The Centre for Internet and Society
http://editors.cis-india.org
These are the search results for the query, showing results 51 to 65.
Social Activist Alleges Threat By Police Officer Over Possession of Aadhaar
http://editors.cis-india.org/internet-governance/news/the-wire-gaurav-vivek-bhatnagar-july-16-2017-social-activist-alleges-threat-by-police-officer-over-possession-of-aadhaar
<b>Social activist Shabnam Hashmi recorded a policeman telling her those without address proof and Aadhaar could be “eliminated”.</b>
<p style="text-align: justify; ">The article by Gaurav Vivek Bhatnagar was published in the <a class="external-link" href="https://thewire.in/158107/fear-around-misuse-of-aadhar/">Wire</a> on July 16, 2017. Pranesh Prakash was quoted.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Well-known social activist Shabnam Hashmi held a press conference to say she was threatened on the telephone by a police officer at the Lajpat Nagar police station warning her that the government had launched a ‘surround and eliminate’ campaign against people whose addresses are not known and who do not possess Aadhaar numbers or cards. This is now a standing instruction to all police stations, Hashmi was told. Moreover, the officer – accused of threatening and abusing Hashmi when she called him on the night of July 14 to know why the husband of a woman, who learns stitching at a training centre run by the NGO Pehchan at Jaitpur in south-east Delhi, had been summoned at a late hour – insisted that police personnel were well within their rights to act in this way.</p>
<p style="text-align: justify; ">The police may brush aside this assertion as the concerned officer’s personal opinion, or they may deny the veracity of the conversation, <a href="https://www.youtube.com/watch?v=Az2WR54QWTE" rel="external nofollow" target="_blank" title="which Hashmi recorded and shared with the media">which Hashmi recorded and shared with the media</a>; but she and other anti-Aadhaar activists say the interaction raises questions about the consequences – intended or unintended – of the Centre’s stress on making Aadhaar mandatory for the personal liberty and civil rights of ordinary residents.</p>
<p style="text-align: justify; ">Many Aadhaar critics have, in the past, expressed the fear that the irresponsible use or misuse of Aadhaar could lead to India becoming a ‘surveillance state’ or ‘police state’ by placing enormous discretionary powers in the hands of unscrupulous state officials.</p>
<p style="text-align: justify; "><b>Petitioners in SC had cautioned against misuse of Aadhaar</b></p>
<p style="text-align: justify; ">Earlier this year, Communist Party of India leader Binoy Viswam had filed a petition in the Supreme Court questioning the introduction of Section 139 AA of the IT Act to link Aadhaar cards with PAN cards. Subsequently, <a href="http://www.rediff.com/news/interview/aadhaar-is-very-dangerous-for-the-indian-nation/20170425.htm" rel="external nofollow" target="_blank" title="in an interview">in an interview</a> in April this year, he had noted that “the citizens are becoming instruments in the hands of the state” as “by taking fingerprints, iris scans and other details of the citizens of the country, the state is becoming the custodian of its people.” He had also expressed the fear that “the state can use this data according to its whims and fancies”.</p>
<p style="text-align: justify; ">Viswam could not have been more correct. Much before the use of data, “elements” of the state have started using the ruse of creation of data itself as a convenient tool to threaten and intimidate people and this is precisely what happened in the case of Hashmi.</p>
<p style="text-align: justify; ">Recalling the incident, Hashmi, who is the founding trustee of Pehchan, said the NGO runs a small centre in Jaitpur extension where it teaches school dropouts to appear for class 10 and 12 examinations and also runs sewing classes for women.</p>
<p style="text-align: justify; ">Hashmi said that at around 9 pm on July 14, Haseen, the husband of Mubina, one of the trainees, was summoned by a sub-inspector to the Lajpat Nagar police station regarding a complaint. When Hashmi called up the police station to find out what the summons was about, the policeman allegedly “hurled abuses”, and used “highly derogatory and uncivilised language” during the conversation.</p>
<p style="text-align: justify; ">Though Hashmi did not have a recorder in her phone at the time of the first call, she subsequently downloaded one and later recorded her conversation with the same officer.</p>
<p style="text-align: justify; ">In this conversation, the policeman is heard reasoning with Hashmi that he had not summoned Haseen at a late hour. He claimed that he used harsh language in the first conversation since she had not identified herself and had only proclaimed herself to be a social worker. It also comes across in the conversation that Hashmi had told the man in the earlier conversation that he was drunk while being on duty and that this had irked him. It emerged that the cop had got an inkling that she was recording the later conversation, because of which he apparently mellowed down.</p>
<p style="text-align: justify; ">The issue assumes significance as after declaring twice in the past that Aadhaar cannot be made mandatory for delivering services, the <a href="http://www.thehindu.com/news/national/supreme-court-upholds-aadhaar-pan-linkage/article18903048.ece" rel="external nofollow" target="_blank" title="Supreme Court had recently upheld">Supreme Court had recently upheld</a> the validity of an Income Tax law amendment linking PAN with Aadhaar for filing tax returns.</p>
<p style="text-align: justify; ">Former Attorney General Mukul Rohatgi had argued that the government was “entitled to have identification” and that “as constituents of society people can’t claim immunity from identification.” Rohatgi had insisted that “no right is absolute, right to body is not absolute. Under extreme cases even right to life can be taken away, under due process.”</p>
<p style="text-align: justify; "><b>Experts have often cautioned against Aadhaar misuse</b></p>
<p style="text-align: justify; ">According to legal experts, the illegalities related to Aadhaar do not just end with such arguments. Writing for <i>The Wire</i>, Prashant Reddy T., a research associate at the School of Law, Singapore Management University, <a href="https://thewire.in/148687/mandatory-aadhaar-bank-accounts-legality/" rel="noopener noreferrer" target="_blank" title="had noted that">had noted that</a> in the past couple of months the “Modi government has increasingly used its rule-making powers under various laws in a manner which is contrary to the law of the land.” He was referring to the Centre’s announcement to mandatorily link Aadhaar numbers to all non-small bank accounts, failing which, access to the bank accounts would be disabled after December 31.</p>
<p style="text-align: justify; ">“As is often the case with this government, the question now is whether this new mandatory Aadhaar requirement (and the threatened punishment) is legal,” the expert had asked.</p>
<p style="text-align: justify; ">Earlier this year, writing for the <i>Hindustan Times</i>, Pranesh Prakash, policy director at the Centre for Internet and Society, and an affiliated fellow at Yale Law School’s Information Society Project, <a href="http://www.hindustantimes.com/india-news/what-s-really-happening-when-you-swipe-your-aadhaar-card-to-make-a-payment/story-2fLTO5oNPhq1wyvZrwgNgJ.html" rel="external nofollow" target="_blank" title="had referred">had referred</a> to the immense potential of Aadhaar for profiling and surveillance. He had called for fundamentally altering Aadhaar, saying that if the rampant misuse of surveillance and wilful ignorance of the law by the state were anything to go by, the future looked bleak.</p>
No publisher | Admin | Aadhaar, Internet Governance, Privacy | 2017-07-20T14:31:12Z | News Item
Should Aadhaar be mandatory?
http://editors.cis-india.org/internet-governance/blog/should-aadhaar-be-mandatory
<b>This week, a constitutional bench of the Supreme Court will adjudicate on limited questions of stay orders in the Aadhaar case. After numerous attempts by the petitioners in the Aadhaar case, the court has agreed to hear this matter, just shy of the looming deadline of December 31 for the linking of Aadhaar numbers to avail government services and benefits. </b>
<p style="text-align: justify; ">The article was published in <a class="external-link" href="http://www.deccanherald.com/content/647320/should-aadhaar-mandatory.html">Deccan Herald</a> on December 9, 2017.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Getting their day in the court to hear interim matters is but a small victory in what has been a long and frustrating fight for the petitioners. In 2012, Justice K S Puttaswamy, a former Karnataka High Court judge, filed a petition before the Supreme Court questioning the validity of the Aadhaar project due to its lack of legislative basis (the Aadhaar Act was passed by Parliament in 2016) and its transgressions on our fundamental rights.</p>
<p style="text-align: justify; ">Over time, a number of other petitions also made their way to the apex court challenging different aspects of the Aadhaar project. Since then, five different interim orders of the Supreme Court have stated that no person should suffer because they do not have an Aadhaar number.<br /><br />Aadhaar, according to the Supreme Court, could not be made mandatory to avail benefits and services from government schemes. Further, the court has limited the use of Aadhaar to only specific schemes, namely LPG, PDS, MNREGA, National Social Assistance Program, the Pradhan Mantri Jan Dhan Yojna and EPFO.<br /><br />The then Attorney General, Mukul Rohatgi, in a hearing before the court in July 2015 stated that there is no constitutionally guaranteed right to privacy. But the judgement by the nine-judge bench earlier this year was an emphatic endorsement of the constitutional right to privacy.<br /><br />In the course of a 547-page judgement, the bench affirmed the fundamental nature of the right to privacy, reading it into the values of dignity and liberty.<br /><br />Yet months after the judgement, the Supreme Court has failed to hear arguments in the Aadhaar matter. The reference to a larger bench and subsequent deferrals have since delayed the entire matter, even as the government has moved to make Aadhaar mandatory for a number of government schemes.<br /><br />At this point, up to 140 government services have made linking with Aadhaar mandatory to avail these services. Chief Justice of India Dipak Misra has promised a constitution bench this week, likely to look only into interim matters of stay on the deadline of Aadhaar-linking. It is likely that the hearings for the final arguments are still some months away. 
The refusal of the court to adjudicate on this issue has been extremely disappointing, and a grave disservice to the court's intended role as the champion of individual rights.<br /><br />It is worth noting that the interim orders by the Supreme Court that no person should suffer because they do not have an Aadhaar number, and limiting its use only to specified schemes, still stand.<br /><br />However, since the passage of the Aadhaar Act, which allows the use of Aadhaar by both private and public parties, permits making it mandatory for availing any benefits, subsidies and services funded by the Consolidated Fund of India, the spate of services for which Aadhaar has been made mandatory suggests that as per the government, the Aadhaar Act has, in effect, nullified the orders by the Supreme Court.<br /><br />This was stated in so many words by Union Law Minister Ravi Shankar Prasad in the Rajya Sabha in April. This view is an erroneous one. While acts of Parliament can supersede previous judicial orders, they must do so either through an express statement in the objects of the Act, or implied when the two are mutually incompatible. In this case, the Aadhaar Act, while permitting the government authorities to make Aadhaar mandatory, does not impose a clear duty to do so.<br /><br />Therefore, reading the orders and the legislation together leads one to the conclusion that all instances of Aadhaar being made mandatory under the Aadhaar Act are void.<br /><br />The question may be more complicated for cases where Aadhaar has been made mandatory through other legislations, such as Prevention of Money Laundering Act, as they clearly mandate the linking of Aadhaar numbers, rather than merely allowing it. However, despite repeated appeals of the petitioners, the court has so far refused to engage with the question of the legality of such instances. <br /><br />How may the issues finally be resolved? 
When the court deigns to hear final arguments, the Aadhaar case will be instructive in how the court defines the contours of the right to privacy. The right to privacy judgement, while instructive in its exposition of the different aspects of privacy, does not delve deeply into the question of what may be legitimate limitations on this right.<br /><br />In one of the passages of the judgement, "ensuring that scarce public resources are not dissipated by the diversion of resources to persons who do not qualify as recipients" is mentioned as an example of a legitimate incursion into the right to privacy. However, it must be remembered that none of the opinions in the privacy judgement were majority judgements.<br /><br />Therefore, in future cases, lawyers and judges must parse through the various opinions to arrive at an understanding of the majority opinion, supported by five or more judges. While the privacy judgement was a landmark one, its actual impact on the rights discourse and on matters like Aadhaar will depend extensively on how the judges choose to interpret it.</p>
No publisher | amber | Aadhaar, Internet Governance, Privacy | 2017-12-18T15:54:39Z | Blog Entry
Sharad Sharma Apologises for Trolling Aadhaar Critics; Unmasking Ispirit's Controversial Trolling Program
http://editors.cis-india.org/internet-governance/news/inc42-may-23-2017-shweta-modgil-sharad-sharma-aplogises-for-trolling-aadhaar-critics
<b>Last weekend I was at Aditi Mittal’s standup comedy show in Mumbai where she made a cheeky remark that stayed with me – “Do you guys know what India’s soft power is today? It is trolling!” </b>
<p style="text-align: justify; ">The blog post by Shweta Modgil was <a class="external-link" href="https://inc42.com/buzz/sharad-sharma-trolling-aadhaar/">published by Inc 42</a> on May 23, 2017.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">While she was poking fun at the Snapchat-Snapdeal-Evan Spiegel controversy, in a bizarre coincidence those words came back to haunt me three days later. That was when one of biometric authentication system Aadhaar’s most vocal critics, Kiran Jonnalagadda, co-founder of Internet Freedom Foundation (IFF), an advocacy group, revealed in a series of tweets that @Confident_India, one of the anonymous accounts arguing in favour of Aadhaar and attacking its critics on Twitter, was being operated by none other than Sharad Sharma, the founder of software products think tank iSPIRT.</p>
<p style="text-align: justify; ">At the time, <b>Sharad had completely denied that he was tweeting from an anonymous account</b>. But today, Sharad apologised for the anonymous trolling <a class="external" href="https://twitter.com/sharads/status/866943195678035968/photo/1" rel="noopener noreferrer nofollow" target="_blank">on Twitter</a>.</p>
<p style="text-align: justify; ">In a tweet, Sharad stated that “There was a lapse of judgement on my part. I condoned tweets with uncivil comments. So I’d like to unreservedly apologise to everybody who was hurt by them.”</p>
<p style="text-align: justify; ">He added that “Anonymity seemed easier than propriety, and tired as I was by personal events and attacks on iSPIRT’s reputation, I slipped.” Furthermore, he stated that he would not be part of anything like this again or allow such behaviour to continue. He also revealed that an iSPIRT Guidelines and Compliance Committee (IGCC) has been set up to investigate the matter and recommend corrective action.</p>
<h3 style="text-align: justify; ">On Catching a Troll</h3>
<p style="text-align: justify; ">On 17 May, Kiran tweeted out a revelation, which shook a lot of people – “Have we caught an Aadhaar troll?” Kiran used Twitter’s account reset option on Confident_India with Sharad Sharma’s number to see if it was accepted. And, as per a screenshot posted by him, it was.</p>
<p style="text-align: justify; ">This was further corroborated by many other Twitter users. Medianama’s Nikhil Pahwa (and co-founder of IFF) also confirmed the same, tweeting that the troll account does link to Sharad Sharma.</p>
<p style="text-align: justify; ">In a <a class="external-link" href="https://medium.com/@jackerhack/inside-the-mind-of-indias-chief-tech-stack-evangelist-ca01e7a507a9">detailed</a> Medium post, Kiran then revealed how he investigated the rise of anonymous Twitter accounts and trolls responding to critics of Aadhaar. But what he revealed next was the shocking part – that at the 27th Fellows meeting of the think tank, a plan was hatched to respond to critics of India Stack which involved the use of trolls. A group called Sudham, created earlier, divided people who were broadcasting different views on Aadhaar, into different categories and then underlined various proposals on dealing with them. One of the groups called “archers” was entrusted to carry out the mainstream debate, while another group of “swordsmen” was entrusted to challenge people who were categorised as informed yet “trolling.” Swordsmen would do this by coordinating on WhatsApp with quick responses and in numbers.</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/WhatCanYoDo.jpg" alt="Trolled" class="image-inline" title="Trolled" /></p>
<p style="text-align: justify; ">Kiran got a hold of the presentation and also shared how one controversial slide also showed a detractor matrix.</p>
<p style="text-align: justify; ">It is this slide which Kiran uses to illustrate the fact that: “iSPIRT has an officially sanctioned trolling program where the trolls coordinate on WhatsApp and attack together on Twitter, exactly the behaviour seen in all the tweets above—and I’ve only covered the leader’s tweets. There are at least a dozen known troll accounts that attack in packs.”</p>
<h3 style="text-align: justify; ">First Denial</h3>
<p style="text-align: justify; ">Back when the information was first revealed, Sharad Sharma responded by denying that he was tweeting from the <a class="external" href="https://twitter.com/Confident_India" rel="nofollow" target="_blank">@<b>Confident_India</b></a> Twitter account.</p>
<p style="text-align: justify; ">He further added that he was in the US for a family emergency, and that he was clueless as to why his number was linked with that account.</p>
<p style="text-align: justify; ">But, interestingly, what roused the investigator’s suspicions was that Sharad shared the same denial from another troll account @indiaforward2 – which was captured by another Twitter user before it was deleted.</p>
<p style="text-align: justify; ">The denial from Sharad’s true account came half an hour later. But the damage had been done and all fingers pointed in the direction of Sharad Sharma engaging in trolling from those accounts. Kiran then wrote another damning post on Sharad’s <a class="external-link" href="https://medium.com/@jackerhack/sharad-sharmas-dubious-denial-b0b9aa6c6b8f">dubious denial</a>.</p>
<p style="text-align: justify; ">As can be guessed, all the tweets related to this matter from Sharad’s and Indiaforward’s accounts have been deleted. The last tweet from Confident India’s account on 17 May professed that he is not Sharad Sharma.</p>
<p style="text-align: justify; ">Meanwhile, iSPIRT finally <a class="external-link" href="https://medium.com/@mtrajan/ispirt-response-to-kiran-jonnalagadda-3f977fb91df4">responded</a> to Kiran’s revelations on Medium: “We want to categorically state that the allegations against iSPIRT coordinating and/or promoting any troll campaign are false and the evidence presented is a deliberate misreading of our intent to engage with those speaking against India Stack.”</p>
<p style="text-align: justify; ">The post further explained that in its Fellows meeting held in February and April 2017, it did address the issue of the chatter around India Stack. It says, “Our volunteer, Tanuj Bhojwani, led the discussion and we outlined our strategy for dealing with our detractors. The slide in question is clearly titled “Detractor Matrix.” The slide outlines how we classify those speaking against India Stack, and how we are engaging with them. We called one category of people “informed yet trolling (IYT),” a category of people deliberately misleading people, despite understanding the nuance behind the debate.”</p>
<p style="text-align: justify; ">The post admitted that the think tank encouraged volunteers to respond to these IYT Twitter handles directly from their own personal handles. However, at no point did it endorse or recommend anonymous trolling.<br /><br />“We are aware that some volunteers and their friends have created an anonymous campaign to Support Aadhaar. This is not a troll campaign, but an informational one. It is also not an iSPIRT campaign.”<br /><br />It concluded with: “Kiran’s motivated misrepresentation of the slides perhaps speaks to his biases against iSPIRT.” The post added that it plans to investigate the confusion around the alleged mobile number and account link and clarify all outstanding questions.<br /><br />Meanwhile, coming back to trolling, where we started: though Sharad’s apology did not say directly whether he operated the two Twitter accounts, @Confident_India and @Indiaforward2, which he was suspected of using for trolling, he signed off by requesting “those who I have disappointed to look at this as an exception.”</p>
<h3 style="text-align: justify; ">The Aadhaar Controversy</h3>
<p style="text-align: justify; ">While the series of incidents raises many doubts over an esteemed organisation such as iSPIRT, the controversy over Aadhaar, India’s massive biometric identification programme, has been raging for many months now.<br /><br />Over the last few months, it has come under fire for not addressing the privacy concerns of an individual and leaking individual data. Aadhaar critics have pointed out that it is more a mass surveillance tool, can lead to identity thefts, and linking basic services with it spells doom.<br /><br /><a class="external-link" href="http://timesofindia.indiatimes.com/business/india-business/aadhaar-numbers-of-135-mn-may-have-leaked-claims-cis-report/articleshow/58529002.cms">This month</a>, a CIS (Centre for Internet and Society) report revealed that Aadhaar numbers and personal information of as many as 135 million Indians could have been leaked from four government portals, due to lack of IT security practices. The report claimed that the absence of “proper controls” in populating the databases could have disastrous results as it may divulge sensitive information about individuals, including details about the address, photographs, and financial data. It also added that as many as 100 Mn bank account numbers could have been “leaked.”</p>
<p style="text-align: justify; ">However, on May 16, the CIS <a class="external-link" href="http://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof/view">updated its report</a> and clarified that although the term ‘leak’ was originally used 22 times in its report, <b>it is at “best characterised as an illegal data disclosure or publication and not a breach or a leak.</b>” It also claimed that some of its findings were “misunderstood or misinterpreted” by the media and that it never suggested that the biometric database had been breached.</p>
<p style="text-align: justify; ">Meanwhile, the Aadhaar-issuing authority UIDAI has asked CIS to explain its sensational claim that 13 crore Aadhaar numbers were “leaked” and provide details of servers where they are stored. The UIDAI also wants CIS to clarify what kind of “sensitive data” is still with the Centre or anyone else. The UIDAI has strongly denied any breach of its database and has asked CIS to provide details such as the servers where the downloaded “sensitive data” is stored.<br /><br />While the security of the above-mentioned Aadhaar data is still being debated, the government’s push towards making it compulsory across industries has become a major topic of debate in India.<br /><br />From linking bank accounts, to PAN numbers, to obtaining free gas connections under the Pradhan Mantri Ujjwala Yojana, to linking scholarships to linking Aadhaar numbers to social welfare schemes for electronically disbursing money to specific beneficiaries, or the Aadhaar-enabled Payment System (AEPS), the government has been pushing on with Aadhaar to make it a mandatory ID rather than the voluntary one it was envisaged to be originally. India still does not have a data protection and privacy law and making Aadhaar mandatory in such a country is not without risks.<br /><br />Given the fact that the UIDAI cannot afford to carry out authentication-based rollouts across schemes in haste as the failure rate of AEPS can lead to denial of direct benefits, it makes more sense to retain Aadhaar as a voluntary authenticator, at least until the government solves on-ground issues around Aadhaar-based authentication. Because any failure can erode public faith in Aadhaar as the beneficiary would not get his rightful ration over authentication failure— and, to that extent, in the government itself. 
So, for beneficiaries who depend on public distribution systems (PDS) for rice, sugar, kerosene or oil, authentication failure is a serious problem.<br /><br />It is to this effect that PILs (public interest litigation suits) have been filed in the Supreme Court stating that making Aadhaar compulsory is illegal and would virtually convert citizens into “slaves” as they would be under the government’s surveillance all the time. The Supreme Court had itself stated in August 2015 that Aadhaar cards will not be mandatory for availing benefits of government’s welfare schemes and had also barred authorities from sharing personal biometric data collected for enrollment under the scheme.<br /><br />Last month too, it lambasted the Narendra Modi-led BJP government at the Centre for making Aadhaar card a mandatory prerequisite to avail government services. The court will examine all applications against Aadhaar on June 27 2017, while the government remains steadfast on not extending the deadline of June 30 by which various schemes such as the grant of scholarships, Sarva Shiksha Abhiyan and various other social welfare schemes were to seek mandatory Aadhaar number.<br /><br />While the debate rages on, controversies keep on piling up. Recently, linking people living with HIV/ AIDS with Aadhaar cards has allegedly driven away patients from hospitals and antiretroviral therapy (ATR) centres in Madhya Pradesh. As per health department sources, the MP State AIDS Control Society made Aadhaar card number compulsory from February this year for those affected by the virus to get free medicines and treatment in accordance with the Central government’s policy making Aadhaar mandatory to avail benefits of any government scheme.<br /><br />However, this led to negative fallout as many patients and suspected victims started avoiding ATR centres and district hospitals after the new rule came into effect. 
The patients feared that the compulsory submission of Aadhaar card to get free medicines and medical check-ups could lead to the disclosure of their identity, inviting social stigma.<br /><br />There is no denying that, in a welfare state, technology can play a big role in enabling the state to hand out entitlements more efficiently and distribute public services at scale. But doing the same at the cost of an individual citizen’s privacy, and resting it all on one mandatory number whose authentication is still not completely foolproof, is hardly the way a welfare state would like to operate.</p>
No publisher | praskrishna | Aadhaar, Internet Governance, Privacy | 2017-05-26T01:08:09Z | News Item
Seven reasons why Parliament should debate the Aadhaar bill (and not pass it in a rush)
http://editors.cis-india.org/internet-governance/news/scroll.in-anumeha-yadav-march-24-2016-seven-reasons-why-parliament-should-debate-the-aadhaar-bill-and-not-pass-it-in-a-rush
<b>Critics say the Aadhaar Bill does not address concerns over privacy, even as government is rushing the Bill without adequate parliamentary scrutiny.</b>
<p style="text-align: justify; ">The blog post by Anumeha Yadav was published in <a class="external-link" href="http://scroll.in/article/804922/seven-reasons-why-parliament-should-debate-the-aadhaar-bill-and-not-pass-it-in-a-rush">Scroll.in</a> on March 11, 2016. Pranesh Prakash was quoted.</p>
<hr />
<p style="text-align: justify; ">Since it was launched by the United Progressive Alliance government in 2009, the Unique Identification project called Aadhaar has functioned without a legal framework. The project, which aims to assign a biometric-based number to every Indian resident, has been run under an executive order, which means Parliament has no oversight over it.</p>
<p style="text-align: justify; ">An Aadhaar Bill was introduced in 2010 but it was rejected by a parliamentary committee over legislative, security, and privacy concerns.</p>
<p style="text-align: justify; ">For long, critics have expressed concerns over collecting and centralising citizens' biometric data ‒ such as fingerprints and retina scans ‒ on a mass scale in the absence of a privacy law. The Supreme Court in several orders in 2014 and 2015 affirmed that the government cannot require people to register for an Aadhaar number and no one can be deprived of a government service for not having an Aadhaar number. The Supreme Court is now set to form a constitution bench to examine the contours of the right to privacy flowing from the government's arguments in the Aadhaar case.</p>
<p style="text-align: justify; ">Before the bench begins its work, however, the Modi government has introduced a new Bill on Aadhaar, which could override the court's orders.</p>
<p style="text-align: justify; ">The <a class="link-external" rel="nofollow" href="http://www.prsindia.org/administrator/uploads/media/AADHAAR/Aadhaar%20Bill,%202016.pdf" target="_blank"><span>Aadhaar </span></a>(Target Delivery of Financial and Other Subsidies, Benefits and Services) Bill was introduced on March 3 in Lok Sabha. Finance minister Arun Jaitley said the new Bill addresses concerns over privacy and the security and confidentiality of information.</p>
<p style="text-align: justify; ">But a close examination of the Bill shows several questions remain.</p>
<p style="text-align: justify; "><strong>1. Does the Bill make it mandatory for you to get an Aadhaar number?<br /></strong>Yes, you may have to compulsorily enrol under Aadhaar, despite the privacy concerns explained in the sections below.</p>
<p style="text-align: justify; ">Four-time member of the Lok Sabha, Bhartruhari Mahtab of the Biju Janata Dal, was on the parliamentary committee on finance that examined the previous Aadhaar Bill introduced in 2010. He said the new Aadhaar Bill does not specify that it will <em>not</em> be made mandatory.</p>
<p style="text-align: justify; ">“There is duplicity over this issue,” said Mahtab. “Nandan Nilekani [the former chairperson of the Unique Identification Authority of India] repeatedly told us in the parliamentary committee that Aadhaar is not mandatory. The Supreme Court also said, 'You cannot make it mandatory.'”</p>
<p style="text-align: justify; ">But if a service agent asks for Aadhaar mandatorily, then as a beneficiary, citizens have no option but to get an Aadhaar number, Mahtab explained. “The government, or a private company, cannot force me to get an Aadhaar number," he said. "The government should bring a law that clearly says Aadhaar is not mandatory.”</p>
<p style="text-align: justify; ">A committee of experts on privacy, chaired by Justice AP Shah, had <a class="link-external" rel="nofollow" href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf" target="_blank"><span>recommended</span></a> in 2012 that the Bill should specify that individuals have the choice to opt in or out of providing their Aadhaar number, and that a service should not be denied to individuals who do not provide their number. The Unique Identification Authority of India had then stated to the committee that enrolment in Aadhaar is voluntary.</p>
<p style="text-align: justify; ">But the new Aadhaar Bill does not incorporate a categorical clause on opt-in and opt-out. Instead, it broadens the scope of Aadhaar. Jaitley said the Bill will allow the government to ask a citizen to produce an Aadhaar number to avail of any government subsidy. But section 7 of the Bill is phrased more broadly, and refers to not just subsidies but any “subsidy, benefit or service” for which expense is incurred on the Consolidated Fund of India, or the government treasury.</p>
<blockquote class="cms-block-quote cms-block" style="text-align: justify; ">
<p>7. The Central Government or, as the case may be, the State Government may, for the purpose of establishing identity of an individual as a condition for receipt of a subsidy, benefit or service for which the expenditure is incurred from, or the receipt therefrom forms part of, the Consolidated Fund of India, require that such individual undergo authentication, or furnish proof of possession of Aadhaar number or in the case of an individual to whom no Aadhaar number has been assigned, such individual makes an application for enrolment: Provided that if an Aadhaar number is not assigned to an individual, the individual shall be offered alternate and viable means of identification for delivery of the subsidy, benefit or service.</p>
</blockquote>
<p style="text-align: justify; ">As noted above, the proviso in section 7 is premised on the phrase: “if an Aadhaar number is not assigned”. This, along with language preceding in the section, indicates that a citizen may be compulsorily required to apply for enrolment.</p>
<p style="text-align: justify; ">Section 8 permits a “requesting entity” to utilise identity information for authentication with the Central Identities Data Repository. A “requesting entity” is defined under Section 2(u), and will include private entities.</p>
<p style="text-align: justify; "><strong>2. Does the Bill allow Aadhaar authorities to share your personal data?<br /></strong>Yes, in the "interest of national security", a term that remains undefined.</p>
<p style="text-align: justify; ">Both legal experts and members of Parliament have flagged the provisions in the Bill on the circumstances in which users' data, including core biometrics information, can be shared.</p>
<p style="text-align: justify; ">The debate centres over the interception provisions in section 33.</p>
<p style="text-align: justify; ">In a <a class="link-external" rel="nofollow" href="http://indianexpress.com/article/opinion/columns/aadhaar-bill-lpg-subsidy-mgnrega-paperless-govt-basis-of-a-revolution/#sthash.FJeqBNmJ.dpuf" target="_blank"><span>piece</span></a> in <em>The Indian Express</em>, Nandan Nilekani, the former chairperson of the issuing authority, stated that the Aadhaar Bill provides that no core biometric information can be shared, a principle without exception. “...Clause 29(1) is not overridden by Clause 33(2),” he noted.</p>
<p style="text-align: justify; ">However, a closer reading of the Bill shows this is not the case. Clause 33(2), in fact, does provide an exception to clause 29(1)(b):</p>
<blockquote class="cms-block-quote cms-block" style="text-align: justify; ">
<p>33(2) Nothing contained in sub-section (2) or sub-section (5) of section 28 and <strong>clause (b) of </strong><strong>sub-section (1), </strong>sub-section (2) or sub-section (3) <strong>of section 29</strong> shall apply in respect of any disclosure of information, including identity information or authentication records, made in the interest of national security in pursuance of a direction of an officer not below the rank of Joint Secretary to the Government of India specially authorised in this behalf by an order of the Central Government</p>
</blockquote>
<p style="text-align: justify; ">where, Section 29(1)(b) states:</p>
<blockquote class="cms-block-quote cms-block" style="text-align: justify; ">
<p>29. (1) No core biometric information, collected or created under this Act, shall be — (b) used for any purpose other than generation of Aadhaar numbers and authentication under this Act.</p>
</blockquote>
<p style="text-align: justify; ">Pranesh Prakash, a lawyer and policy director of the Centre for Internet and Society said: “This implies that the core biometric information, collected or created under the Aadhaar Act, may be used for purposes other than the generation of Aadhaar numbers and authentication <em>'in the interest of national security.</em>'"</p>
<p style="text-align: justify; ">Legal experts point out that the phrase “national security” is undefined in the present bill, as well as the General Clauses Act, and thus the circumstances in which an individual's information may be disclosed remains open to interpretation.</p>
<p style="text-align: justify; ">Section 33(1) permits the disclosure of an individual's demographic information (but not biometrics) following an order by a district judge. It says that no such order shall be made without giving an opportunity of hearing to the UIDAI, but <em>not to the person whose data is being disclosed</em>.</p>
<p style="text-align: justify; "><strong>3. Does the Bill protect you from interception and surveillance?<br /></strong>No, the Bill does not provide for transparency concerning covert surveillance.</p>
<p style="text-align: justify; ">Section 33(2), which permits disclosure of demographic and biometric information pursuant to directions of the joint secretary in the interest of national security, says such disclosures will be for three months initially, and a fresh renewal can be granted for another three months, without a limitation on the number of such renewals.</p>
<p style="text-align: justify; ">This can lead to a user being under continuous surveillance, without any notification to the user even after the surveillance ceases, violating one of the <a class="link-external" rel="nofollow" href="http://www.ohchr.org/Documents/Issues/Privacy/ElectronicFrontierFoundation.pdf" target="_blank"><span>necessary and proportionate principles on communications surveillance</span></a> related to user notification and the right to effective remedy. In some countries, this principle has been incorporated in law. For example, in Canada, the law limits the time of wiretapping surveillance, and imposes an obligation to notify the person under surveillance within 90 days of the end of the surveillance, extendable to a maximum of three years at a time.</p>
<p style="text-align: justify; ">“The interception provisions are severely problematic," said Apar Gupta, a technology lawyer. "They are not open to independent scrutiny and even derogate from the already deficient practices which relate to phone tapping (Rule 419-A of the Telegraph Rules) and interception of data (Interception Rules, 2011).”</p>
<p style="text-align: justify; ">Legal scholar Usha Ramanathan pointed out that the Bill lacks provisions on giving notice to a person in case of breach of information, in case of third party use of data, or change in purpose of use of data – which were among provisions recommended by the Justice Shah Committee on Privacy in 2012.</p>
<p style="text-align: justify; "><strong>4. Does the Bill allow you to seek redress in case of breach of information?<br /></strong>Yes, but the provisions are weak.</p>
<p style="text-align: justify; ">Government officials overseeing the project said that the 2016 Bill is an improvement over the 2010 Bill as it safeguards the information of those enrolled as per sections of the Information Technology Act, 2000.</p>
<p style="text-align: justify; ">But technology law experts say the adjudicatory system for disclosure of sensitive personal data under the IT Act has structural flaws and is not functional.</p>
<p style="text-align: justify; ">“Initial complaints against the disclosure of sensitive personal data go to an adjudicating officer who is usually the IT Secretary of the state government and may not be trained in law,” said Gupta, the technology lawyer. “There is no court infrastructure and no permanent seat for such cases. The appellate body, the Cyber Appellate Tribunal, has not been made operational in the last three years. Hence, the civil remedies offered [in the Aadhaar Bill] are at best illusionary and unenforceable.”</p>
<p style="text-align: justify; "><strong>5. Does the Bill give you the right to alter your information?<br /></strong>No, it leaves you to the mercy of the Unique Identification Authority of India.</p>
<p style="text-align: justify; ">Imagine a situation where a user simply wants to change their first or last name, or say, not use their caste name. Under Section 31 of the Bill, individuals can only request the UID authority, which may do so “if it is satisfied”. There is no penalty on the authority if it fails to respond. The Bill does not provide for a user to even be able to approach a court to ask for their information relating to Aadhaar to be corrected.</p>
<p style="text-align: justify; ">International norms for data protection give individuals the right to correct and alter information, if their demographic data changes. They <a class="link-external" rel="nofollow" href="https://ico.org.uk/for-organisations/guide-to-data-protection/principle-6-rights/correcting-inaccurate-personal-data/" target="_blank"><span>provide</span></a> for individuals to have a copy of their information, and to approach courts for an order to rectify, block, erase inaccurate information.</p>
<p style="text-align: justify; ">In an <a class="link-external" rel="nofollow" href="http://www.livemint.com/Politics/l0H1RQZEM8EmPlRFwRc26H/Govt-narrative-on-Aadhaar-has-not-changed-in-the-last-six-ye.html" target="_blank"><span>interview</span></a> to <em>Mint</em>, Sunil Abraham, director of the Centre for Internet and Society, compared the rights of Aadhaar users to the rights we now take for granted as internet users. “Authentication factors [biometrics in the case of Aadhaar], commonly known as passwords, should always be revocable,” noted Abraham. “That means if the password is compromised, you should be able to change the password or at least say that this password is no longer valid.” In its current form, the Aadhaar Bill gives users no such rights.</p>
<p style="text-align: justify; "><strong>6. Is the current Bill an improvement over the previous one?<br /></strong>Not really.</p>
<p style="text-align: justify; ">The Aadhaar Bill 2016 provides that the renewals of requests for disclosure of data will be reviewed by an oversight committee consisting of the cabinet secretary and the secretaries in the department of legal affairs and the department of electronics and information technology.</p>
<p style="text-align: justify; ">This is a watered down version of the provisions in the previous Unique Identification Authority of India <a class="link-external" rel="nofollow" href="http://www.prsindia.org/uploads/media/UID/The%20National%20Identification%20Authority%20of%20India%20Bill,%202010." target="_blank"><span>2010 Bill</span></a>, said Chinmayi Arun, executive director, Centre for Communication Governance at the National Law University Delhi.</p>
<p style="text-align: justify; ">“The previous version or the 2010 Bill provided for a three-member review committee, consisting of the nominees of the prime minister, the leader of the opposition, and a third nominee of a union cabinet minister, with the restriction that these nominees could not be a member of parliament or a member of a political party,” Arun said. “This would be a more independent committee than the one proposed now, wherein there will be executive oversight for executive orders."</p>
<p style="text-align: justify; ">Regarding penalties, the previous 2010 Bill made copying, deleting, stealing, or altering information in the Central Identities Data Repository punishable with a jail term of up to three years and a fine not less than Rs 1 crore.</p>
<p style="text-align: justify; ">Section 38 of the new Aadhaar Bill now makes the same offence punishable with a jail term of up to three years and reduces the upper limit of the fine to “not less than ten lakh rupees”.</p>
<p style="text-align: justify; "><strong>7. Finally, does the Aadhaar Bill have enough parliamentary scrutiny?<br /></strong>The government has introduced the legislation on Aadhaar in the form of a Money Bill, which means the power of the Rajya Sabha to review and amend the Bill is curtailed ‒ if the Speaker Sumitra Mahajan certifies that this is a Money Bill.</p>
<p style="text-align: justify; ">The parliamentary committee on finance under Bharatiya Janata Party MP Yashwant Sinha had rejected the previous Bill in December 2011 citing legislative, security, and privacy concerns. Despite this, two successive Prime Ministers – Manmohan Singh and Narendra Modi – have pushed ahead with the Aadhaar project.</p>
<p style="text-align: justify; ">A common refrain has been that the unique biometric identity will resolve the problem the poor in India face in proving identity and overcome "one of the biggest barriers <a class="link-external" rel="nofollow" href="https://uidai.gov.in/UID_PDF/Front_Page_Articles/Documents/Strategy_Overveiw-001.pdf" target="_blank"><span>preventing the poor</span></a> from accessing benefits and subsidies." But last April, the UIDAI in <a class="link-external" rel="nofollow" href="http://i1.wp.com/128.199.141.55/wp-content/uploads/2015/06/Enrolment-through-introducer.jpg" target="_blank"><span>response</span></a> to an RTI application revealed that of 83.5 crore Aadhaar numbers issued till then, 99.97% were issued to people who already had at least two existing identification documents, and only 0.21 million (<a class="link-external" rel="nofollow" href="http://thewire.in/2015/06/03/most-aadhar-cards-issued-to-those-who-already-have-ids-3108/" target="_blank"><span>0.03%</span></a>) used the "introducer system" that provides an exception to those lacking identity proof.</p>
<p style="text-align: justify; ">More recently, there has been no public consultation by the government over the latest Bill.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/scroll.in-anumeha-yadav-march-24-2016-seven-reasons-why-parliament-should-debate-the-aadhaar-bill-and-not-pass-it-in-a-rush'>http://editors.cis-india.org/internet-governance/news/scroll.in-anumeha-yadav-march-24-2016-seven-reasons-why-parliament-should-debate-the-aadhaar-bill-and-not-pass-it-in-a-rush</a>
</p>
No publisher; praskrishna; Aadhaar, Internet Governance, Privacy; 2016-03-24T02:25:24Z; News Item
Seminar on Understanding Financial Technology, Cashless India, and Forced Digitalisation (Delhi, January 24)
http://editors.cis-india.org/internet-governance/news/seminar-on-understanding-financial-technology-cashless-india-and-forced-digitalisation-delhi-jan-24-2017
<b>The Centre for Financial Accountability is organising a seminar on "Understanding Financial Technology, Cashless India, and Forced Digitalisation" on Tuesday, January 24, at YWCA, Ashoka Road, New Delhi. Sumandro Chattapadhyay will participate in the seminar and speak on the emerging architecture of FinTech in India, as being developed and deployed by UIDAI and NPCI.</b>
<p><em>Cross-posted from <a href="https://letstalkfinancialaccountability.wordpress.com/2017/01/20/understanding-financial-technology-cashless-india-forced-digitalisation/">Centre for Financial Accountability</a>.</em></p>
<hr />
<h2>Programme Schedule</h2>
<h4>09:30 - Registration</h4>
<h4>10:00 - Introduction to the Seminar & Setting the Context</h4>
<p>Madhuresh Kumar, National Alliance of People’s Movements</p>
<h4>10:15–11:30 - Session 1 - Understanding the Political Context of FinTech</h4>
<p>B P Mathur, Former Dy CAG</p>
<p>Prabir Purkayastha, Free Software Movement of India and Knowledge Commons</p>
<p>C P Chandrasekhar, Centre for Economic Studies and Planning, JNU</p>
<h4>11:30-11:45 – Tea / Coffee break</h4>
<h4>11:45-13:15 - Session 2 - How will FinTech Impact the Poor, and Labour and Banking Sector?</h4>
<p>Ashim Roy, New Trade Union of India</p>
<p>Nikhil Dey, Mazdoor Kisan Shakti Sangathan</p>
<p>Ravinder Gupta, General Secretary, State Bank of India Officers Association</p>
<h4>13:15-14:00 – Lunch</h4>
<h4>14:00-15:30 - Session 3 - Understanding the Economic Context of FinTech</h4>
<p>Indira Rajaraman, Former Director, RBI</p>
<p>Tony Joseph, Sr. Journalist</p>
<h4>15:30-17:00 - Session 4 - Understanding the Architecture of FinTech: Linkages to Aadhaar, IndiaStack etc</h4>
<p>Sumandro Chattapadhyay, the Centre for Internet and Society</p>
<p>Gopal Krishna, ToxicsWatch</p>
<h4>17:00 – Tea</h4>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/seminar-on-understanding-financial-technology-cashless-india-and-forced-digitalisation-delhi-jan-24-2017'>http://editors.cis-india.org/internet-governance/news/seminar-on-understanding-financial-technology-cashless-india-and-forced-digitalisation-delhi-jan-24-2017</a>
</p>
No publisher; sumandro; Unified Payments Interface, Financial Technology, Digital ID, Big Data, Digital Economy, UID, Internet Governance, Digital India, Aadhaar, Financial Inclusion, Biometrics, Digital Payment; 2017-01-23T13:17:19Z; Blog Entry
Security experts say need to secure Aadhaar ecosystem, warn about third party leaks
http://editors.cis-india.org/internet-governance/news/economic-times-march-26-2018-nilesh-christopher-security-experts-say-need-to-secure-aadhaar-ecosystem-warn-about-third-party-leaks
<b>The public reckoning of data leaks in India’s national ID database, Aadhaar, is still on hold while reports of data leakage through third parties keep coming.</b>
<p style="text-align: justify; ">The article by Nilesh Christopher was published in <a class="external-link" href="https://economictimes.indiatimes.com/news/politics-and-nation/there-is-a-need-to-secure-full-aadhaar-ecosystem-experts/articleshow/63459367.cms">Economic Times</a> on March 26, 2018. Sunil Abraham was quoted.</p>
<hr />
<p style="text-align: justify; ">While the Unique Identification Authority of India (UIDAI) has maintained that its database is secure and there are no breaches of <a class="external-link" href="https://economictimes.indiatimes.com/topic/Aadhaar">Aadhaar</a> data from its system, security researchers warn that leaks are happening in third-party sites and it is important for the agency to ensure that its ecosystem adopts measures to keep data safe.</p>
<p style="text-align: justify; ">“Securing an entire ecosystem is more important than secure individual databases,” said security researcher Srinivas Kodali. Over the weekend, technology publication <a class="external-link" href="https://economictimes.indiatimes.com/topic/ZDnet">ZDNet</a>, citing an Indian security researcher, said that it had identified Aadhaar data leaks on a system run by a state-owned utility company, <a class="external-link" href="https://economictimes.indiatimes.com/topic/Indane">Indane</a>, that allowed anyone to access sensitive information like a name, Aadhaar number and bank details. The leak was plugged soon after the report appeared.</p>
<p style="text-align: justify; ">UIDAI came out with a strong statement denying the breach. “There is no truth in the story as there has been absolutely no breach of UIDAI’s Aadhaar database. Aadhaar remains safe and secure,” the government agency said.</p>
<p style="text-align: justify; ">There have been no reports of any breach in the core database so far. However, it is the third-parties that have acted as weak links.</p>
<p style="text-align: justify; ">“The simple parallel that can be drawn is, though Facebook’s core database of users’ information was secure, the data leak happened through third-party developers and organisations like Cambridge Analytica that have allegedly misused it,” Kodali said.</p>
<p style="text-align: justify; ">In the case of Aadhaar too, the allegations of breaches have not concerned the ‘Aadhaar database’ but rather insecure government websites and third parties with API access to the database. “In this aspect, the issue in Facebook and Aadhaar is similar. In both the cases there was no breach of database, but it was third parties that acted as the weakest link. In both cases, it was a legitimate means of access through API that was open for abuse,” said Sunil Abraham, executive director, Centre for Internet and Society.</p>
<p style="text-align: justify; ">UIDAI could take a leaf from the Indian Space Research Organisation while handling <a class="external-link" href="https://economictimes.indiatimes.com/topic/data-breach">data breach</a> reports. The state-run space agency put out a note appreciating security researchers for their efforts. An email ID to report flaws is more important than summoning people regarding data breaches.</p>
<p style="text-align: justify; ">“The fear of criminal prosecution hanging over the heads of ethical hackers would not help us develop a robust and strong security architecture,” said Karan Saini, a Delhi-based security researcher who first highlighted the Aadhaar leak at Indane.</p>
<p style="text-align: justify; ">“UIDAI is working on a policy to enable security experts to report issues in a legal and safe manner,” tweeted Ajay Bhushan Pandey, chief executive of India's Unique Identification Authority (UIDAI), the government department that administers the Aadhaar database. Seven months after the tweet, Pandey’s promise of a bug-reporting mechanism has still not fructified.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/economic-times-march-26-2018-nilesh-christopher-security-experts-say-need-to-secure-aadhaar-ecosystem-warn-about-third-party-leaks'>http://editors.cis-india.org/internet-governance/news/economic-times-march-26-2018-nilesh-christopher-security-experts-say-need-to-secure-aadhaar-ecosystem-warn-about-third-party-leaks</a>
</p>
No publisher; Admin; Aadhaar, Internet Governance, Privacy; 2018-03-26T22:37:30Z; News Item
Salient Points in the Aadhaar Bill and Concerns
http://editors.cis-india.org/internet-governance/salient-points-in-the-aadhaar-bill-and-concerns
<b>Since the release of the Aadhaar Bill, the Centre for Internet and Society has been writing a number of posts analyzing the Bill and calling out problematic areas and the implications of the same. This post is meant to contribute to this growing body of writing and call out our major concerns with the Bill. </b>
<p id="docs-internal-guid-7301bf10-976a-ed8c-7f3d-7dde76418a24" dir="ltr"><strong>Use of Aadhaar Number</strong></p>
<p dir="ltr"><em>What the Bill says:</em></p>
<ul id="docs-internal-guid-7301bf10-9771-2472-c5e8-991b7fefebd0"><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Used to establish identity: The Aadhaar number can be used by any government or private agency to validate a person’s identity for any lawful purpose, but it cannot be used as a proof of citizenship. (Sections 4, 6, and 57)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Mandatory for access to government services: The government can make it mandatory for a person to authenticate her/his identity using Aadhaar number before receiving any government subsidy, benefit, or service whose expenditure is incurred from the Consolidated Fund of India.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Those without a number, must apply for one: If someone attempting to access an applicable service does not have an Aadhaar number, he/she should make an application for enrolment, and will be allowed to use an alternative method of identification in the meantime. (Section 7)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Open to use by public and private bodies: The Bill does not prevent the use of Aadhaar number to establish identity for other lawful purposes by the State or other private bodies. (Section 57)</p>
</li></ul>
<em>Concerns:</em>
<ul id="docs-internal-guid-7301bf10-9773-5f01-28d6-bc08ffea2788"><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Aadhaar is not voluntary: Section 7 makes it mandatory to have an Aadhaar number to access services, subsidies and benefits, and stipulates that anyone who does not have an Aadhaar number must apply for it. This is counter to the repeated claims about Aadhaar being purely voluntary, and to the Supreme Court order dated August 11, 2015, which prevents making Aadhaar mandatory, barring a few specified services. The Bill does not limit mandatory use of Aadhaar to those services, and leaves the door open for the government to route more benefits, subsidies and services through the Consolidated Fund of India and expand the scope of Aadhaar.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">There are limited and unclear alternatives: While there is a proviso in the Act which speaks for “viable and alternative” means of identification where Aadhaar number is not issued, the language is not clear and speaks of cases where Aadhaar “is not assigned” rather than simply stating that it is applicable to anyone who does not have an Aadhaar number.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">There is a conflict in the objects and actual scope of the Bill: There is a conflict between the objects of the Bill which is stated as identification of individuals for targeted delivery of entitlements and Section 57 which allows all entities, public or private, to use the Aadhaar number for authentication.</p>
</li></ul>
<p dir="ltr"><strong>Enrollment Process</strong></p>
<p dir="ltr"><em>What the Bill says:</em></p>
<ul id="docs-internal-guid-7301bf10-9772-9fda-b2a1-8587dbdd816b"><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Enrolling agencies must provide notice: At the time of enrollment, the enrolling agency will inform the individual of the following details— i) how their information will be used; ii) what type of entities the information will be shared with; and iii) that they have a right to access their information, and also tell them how they can access their information. (Section 3)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Biometrics and demographics will be collected: Biometric information and demographic information will be collected at enrollment. Biometric information means photograph, fingerprint, iris scan, or any other biological attributes specified by regulations. Demographic information includes information relating to the name, date of birth, address and other relevant information as specified by regulations. (Section 2)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Special measures to ensure enrollment for all: The UIDAI will take special measures to issue Aadhaar number to women, children, senior citizens, persons with disability, unskilled and unorganised workers, nomadic tribes or to such other persons who do not have any permanent residence and similar categories of individuals as specified by the regulations. (Section 5)</p>
</li></ul>
<p dir="ltr"><em>Concerns:</em></p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">The Bill fails to address implementation issues: The Bill does not address issues that have arisen during enrolment processes that have already been implemented. These include: the collection of additional and unnecessary information; unclear retention, storage, and destruction standards for data collected by enrollment agencies; abuse of methods used to ensure all have access to the enrollment process; and inaccuracy in the collection of data. A detailed procedure and chain of custody for the enrollment process need to be addressed through provisions in the Bill, particularly as this process is undertaken by contracted third party registrars and enrolling agencies.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Definition of “Biometric Information” is broad and ambiguous: The Bill defines “biometric information” as “photograph, fingerprint, iris scan, or other such biological attributes of an individual.” This definition is broad and gives sweeping discretionary power to the UIDAI / Central Government to determine “other such biological attributes of an individual”. The definition should be precise and exhaustive in its scope. Any modification to this, and other terms in the Bill, should take place only through a legislative act.</p>
</li></ul>
<p dir="ltr"><strong>Authentication Process</strong></p>
<p dir="ltr"><em>What the Bill says:</em></p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Consent and use limitation during authentication: The Bill states that any requesting entity will— (a) take consent from the individual before collecting his/her Aadhaar information; (b) use the information only for authentication with the CIDR.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Notice during authentication: Further, the entity requesting authentication will also inform the individual of the following— (a) what type of information will be shared for authentication; (b) what will the information be used for; and (c) whether there is any alternative to submitting the Aadhaar information to the requesting entity. (Section 8)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Retention of authentication records: The UIDAI will maintain the authentication records in the manner and for as long as specified by regulations. (Section 32) The UIDAI will not collect, keep or maintain any information about the purpose of authentication. (Section 32)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Ability to obtain authentication records: Every Aadhaar number holder may obtain his authentication record as specified by regulations. (Section 32)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Requirement to update information: The UIDAI has the power to require residents to update their demographic and biometric information from time to time. (Section 6)</p>
</li></ul>
<p dir="ltr"><em>Concerns:</em></p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Lack of strong consent mechanism: While the Bill does provide for seeking consent for collecting and using an Aadhaar for authentication, the Bill does not specify that this must be informed consent with an ‘opt out’ mechanism and does not specify the manner in which such consent should be sought. This leaves it in the hands of the UIDAI and possibly the third requesting entity to determine the form of consent that is to be taken. This could result in ambiguous, misleading, or inconsistent consent mechanisms being used. </p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Lack of strong notice mechanism: While the Bill does provide that individuals should be given notice of the type of information to be shared and what the information will be used for, and any alternative identity that will be accepted during the authentication process, this is a minimal notice and does not meet the standards in the (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 which require individuals to be notified of a) the fact that the information is being collected b) the purposes for which the information is being collected c) the intended recipients of the information d) the name and address of the agency collecting the information and the agency that will retain the information. Furthermore, the Bill does not require the UIDAI, contracted bodies, or requesting entities to notify individuals of any changes in organizational privacy policies. </p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">“Obtaining” rather than the right to access: Instead of providing the individual with a clear right to access the information that the UIDAI holds about him or her, the Bill waters down this safeguard by giving the individual the ability to obtain only his authentication record. What ‘obtaining’ will entail and how one will go about it is delegated to regulations. </p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Lack of ability to opt out, withdraw consent and/or ‘exit’ Aadhaar: There are no opt-out mechanisms in the Aadhaar Act. This means that individuals cannot:</p>
</li>
<ul><li style="list-style-type: circle;" dir="ltr">
<p dir="ltr">Opt out and leave the Aadhaar ‘ecosystem’ once enrolled and their information is not deleted.</p>
</li><li style="list-style-type: circle;" dir="ltr">
<p dir="ltr">Opt out of sharing of information at the enrollment stage or authentication stage.</p>
</li><li style="list-style-type: circle;" dir="ltr">
<p dir="ltr">Opt out of any use, disclosure, or retention of their information prescribed by the Act.</p>
</li></ul>
</ul>
<p> </p>
<p dir="ltr"><strong>Security</strong></p>
<p dir="ltr"><em>What the Bill says:</em></p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Security measures for information with UIDAI: The UIDAI will take measures to ensure that all information with the UIDAI, including CIDR records is secured and protected against access, use or disclosure and against destruction, loss or damage. (Section 28)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Security measures through contract: The UIDAI will adopt and implement appropriate technical and organisational security measures, and ensure the same are imposed through agreements/arrangements with its agents, consultants, advisors or other persons. (Section 28)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Security protocol via regulations: The UIDAI has the power to prescribe via regulation various processes relating to data management, security protocol and other technology safeguards (Section 54) </p>
</li></ul>
<p dir="ltr"><em>Concerns:</em></p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Undefined security measures: The Bill specifies that appropriate technical and organisational security measures shall be put in place without elaborating upon what those measures should be or defining any standards that they will adhere to. The Bill gives the Authority the power to define broad regulations pertaining to security protocol.</p>
</li></ul>
<p> </p>
<p dir="ltr"><strong>Confidentiality</strong></p>
<p dir="ltr"><em>What the Bill says:</em></p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Restriction on Sharing, Disclosure, and Use: Unless otherwise provided, the UIDAI or its agents will not reveal any information in the CIDR to anyone. (Section 28) The core biometric information collected will not be a) shared with anyone for any reason, and b) used for any purpose other than generation of Aadhaar numbers and authentication. (Section 29) Identity information, other than core biometric information, may be shared as per this Act and regulations specified under it. (Section 29) Identity information available with a requesting entity will not be used for any purpose other than what is specified to the individual, nor will it be shared further without the individual’s consent. (Section 29) Aadhaar numbers or core biometric information will not be made public except as specified by regulations. (Section 30)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Application of Information Technology Act: All biometric information collected and stored in electronic form will be deemed to be “electronic record” and “sensitive personal data or information” under Information Technology Act, 2000 and its provisions and rules will apply to it in addition to this Act. (Section 30)</p>
</li></ul>
<p dir="ltr"><em>Concerns:</em></p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Aadhaar numbers and biometric information to be made public: It is unclear for what purposes it would be necessary for Aadhaar numbers and core biometric information to be made public and it is concerning that such circumstances are left to be defined by regulation. This is different from the Telegraph Act and the IT Act which define the circumstances for interception in the Act and define the procedure for carrying out interception orders in associated Rules. Defining circumstances for such information to be made public is against the disclosure standards in the 43A Rules - which would be applicable to the UIDAI and the disclosure of core biometric information.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Unclear application of Section 43 A Rules: The Bill characterises biometric information collected as ‘sensitive personal data or information’ under the Information Technology Act, 2000 and Section 43A Rules and states that the Act and Rules would be applicable to biometric information. If this is the case, then any body corporate (including the UIDAI) collecting, processing, or storing biometric information would need to follow the standards established in the Rules - including standards for collection, consent, disclosure, sharing, retention, and security. Yet, the Bill allows the UIDAI to make regulations for collection, disclosure, security etc.</p>
</li></ul>
<p> </p>
<p dir="ltr"><strong>Disclosure</strong></p>
<p dir="ltr"><em>What the Bill says:</em></p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Disclosure during authentication: During authentication, the UIDAI will respond to the authentication request with yes, no, or other appropriate response and share identity information about the Aadhaar number holder, but not share any biometric information. (Section 8)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Exceptions to confidentiality provisions: The UIDAI may reveal identity information, authentication records or any information in the CIDR following a court order by a District Judge or higher. Any such order may only be made after UIDAI is allowed to appear in a hearing. (Section 33) The confidentiality provisions in Sections 28 and 29 will not apply with respect to disclosure made in the interest of national security following directions by a Joint Secretary to the Government of India, or an officer of a higher rank, authorised for this purpose. (Section 33)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Oversight Committee: An Oversight Committee comprising Cabinet Secretary, and Secretaries of two departments — Department of Legal Affairs and DeitY— will review every direction under 33 B above. Any directions in the interest of national security above are valid for 3 months, after which they may be extended following a review by the Oversight Committee. (Section 33) </p>
</li></ul>
<p dir="ltr"><em>Concerns:</em></p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Unnecessary disclosure during authentication: Usually authentication would be a binary process leading to a yes or no result, however, Section 8 also allows sharing of identity information in certain cases. It is unclear why any additional information would need to be shared in the authentication process.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Lack of opportunity to data subject: In case of a court order identity information and authentication records of an individual can be revealed without any notice or opportunity of hearing to the individual affected. Aside from allowing the UIDAI a right to be heard, the Bill does not provide any means by which an individual can contest such an order or challenge it after it has been passed.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Lack of defined functions and responsibilities of oversight mechanisms: Section 33 currently specifies a procedure for oversight by a committee, however, there are no substantive provisions laid down as the guiding principles establishing the responsibilities and powers of the oversight mechanism.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Low standards for disclosure order: Though a court order from a District Judge is required to authorize disclosure of information, the Bill fails to define important standards that such an order must meet, including that the order is necessary and proportionate.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Sweeping exception of National Security: Disclosures that are made ‘in the interest of national security’ do not require authorization by a judge and instead can be authorized by the Joint Secretary of the Government of India - a standard lower than that established in the Telegraph Act and IT Act for the interception of communications.</p>
</li></ul>
<p> </p>
<p dir="ltr"><strong>Power of UIDAI to make rules and regulations</strong></p>
<p dir="ltr"><em>What the Bill says:</em></p>
<p dir="ltr">The matters on which the UIDAI may frame rules include:</p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">The process of collecting information,</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Verification of information,</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Individual access to information,</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Sharing and disclosure of information,</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Alteration of information,</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Request and response for authentication,</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Defining use of Aadhaar numbers,</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Defining privacy and security processes,</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Specifying processes relating to data management, security protocols and other technology safeguards under this Act</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Establishing redressal mechanisms.</p>
</li></ul>
<p dir="ltr"><em>Concerns</em>:</p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Over delegation of powers to the UIDAI: This Bill follows in the tradition of laws like the Information Technology Act, which allows the executive a very high degree of discretionary power. As mentioned above, a number of important powers which should ideally be within the purview of the legislature are delegated to the UIDAI. The UIDAI has been administrating the project since its inception, and a number of problems have already been documented in processes such as collection, verification, sharing of information, privacy and security processes. Rather than addressing these problems, the Bill allows the UIDAI to continue to have similar powers.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Lack of independence of grievance redressal mechanism: Within the text of the Bill there is no grievance redressal mechanism created under the Bill. The power to set up such a mechanism is delegated to the UIDAI under Section 23 (2) (s) of the Bill. However, making the entity administering a project also responsible for providing for the frameworks to address the grievances arising from the project severely compromises the independence of the grievance redressal body.</p>
</li></ul>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/salient-points-in-the-aadhaar-bill-and-concerns'>http://editors.cis-india.org/internet-governance/salient-points-in-the-aadhaar-bill-and-concerns</a>
</p>
No publisher | Amber Sinha and Elonnai Hickok | UID, Privacy, Internet Governance, Aadhaar, Biometrics | 2016-03-21T04:37:48Z | Blog Entry
Right to Food Campaign, Ranchi Convention, 2016
http://editors.cis-india.org/internet-governance/news/right-to-food-campaign-ranchi-convention-2016
<b>The Right to Food Campaign held its 2016 Convention in Ranchi during September 23-25, 2016. While three years have elapsed since the passage of the National Food Security Act, despite improvements in the Public Distribution System (PDS), large implementation gaps remain. This is what the Convention focused on, and gathered researchers and campaigners from across the country to share experiences and case studies on effectiveness and exclusions from the PDS. Sumandro Chattapadhyay took part in a session of the Convention to discuss how UID-linked welfare delivery is being rolled out across key programmes like provision of pension and rationed distribution of essential commodities, and their impact on people's right to welfare services.</b>
<p> </p>
<h4>Right to Food Campaign: <a href="http://www.righttofoodcampaign.in/">Website</a>.</h4>
<h4>Right to Food Campaign: <a href="https://docs.google.com/viewer?a=v&pid=sites&srcid=ZGVmYXVsdGRvbWFpbnxoYXFyb3ppcm90aXxneDo3MmQ3MTMyZjU2N2FjOGU">Cash Transfers and UID: Our Main Demands</a>.</h4>
<h4>Ranchi Convention, 2016: <a href="https://docs.google.com/document/d/110_asJ1t14IWALbhWN1RjDiOV8WE-fIK2xJC5Yltyc4/edit">Programme</a>.</h4>
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/right-to-food-campaign-ranchi-convention-2016'>http://editors.cis-india.org/internet-governance/news/right-to-food-campaign-ranchi-convention-2016</a>
</p>
No publisher | sumandro | Big Data, Data Systems, Internet Governance, Surveillance, Aadhaar, Welfare Governance, Biometrics, Big Data for Development, UID | 2019-03-16T04:40:52Z | Blog Entry
Revisiting Aadhaar: Law, Tech and Beyond
http://editors.cis-india.org/internet-governance/news/revisiting-aadhaar-law-tech-and-beyond
<b>Udbhav Tiwari attended a panel on "Revisiting Aadhaar: Law, Tech and Beyond" held at the India International Centre Annexe on May 9, 2017 in New Delhi, organised by the Software Freedom Law Centre (SFLC.in) in collaboration with Digital Empowerment Foundation and IT for Change.</b>
<div style="text-align: justify; ">The panel consisted of:</div>
<div style="text-align: justify; ">
<ul>
<li>Saikat Datta; Policy Director, Centre for Internet and Society (Moderator) </li>
<li>Anivar Aravind; Founder/Director at Indic Project </li>
<li>Anupam Saraph; Professor and Future Designer </li>
<li>Prasanna S; Advocate </li>
<li>Shyam Divan; Senior Advocate, Supreme Court </li>
<li>Srinivas Kodali; Co-founder at Open Stats </li>
<li>Osama Manzar; Founder and Director, Digital Empowerment Foundation </li>
<li>Usha Ramanathan; Legal Researcher</li>
</ul>
</div>
<p style="text-align: justify; ">The panel was quite enlightening (and Saikat was a stellar moderator), with Mr. Divan's elucidation on the arguments made in the court for the Aadhaar case in particular being a great learning experience. Benjamin and Sheetal (both interns in the Delhi office) along with Sumandro also attended the event.</p>
<p style="text-align: justify; ">The other learning was that for people who have attended multiple such panels/seminars and meetings on Aadhaar, they can have a lot of repeated content. I passed on the feedback to SFLC about how they could possibly include a small 10 to 15 minute session in future such panels on developments since the previous such event on the Aadhaar and include practical aspects about what people can do about minimising the harms that we are all slowly being co-opted into facing with the system.</p>
<p style="text-align: justify; ">More info about the event <a class="external-link" href="http://sflc.in/panel-discussion-revisiting-aadhaar-law-tech-and-beyond-may-9-2017-new-delhi/">here</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/revisiting-aadhaar-law-tech-and-beyond'>http://editors.cis-india.org/internet-governance/news/revisiting-aadhaar-law-tech-and-beyond</a>
</p>
No publisher | praskrishna | Aadhaar, Internet Governance, Privacy | 2017-05-19T14:47:32Z | News Item
Request for Specifics: Rebuttal to UIDAI
http://editors.cis-india.org/internet-governance/blog/economic-and-political-weekly-journal-vol-51-issue-36-september-3-2016-hans-varghese-mathews-request-for-specifics
<b>Responding to the Unique Identification Authority of India’s article that found “serious mathematical errors” in “Flaws in the UIDAI Process” (EPW 12 March 2016), the main mathematical argument used to arrive at the number of duplicates in the biometric database is explained.</b>
<p style="text-align: justify; ">The article was published in the <a class="external-link" href="http://www.epw.in/journal/2016/36/documents/request-specifics-rebuttal-uidai.html">Economic & Political Weekly</a> on September 3, 2016, Vol.51, Issue No.36.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The author of a technical paper will be alarmed when he is convicted of “serious mathematical errors” by someone who has not bothered himself with “going too deep into the mathematics” used. The man must possess miraculous powers of divination one feels: fears rather. The UIDAI seems to have even such formidable diviners in their employ: who have dismissed just so peremptorily, in their rebuttal, the calculations made in my paper titled Flaws in the UIDAI process. The paper appeared in the issue of this journal dated to February 27 of this year. The rebuttal was published in the issue dated to the 12th of March. The interested reader can confirm that I have only repeated what was said there. The rebuttal does not specify, in any way, the mathematical mistakes I am supposed to have made. So I shall rehearse the relevant calculations very broadly: and the experts of the UIDAI will then exhibit, I trust, the specific mistakes they impute to me.<a href="#ftn*">[*]</a></p>
<hr />
<p style="text-align: justify; "><a name="ftn*">[*]</a> My reply to the UIDAI's attempted rebuttal was sent in to the EPW a few days after that appeared in print: and published as a “web exclusive” article in Volume 51, Issue Number 36 of the EPW, on 03/09/2016.</p>
<p style="text-align: justify; "><b><a class="external-link" href="http://cis-india.org/internet-governance/files/requestForSpecifics.pdf">Read the Full Article</a></b></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/economic-and-political-weekly-journal-vol-51-issue-36-september-3-2016-hans-varghese-mathews-request-for-specifics'>http://editors.cis-india.org/internet-governance/blog/economic-and-political-weekly-journal-vol-51-issue-36-september-3-2016-hans-varghese-mathews-request-for-specifics</a>
</p>
No publisher | hans | UID, Aadhaar, Internet Governance, Privacy | 2016-10-30T15:06:31Z | Blog Entry
Report on Understanding Aadhaar and its New Challenges
http://editors.cis-india.org/internet-governance/blog/report-on-understanding-aadhaar-and-its-new-challenges
<b>The Trans-disciplinary Research Cluster on Sustainability Studies at Jawaharlal Nehru University collaborated with the Centre for Internet and Society, and other individuals and organisations to organise a two day workshop on “Understanding Aadhaar and its New Challenges” at the Centre for Studies in Science Policy, JNU on May 26 and 27, 2016. The objective of the workshop was to bring together experts from various fields, who have been rigorously following the developments in the Unique Identification (UID) Project and align their perspectives and develop a shared understanding of the status of the UID Project and its impact. Through this exercise, it was also sought to develop a plan of action to address the welfare exclusion issues that have arisen due to implementation of the UID Project.</b>
<p> </p>
<h4>Report: <a href="http://editors.cis-india.org/internet-governance/files/report-on-understanding-aadhaar-and-its-new-challenges/at_download/file">Download</a> (PDF)</h4>
<hr />
<p style="text-align: justify;">This Report is a compilation of the observations made by participants at the workshop relating to myriad issues under the UID Project and various strategies that could be pursued to address these issues. In this Report we have classified the observations and discussions into following themes:</p>
<p><strong>1.</strong> <a href="#1">Brief Background of the UID Project</a></p>
<p><strong>2.</strong> <a href="#2">Legal Status of the UIDAI Project</a></p>
<ul>
<li><a href="#21">Procedural issues with passage of the Act</a></li>
<li><a href="#22">Status of related litigation</a></li></ul>
<p><strong>3.</strong> <a href="#3">National Identity Projects in Other Jurisdictions</a></p>
<ul>
<li><a href="#31">Pakistan</a></li>
<li><a href="#32">United Kingdom</a></li>
<li><a href="#33">Estonia</a></li>
<li><a href="#34">France</a></li>
<li><a href="#35">Argentina</a></li></ul>
<p><strong>4.</strong> <a href="#4">Technologies of Identification and Authentication</a></p>
<ul>
<li><a href="#41">Use of Biometric Information for Identification and Authentication</a></li>
<li><a href="#42">Architectures of Identification</a></li>
<li><a href="#43">Security Infrastructure of CIDR</a></li></ul>
<p><strong>5.</strong> <a href="#5">Aadhaar for Welfare?</a></p>
<ul>
<li><a href="#51">Social Welfare: Modes of Access and Exclusion</a></li>
<li><a href="#52">Financial Inclusion and Direct Benefits Transfer</a></li></ul>
<p><strong>6.</strong> <a href="#6">Surveillance and UIDAI</a></p>
<p><strong>7.</strong> <a href="#7">Strategies for Future Action</a></p>
<p><strong>Annexure A</strong> <a href="#AA">Workshop Agenda</a></p>
<p><strong>Annexure B</strong> <a href="#AB">Workshop Participants</a></p>
<hr />
<h3 id="1" style="text-align: justify;"><strong>1. Brief Background of the UID Project</strong></h3>
<p style="text-align: justify;">In the year 2009, the UIDAI was established and the UID project was conceived by the Planning Commission under the UPA government to provide unique identification for each resident in India and to be used for delivery of welfare government services in an efficient and transparent manner, along with using it as a tool to monitor government schemes. The objective of the scheme has been to issue a unique identification number by the Unique Identification Authority of India, which can be authenticated and verified online. It was conceptualized and implemented as a platform to facilitate identification and avoid fake identity issues and delivery of government benefits based on the demographic and biometric data available with the Authority.</p>
<p style="text-align: justify;">The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (the “<strong>Act</strong>”) was passed as a money bill on March 16, 2016 and was notified in the gazette on March 25, 2016 upon receiving the assent of the President. However, the enforceability date has not been mentioned due to which the bill has not come into force.</p>
<p style="text-align: justify;">The Act provides that the Aadhaar number can be used to validate a person’s identity, but it cannot be used as a proof of citizenship. Also, the government can make it mandatory for a person to authenticate her/his identity using Aadhaar number before receiving any government subsidy, benefit, or service. At the time of enrolment, the enrolling agency is required to provide notice to the individual regarding how the information will be used, the type of entities the information will be shared with and their right to access their information. Consent of an individual would be obtained for using his/her identity information during enrolment as well as authentication, and the individual would be informed of the nature of information that may be shared. The Act clearly lays down that the identity information of a resident shall not be used for any purpose other than specified at the time of authentication and disclosure of information can be made only pursuant to an order of a court not inferior to that of a District Judge and/or disclosure made in the interest of national security.</p>
<h3 id="2" style="text-align: justify;"><strong>2. Legal Status of the UIDAI Project</strong></h3>
<p style="text-align: justify;">In this section, we have summarised the discussions on the procedural issues with the passage of the Act. The participants had criticised the passage of the Act as a money bill in the Parliament. The participants also assessed the litigation pending in the Supreme Court of India that would be affected by this law. These discussions took place in the session titled, ‘Current Status of Aadhaar’ and have been summarised below.</p>
<h3 id="21" style="text-align: justify;">Procedural Issues with Passage of the Act</h3>
<p style="text-align: justify;">The participants contested the introduction of the Act in the form of a money bill. The rationale behind this was explained at the session and is briefly explained here. Article 110 (1) of the Constitution of India defines a money bill as one containing provisions only regarding the matters enumerated or any matters incidental to the following: a) imposition, regulation and abolition of any tax, b) borrowing or other financial obligations of the Government of India, c) custody, withdrawal from or payment into the Consolidated Fund of India (CFI) or Contingent Fund of India, d) appropriation of money out of CFI, e) expenditure charged on the CFI or f) receipt or custody or audit of money into CFI or public account of India. The Act makes references to benefits, subsidies and services which are funded by the Consolidated Fund of India (CFI), however the main objective of the Act is to create a right to obtain a unique identification number and provide for a statutory mechanism to regulate this process. The Act only establishes an identification mechanism which facilitates distribution of benefits and subsidies funded by the CFI and this identification mechanism (Aadhaar number) does not give it the character of a money bill. Further, money bills can be introduced only in the Lok Sabha, and the Rajya Sabha cannot make amendments to such bills passed by the Lok Sabha. The Rajya Sabha can suggest amendments, but it is the Lok Sabha’s choice to accept or reject them. This leaves the Rajya Sabha with no effective role to play in the passage of the bill.</p>
<p style="text-align: justify;">The participants also briefly examined the writ petition that has been filed by former Union minister Jairam Ramesh challenging the constitutionality and legality of the treatment of this Act as a money bill which has raised the question of judiciary’s power to review the decisions of the speaker. Article 122 of the Constitution of India provides that this power of judicial review can be exercised to look into procedural irregularities. The question remains whether the Supreme Court will rule that it can determine the constitutionality of the decision made by the speaker relating to the manner in which the Act was introduced in the Lok Sabha. A few participants mentioned that similar circumstances had arisen in the case of Mohd. Saeed Siddiqui v. State of U.P. <a href="#ftn1">[1]</a>, where the Supreme Court refused to interfere with the decision of the Uttar Pradesh legislative assembly speaker certifying an amendment bill to increase the tenure of the Lokayukta as a money bill, despite the fact that the bill amended the Uttar Pradesh Lokayukta and Up-Lokayuktas Act, 1975, which was passed as an ordinary bill by both houses. The Court in this case held that the decision of the speaker was final and that the proceedings of the legislature being important legislative privilege could not be inquired into by courts. The Court added, “the question whether a bill is a money bill or not can be raised only in the state legislative assembly by a member thereof when the bill is pending in the state legislature and before it becomes an Act.”</p>
<p style="text-align: justify;">However, it is necessary to carve a distinction between the Rajya Sabha and the State Legislature. Unlike the State Legislature, the constitution of the Rajya Sabha is not optional; therefore, the significance of the two bodies in the parliamentary process cannot be considered the same. Participants also made another significant observation about a similar bill on the UID project (National Identification Authority of India (NIDAI) Bill) that was introduced earlier by the UPA government in 2010 and was deemed unacceptable by the standing committee on finance, headed by Yashwant Sinha. This bill was subsequently withdrawn.</p>
<h3 id="22" style="text-align: justify;">Status of Related Litigation</h3>
<p style="text-align: justify;">A panellist in this session briefly summarised all the litigation that was related to or would be affected by the Act. The panellist also highlighted several Supreme Court orders in the case of <em>KS Puttaswamy v. Union of India</em> <a href="#ftn2">[2]</a> which limited the use of Aadhaar. We have reproduced the presentation below.</p>
<ul>
<li style="text-align: justify;"><em>KS Puttaswamy v. Union of India</em> - This petition was filed in 2012 with primary concern about providing Aadhaar numbers to illegal immigrants in India. It was contended that this could not be done without a law establishing the UIDAI and amendment to the Citizenship laws. The petitioner raised concerns about privacy and fallibility of biometrics.</li>
<li style="text-align: justify;"> Sudhir Vombatkere & Bezwada Wilson <a href="#ftn3">[3]</a> - This petition was filed in 2013 on grounds of infringement of right to privacy guaranteed under Article 21 of the Constitution of India and the security threat on account of data convergence.</li>
<li style="text-align: justify;">Aruna Roy & Nikhil Dey <a href="#ftn4">[4]</a> - This petition was filed in 2013 on the grounds of large scale exclusion of people from access to basic welfare services caused by UID. After their petition, a number of intervention applications were filed. These were the following:</li>
<li style="text-align: justify;">Col. Mathew Thomas <a href="#ftn5">[5]</a> - This petition was filed on the grounds of threat to national security posed by the UID project particularly in relation to arrangements for data sharing with foreign companies (with links to foreign intelligence agencies).</li>
<li style="text-align: justify;">Nagrik Chetna Manch <a href="#ftn6">[6]</a> - This petition was filed in 2013 and led by Dr. Anupam Saraph on the grounds that the UID project was detrimental to financial service regulation and financial <em>inclusion.</em></li>
<li style="text-align: justify;">S. Raju <a href="#ftn7">[7] </a> - This petition was filed on the grounds that the UID project had implications on the federal structure of the State and was detrimental to financial inclusion.</li>
<li style="text-align: justify;"><em>Beghar Foundation</em> - This petition was filed in 2013 in the Delhi High Court on the grounds of invasion of privacy and exclusion, specifically in relation to the homeless. It subsequently joined the petition filed by Aruna Roy and Nikhil Dey as an intervener.</li>
<li style="text-align: justify;">Vickram Crishna – This petition was originally filed in the Bombay High Court in 2013 on the grounds of surveillance and invasion of privacy. It was later transferred to the Supreme Court.</li>
<li style="text-align: justify;">Somasekhar – This petition was filed on the grounds of procedural unreasonableness of the UID project and also exclusion & privacy. The petitioner later intervened in the petition filed by Aruna Roy and Nikhil Dey in 2013.</li>
<li style="text-align: justify;">Rajeev Chandrashekhar– This petition was filed on the ground of lack of legal sanction for the UID project. He later intervened in the petition filed by Aruna Roy and Nikhil Dey in 2013. His position has changed now.</li>
<li style="text-align: justify;">Further, a petition was filed by Mr. Jairam Ramesh initially challenging the passage of the Act as a money bill but subsequently, it has been amended to include issues of violation of right to privacy and exclusion of the poor and has advocated for five amendments that were suggested to the Aadhaar Bill by the Rajya Sabha.</li></ul>
<h3 id="23" style="text-align: justify;">Relevant Orders of the Supreme Court</h3>
<p>There are six orders of the Supreme Court which are noteworthy.</p>
<ul>
<li style="text-align: justify;">Order of Sept. 23, 2013 - The Supreme Court directed that: 1) no person shall suffer for not having an aadhaar number despite the fact that a circular by an authority makes it mandatory; 2) it should be checked if a person applying for aadhaar number voluntarily is entitled to it under the law; and 3) precaution should be taken that it is not issued to illegal immigrants.</li>
<li style="text-align: justify;">Order of 26th November, 2013 – Applications were filed by UIDAI, Ministry of Petroleum & Natural Gas, Govt of India, Indian Oil Corporation, BPCL and HPCL for modifying the September 23rd order and sought permission from the Supreme Court to make aadhaar number mandatory. The Supreme Court held that the order of September 23rd would continue to be effective.</li>
<li style="text-align: justify;">Order of 24th March, 2014 – This order was passed by the Supreme Court in a special leave petition filed in the case of <em>UIDAI v CBI</em> <a href="#ftn8">[8] </a> wherein UIDAI was asked to share biometric information of all residents of a particular place in Goa to facilitate a criminal investigation involving charges of rape and sexual assault. The Supreme Court restrained UIDAI from transferring any biometric information of an individual to any other agency without his consent in writing. The Supreme Court also directed all the authorities to modify their forms/circulars and the like so as to not make aadhaar number mandatory.</li>
<li style="text-align: justify;">Order of 16th March, 2015 - The SC took notice of widespread violations of the order passed on September 23rd, 2013 and directed the Centre and the states to adhere to these orders to not make aadhaar compulsory.</li>
<li style="text-align: justify;">Orders of August 11, 2015 – In the first order, the Central Government was directed to publicise the fact that aadhaar was voluntary. The Supreme Court further held that provision of benefits due to a citizen of India would not be made conditional upon obtaining an aadhaar number and restricted the use of aadhaar to the PDS Scheme and in particular for the purpose of distribution of foodgrains, etc. and cooking fuel, such as kerosene and the LPG Distribution Scheme. The Supreme Court also held that information of an individual that was collected in order to issue an aadhaar number would not be used for any purpose except when directed by the Court for criminal investigations. Separately, the status of fundamental right to privacy was contested and accordingly the Supreme Court directed that the issue be taken up before the Chief Justice of India.</li>
<li style="text-align: justify;">Orders of October 16, 2015 – The Union of India, the states of Gujarat, Maharashtra, Himachal Pradesh and Rajasthan, and authorities including SEBI, TRAI, CBDT, IRDA, RBI applied for a hearing before the Constitution Bench for modification of the order passed by the Supreme Court on August 11 to allow use of aadhaar number for schemes like the Mahatma Gandhi National Rural Employment Guarantee Scheme (MGNREGS), National Social Assistance Programme (Old Age Pensions, Widow Pensions, Disability Pensions), Prime Minister's Jan Dhan Yojana (PMJDY) and Employees' Provident Fund Organisation (EPFO). The Bench allowed the use of aadhaar number for these schemes but stressed upon the need to keep aadhaar scheme voluntary until the matter was finally decided.</li></ul>
<p style="text-align: justify;">Status of these orders<br />The participants discussed the possible impact of the law on the operation of these orders. A participant pointed out that matters in the Supreme Court had not become infructuous because fundamental issues that were being heard in the Supreme Court had not been resolved by the passage of the Act. Several participants believed that the aforementioned orders were effective because the law had not come into force. Therefore, aadhaar number could only be used for purposes specified by the Supreme Court and it could not be made mandatory. Participants also highlighted that when the Act was implemented, it would not nullify the orders of the Supreme Court unless Union of India asked the Supreme Court for it specifically and the Supreme Court sanctioned that.</p>
<h3 id="3" style="text-align: justify;"><strong>3. National Identity Projects in Other Jurisdictions</strong></h3>
<p style="text-align: justify;">A panellist had provided a brief overview of similar programs on identification that have been launched in other jurisdictions including Pakistan, United Kingdom, France, Estonia and Argentina in the recent past in the session titled ‘Aadhaar - International Dimensions’. This presentation mainly sought to assess the incentives that drove the governments in these jurisdictions to formulate these projects, mandatory nature of their adoption and their popularity. The Report has reproduced the presentation here.</p>
<h3 id="31" style="text-align: justify;">Pakistan</h3>
<p style="text-align: justify;">The Second Amendment to the Constitution of Pakistan in 2000 established the National Database and Regulation Authority in the country, which regulates government databases and statistically manages the sensitive registration database of the citizens of Pakistan. It is also responsible for issuing national identity cards to the citizens of Pakistan. Although the card is not legally compulsory for a Pakistani citizen, it is mandatory for:</p>
<ul>
<li>Voting</li>
<li>Obtaining a passport</li>
<li>Purchasing vehicles and land</li>
<li>Obtaining a driver licence</li>
<li>Purchasing a plane or train ticket</li>
<li>Obtaining a mobile phone SIM card</li>
<li>Obtaining electricity, gas, and water</li>
<li>Securing admission to college and other post-graduate institutes</li>
<li>Conducting major financial transactions</li></ul>
<p style="text-align: justify;">Therefore, it is pretty much necessary for basic civic life in the country. In 2012, NADRA introduced the Smart National Identity Card, an electronic identity card, which implements 36 security features. The following information can be found on the card and subsequently the central database: Legal Name, Gender (male, female, or transgender), Father's name (Husband's name for married females), Identification Mark, Date of Birth, National Identity Card Number, Family Tree ID Number, Current Address, Permanent Address, Date of Issue, Date of Expiry, Signature, Photo, and Fingerprint (Thumbprint). NADRA also records the applicant's religion, but this is not noted on the card itself. (This system has not been removed yet and is still operational in Pakistan.)</p>
<h3 id="32" style="text-align: justify;">United Kingdom</h3>
<p style="text-align: justify;">The Identity Cards Act was introduced in the wake of the terrorist attacks on 11th September, 2001, amidst rising concerns about identity theft and the misuse of public services. The card was to be used to obtain social security services, but the ability to properly identify a person to their true identity was central to the proposal, with wider implications for prevention of crime and terrorism. The cards were linked to a central database (the National Identity Register), which would store information about all of the holders of the cards. The concerns raised by human rights lawyers, activists, security professionals and IT experts, as well as politicians were not to do with the cards as much as with the NIR. The Act specified 50 categories of information that the NIR could hold, including up to 10 fingerprints, digitised facial scan and iris scan, current and past UK and overseas places of residence of all residents of the UK throughout their lives. The central database was purported to be a prime target for cyber attacks, and was also said to be a violation of the right to privacy of UK citizens. The Act was passed by the Labour Government in 2006, and repealed by the Conservative-Liberal Democrat Coalition Government as part of their measures to “reverse the substantial erosion of civil liberties under the Labour Government and roll back state intrusion.”</p>
<h3 id="33" style="text-align: justify;">Estonia</h3>
<p style="text-align: justify;">The Estonian i-card is a smart card issued to Estonian citizens by the Police and Border Guard Board. All Estonian citizens and permanent residents are legally obliged to possess this card from the age of 15. The card stores data such as the user's full name, gender, national identification number, and cryptographic keys and public key certificates. The cryptographic signature in the card is legally equivalent to a manual signature, since 15 December 2000. The following are a few examples of what the card is used for:</p>
<ul>
<li>As a national ID card for legal travel within the EU for Estonian citizens</li>
<li>As the national health insurance card</li>
<li>As proof of identification when logging into bank accounts from a home computer</li>
<li>For digital signatures</li>
<li>For i-voting</li>
<li>For accessing government databases to check one’s medical records, file taxes, etc.</li>
<li>For picking up e-Prescriptions</li>
<li>(This system is also operational in the country and has not been removed)</li></ul>
<h3 id="34" style="text-align: justify;">France</h3>
<p style="text-align: justify;">The biometric ID card was to include a compulsory chip containing personal information, such as fingerprints, a photograph, home address, height, and eye colour. A second, optional chip was to be implemented for online authentication and electronic signatures, to be used for e-government services and e-commerce. The law was passed with the purpose of combating “identity fraud”. It was referred to the Constitutional Council by more than 200 members of the French Parliament, who challenged the compatibility of the bill with the citizens’ fundamental rights, including the right to privacy and the presumption of innocence. The Council struck down the law, citing the issue of proportionality. “Regarding the nature of the recorded data, the range of the treatment, the technical characteristics and conditions of the consultation, the provisions of article 5 touch the right to privacy in a way that cannot be considered as proportional to the meant purpose”.</p>
<h3 id="35" style="text-align: justify;">Argentina</h3>
<p style="text-align: justify;">Documento Nacional de Identidad or DNI (which means National Identity Document) is the main identity document for Argentine citizens, as well as temporary or permanent resident aliens. It is issued at a person's birth, and updated at 8 and 14 years of age simultaneously in one format: a card (DNI tarjeta); it's valid if identification is required, and is required for voting. The front side of the card states the name, sex, nationality, specimen issue, date of birth, date of issue, date of expiry, and transaction number along with the DNI number and portrait and signature of the card's bearer. The back side of the card shows the address of the card's bearer along with their right thumb fingerprint. The front side of the DNI also shows a barcode while the back shows machine-readable information. The DNI is a valid travel document for entering Argentina, Bolivia, Brazil, Chile, Colombia, Ecuador, Paraguay, Peru, Uruguay, and Venezuela. (System still operational in the country)</p>
<h3 id="4" style="text-align: justify;"><strong>4. Technologies of Identification and Authentication</strong></h3>
<p style="text-align: justify;">The panel in the session titled ‘Aadhaar: Science, Technology, and Security’ explained the technical aspects of use of biometrics and privacy concerns, technology architecture for identification and inadequacy of infrastructure for information security. In this section, we have summarised the presentation and the ensuing discussions on these issues.</p>
<h3 id="41" style="text-align: justify;">Use of Biometric Information for Identification and Authentication</h3>
<p style="text-align: justify;">The panelists explained with examples that identification and authentication were different things. Identity provides an answer to the question “who are you?” while authentication is a challenge-response process that provides a proof of the claim of identity. Common examples of identity are User ID (Login ID), cryptographic public keys and ATM or Smart cards while common authenticators are passwords (including OTPs), PINs and cryptographic private keys. Identity is public information but an authenticator must be private and known only to the user. Authentication must necessarily be a conscious process and active participation by the user is a must. It should also always be possible to revoke an authenticator. After providing this understanding of the two processes the panellist then explained if biometric information could be used for identification or authentication under the UID Project. Biometric information is clearly public information and it is questionable if it can be revoked. Therefore it should never be used for authentication, but only for identity verification. There is a possibility of authentication by fingerprints under the UID Project, without conscious participation of the user. One could trace the fingerprints of an individual from any place the individual has been in contact with. Therefore, authentication must certainly be done by other means. The panellist pointed out that there were five kinds of authentication under the UID Project, out of which two-factor authentication and one time password were considered suitable but use of biometric information and demographic information was extremely threatening and must be withdrawn.</p>
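<p style="text-align: justify;">The distinction drawn above can be made concrete with a short added example (it is not part of the workshop presentation and not UIDAI code): a challenge-response authenticator that is secret, usable once per challenge and revocable, next to a static template that is none of these. The class and function names, the identity <code>user-0001</code> and the byte string standing in for a fingerprint template are assumptions constructed for illustration; real biometric matching is fuzzy rather than an exact comparison.</p>

```python
import hashlib
import hmac
import secrets


class ChallengeResponseVerifier:
    """Verifier for a secret, revocable authenticator (hypothetical class)."""

    def __init__(self):
        self._keys = {}      # identity (public) -> authenticator key (private)
        self._pending = {}   # identity -> outstanding one-time challenge

    def enrol(self, identity):
        """Issue a fresh random key; enrolling again revokes the previous key."""
        key = secrets.token_bytes(32)
        self._keys[identity] = key
        self._pending.pop(identity, None)
        return key

    def challenge(self, identity):
        """Hand out a fresh random nonce that the user must actively answer."""
        nonce = secrets.token_bytes(16)
        self._pending[identity] = nonce
        return nonce

    def verify(self, identity, response):
        nonce = self._pending.pop(identity, None)   # each challenge is single use
        key = self._keys.get(identity)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def respond(key, nonce):
    """User side: prove possession of the key without disclosing it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class StaticTemplateVerifier:
    """Verifier that accepts a fixed value, modelling a biometric template."""

    def __init__(self):
        self._templates = {}

    def enrol(self, identity, template):
        self._templates[identity] = template

    def verify(self, identity, presented):
        stored = self._templates.get(identity)
        return stored is not None and hmac.compare_digest(stored, presented)


def demo():
    results = {}
    identity = "user-0001"   # constructed identity, public by design

    cr = ChallengeResponseVerifier()
    key = cr.enrol(identity)
    observed = respond(key, cr.challenge(identity))
    results["fresh_response"] = cr.verify(identity, observed)

    # An observed response is useless against the next challenge.
    cr.challenge(identity)
    results["replayed_response"] = cr.verify(identity, observed)

    # Revocation: a new key is issued and the old one stops working.
    new_key = cr.enrol(identity)
    results["old_key_after_revocation"] = cr.verify(
        identity, respond(key, cr.challenge(identity)))
    results["new_key_after_revocation"] = cr.verify(
        identity, respond(new_key, cr.challenge(identity)))

    # Static template: the same value is presented every time, so a copy
    # obtained without the user's participation verifies just as well.
    st = StaticTemplateVerifier()
    template = hashlib.sha256(b"constructed fingerprint features").digest()
    st.enrol(identity, template)
    copy = bytes(template)
    results["copied_template"] = st.verify(identity, copy)

    # "Re-enrolment" cannot change the finger, so the copy stays valid.
    st.enrol(identity, template)
    results["copied_template_after_reenrol"] = st.verify(identity, copy)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```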
<h3 id="42" style="text-align: justify;">Architectures of Identification</h3>
<p style="text-align: justify;">The panelists explained the architecture of the UID Project that has been designed for identification purposes, highlighted its limitations and suggested alternatives. These explanations are reproduced below.</p>
<p style="text-align: justify;">Under the UID Project, there is a centralised means of identification i.e. the aadhaar number and biometric information stored in one place, Central Identification Data Repository (CIDR). It is better to have multiple means of identification than one (as contemplated under the UID Project) for preservation of our civil liberties. The question is what the available alternatives are. Web of trust is a way for operationalizing distributed identification but the challenge is how one brings people from all social levels to participate in it. There is a need for registrars who will sign keys and public databases for this purpose.</p>
<p style="text-align: justify;">The aadhaar number functions as a common index and facilitates correlation of data across Government databases. While this is tremendously attractive it raises several privacy concerns as more and more information relating to an individual is available to others and is likely to be abused.</p>
<p style="text-align: justify;">The aadhaar number is available in human readable form. This raises the risk of identification without consent and unauthorised profiling. It cannot be revoked. Potential for damage in case of identity theft increases manifold.</p>
<p style="text-align: justify;">Under the UID Project, for the purpose of information security, Authentication User Agencies (“<strong>AUA</strong>”) are required to use local identifiers instead of aadhaar numbers but they are also required to map these local identifiers to the aadhaar numbers. Aadhaar numbers are not cryptographically secured; in fact they are publicly available. Hence this exercise for securing information is useless. An alternative would be to issue different identifiers for different domains and cryptographically embed a “master identifier” (in this case, equivalent of aadhaar number) into each local identifier.</p>
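<p style="text-align: justify;">The following added example (not from the presentation and not UIDAI code) contrasts the two designs described above: AUAs that keep a table mapping local identifiers to a shared number, and per-domain identifiers derived from a master identifier under a key held only by the issuer. It assumes HMAC-SHA-256 as the derivation, which is one-way, so the issuer links records by recomputation rather than by decrypting; all function names, domains and identifier values are constructed.</p>

```python
import hashlib
import hmac
import secrets

# Constructed sample records for two domains, keyed by a made-up master identifier.
RATION = {"MASTER-0001": "rice 5kg", "MASTER-0002": "wheat 3kg", "MASTER-0003": "kerosene 2l"}
BANK = {"MASTER-0001": "balance 1200", "MASTER-0002": "balance 80", "MASTER-0003": "balance 15000"}


def domain_key(master_key, domain):
    """Derive an independent key for each domain from the issuer's master key."""
    return hmac.new(master_key, b"domain-key|" + domain.encode(), hashlib.sha256).digest()


def local_identifier(master_key, domain, master_id):
    """Domain-specific identifier; cannot be recomputed without the issuer's key."""
    mac = hmac.new(domain_key(master_key, domain), master_id.encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def build_mapped_db(records):
    """Design criticised above: a random local id, but the mapping to the
    shared number is stored next to it."""
    return [{"local_id": secrets.token_hex(16), "master_id": mid, "data": data}
            for mid, data in records.items()]


def build_derived_db(master_key, domain, records):
    """Alternative design: the domain stores only the derived identifier."""
    return [{"local_id": local_identifier(master_key, domain, mid), "data": data}
            for mid, data in records.items()]


def join_on(db_a, db_b, column):
    """Correlate two databases on a shared column, as a common index allows."""
    index = {row[column]: row for row in db_a}
    return [(index[row[column]], row) for row in db_b if row[column] in index]


def issuer_lookup(master_key, domain, master_id, db):
    """Only the key holder can find a person's record in a given domain."""
    wanted = local_identifier(master_key, domain, master_id)
    for row in db:
        if hmac.compare_digest(row["local_id"], wanted):
            return row
    return None


def demo():
    master_key = secrets.token_bytes(32)   # held by the issuer only
    mapped_ration, mapped_bank = build_mapped_db(RATION), build_mapped_db(BANK)
    derived_ration = build_derived_db(master_key, "ration", RATION)
    derived_bank = build_derived_db(master_key, "bank", BANK)
    return {
        # Local ids differ, but the stored mapping still joins every person.
        "mapped_join_on_master_id": len(join_on(mapped_ration, mapped_bank, "master_id")),
        # Derived ids share no value across domains, so nothing joins.
        "derived_join_on_local_id": len(join_on(derived_ration, derived_bank, "local_id")),
        "issuer_lookup": issuer_lookup(master_key, "bank", "MASTER-0002", derived_bank)["data"],
    }


if __name__ == "__main__":
    print(demo())
```

<p style="text-align: justify;">The separation holds only while a domain never receives the master identifier or the master key; a domain that stores both columns recreates the mapped case.</p>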
<p style="text-align: justify;">All field devices (for example POS machines) should be registered and must communicate directly with UIDAI. In fact, UIDAI must verify the authenticity (tamper proof) of the field device during run time and a UIDAI approved authenticity certificate must be issued for field devices. This certificate must be made available to users on demand. Further, the security and privacy frameworks within which AUAs work must be appropriately defined by legal and technical means.</p>
<h3 id="43" style="text-align: justify;">Security Infrastructure of CIDR</h3>
<p style="text-align: justify;">The panelists also enumerated the security features of the UID Project and highlighted the flaws in these features. These have been summarised below.</p>
<p>The security and privacy infrastructure of UIDAI has the following main features:</p>
<ul>
<li>2048 bit PKI encryption of biometric data in transit</li>
<li>End-to-end encryption from enrolment/POS to CIDR</li>
<li>HMAC based tamper detection of PID blocks</li>
<li>Registration and authentication of AUAs</li>
<li>Within CIDR only a SHA 1 Hash of Aadhaar number is stored</li>
<li>Audit trails are stored SHA 1 encrypted. Tamper detection?</li>
<li>Only hashes of passwords and PINs are stored. (biometric data stored in original form though!)</li>
<li>Authentication requests have unique session keys and HMAC</li>
<li>Resident data stored using 100 way sharding (vertical partitioning). First two digits of Aadhaar number as shard keys</li>
<li>All enrolment and update requests link to partitioned databases using Ref IDs (coded indices)</li>
<li>All accesses through a hardware security module</li>
<li>All analytics carried out on anonymised data</li></ul>
<p style="text-align: justify;">The panellists pointed out the concerns about information security on account of design flaws, lack of procedural safeguards, openness of the system and too much trust imposed on multiple players. All symmetric and private keys and hashes are stored somewhere within UIDAI. This indicates that trust is implicitly assumed which is a glaring design flaw. There is no well-defined approval procedure for data inspection, whether it is for the purpose of investigation or for data analytics. There is a likelihood of system hacks, insider leaks, and tampering of authentication records and audit trails. The ensuing discussions highlighted that the UIDAI had admitted to these security risks. The enrolment agencies and the enrolment devices cannot be trusted. AUAs cannot be trusted with biometric and demographic data; neither can they be trusted with sensitive user data of private nature. There is a need for an independent third party auditor for distributed key management, auditing and approving UIDAI programs, including those for data inspection and analytics, whitebox cryptographic compilation of critical parts of the UIDAI programs, issue of cryptographic keys to UIDAI programs for functional encryption, challenge-response for run-time authentication and certification of UIDAI programs. The panellist recommended that a suitable legal framework be put in place to execute this.</p>
<p style="text-align: justify;">The participants also discussed that information infrastructure must not be made of proprietary software (possibility for backdoors for US) and there must be a third party audit with a non-negotiable clause for public audit.</p>
<h3 id="5" style="text-align: justify;"><strong>5. Aadhaar for Welfare?</strong></h3>
<p style="text-align: justify;">The Report has summarised the discussions that took place in the sessions on ‘Direct Benefits Transfers’ and ‘Aadhaar: Broad Issues - II’ where the panellists critically analysed the claims of benefits and inclusion of Aadhaar made by the government in light of the ground realities in states where Aadhaar has been adopted for social welfare schemes.</p>
<h3 id="51" style="text-align: justify;">Social Welfare: Modes of Access and Exclusion</h3>
<p style="text-align: justify;">Under the Act, a person may be required to authenticate or give proof of the aadhaar number in order to receive subsidy from the government (Section 7). A person is required to punch their fingerprints on POS machines in order to receive their entitlement under the social welfare schemes such as LPG and PDS. It was pointed out in the discussions that various states including Rajasthan and Delhi had witnessed fingerprint errors while doling out benefits at ration shops under the PDS scheme. People have failed to receive their entitled benefits because of these fingerprint errors thus resulting in exclusion of beneficiaries <a href="#ftn9">[9]</a>. A panellist pointed out that in Rajasthan, dysfunctional biometrics had led to further corruption in ration shops. Ration shop owners often lied to the beneficiaries about functioning of the biometric machines (POS Machines) and kept the ration for sale in the market therefore making a lot of money at the expense of uninformed beneficiaries and depriving them of their entitlements.</p>
<p style="text-align: justify;">Another participant organisation also pointed out similar circumstances in the ration shops in Patparganj and New Delhi constituencies. Here, the dealers had maintained the records of beneficiaries, who had been categorized as follows: beneficiaries whose biometrics did not match, beneficiaries whose biometrics matched and entitlements were provided, and beneficiaries who never visited the ration shop. It had been observed that there were no entries in the category of beneficiaries whose biometrics did not match; however, the beneficiaries had a different story to tell. They complained that their biometrics did not match despite trying several times and there was no mechanism for a manual override. Consequently, they had not been able to receive any entitlements for months. The discussions also pointed out that the food authorities had placed complete reliance on the authenticity of the POS machines and claimed that this system would weed out families who were not entitled to the benefits. The MIS was also running into technical glitches; as a result, there was a problem with registering information about these transactions and hence no records had been created with the State authority about these problems. A participant also discussed the plight of 30,000 widows in Delhi who were entitled to pension and used to collect their entitlement from post offices, and who faced exclusion due to transition problems under the Jan Dhan Yojana (after the Jan Dhan Yojana was launched, the money was transferred to their bank accounts in order to resolve the problem of misappropriation of money at the hands of post office officials). These widows were asked to open bank accounts to receive their entitlements and those who did not open these accounts and did not inform the post office were considered bogus.</p>
<p style="text-align: justify;">In the discussions, the participants also noted that this unreliability of fingerprints as a means of authentication of an individual’s identity was highlighted at the meeting of Empowered Group of Ministers in 2011 by J Dsouza, a biometrics scientist. He used his wife’s fingerprints to demonstrate that fingerprints may change over time and in such an event, one would not be able to use the POS machine anymore as the machine would continue to identify the impressions collected initially.</p>
<p style="text-align: justify;">The participants who had been working in the field had contributed to the discussions by busting the myth that the UID Project helped to identify who was poor and resolve the problem of exclusion due to leakages in the social welfare programs. These discussions have been summarised below.</p>
<ul>
<li style="text-align: justify;">It is important to understand that the UID Project is merely an identification and authentication system. It only helps in verifying if an individual is entitled to benefits under a social security scheme. It does not ensure plugging of leakages and reducing corruption in social security schemes as has been claimed by the Government. The reduction in leakage of PDS, for instance, should be attributed to digitization and not UID. The Government claims that it has saved INR 15000 crore in provision of LPG on identification of 3.34 crore inactive accounts on account of the UID Project. This is untrue because the accounts were weeded by using mechanisms completely unrelated to the UID Project. Consequently, the savings on account of UID are only of INR 120 crore and not 15000 crore.</li>
<li style="text-align: justify;">The UID Project has resulted in exclusion of people either because they do not have an aadhaar number, or they have a wrong identification, or there are errors of classification or wilful misclassification. About 99.7% people who were given aadhaar numbers already had an identification document. In fact, during enrolment a person is required to produce one of 14 identification documents listed under the law in order to get an aadhaar number which makes it very difficult for a person with no identity to become entitled to a social welfare scheme.</li></ul>
<p style="text-align: justify;">A participant condemned the Government’s claim that the UID Project had helped in removing fake, bogus and duplicate cards and said that these terms could not be used synonymously and the authorities had no clarity about the difference between the meanings of these terms. The UID Project had only helped in removal of duplicate cards but had not helped in combating the use of fake and bogus cards.</p>
<h3 id="52" style="text-align: justify;">Financial Inclusion and Direct Benefits Transfer</h3>
<p style="text-align: justify;">The participants also engaged in the discussions about the impact of the UID project on financial inclusion in India in the sessions titled ‘Aadhaar: Broad Issues - I & II’. We have summarised these discussions below.</p>
<p style="text-align: justify;">The UID Project seeks to directly transfer money to a bank account in order to combat corruption. The discussions highlighted that this was nothing but introducing a neo liberal thrust in social policy and that it was not feasible for various reasons. First, 95% of rural India did not have functioning banks and banks are quite far away. Second, in order to combat this dearth of banks the idea of business correspondents, who handled banking transactions and helped in opening of bank accounts, had been introduced which had created various problems. The Reserve Bank of India reported that there was dearth of business correspondents as there was very little incentive to become one; their salary is merely INR 4000. Third, there were concerns about how an aadhaar number was considered a valid document for Know Your Customer (KYC) checks. There was a requirement for scrutiny and auditing of documents submitted during the time of enrolment which, in the present scheme of things, could not be verified. Fourth, there were no restrictions on number of bank accounts that could be opened with a single aadhaar number which gave rise to a possibility of opening multiple and shell accounts on a single aadhaar number. Therefore, records only showed transactions when money was transferred from an aadhaar number to another aadhaar number as opposed to an account-to-account transfer. The discussion relied on NPCI data which shows which bank an aadhaar number is associated with but does not show if a transaction by an aadhaar number is overwritten by another bank account belonging to the same aadhaar number.</p>
<h3 id="6" style="text-align: justify;"><strong>6. Surveillance and UIDAI</strong></h3>
<p style="text-align: justify;">The participants had discussed the possibility of an alternative purpose for enrolling Aadhaar in the session titled ‘Privacy, Surveillance, and Ethical Dimensions of Aadhaar’. The discussion traced the history of this project to gain insight on this issue. We have summarised below the key takeaways from this discussion.</p>
<p style="text-align: justify;">There are claims that the main objective of launching the UID Project is not to facilitate implementation of social security schemes but to collect personal (financial and non-financial) information of the citizens and residents of the country to build a data monopoly. For this purpose, PDS was chosen as a suitable social security scheme as it has the largest coverage. Several participants suggested that numerous reports authored by FICCI, KPMG and ASSOCHAM contained proposals for establishing a national identity authority which threw some light on the commercial intentions behind information collection under the UID Project.</p>
<p style="text-align: justify;">It was also pointed out that there was documented proof that information collected under the UID Project might have been shared with foreign companies. There are suggestions about links established between proponents of the UID Project and companies backed by CIA or the French Government which run security projects and deal in data sharing in several jurisdictions.</p>
<h3 id="7" style="text-align: justify;"><strong>7. Strategies for Future Action</strong></h3>
<p>The participants laid down a list of measures that must be taken to take the discussions forward. We have enumerated these recommendations below.</p>
<ul>
<li>Prepare and compile an anthology of articles as an output of this workshop. </li>
<li>Prepare position papers on specific issues related to the UID Project </li>
<li>Prepare pamphlets/brochures on issues with the UID Project for public consumption </li>
<li>Prepare counter-advertisements for Aadhaar</li>
<li>Publish existing empirical evidence on the flaws in Aadhaar.</li>
<li>Set up an online portal dedicated to providing updates on the UID Project and allowing discussions on specific issues related to Aadhaar.</li>
<li>Use Social Media to reach out to the public. Regularly track and comment on social media pages of relevant departments of the government.</li>
<li>Create groups dedicated to research and advocacy of specific aspects of the UID Project. </li>
<li>Create a Coordination Committee, preferably based in Delhi, which would be responsible for regularly holding meetings and for preparing a coordinated plan of action. Employ permanent staff to run the Committee.</li>
<li>Organise an advocacy campaign against use of Aadhaar in collaboration with other organisations and build public domain acceptance. </li>
<li>The campaign must specifically focus on the unfettered scope and expanse of UID, misrepresentation of the success of Aadhaar by highlighting real savings, technological flaws, status of pilot programs and increasing corruption on account of the UID Project.</li>
<li>Prepare a statement of public concern regarding the UID Project and collect signatures from eminent persons including academics, technical experts, civil society groups and members of parliament.</li>
<li>Organise events and discussions on issues relating to Aadhaar and invite members of government departments to speak and discuss the issues. </li>
<li style="text-align: justify;">Write to Members of Parliament and Members of Legislative Assemblies raising questions on their or their parties’ support for Aadhaar and silence on the problems created by the UID Project. </li>
<li style="text-align: justify;">Organise public hearings in states like Rajasthan to observe and document ground realities of the UID Project and share these outcomes with the state government and media. </li>
<li>Plan a national social audit and public hearing on the working of UID Project in the country. </li>
<li style="text-align: justify;">File Contempt Petitions in the Supreme Court and High Courts against mandatory use of Aadhaar number for services not allowed by the Supreme Court. </li>
<li style="text-align: justify;">Reach out to and engage with various foreign citizens and organisations that have been fighting on similar issues. The organisations and individuals who could be approached would include EPIC, Electronic Frontier Foundation, David Moss, UK, Roger Clarke, Australia, Prof. Ian Angel, Snowden, Assange and Chomsky.</li>
<li style="text-align: justify;">Work towards increasing awareness about the UID Project and gaining support from the student and research community, student organisations, trade unions, and other associations and networks in the unorganised sector.</li></ul>
<h3 id="AA" style="text-align: justify;"><strong>Annexure A – Workshop Agenda</strong></h3>
<h4>May 26, 2016</h4>
<table>
<tbody>
<tr>
<td>
<p>9:00-9:30</p>
</td>
<td>
<p><strong>Registration</strong></p>
</td>
</tr>
<tr>
<td>
<p>9:30-10:00</p>
</td>
<td>
<p>Prof. Dinesh Abrol - <em>Welcome</em><br />
<em>Self-introduction and expectations of participants</em><br />
Dr. Usha Ramanathan - <em>Overview of the Workshop</em></p>
</td>
</tr>
<tr>
<td>
<p>10:00-11:00</p>
</td>
<td>
<p><strong>Session 1: Current Status of Aadhaar</strong><br />
Dr. Usha Ramanathan, Legal Researcher, New Delhi - <em>What the 2016 Law Says, and How it Came into Being</em><br />
S. Prasanna, Advocate, New Delhi - <em>Status and Force of Supreme Court Orders on Aadhaar</em><br /> <em>Discussion</em></p>
</td>
</tr>
<tr>
<td>
<p>11:00-11:30</p>
</td>
<td>
<p><strong>Tea Break</strong></p>
</td>
</tr>
<tr>
<td>
<p>11:30-13:30</p>
</td>
<td>
<p><strong>Session 2: Direct Benefits Transfers</strong><br />
Prof. Reetika Khera, Indian Institute of Technology, Delhi - <em>Welfare Needs Aadhaar like a Fish Needs a Bicycle</em><br />
Prof. R. Ramakumar, Tata Institute of Social Sciences, Mumbai - <em>Aadhaar and the Social Sector: A critical analysis of the claims of benefits and inclusion</em><br />
Ashok Rao, Delhi Science Forum - <em>Cash Transfers Study</em><br />
<em>Discussion</em></p>
</td>
</tr>
<tr>
<td>
<p>13:30-14:30</p>
</td>
<td>
<p><strong>Lunch</strong></p>
</td>
</tr>
<tr>
<td>
<p>14:30-16:00</p>
</td>
<td>
<p><strong>Session 3: Aadhaar: Science, Technology, and Security</strong><br />
Prof. Subhashis Banerjee, Dept of Computer Science & Engineering, IIT, Delhi - <em>Privacy and Security Issues Related to the Aadhaar Act</em><br />
Pukhraj Singh, Former National Cyber Security Manager, Aadhaar, New Delhi - <em>Aadhaar: Security and Surveillance Dimensions</em><br />
<em>Discussion</em></p>
</td>
</tr>
<tr>
<td>
<p>16:00-16:30</p>
</td>
<td>
<p><strong>Tea Break</strong></p>
</td>
</tr>
<tr>
<td>
<p>16:30-17:30</p>
</td>
<td>
<p><strong>Session 4: Aadhaar - International Dimensions</strong><br />
Joshita Pai, Center for Communication Governance, National Law University, Delhi - <em>Biometrics and Mandatory IDs in Other Parts of the World</em><br />
Dr. Gopal Krishna, Citizens Forum for Civil Liberties - <em>International Dimensions of Aadhaar</em><br />
<em>Discussion</em></p>
</td>
</tr>
<tr>
<td>
<p>17:30-18:00</p>
</td>
<td>
<p><strong>High Tea</strong></p>
</td>
</tr>
</tbody>
</table>
<h4>May 27, 2016</h4>
<table>
<tbody>
<tr>
<td>
<p>9:30-11:00</p>
</td>
<td>
<p><strong>Session 5: Privacy, Surveillance and Ethical Dimensions of Aadhaar</strong><br />
Prabir Purkayastha, Free Software Movement of India, New Delhi - <em>Surveillance Capitalism and the Commodification of Personal Data</em><br />
Arjun Jayakumar, SFLC - <em>Surveillance Projects Amalgamated</em><br />
Col Mathew Thomas, Bengaluru - <em>The Deceit of Aadhaar</em><br />
<em>Discussion</em></p>
</td>
</tr>
<tr>
<td>
<p>11:00-11:30</p>
</td>
<td>
<p><strong>Tea Break</strong></p>
</td>
</tr>
<tr>
<td>
<p>11:30-13:00</p>
</td>
<td>
<p><strong>Session 6: Aadhaar - Broad Issues I</strong><br />
Prof. G Nagarjuna, Homi Bhabha Center for Science Education, Tata Institute of Fundamental Research, Mumbai - <em>How to prevent linked data in the context of Aadhaar</em><br />
Dr. Anupam Saraph, Pune - <em>Aadhaar and Moneylaundering</em><br />
<em>Discussion</em></p>
</td>
</tr>
<tr>
<td>
<p>13:00-14:00</p>
</td>
<td>
<p><strong>Lunch</strong></p>
</td>
</tr>
<tr>
<td>
<p>14:00-15:30</p>
</td>
<td>
<p><strong>Session 7: Aadhaar - Broad Issues II</strong><br />
Prof. MS Sriram, Visiting Faculty, Indian Institute of Management, Bangalore - <em>Financial Inclusion</em><br />
Nikhil Dey, MKSS, Rajasthan - <em>Field witness: Technology on the Ground</em><br />
Prof. Himanshu, Centre for Economic Studies & Planning, JNU - <em>UID Process and Financial Inclusion</em><br />
<em>Discussion</em></p>
</td>
</tr>
<tr>
<td>
<p>15:30-16:00</p>
</td>
<td>
<p><strong>Session 8: Conclusion</strong></p>
</td>
</tr>
<tr>
<td>
<p>16:00-18:00</p>
</td>
<td>
<p><strong>Informal Meetings</strong></p>
</td>
</tr>
</tbody>
</table>
<h3 id="AB" style="text-align: justify;"><strong>Annexure B – Workshop Participants</strong></h3>
<p>Anjali Bhardwaj, Satark Nagrik Sangathan</p>
<p>Dr. Anupam Saraph</p>
<p>Arjun Jayakumar, Software Freedom Law Centre</p>
<p>Ashok Rao, Delhi Science Forum</p>
<p>Prof. Chinmayi Arun, National Law University, Delhi</p>
<p>Prof. Dinesh Abrol, Jawaharlal Nehru University</p>
<p>Prof. G Nagarjuna, Homi Bhabha Center for Science Education, Tata Institute of Fundamental Research, Mumbai</p>
<p>Dr. Gopal Krishna, Citizens Forum for Civil Liberties</p>
<p>Prof. Himanshu, Jawaharlal Nehru University</p>
<p>Japreet Grewal, the Centre for Internet and Society</p>
<p>Joshita Pai, National Law University, Delhi</p>
<p>Malini Chakravarty, Centre for Budget and Governance Accountability</p>
<p>Col. Mathew Thomas</p>
<p>Prof. MS Sriram, Indian Institute of Management, Bangalore</p>
<p>Nikhil Dey, Mazdoor Kisan Shakti Sangathan</p>
<p>Prabir Purkayastha, Knowledge Commons and Free Software Movement of India</p>
<p>Pukhraj Singh, Bhujang</p>
<p>Rajiv Mishra, Jawaharlal Nehru University</p>
<p>Prof. R Ramakumar, Tata Institute of Social Sciences, Mumbai</p>
<p>Dr. Reetika Khera, Indian Institute of Technology, Delhi</p>
<p>Dr. Ritajyoti Bandyopadhyay, Indian Institute of Science Education and Research, Mohali</p>
<p>S. Prasanna, Advocate</p>
<p>Sanjay Kumar, Science Journalist</p>
<p>Sharath, Software Freedom Law Centre</p>
<p>Shivangi Narayan, Jawaharlal Nehru University</p>
<p>Prof. Subhashis Banerjee, Indian Institute of Technology, Delhi</p>
<p>Sumandro Chattapadhyay, the Centre for Internet and Society</p>
<p>Dr. Usha Ramanathan, Legal Researcher</p>
<p><em>Note: This list is only indicative, and not exhaustive.</em></p>
<hr />
<p><a name="ftn1"><strong>[1]</strong></a> Civil Appeal No. 4853 of 2014</p>
<p><a name="ftn2"><strong>[2]</strong></a> WP(C) 494/2012</p>
<p><a name="ftn3"><strong>[3]</strong></a> WP(C) 829/2013</p>
<p><a name="ftn4"><strong>[4]</strong></a> WP(C) 833/2013</p>
<p><a name="ftn5"><strong>[5]</strong></a> WP (C) 37/2015; (Earlier intervened in the Aruna Roy petition in 2013)</p>
<p><a name="ftn6"><strong>[6]</strong></a> WP (C) 932/2015</p>
<p><a name="ftn7"><strong>[7]</strong></a> Transferred from Madras HC 2013.</p>
<p style="text-align: justify;"><a name="ftn8"><strong>[8]</strong></a> SLP (Crl) 2524/2014 filed against the order of the Goa Bench of the Bombay HC in CRLWP 10/2014 wherein the High Court had directed UIDAI to share biometric information held by them of all residents of a particular place in Goa to help with a criminal investigation in a case involving charges of rape and sexual assault.</p>
<p><a name="ftn9"><strong>[9]</strong></a> See: http://scroll.in/article/806243/rajasthan-presses-on-with-aadhaar-after-fingerprint-readers-fail-well-buy-iris-scanners</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/report-on-understanding-aadhaar-and-its-new-challenges'>http://editors.cis-india.org/internet-governance/blog/report-on-understanding-aadhaar-and-its-new-challenges</a>
</p>
No publisher
Japreet Grewal, Vanya Rakesh, Sumandro Chattapadhyay, and Elonnai Hickock
Big Data, Data Systems, Privacy, Researchers at Work, Internet Governance, Aadhaar, Welfare Governance, Biometrics, Big Data for Development, UID
2019-03-16T04:42:52Z
Blog Entry
Reply to RTI Application under RTI Act of 2005 from Vanya Rakesh
http://editors.cis-india.org/internet-governance/blog/reply-to-rti-application-under-rti-act-of-2005-from-vanya-rakesh
<b>Unique Identification Authority of India replied to the RTI application filed by Vanya Rakesh. </b>
<p style="text-align: justify; ">Madam,</p>
<ol style="text-align: justify; ">
<li>Please refer to your RTI application dated 3.12.2015 received in the Division on 10.12.2015 on the subject mentioned above requesting to provide the information in electronic form via the email address vanya@cis-india.org, copies of the artwork in print media released by UIDAI to create awareness about use of Aadhaar not being mandatory.</li>
<li>I am directed to furnish herewith in electronic form, copy of the artwork in print media released / published in the epapers edition of the Times of India and Dainik Jagran in their respective editions of dated 29.8.2015 in a soft copy, about obtaining of Aadhaar not being mandatory for a citizen, as desired.</li>
<li>In case, you want to go for an appeal in connection with the information provided, you may appeal to the Appellate Authority indicated below within thirty days from the date of receipt of this letter.<br />Shri Harish Lal Verma,<br />Deputy Director (Media),<br />Unique Identification Authority of India<br />3nd Floor, Tower – II, Jeevan Bharati Building,<br />New Delhi – 110001.</li>
</ol>
<p style="text-align: justify; "><br />Yours faithfully,<br /><br />(T Gou Khangin)<br />Section Officer & CPIO Media Division<br /><br />Copy for information to: Deputy Director (Establishment) & Nodal CPIO</p>
<hr />
<p>Scanned copies below:</p>
<table class="plain">
<tbody>
<tr>
<th>RTI Reply</th>
</tr>
<tr>
<td><img src="http://editors.cis-india.org/home-images/RTIReplytoSh.VanyaRakesh.jpg" alt="RTI Reply" class="image-inline" title="RTI Reply" /></td>
</tr>
</tbody>
</table>
<table class="plain">
<tbody>
<tr>
<th>Coverage in Dainik Jagran<br /></th>
</tr>
<tr>
<td><img src="http://editors.cis-india.org/home-images/DainikJagran29.08.2015.png" alt="Dainik Jagran" class="image-inline" title="Dainik Jagran" /></td>
</tr>
</tbody>
</table>
<p><b><a href="http://editors.cis-india.org/internet-governance/blog/uid-ad" class="internal-link">Download the coverage in the Times of India here</a></b>. Read the earlier blog entry <a class="external-link" href="http://cis-india.org/internet-governance/blog/rti-response-regarding-the-uidai">here</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/reply-to-rti-application-under-rti-act-of-2005-from-vanya-rakesh'>http://editors.cis-india.org/internet-governance/blog/reply-to-rti-application-under-rti-act-of-2005-from-vanya-rakesh</a>
</p>
No publisher
vanya
Aadhaar, Internet Governance, Privacy
2016-01-13T02:40:57Z
Blog Entry
Reliance Jio data leaked on website: report
http://editors.cis-india.org/internet-governance/news/livemint-july-10-2017-reliance-jio-data-leaked-on-website-report
<b>Reliance Jio customer data was leaked on independent website magicapk.com, including details such as names, mobile numbers and email IDs, said a report.</b>
<p style="text-align: justify; ">The article was <a class="external-link" href="http://www.livemint.com/Industry/ucK2SJDM4Ws8k36ovZVj6H/Reliance-Jio-customer-data-allegedly-compromised-report.html">published by Livemint</a> on July 10, 2017.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Reliance Jio Infocomm Ltd’s customer data was allegedly leaked on an independent website, magicapk.com, a report said. Jio, which crossed the 100 million mark in February, barely six months after it was launched, ended the financial year with <b><a href="http://www.livemint.com/Industry/wVDwB0wKqaXxqVFqEWp4kK/Reliance-Jio-crosses-108-million-subscribers-claims-to-be-l.html" target="_blank">108.9 million subscribers</a></b> as of 31 March.</p>
<p style="text-align: justify; ">The report, published first in a late-night article on Sunday on <b><a href="http://www.fonearena.com/blog/224741/jio-customer-database-of-over-120-million-users-leaked-could-be-biggest-data-breach-in-india.html#more-224741" target="_blank">Fonearena.com</a></b>, alleged that “several sensitive details” were exposed, including customers’ first and last names, mobile numbers, email IDs, circles, SIM activation dates and even the Aadhaar numbers. The Aadhaar numbers, however, were redacted on magicapk.</p>
<p style="text-align: justify; ">“To my disbelief I found my own details in the database and also couple of my colleagues are affected too,” wrote Varun Krish, the author of the article. However, if you now click on Magicapk.com, it reads: “This Account has been <a href="http://magicapk.com/cgi-sys/suspendedpage.cgi" target="_blank">suspended</a>.” The Registrar of the site, according to the <b><a href="https://www.whois.com/whois/magicapk.com">whois database</a></b>, is Godaddy.com, LLC.</p>
<p style="text-align: justify; ">When contacted, a Reliance Jio spokesperson said, “We have come across the unverified and unsubstantiated claims of the website and are investigating it. Prima facie, the data appears to be unauthentic. We want to assure our subscribers that their data is safe and maintained with highest security. Data is only shared with authorities as per their requirement. We have informed law enforcement agencies about the claims of the website and will follow through to ensure strict action is taken.”</p>
<p style="text-align: justify; ">Fonearena.com, on its site, has responded with a: “We still stand by our story.”</p>
<p style="text-align: justify; ">The report assumes significance because the site exposed redacted Aadhaar card details. There are nearly 1.2 billion Aadhaar number holders in the country. Aadhaar aims to plug leakages in the delivery of state benefits, such as subsidized grains to the poor, and aid in generating a savings of about Rs70,000 crore a year for the government. But data breaches have rattled citizens, especially since India does not have a Privacy Act.</p>
<p style="text-align: justify; ">In March, the Unique Identification Authority of India (UIDAI) blacklisted a common services centre for 10 years after it shared the Aadhaar details of former cricket captain Mahendra Singh Dhoni. On 25 April, <i>Mint</i> reported that many government departments, including the ministry of drinking water and sanitation, the Jharkhand Directorate of Social Security, and the Kerala government’s pension department, had published Aadhaar numbers of beneficiaries of the schemes they run in <b><a href="http://www.livemint.com/Politics/bM6xWCw8rt6Si4seV43C2H/Govt-departments-breach-Aadhaar-Act-leak-details-of-benefic.html" target="_blank">violation of the Aadhaar Act</a></b>.</p>
<p style="text-align: justify; ">On 1 May, Bengaluru-based think tank Centre for Internet and Society (CIS) reported that a Central government ministry and a state government may have <b><a href="https://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof-a-documentation-of-public-availability-of-aadhaar-numbers-with-sensitive-personal-financial-information-1">made public up to 135 million Aadhaar numbers</a></b>.</p>
<p style="text-align: justify; ">Under the Aadhaar (Targeted Delivery of Financial Subsidies, Benefits and Services) Act, 2016, the unique identity number is mandatory only to receive social welfare benefits. However, tagging of the Aadhaar number is being made mandatory by the government for various schemes including PAN (permanent account number) accounts for taxation. On 7 July, the Supreme Court refused to pass any interim order against the mandatory use of Aadhaar for various government schemes. It, instead, suggested that petitioners call for <a href="http://www.livemint.com/Politics/5bZrxjf4FpfbxZFhc9inbI/Aadhaarlinked-issues-to-be-decided-by-constitution-bench-S.html" target="_blank">immediate formation of a Constitution bench</a> to decide on the case.</p>
<p style="text-align: justify; ">News of the alleged data leak also comes at a time when there has been a spate of cyber hacks.</p>
<p style="text-align: justify; ">For instance, just when companies started believing that WannaCry—the malware that held over 200,000 individuals across 10,000 organizations in nearly 100 countries to ransom—was on the wane, a virus christened GoldenEye (a variant of the Petya ransomware) by security firm Bitdefender Labs attacked companies, mostly in Ukraine. And while the target primarily appeared to be European countries, the <b><a href="http://www.livemint.com/Technology/IUkweIPadyeIHRW7lFTysI/GoldenEye-ransomware-follows-in-WannaCrys-footsteps.html" target="_blank">ransomware was also reported</a></b> to be making inroads in countries like India.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/livemint-july-10-2017-reliance-jio-data-leaked-on-website-report'>http://editors.cis-india.org/internet-governance/news/livemint-july-10-2017-reliance-jio-data-leaked-on-website-report</a>
</p>
No publisher
praskrishna
Aadhaar, Internet Governance, Privacy
2017-07-10T14:53:42Z
News Item
Registering for Aadhaar in 2019
http://editors.cis-india.org/internet-governance/blog/business-standard-january-2-2019-registering-for-aadhaar-in-2019
<b>It is a lot less scary registering for Aadhaar in 2019 than it was in 2010, given how the authentication modalities have since evolved.</b>
<p style="text-align: justify; ">The article was published in <a class="external-link" href="https://www.business-standard.com/article/opinion/registering-for-aadhaar-in-2019-119010201018_1.html">Business Standard</a> on January 2, 2019.</p>
<hr />
<p style="text-align: justify; ">Last November, a global committee of lawmakers from nine countries (the UK, Canada, Ireland, Brazil, Argentina, Singapore, Belgium, France and Latvia) summoned Mark Zuckerberg to what they called an “international grand committee” in London. Mr. Zuckerberg was too spooked to show up, but Ashkan Soltani, former CTO of the FTC, was among those who testified against Facebook. He said “in the US, a lot of the reticence to pass strong policy has been about killing the golden goose”, referring to the innovative technology sector. Mr. Soltani went on to argue that “smart legislation will incentivise innovation”. This could be done either intentionally or unintentionally by governments. For example, a poorly thought through blocking of pornography can result in innovative censorship circumvention technologies. On other occasions, this can happen intentionally. I hope to use my inaugural column in these pages to provide an Indian example of such intentional regulatory innovation.<br /><br />Eight years ago, almost to this date, my colleague Elonnai Hickok wrote an open letter to the Parliamentary Finance Committee on what was then called the UID or Unique Identity. She compared Aadhaar to the digital identity project started by the National Democratic Alliance (NDA) government in 2001. Like the Vajpayee administration which was working in response to the Kargil War, she advocated a decentralised authentication architecture using smart cards based on public key cryptography. Last year, even before the five-judge constitutional bench struck down Section 57 of the Aadhaar Act, the UIDAI preemptively responded to this regulatory development by launching offline Aadhaar cards. This was to be expected especially since from the A.P. Shah Committee report, the Puttaswamy Judgment, the B.N. 
Srikrishna Committee consultation paper, report and bill, the principle of “privacy by design” was emerging as a key Indian regulatory principle in the domain of data protection.<br /><br />The introduction of the offline Aadhaar mechanism eliminates the need for biometrics during authentication. I have previously provided 11 reasons why biometrics is inappropriate technology for e-governance applications by democratic governments, and this comes as a massive relief for both human rights activists and security researchers. Second, it decentralises authentication, meaning that there is no longer a central database that holds a 360-degree view of all incidents of identification and authentication. Third, it dramatically reduces the attack surface for Aadhaar numbers, since only the last four digits remain unmasked on the card. Each data controller using Aadhaar will have to generate his/her own series of unique identifiers to distinguish between residents. If those databases leak or get breached, it won’t tarnish the credibility of Aadhaar or the UIDAI to the same degree. Fourth, it increases the probability of attribution in case a data breach were to occur; if the breached or leaked data contains identifiers issued by a particular data controller, it would become easier to hold them accountable and liable for the associated harms. Fifth, unlike the previous iteration of the Aadhaar “card”, on which the QR code was easy to forge and alter, this mechanism provides for integrity and tamper detection because the demographic information contained within the QR code is digitally signed by the UIDAI. Finally, it retains the earlier benefit of being very cheap to issue, unlike smart cards.<br /><br />Thanks to the UIDAI, the private sector is also being forced to implement privacy by design. Previously, since everyone was responsible for protecting Aadhaar numbers, nobody was. 
Data controllers would gladly share the Aadhaar number with their contractors, that is, data processors, since nobody could be held responsible. Now, since their own unique identifiers could be used to trace liability back to them, data controllers will start using tokenisation when they outsource any work that involves processing of the collected data. Skin in the game immediately breeds more responsible behaviour in the ecosystem.<br /><br />The fintech sector has been rightfully complaining about regulatory and technological uncertainty from last year’s developments. This should be addressed by developing open standards and free software to allow for rapid yet secure implementation of these changes. The QR code standard itself should be an open standard developed by the UIDAI using some of the best practices common to international standard setting organisations like the World Wide Web Consortium, Internet Engineering Task Force and the Institute of Electrical and Electronics Engineers. While the UIDAI might still choose to take the final decision when it comes to various technological choices, it should allow stakeholders to make contributions through comments, mailing lists, wikis and face-to-face meetings. Once a standard has been approved, a reference implementation must be developed by the UIDAI under liberal licences, like the BSD licence that allows for both free software and proprietary software derivative works. For example, software that can read the QR code as well as send and receive the OTP to authenticate the resident. This would ensure that smaller fintech companies with limited resources can develop secure systems.<br /><br />Since Justice Dhananjaya Y. Chandrachud’s excellent dissent had no other takers on the bench, holdouts like me must finally register for an Aadhaar number since we cannot delay filing taxes any further. 
While I would still have preferred a physical digital artefact like a smart card (built on an open standard), I must say it is a lot less scary registering for Aadhaar in 2019 than it was in 2010, given how the authentication modalities have since evolved.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/business-standard-january-2-2019-registering-for-aadhaar-in-2019'>http://editors.cis-india.org/internet-governance/blog/business-standard-january-2-2019-registering-for-aadhaar-in-2019</a>
</p>
No publisher
sunil
Aadhaar, Internet Governance, Privacy
2019-01-03T14:59:04Z
Blog Entry
Provide hacker details, outfit that claimed data leak told
http://editors.cis-india.org/internet-governance/news/the-times-of-india-mahendra-singh-may-18-2017-provide-hacker-details-outfit-that-claimed-data-leak-told
<b>The Unique Identification Authority of India (UIDAI), the regulatory authority for Aadhaar, has written to a Bengaluru-based research organisation, Centre for Internet & Society (CIS), seeking details about a suspected hack attack on government websites that led to the leak of information about 13 crore users.</b>
<p style="text-align: justify; ">The article by Mahendra Singh was <a class="external-link" href="http://timesofindia.indiatimes.com/india/provide-hacker-details-outfit-that-claimed-data-leak-told/articleshow/58725132.cms">published in the Times of India</a> on May 18, 2017.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">In a recent report, CIS had highlighted that websites run by various government departments, owing to a poor security framework, had publicly displayed sensitive personal financial information and Aadhaar numbers of beneficiaries of certain projects. <br /> <br /> In its letter, UIDAI argued that the data downloaded from one of the websites could not have been accessed unless the website was hacked. As hacking is a grave offence under the law, the UIDAI has asked CIS to provide details of the persons involved in the data theft. <br /> <br /> According to a source, the UIDAI said that access to data on the website for the 'National Social Assistance Program' was only possible for someone in possession of authorised login details, or if the site (http://nsap.nic.in) was hacked or breached. The UIDAI said in its letter that such illegal access was against the provisions of the Aadhaar Act, 2016, and the IT Act, 2000, and that the persons involved had committed a grave offence.</p>
<p style="text-align: justify; ">Asking the CIS to reply before May 30, the UIDAI also said, "Aadhaar system is a protected system under Section 70 of the IT Act, 2000, the violation of which is punishable with rigorous imprisonment for a period up to 10 years." It added that the penalty clauses for violations are also provided in Section 36, Section 38 and Section 39 of the Aadhaar Act.</p>
<p style="text-align: justify; ">The UIDAI, however, maintained that even if the Aadhaar details were known to someone it did not pose a real threat to the people whose information was publicly available because the Aadhaar number could not be misused without biometrics.</p>
<p style="text-align: justify; ">The UIDAI letter said, "While, as your report suggests, there is a need to strengthen IT security of government websites, it is also important that the persons involved in hacking such sensitive information are brought to justice for which your assistance is required under the law."</p>
<p style="text-align: justify; ">"Your report mentions 13 crore people's data has been 'leaked'. Please specify how much of this data had been downloaded by you or are in your possession or in the possession of any other persons that you know. Please provide the details," the UIDAI added in its letter. The UIDAI also urged CIS to provide the details of the persons/organisations with whom it shared the data, if it did.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/the-times-of-india-mahendra-singh-may-18-2017-provide-hacker-details-outfit-that-claimed-data-leak-told'>http://editors.cis-india.org/internet-governance/news/the-times-of-india-mahendra-singh-may-18-2017-provide-hacker-details-outfit-that-claimed-data-leak-told</a>
</p>
No publisher
praskrishna
Aadhaar, Internet Governance, Privacy
2017-06-07T12:14:13Z
News Item