by the UIDAI.</p>
<h3 style="text-align: justify; ">Unique Identification Authority of India (Transactions of Business at Meetings of the Authority) Regulations<a href="#_ftn1" name="_ftnref1"><sup><sup>[1]</sup></sup></a></h3>
<p style="text-align: justify; ">These regulations, framed under clause (h) of sub-section (2) of section 54 read with sub-section (1) of section 19 of the Aadhaar Act, deal with the meetings of the UIDAI, the process leading up to each meeting, and the manner in which all meetings are to be conducted.</p>
<h4 style="text-align: justify; ">Provision: Sub-Regulation 3.</h4>
<p style="text-align: justify; ">Meetings of the Authority– (1) There shall be no less than three meetings of the Authority in a financial year on such dates and at such places as the Chairperson may direct and the interval between any two meetings shall not in any case, be longer than five months</p>
<h5 style="text-align: justify; ">Observations:</h5>
<p style="text-align: justify; ">The number of times that UIDAI would meet in a year is far too low, taking into account the significance of the responsibilities of UIDAI as the sole body for policy making for all issues related to Aadhaar. In contrast, the Telecom Regulatory Authority of India is required to meet at least once a month. Other bodies such as SEBI and IRDAI are also required to meet at least four times<a href="#_ftn2" name="_ftnref2"><sup><sup>[2]</sup></sup></a> and six times<a href="#_ftn3" name="_ftnref3"><sup><sup>[3]</sup></sup></a> in a year respectively.</p>
<h4 style="text-align: justify; ">Provision: Sub-Regulation 8 (5)</h4>
<p style="text-align: justify; ">Decisions taken at every meeting of the Authority shall be published on the website of Authority unless the Chairperson determines otherwise on grounds of ensuring confidentiality.</p>
<h5 style="text-align: justify; ">Observations:</h5>
<p style="text-align: justify; ">The Chairperson has the power to determine withholding publication of the decisions of the meeting on the broad grounds of ‘confidentiality’. Given the fact that the decisions taken by UIDAI as a public body can have very real implications for the rights of residents, the ground of confidentiality is not sufficient to warrant withholding publication. It is curious that instead of referring to the clearly defined exceptions laid down in other similar provisions such as the exceptions in Section 8 of the Right to Information Act, 2005, the rules merely refer to vague and undefined criteria of ‘confidentiality’.</p>
<h4 style="text-align: justify; ">Provision: Sub-Regulation 14 (4)</h4>
<p style="text-align: justify; ">Members of the Authority and invitees shall sign an initial Declaration at the first meeting of the Authority for maintaining the confidentiality of the business transacted at meetings of the Authority in Schedule II.</p>
<h5 style="text-align: justify; ">Observations:</h5>
<p style="text-align: justify; ">The above provision, combined with the fact that there is no provision regarding publication of the minutes of the meetings of UIDAI, raises serious questions about the transparency of its functioning.</p>
<h3 style="text-align: justify; ">Unique Identification Authority of India (Enrolment and Update) Regulations<a href="#_ftn4" name="_ftnref4"><sup><sup>[4]</sup></sup></a></h3>
<p style="text-align: justify; ">These regulations, framed under sub-section (1), and sub-clauses (a), (b), (d), (e), (j), (k), (l), (n), (r), (s), and (v) of sub-section (2), of Section 54 of the Aadhaar Act, deal with the enrolment process, the generation of an Aadhaar number and updation of information, and govern the conduct of enrolment agencies and associated third parties.</p>
<h4 style="text-align: justify; ">Provisions:</h4>
<p style="text-align: justify; ">Sub-Regulation 8 (2), (3) and (4)</p>
<p style="text-align: justify; ">The standard enrolment/update software shall have the security features as may be specified by the Authority for this purpose.</p>
<p style="text-align: justify; ">All equipment used in enrolment, such as computers, printers, biometric devices and other accessories shall be as per the specifications issued by the Authority for this purpose.</p>
<p style="text-align: justify; ">The biometric devices used for enrolment shall meet the specifications, and shall be certified as per the procedure, as may be specified by the Authority for this purpose.</p>
<p style="text-align: justify; ">Sub-Regulation 3 (2)</p>
<p style="text-align: justify; ">The standards for collecting the biometric information shall be as specified by the Authority for this purpose.</p>
<p style="text-align: justify; ">Sub-Regulation 4 (5)</p>
<p style="text-align: justify; ">The standards of the above demographic information shall be as may be specified by the Authority for this purpose.</p>
<p style="text-align: justify; ">Sub-Regulation 6 (2)</p>
<p style="text-align: justify; ">For residents who are unable to provide any biometric information contemplated by these regulations, the Authority shall provide for handling of such exceptions in the enrolment and update software, and such enrolment shall be carried out as per the procedure as may be specified by the Authority for this purpose.</p>
<p style="text-align: justify; ">Sub-Regulation 14 (2)</p>
<p style="text-align: justify; ">In case of rejection due to duplicate enrolment, resident may be informed about the enrolment against which his Aadhaar number has been generated in the manner as may be specified by the Authority.</p>
<h5 style="text-align: justify; ">Observations:</h5>
<p style="text-align: justify; ">Though in February 2017, the UIDAI published technical specifications for registered devices<a href="#_ftn5" name="_ftnref5"><sup><sup>[5]</sup></sup></a>, the regulations leave unaddressed issues such as the lack of appropriately defined security safeguards in Aadhaar. There is a general trend of continued deferrals in the regulations, which state that matters would be specified later on important aspects such as rejection of applications, uploading of the enrolment packet to the CIDR, the procedure for enrolling residents with biometric exceptions, the procedure for informing residents about acceptance/rejection of enrolment application, specifying the convenience fee for updation of residents’ information, the procedure for authenticating individuals across services etc. There is a clear failure to exercise the mandate delegated to UIDAI, leaving key matters to be determined at a future unspecified date. The delay and ambiguity around when regulations will be defined is all the more problematic in light of the fact that the project has been implemented since 2010 and the Aadhaar number is now mandatory for availing a number of services.</p>
<p style="text-align: justify; ">Further it is important to note that a number of policies put out by the UIDAI predate these regulations, on which the regulations are completely silent, thus neither endorsing previous policies nor suggesting that they may be revisited. Further, the regulations choose to not engage with the question of operation of the Aadhaar project, enrolment and storage of data etc prior to the notification of these regulations, or the policies which these regulations may regularise. For instance, the regulations do not specify any measures to deal with issues arising out of enrolment devices used prior to the development of the February 2017 specifications.</p>
<h4 style="text-align: justify; ">Provision: Sub-Regulation 32</h4>
<p style="text-align: justify; ">The Authority shall set up a contact centre to act as a central point of contact for resolution of queries and grievances of residents, accessible to residents through toll free number(s) and/ or e-mail, as may be specified by the Authority for this purpose.</p>
<p style="text-align: justify; ">(2) The contact centre shall:</p>
<ol style="text-align: justify; ">
<li>Provide a mechanism to log queries or grievances and provide residents with a unique reference number for further tracking till closure of the matter;</li>
<li>Provide regional language support to the extent possible;</li>
<li>Ensure safety of any information received from residents in relation to their identity information;</li>
<li>Comply with the procedures and processes as may be specified by the Authority for this purpose.</li>
</ol>
<p style="text-align: justify; ">(3) Residents may also raise grievances by visiting the regional offices of the Authority or through any other officers or channels as may be specified by the Authority.</p>
<h5 style="text-align: justify; ">Observations:</h5>
<p style="text-align: justify; ">While the setting up of a grievance redressal mechanism under the regulations is a welcome move, there is little clarity about the procedure to be followed, nor is a timeline for it specified. The chapter on grievance redressal is in fact one of the shortest chapters in the regulations. The only provision in this chapter deals with the setting up of a contact centre, a curious choice of term for what is supposed to be the primary quasi-judicial grievance redressal body for the Aadhaar project. In line with the indifferent and insouciant terminology of ‘contact centre’, the chapter is restricted to the logging of queries and grievances by the contact centre, and does not address procedure or timelines, or even the substantive provisions about the nature of redress available. Furthermore, the obligation on the contact centre to protect information received is limited to ‘ensuring safety’, an ambiguous standard that does not speak to any other standards in Indian law.</p>
<h3 style="text-align: justify; ">Aadhaar (Authentication) Regulations, 2016<a href="#_ftn6" name="_ftnref6"><sup><sup>[6]</sup></sup></a></h3>
<p style="text-align: justify; ">These regulations, framed under sub-section (1), and sub-clauses (f) and (w) of sub-section (2) of Section 54 of the Aadhaar Act, deal with the authentication framework for Aadhaar numbers, the governance of authentication agencies and the procedure for collection and storage of authentication data and records.</p>
<h4 style="text-align: justify; ">Provisions:</h4>
<p style="text-align: justify; ">Sub-Regulation 5 (1)</p>
<p style="text-align: justify; ">At the time of authentication, a requesting entity shall inform the Aadhaar number holder of the following details:—</p>
<p style="text-align: justify; ">(a) the nature of information that will be shared by the Authority upon authentication;</p>
<p style="text-align: justify; ">(b) the uses to which the information received during authentication may be put; and</p>
<p style="text-align: justify; ">(c) alternatives to submission of identity information</p>
<p style="text-align: justify; ">Sub-Regulation 6 (2)</p>
<p style="text-align: justify; ">A requesting entity shall obtain the consent referred to in sub-regulation (1) above in physical or preferably in electronic form and maintain logs or records of the consent obtained in the manner and form as may be specified by the Authority for this purpose.</p>
<h5 style="text-align: justify; ">Observations:</h5>
<p style="text-align: justify; ">Sub-regulation 5 mentions that at the time of authentication, requesting entities shall inform the Aadhaar number holder of alternatives to submission of identity information for the purpose of authentication. Similarly, sub-regulation 6 mentions that the requesting entity shall obtain the consent of the Aadhaar number holder for the authentication. However, in neither of the above circumstances do the regulations specify the clearly defined options that must be made available to the Aadhaar number holder in case they do not wish to submit identity information, nor do the regulations specify the procedure to be followed in case the Aadhaar number holder does not provide consent.</p>
<p style="text-align: justify; ">Most significantly, this provision does little by way of allaying the fears raised by the language in Section 8 (4) of the Aadhaar Act which states that UIDAI “shall respond to an authentication query with a positive, negative or any other appropriate response sharing such identity information.” This section gives a very wide discretion to UIDAI to share personal identity information with third parties, and the regulations do not temper or qualify this power in any way.</p>
<h4 style="text-align: justify; ">Sub-Regulation 11 (1) and (4)</h4>
<p style="text-align: justify; ">The Authority may enable an Aadhaar number holder to permanently lock his biometrics and temporarily unlock it when needed for biometric authentication.</p>
<p style="text-align: justify; ">The Authority may make provisions for Aadhaar number holders to remove such permanent locks at any point in a secure manner.</p>
<h5 style="text-align: justify; ">Observations:</h5>
<p style="text-align: justify; ">A welcome provision in the regulation is that of biometric locking, which allows Aadhaar number holders to permanently lock their biometrics and temporarily unlock them only when needed for biometric authentication. However, in the same breath, the regulation also provides for the UIDAI to make provisions to remove such locking without any specified grounds for doing so.</p>
<h4 style="text-align: justify; ">Provision: Sub-Regulation 18 (2), (3) and (4)</h4>
<p style="text-align: justify; ">The logs of authentication transactions shall be maintained by the requesting entity for a period of 2 (two) years, during which period an Aadhaar number holder shall have the right to access such logs, in accordance with the procedure as may be specified.</p>
<p style="text-align: justify; ">Upon expiry of the period specified in sub-regulation (2), the logs shall be archived for a period of five years or the number of years as required by the laws or regulations governing the entity, whichever is later, and upon expiry of the said period, the logs shall be deleted except those records required to be retained by a court or required to be retained for any pending disputes.</p>
<p style="text-align: justify; ">The requesting entity shall not share the authentication logs with any person other than the concerned Aadhaar number holder upon his request or for grievance redressal and resolution of disputes or with the Authority for audit purposes. The authentication logs shall not be used for any purpose other than stated in this sub-regulation.</p>
<h5 style="text-align: justify; ">Observations:</h5>
<p style="text-align: justify; ">While it is specified that the authentication logs collected by the requesting entities shall not be shared with any person other than the concerned Aadhaar number holder upon their request or for grievance redressal and resolution of disputes or with the Authority for audit purposes, and that the authentication logs may not be used for any other purpose, the maintenance of the logs for a period of seven years seems excessive. Similarly, the UIDAI is also supposed to store authentication transaction data for over five years. This is in violation of the widely recognized data minimisation principle, which requires that data collectors and data processors delete personal data records when the purpose for which they were collected is fulfilled. While retention of data for audit and dispute-resolution purposes is legitimate, the lack of specification of security standards, the overall lack of transparency and the inadequate grievance redressal mechanism greatly exacerbate the risks associated with data retention.</p>
<h3 style="text-align: justify; ">Aadhaar (Sharing of Information) Regulations, 2016 and Aadhaar (Data security) Regulations, 2016<a href="#_ftn7" name="_ftnref7"><sup><sup>[7]</sup></sup></a></h3>
<p style="text-align: justify; ">Framed under the powers conferred by sub-section (1), and sub-clause (o) of sub-section (2), of Section 54 read with sub-clause (k) of sub-section (2) of Section 23, and sub-sections (2) and (4) of Section 29, of the Aadhaar Act, the Sharing of Information regulations look at the restrictions on sharing of identity information collected by the UIDAI and requesting entities. The Data Security regulation, framed under powers conferred by clause (p) of subsection (2) of section 54 of the Aadhaar Act, looks at security obligations of all service providers engaged by the UIDAI.</p>
<h4 style="text-align: justify; ">Provision: Sub-Regulation 6 (1)</h4>
<p style="text-align: justify; ">All agencies, consultants, advisors and other service providers engaged by the Authority, and ecosystem partners such as registrars, requesting entities, Authentication User Agencies and Authentication Service Agencies shall get their operations audited by an information systems auditor certified by a recognised body under the Information Technology Act, 2000 and furnish certified audit reports to the Authority, upon request or at time periods specified by the Authority.</p>
<h5 style="text-align: justify; ">Observations:</h5>
<p style="text-align: justify; ">The regulation states that audits shall be conducted by an information systems auditor certified by a recognised body under the Information Technology Act, 2000. However, there is no such certifying body under the Information Technology Act. This suggests a lack of diligence in framing the rules, and will inevitably lead to inordinate delays, or alternately, a lack of a clear procedure in the appointment of an auditor. Further, instead of prescribing a regular and proactive process of audits, the regulation only limits audits to when requested or as deemed appropriate by UIDAI. This is another in a line of many provisions whose implication is power being concentrated in the hands of UIDAI, with little scope for accountability and transparency.</p>
<h3 style="text-align: justify; ">Conclusion</h3>
<p style="text-align: justify; ">In conclusion, it must be stated that the regulations promulgated by the UIDAI leave a lot to be desired. Some of the most important issues raised against the Aadhaar Act, which were delegated to the UIDAI’s rule making powers, have not been addressed at all. Some of the most important issues, such as data security policies, right to access records of Aadhaar number holders, procedure to be followed by the grievance redressal bodies, uploading of the enrolment packet to the CIDR, procedure for enrolling residents with biometric exceptions, and procedure for informing residents about acceptance/rejection of enrolment application, have been left unaddressed and ‘may be specified’ at a later date. These failures leave a gaping hole, especially in light of the absence of a comprehensive data protection legislation in India, as well as the speed and haste with which the enrolment and seeding have been done by the UIDAI, and the number of services, both private and public, which are using or planning to use the Aadhaar number and the authentication process as a primary identifier for residents.</p>
<p style="text-align: justify; "><a href="#_ftnref1" name="_ftn1"><sup><sup>[1]</sup></sup></a> Available at <a href="https://uidai.gov.in/legal-framework/acts/regulations.html">https://uidai.gov.in/legal-framework/acts/regulations.html</a></p>
<p style="text-align: justify; "><a href="#_ftnref2" name="_ftn2"><sup><sup>[2]</sup></sup></a> <a href="https://www.irda.gov.in/ADMINCMS/cms/frmGeneral_Layout.aspx?page=PageNo62&flag=1">https://www.irda.gov.in/ADMINCMS/cms/frmGeneral_Layout.aspx?page=PageNo62&flag=1</a></p>
<p style="text-align: justify; "><a href="#_ftnref3" name="_ftn3"><sup><sup>[3]</sup></sup></a> <a href="http://www.sebi.gov.in/acts/boardregu.html">http://www.sebi.gov.in/acts/boardregu.html</a></p>
<p style="text-align: justify; "><a href="#_ftnref4" name="_ftn4"><sup><sup>[4]</sup></sup></a> Available at <a href="https://uidai.gov.in/legal-framework/acts/regulations.html">https://uidai.gov.in/legal-framework/acts/regulations.html</a></p>
<p style="text-align: justify; "><a href="#_ftnref5" name="_ftn5"><sup><sup>[5]</sup></sup></a> Available at: https://uidai.gov.in/images/resource/aadhaar_registered_devices_2_0_09112016.pdf</p>
<p style="text-align: justify; "><a href="#_ftnref6" name="_ftn6"><sup><sup>[6]</sup></sup></a> Available at <a href="https://uidai.gov.in/legal-framework/acts/regulations.html">https://uidai.gov.in/legal-framework/acts/regulations.html</a></p>
<p style="text-align: justify; "><a href="#_ftnref7" name="_ftn7"><sup><sup>[7]</sup></sup></a> Available at <a href="https://uidai.gov.in/legal-framework/acts/regulations.html">https://uidai.gov.in/legal-framework/acts/regulations.html</a></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/analysis-of-key-provisions-of-aadhaar-act-regulations'>http://editors.cis-india.org/internet-governance/blog/analysis-of-key-provisions-of-aadhaar-act-regulations</a>
</p>
No publisher | amber | UID, Privacy, Internet Governance, UIDAI, Biometrics, Aadhaar | 2017-04-03T14:05:01Z | Blog Entry
It’s the technology, stupid
http://editors.cis-india.org/internet-governance/blog/the-hindu-businessline-march-31-2017-sunil-abraham-its-the-technology-stupid
<b>Eleven reasons why the Aadhaar is not just non-smart but also insecure.</b>
<p style="text-align: justify; ">The article was <a class="external-link" href="http://www.thehindubusinessline.com/blink/cover/11-reasons-why-aadhaar-is-not-just-nonsmart-but-also-insecure/article9608225.ece">published in Hindu Businessline</a> on March 31, 2017.</p>
<hr />
<p style="text-align: justify; ">Aadhaar is insecure because it is based on biometrics. Biometrics is surveillance technology, a necessity for any State. However, surveillance is much like salt in cooking: essential in tiny quantities, but counterproductive even if slightly in excess. Biometrics should be used for targeted surveillance, but this technology should not be used in e-governance for the following reasons:<br /><br />One, biometrics is becoming a remote technology. High-resolution cameras allow malicious actors to steal fingerprints and iris images from unsuspecting people. In a couple of years, governments will be able to identify citizens more accurately in a crowd with iris recognition than the current generation of facial recognition technology.<br /><br />Two, biometrics is covert technology. Thanks to sophisticated remote sensors, biometrics can be harvested without the knowledge of the citizen. This increases effectiveness from a surveillance perspective, but diminishes it from an e-governance perspective.<br /><br />Three, biometrics is non-consensual technology. There is a big difference between the State identifying citizens and citizens identifying themselves to the state. With biometrics, the State can identify citizens without seeking their consent. With a smart card, the citizen has to allow the State to identify them. Once you discard your smart card the State cannot easily identify you, but you cannot discard your biometrics.<br /><br />Four, biometrics is very similar to symmetric cryptography. Modern cryptography is asymmetric. Where there is both a public and a private key, the user always has the private key, which is never in transit and, therefore, intermediaries cannot intercept it. Biometrics, on the other hand, needs to be secured during transit. 
The UIDAI’s (Unique Identification Authority of India overseeing the rollout of Aadhaar) current fix for its erroneous choice of technology is the use of “registered devices”; but, unfortunately, the encryption is only at the software layer and cannot prevent hardware interception.<br /><br />Five, biometrics requires a centralised network; in contrast, cryptography for smart cards does not require a centralised store for all private keys. All centralised stores are honey pots — targeted by criminals, foreign States and terrorists.<br /><br />Six, biometrics is irrevocable. Once compromised, it cannot be secured again. Smart cards are based on asymmetric cryptography, which even the UIDAI uses to secure its servers from attacks. If cryptography is good for the State, then surely it is good for the citizen too.<br /><br />Seven, biometrics is based on probability. Cryptography in smart cards, on the other hand, allows for exact matching. Every biometric device comes with ratios for false positives and false negatives. These ratios are determined in near-perfect lab conditions. Going by press reports and even UIDAI’s claims, the field reality is unsurprisingly different from the lab. Imagine going to an ATM and not being sure if your debit card will match your bank’s records.<br /><br />Eight, biometric technology is proprietary and opaque. You cannot independently audit the proprietary technology used by the UIDAI for effectiveness and security. On the other hand, open smart card standards like SCOSTA (Smart Card Operating System for Transport Applications) are based on globally accepted cryptographic standards and allow researchers, scientists and mathematicians to independently confirm the claims of the government.<br /><br />Nine, biometrics is cheap and easy to defeat. Any Indian citizen, even children, can make gummy fingers at home using Fevicol and wax. You can buy fingerprint lifting kits from a toy store. 
To clone a smart card, on the other hand, you need a skimmer, a printer and knowledge of cryptography.<br /><br />Ten, biometrics undermines human dignity. In many media photographs — even on the @UIDAI’s Twitter stream — you can see the biometric device operator pressing the applicant’s fingers, especially in the case of underprivileged citizens, against the reader. Imagine service providers — say, a shopkeeper or a restaurant waiter — having to touch you every time you want to pay. Smart cards offer a more dignified user experience.<br /><br />Eleven, biometrics enables the shirking of responsibility, while cryptography requires a chain of trust.<br /><br />Each legitimate transaction has repudiable signatures of all parties responsible. With biometrics, the buck will be passed to an inscrutable black box every time things go wrong. The citizens or courts will have nobody to hold to account.</p>
<p style="text-align: justify; ">The precursor to Aadhaar was called MNIC (Multipurpose National Identification Card). Initiated by the NDA government headed by Atal Bihari Vajpayee, it was based on the open SCOSTA standard. This was the correct technological choice.<br /><br />Unfortunately, the promoters of Aadhaar chose biometrics in their belief that newer, costlier and complex technology is superior to an older, cheaper and simpler alternative.<br /><br />This erroneous technological choice is not a glitch or teething problem that can be dealt with through legislative fixes such as an improved Aadhaar Act or an omnibus Privacy Act. It can only be fixed by destroying the centralised biometric database, like the UK did, and shifting to smart cards.<br /><br />In other words, you cannot fix using the law what you have broken using technology.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/the-hindu-businessline-march-31-2017-sunil-abraham-its-the-technology-stupid'>http://editors.cis-india.org/internet-governance/blog/the-hindu-businessline-march-31-2017-sunil-abraham-its-the-technology-stupid</a>
</p>
No publisher | sunil | Biometrics, Aadhaar, Internet Governance, Privacy | 2017-04-07T12:53:21Z | Blog Entry
India’s biometric ID scans make sci-fi a reality
http://editors.cis-india.org/internet-governance/news/financial-times-march-27-2017-amy-kazmin-indias-biometric-id-scans-make-sci-fi-a-reality
<b>I have been thinking about my fingerprints and the secrets that may lie within my eyes — and whether I want to share them with the Indian government. I may not however have a choice.
</b>
<p style="text-align: justify; ">The article by Amy Kazmin was published in the <a class="external-link" href="https://www.ft.com/content/46dcb248-0fcb-11e7-a88c-50ba212dce4d">Financial Times</a> on March 27, 2017. Sunil Abraham was quoted.</p>
<hr />
<p style="text-align: justify; ">India has the world’s largest domestic biometric identification system, known as Aadhaar. Since 2010, the government has collected fingerprints and iris scans from more than 1bn residents, and each has been assigned a 12-digit <a class="external-link" href="https://uidai.gov.in/">identification number</a>.</p>
<p style="text-align: justify; ">The scheme is championed by Nandan Nilekani, the billionaire co-founder of IT company Infosys. It was initially conceived to ensure poor Indians received subsidised food entitlements and other welfare benefits that were previously siphoned off by unscrupulous intermediaries. It was also seen as offering poor Indians, many of whom lack birth certificates, a portable ID that can be used anywhere in the country.</p>
<p style="text-align: justify; ">Until now, obtaining an Aadhaar number was voluntary, though most Indians enrolled without hesitation as they see its potential benefits. But New Delhi is now enlisting Aadhaar, which means “foundation” or “base” in Hindi, in more than just welfare schemes. This would mean sharing one’s biometric details isn’t really optional any more despite a Supreme Court ruling that it should be “purely voluntary”.</p>
<p style="text-align: justify; ">Last week, the government issued a rule requiring an Aadhaar number for filing tax returns, ostensibly to improve tax compliance. It has also decided that all cell phone numbers must be linked to an Aadhaar number by 2018. Even Indian Railways has plans to demand Aadhaar from those booking train tickets online.</p>
<p style="text-align: justify; ">What was once touted as an initiative to improve delivery of welfare suddenly now seems like the foundation of a surveillance state — and I admit the prospect of putting my own biometrics in the database leaves me uneasy.</p>
<p style="text-align: justify; ">As a US citizen, I’ve never had to give my biometric data to my government. Domestically, fingerprints are only taken from criminal suspects, or applicants for government jobs, though I know foreign citizens are fingerprinted on arrival.</p>
<p style="text-align: justify; ">To me, the idea of sharing eye scans evokes the dystopian Hollywood film, Minority Report, which depicts a near future in which optical-recognition cameras allow the authorities to identify anyone in any public place. The hero on the run, played by Tom Cruise, has an illegal eye transplant to avoid detection.</p>
<p style="text-align: justify; ">In recent days, many Indian academics and activists have raised concerns about Aadhaar data security, the lack of privacy rules and the absence of any accountability structure if data are misused.</p>
<p style="text-align: justify; ">"Biometrics is being weaponised," says Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society. "What you need to be worried about is that someone will clean out your bank account or frame you in a crime," he says.</p>
<p style="text-align: justify; ">Pratap Bhanu Mehta, director of the Centre for Policy Research, has written of the “conversion of Aadhaar from a tool of citizen empowerment to a tool of state surveillance and citizen vulnerability”.</p>
<p style="text-align: justify; ">I call <a class="external-link" href="https://www.ft.com/content/058c4b48-d43c-11e6-9341-7393bb2e1b51">Mr Nilekani</a>, of whose honourable intentions I have no doubt. After leaving Infosys in 2009, he spent five years in government, working to get Aadhaar off the ground. He says he is “extremely offended” when his project is accused of being part of a surveillance society, a narrative he says is “completely misrepresenting” the project. “I can steal your fingerprint off your glass. I don’t need this fancy technology,” he says. “Surveillance is far better done by following my phone, or when I use a map to order a taxi: the map knows where I am. Our internet companies know where you are.”</p>
<p style="text-align: justify; ">But in a society known for ingenious means of bypassing rules, such as having multiple taxpayer ID cards to aid evasion, Mr Nilekani says biometric authentication of individuals can bring discipline and reduce cheating. “It’s like you are creating a rule-based society,” he says, “it’s the transition that is going on right now.” I hang up, hardly reassured. To me, it seems clear that in India, as in so many places these days, Big Brother is increasingly watching.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/financial-times-march-27-2017-amy-kazmin-indias-biometric-id-scans-make-sci-fi-a-reality'>http://editors.cis-india.org/internet-governance/news/financial-times-march-27-2017-amy-kazmin-indias-biometric-id-scans-make-sci-fi-a-reality</a>
</p>
No publisher | praskrishna | Biometrics, Aadhaar, Internet Governance, Privacy | 2017-03-28T02:45:28Z | News Item
Is Your Aadhar Biometrics Safe? Firms Accused Of Storing Biometrics And Using Them Illegally
http://editors.cis-india.org/internet-governance/news/outlook-february-24-2017-is-your-aadhar-biometrics-safe-firms-accused-of-storing-biometrics-and-using-them-illegally
<b>Fears of Aadhar biometric security have been compounded as the government is sprinting towards the next phase of ‘cashless India’ and digitization</b>
<p style="text-align: justify; ">Pranesh Prakash and Sunil Abraham have been quoted in this article <a class="external-link" href="http://www.outlookindia.com/website/story/is-your-aadhar-biometrics-safe-firms-accused-of-storing-biometrics-and-using-the/298048">published by Outlook</a> on February 24, 2017.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The biggest fears regarding misuse of Aadhar biometrics and security loopholes are becoming real.</p>
<p style="text-align: justify; ">Three firms are being probed for attempting unauthorised authentication and impersonation by using stored Aadhaar biometrics, reported <i>The Times of India.</i></p>
<p style="text-align: justify; ">The paper reported that the Unique Identification Authority of India (UIDAI) has lodged a criminal complaint with the cyber cell of Delhi Police, saying it is a clear violation of the law.</p>
<p style="text-align: justify; ">“The firms are Axis Bank, Suvidhaa Infoserve and eMudhra. They have been served a ‘notice for action’ under Aadhaar regulations.”</p>
<p style="text-align: justify; ">The firms have been accused of storing biometrics and using them illegally.</p>
<p style="text-align: justify; ">The fears of biometric security have been compounded as the government is sprinting towards the next phase of ‘cashless India’ and digitization. They are preparing to launch Aadhaar Pay, an initiative that will supersede the need to use credit cards, debit cards, smartphones and PINs to make payments or transfer money.</p>
<p style="text-align: justify; ">The proposed system of payments will use a person’s biometric data and fingerprints to make payments through Aadhaar-linked bank accounts.</p>
<p style="text-align: justify; "><i>Outlook</i>’s Senior Associate Editor Arindam Mukherjee had in a clairvoyant <a href="http://www.outlookindia.com/magazine/story/no-genie-at-your-fingertips/298449" target="_blank">article</a> for the magazine raised the fears of biometrics being manipulated.</p>
<p style="text-align: justify; ">In the <a href="http://www.outlookindia.com/magazine/story/no-genie-at-your-fingertips/298449" target="_blank">article</a>, critics of Aadhaar and Aadhaar-based services raised the issue of privacy and security of biometric and personal data.</p>
<p style="text-align: justify; ">Pranesh Prakash, policy director with the Centre for Internet and Society (CIS), recently tweeted, “As long as Aadhar-Enabled Payment Services encourages biometric authorisation of transactions, it is bound to be a security nightmare, with widespread fraud.” Would you tell a shopkeeper your debit card’s PIN? No. Then why share your fingerprint? A fingerprint, in this system, becomes a kind of unchangeable Aadhaar Enabled Payment System PIN, he asks.</p>
<p style="text-align: justify; ">Pointing out a possible danger, Usha Ramanathan, an independent law researcher who has been following Aadhaar since its inception, says, “In many payments, biometric data is authenticated and then it remains in the system where there are leakages. Intermediaries then have access to the data, which is thus made insecure.”</p>
<p style="text-align: justify; ">According to the UIDAI, however, once biometric data is provided by the consumer while making Aadhaar-based payments, it gets encrypted and a merchant doesn’t get access to that data. The Aadhaar Act also prohibits any storing of biometric data in local devices.</p>
<p style="text-align: justify; ">And yet, there are many like CIS executive director Sunil Abraham who believe it is a mistake to use biometrics for authentication, especially when payments are concerned.</p>
<p style="text-align: justify; ">“Our concern with Aadhaar Pay is about the biometric component of the project,” says Abraham. “Biometrics is an identification technology. Unfortunately, it is being presented as an authentication technology. It is not a secure authentication technology as biometric data can be stolen easily. It is also irrevocable; once biometric data is stolen, it cannot be re-issued like a smart card.”</p>
<p style="text-align: justify; ">Then there is the problem of availability of fingerprints. In the case of many people from rural areas and the working class, fingerprints get affected due to the manual nature of their work. This makes it difficult for this target group of UIDAI to conduct transactions properly through Aadhaar Pay. “In Rajasthan, 30 per cent of the households are not even able to procure ration using fingerprints,” says Ramanathan.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/outlook-february-24-2017-is-your-aadhar-biometrics-safe-firms-accused-of-storing-biometrics-and-using-them-illegally'>http://editors.cis-india.org/internet-governance/news/outlook-february-24-2017-is-your-aadhar-biometrics-safe-firms-accused-of-storing-biometrics-and-using-them-illegally</a>
</p>
No publisher | praskrishna | Biometrics, Aadhaar, Internet Governance, Privacy | 2017-02-27T01:56:28Z | News Item
Vidhi Doshi - Fingerprint Payments Prompt Privacy Fears in India (The Guardian)
http://editors.cis-india.org/internet-governance/news/vidhi-doshi-fingerprint-payments-prompt-privacy-fears-in-india-the-guardian
<b>This article by Vidhi Doshi on the use of Aadhaar-based payments by private companies in India was published by The Guardian on February 09, 2017. Sumandro Chattapadhyay is quoted in the article.</b>
<p>Originally published by <a href="https://www.theguardian.com/sustainable-business/2017/feb/09/fingerprint-payments-privacy-fears-india-banknotes">The Guardian</a>.</p>
<hr />
<p style="text-align: justify;">For two years, Indian officials have been trawling the country, from city slums to unelectrified villages, zapping eyeballs, scanning fingerprints and taking photographs.</p>
<p style="text-align: justify;">Last month, Indian shoppers started to see the results. With the launch of a government-backed fingerprint payment system, tied to India’s growing biometric data bank, registered citizens can – in theory at least – now pay for things with the touch of a finger.</p>
<p style="text-align: justify;">India’s extraordinary biometric database, named Aadhaar after a Hindi word for ‘foundation’, is the biggest of its kind in the world. It was initially sold to the public as a welfare delivery mechanism that would ensure the country’s 1.25bn citizens were each receiving the right quantity of subsidised rice or cooking fuel, while weeding out fraudsters.</p>
<p>But now this pool of more than a billion people’s biometric data is being used by banks, credit checking firms and other private companies to identify customers, raising questions about privacy and security.</p>
<p style="text-align: justify;">As one of his flagship policies, prime minister Narendra Modi pledged to create a “digital India” in which the country’s cash-centric economy would switch to credit and debit cards, squeezing the parallel economy of untaxed cash transactions and giving more citizens access to digital financial services.</p>
<p style="text-align: justify;">In a surprise television announcement last November, Modi announced the demonetisation of 500 and 1,000 rupee notes (around £6 and £12), wiping out 85% of the country’s circulating currency overnight.</p>
<p style="text-align: justify;">Two days later, when the banks reopened, long queues snaked around almost every branch, with millions lining up to open bank accounts for the first time. Many used their 12-digit Aadhaar number, linked to their biometric profile, to sign up. Within three weeks, 3m bank accounts had been opened using fingerprint verification, according to estimates.</p>
<p style="text-align: justify;">The moment marked a radical change for India’s banking system, under which applicants were traditionally required to file photocopies of passports or voter IDs. Banks could take weeks, sometimes months, to verify them. Now applicants’ encrypted biometric data can be sent to the Unique Identification Authority of India (UIDAI), a government agency, to be matched against their Aadhaar data, re-encrypted and sent back to the bank.</p>
<p style="text-align: justify;">Despite technical teething problems, the system is designed to allow very fast authorisation. “All this happens in a matter of two or three seconds,” explains Ajay Bhushan Pandey, UIDAI’s director general.</p>
<p style="text-align: justify;">For Pandey, the benefits are clear: paper documents are easy to forge and hard to verify, especially in India where until recently thousands of people still used handwritten passports. Not so biometric data.</p>
<h4>Privacy fears</h4>
<p style="text-align: justify;">Pandey emphasises that private banks and companies aren’t able to access the entire Aadhaar database, only to use the government interface, which allows them to verify identities.</p>
<p style="text-align: justify;">Nonetheless, many Indians are worried about the privacy implications. Sumandro Chattapadhyay, a director at the Centre for Internet and Society thinktank, is one of them.</p>
<p style="text-align: justify;">For starters, says Chattapadhyay, the law governing use of the biometric database, fast-tracked through parliament last year, is flimsy when it comes to the private sector. Since India lacks a general privacy or data protection law, this leaves corporate use of Aadhaar services effectively unregulated, he says.</p>
<p style="text-align: justify;">This is particularly worrying, says Chattapadhyay, because of the data-sharing possibilities opened up by Aadhaar. It makes it easier for companies not only to share information on individuals’ consumption and mobility habits, but also to link this data up with public records like the electoral register, he says. “Both lead to significant threats to privacy of individuals.”</p>
<p style="text-align: justify;">Chattapadhyay’s fear is that private companies could eventually gain access to government-held personal data, such as income or medical records, while the government could use company data like phone records to target specific individuals in political campaigns.</p>
<p style="text-align: justify;">Already companies are linking Aadhaar numbers with collected metadata. Credit-checking startup CreditVidya, for example, identifies clients using their biometric ID in combination with their internet browsing history and other data, to assign credit scores for users who have no record of loan repayments. Banks then store this processed metadata, for example whether or not someone’s Facebook name is consistent with the name on their bank account.</p>
<p style="text-align: justify;">Its founder Abhishek Agarwal admits there are risks for users: “[I]f someone managed to hack the bank’s security system, as well as the Aadhaar database, they could potentially be able to link your Facebook or LinkedIn data with your biometric information.” But he says this would be hard to do.</p>
<p style="text-align: justify;">Pandey insists the companies are carefully vetted before they can use Aadhaar authentication. But, like Agarwal, he acknowledges the system can never be 100% secure: “I wouldn’t say it is impossible to break the system, but it is very, very difficult.”</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/vidhi-doshi-fingerprint-payments-prompt-privacy-fears-in-india-the-guardian'>http://editors.cis-india.org/internet-governance/news/vidhi-doshi-fingerprint-payments-prompt-privacy-fears-in-india-the-guardian</a>
</p>
No publisher | Vidhi Doshi | Demonetisation, Digital Payment, Big Data, Privacy, Internet Governance, Aadhaar, Biometrics | 2017-02-13T09:21:42Z | Blog Entry
Seminar on Understanding Financial Technology, Cashless India, and Forced Digitalisation (Delhi, January 24)
http://editors.cis-india.org/internet-governance/news/seminar-on-understanding-financial-technology-cashless-india-and-forced-digitalisation-delhi-jan-24-2017
<b>The Centre for Financial Accountability is organising a seminar on "Understanding Financial Technology, Cashless India, and Forced Digitalisation" on Tuesday, January 24, at YWCA, Ashoka Road, New Delhi. Sumandro Chattapadhyay will participate in the seminar and speak on the emerging architecture of FinTech in India, as being developed and deployed by UIDAI and NPCI.</b>
<p><em>Cross-posted from <a href="https://letstalkfinancialaccountability.wordpress.com/2017/01/20/understanding-financial-technology-cashless-india-forced-digitalisation/">Centre for Financial Accountability</a>.</em></p>
<hr />
<h2>Programme Schedule</h2>
<h4>09:30 - Registration</h4>
<h4>10:00 - Introduction to the Seminar & Setting the Context</h4>
<p>Madhuresh Kumar, National Alliance of People’s Movements</p>
<h4>10:15–11:30 - Session 1 - Understanding the Political Context of FinTech</h4>
<p>B P Mathur, Former Dy CAG</p>
<p>Prabir Purkayastha, Free Software Movement of India and Knowledge Commons</p>
<p>C P Chandrasekhar, Centre for Economic Studies and Planning, JNU</p>
<h4>11:30-11:45 – Tea / Coffee break</h4>
<h4>11:45-13:15 - Session 2 - How will FinTech Impact the Poor, and Labour and Banking Sector?</h4>
<p>Ashim Roy, New Trade Union of India</p>
<p>Nikhil Dey, Mazdoor Kisan Shakti Sangathan</p>
<p>Ravinder Gupta, General Secretary, State Bank of India Officers Association</p>
<h4>13:15-14:00 – Lunch</h4>
<h4>14:00-15:30 - Session 3 - Understanding the Economic Context of FinTech</h4>
<p>Indira Rajaraman, Former Director, RBI</p>
<p>Tony Joseph, Sr. Journalist</p>
<h4>15:30-17:00 - Session 4 - Understanding the Architecture of FinTech: Linkages to Aadhaar, IndiaStack etc</h4>
<p>Sumandro Chattapadhyay, the Centre for Internet and Society</p>
<p>Gopal Krishna, ToxicsWatch</p>
<h4>17:00 – Tea</h4>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/seminar-on-understanding-financial-technology-cashless-india-and-forced-digitalisation-delhi-jan-24-2017'>http://editors.cis-india.org/internet-governance/news/seminar-on-understanding-financial-technology-cashless-india-and-forced-digitalisation-delhi-jan-24-2017</a>
</p>
No publisher | sumandro | Unified Payments Interface, Financial Technology, Digital ID, Big Data, Digital Economy, UID, Internet Governance, Digital India, Aadhaar, Financial Inclusion, Biometrics, Digital Payment | 2017-01-23T13:17:19Z | Blog Entry
India’s Digital ID Rollout Collides With Rickety Reality
http://editors.cis-india.org/internet-governance/news/wall-street-journal-gabriele-parussini-january-13-2017-indias-digital-id-rollout-collides-with-rickety-reality
<b>India’s new digital identification system, years in the making and now being put into widespread use, has yet to deliver the new era of modern efficiency it promised for shop owner Om Prakash and customer Daya Chand.</b>
<p style="text-align: justify; ">The article by Gabriele Parussini was published in the <a class="external-link" href="http://www.wsj.com/articles/snags-multiply-in-indias-digital-id-rollout-1484237128?mod=e2fb">Wall Street Journal</a> on January 13, 2017. Hans Varghese Mathews was quoted.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">At first, it drove both men up a tree.<br /><br />The system, which relies on fingerprints and eye scans to eventually provide IDs to all 1.25 billion Indians, is also expected to improve the distribution of state food and fuel rations and eventually facilitate daily needs such as banking and buying train tickets.<br /><br />But Mr. Prakash couldn’t confirm his customers’ identities until he dragged them to a Java plum tree in a corner of his village near New Delhi’s international airport. That was the only place to get the phone signal needed to tap into the government database.</p>
<p style="text-align: justify; ">“I hopped on a chair and put my finger in the machine,” said Mr. Chand, a 60-year-old taxi driver. Getting his state food ration “used to be much easier,” he said.</p>
<p style="text-align: justify; ">In <a class="none icon" href="http://blogs.wsj.com/briefly/2017/01/13/indias-massive-aadhaar-biometric-identification-program-the-numbers/">a system so vast</a>, even small glitches can leave millions of people empty-handed.</p>
<p style="text-align: justify; "><a class="none icon" href="http://blogs.wsj.com/indiarealtime/2012/10/03/getting-indias-id-project-back-on-track/">The government began building the system</a>, called Aadhaar, or “foundation,” with great fanfare in 2009, led by a team of pioneering technology entrepreneurs. Since then, almost 90% of India’s population has been enrolled in what is now the world’s largest biometric data set.</p>
<p style="text-align: justify; ">Prime Minister Narendra Modi, who set aside early skepticism about the Aadhaar project after taking power in 2014, is betting that it can help India address critical problems such as poverty and corruption, while also saving money for the government.</p>
<p style="text-align: justify; ">But the technology is colliding with the rickety reality of India, where many people live off the grid or have fingerprints compromised by manual labor or age.</p>
<p style="text-align: justify; ">Panna Singh, a 55-year-old day laborer in the northwestern state of Rajasthan who breaks stones used to build walls, says the machine recognized his scuffed-up fingerprints only a couple of times.</p>
<p style="text-align: justify; ">“I’ve come twice today,” he said at a ration shop in the village of Devdungri. “That’s a full day of work, gone.”</p>
<p style="text-align: justify; ">Iris scans are meant to resolve situations where fingerprints don’t work, but shops don’t yet have iris scanners.</p>
<p style="text-align: justify; ">Ajay Bhushan Pandey, chief executive of the government agency that oversees Aadhaar, said kinks will be ironed out as the system is used, as is the case with software rollouts. It works 92% of the time, and that will rise to 95%, he said.</p>
<p style="text-align: justify; ">“On the scale of what [Aadhaar] has achieved, the rollout has been remarkably smooth,” said Nandan Nilekani, the Infosys co-founder who spearheaded the project. “I don’t see any issues that are disproportionate to the size of project.”</p>
<p style="text-align: justify; ">An Aadhaar ID is intended to be a great convenience, replacing the multitude of paperwork required by banks, merchants and government agencies. The benefits are only just beginning, backers say, as the biometric IDs are linked to programs and services.</p>
<p style="text-align: justify; ">But in rural areas, home to hundreds of millions of impoverished Indians dependent on subsidies, the impact of technical disruptions has already been evident.</p>
<p style="text-align: justify; ">After walking for two hours across rough underbrush in Rajasthan to get kerosene for the month, Hanja Devi left empty-handed because the machine couldn’t match her fingerprint with her Aadhaar number.</p>
<p style="text-align: justify; ">“It’s always so difficult” using the system, said Ms. Devi, who lives with her husband and a nephew on 1,500 rupees ($22) a month.</p>
<p style="text-align: justify; ">Ranjit Singh, who operates the shop, said five of the 37 customers before Ms. Devi also left the shop empty-handed, a failure rate of over 15%.</p>
<p style="text-align: justify; ">A shop manager in a neighboring village said identification had failed for a similar portion of his 500 customers.</p>
<p style="text-align: justify; ">Any biometric recognition system of Aadhaar’s size is bound to show duplicates, meaning some people’s biometric identifiers will match someone else’s when they try to enroll. The new system hasn’t eliminated attempts at fraud. In August, police in Rajasthan accused two shop managers of linking their fingerprints to a multitude of cards and stealing for months the rations of dozens of clients.</p>
<p style="text-align: justify; ">Hans Varghese Mathews, a mathematician at the Bangalore-based Center for Internet and Society, used the results of a test run by Aadhaar officials on a sample of 84 million people to extrapolate the figure for India’s total population. The error level is less than 1%, but in the world’s second-most populous country, the snag would still affect about 11 million people, he said.</p>
<p style="text-align: justify; ">Government officials disputed the calculation, saying the number of duplicates would be much smaller—and that it would take only seven analysts to manage the error caseload.</p>
<p style="text-align: justify; ">As for trouble connecting to the registry, better infrastructure, including steadier internet connections, will eventually also help, Mr. Pandey said.</p>
<p style="text-align: justify; ">For now, Mr. Prakash has found a way to cope without climbing trees. After scouring the village, he set up a shack in a spot with enough bandwidth for his fingerprint scanner to work. It is hardly efficient. He issues receipts in the morning at the shack, then goes back to his shop to hand out the grains. Customers have to line up twice, sometimes for hours.</p>
<p style="text-align: justify; ">Mr. Prakash has applied to the government to operate without biometric identification, but his request was turned down, he said. “They said: ‘You have to keep trying.’ ”</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/wall-street-journal-gabriele-parussini-january-13-2017-indias-digital-id-rollout-collides-with-rickety-reality'>http://editors.cis-india.org/internet-governance/news/wall-street-journal-gabriele-parussini-january-13-2017-indias-digital-id-rollout-collides-with-rickety-reality</a>
</p>
No publisher | praskrishna | Biometrics, Aadhaar, Internet Governance, Privacy | 2017-01-17T15:35:04Z | News Item