We are anonymous, we are legion

The Aadhaar Act is Not a Money Bill

Amber Sinha — 2016-04-25T10:51:37Z

While the authority of the Lok Sabha Speaker is final and binding, Jairam Ramesh’s writ petition may allow the Supreme Court to question an incorrect application of substantive principles. This article by Amber Sinha was published by The Wire on April 24, 2016.

Originally published by The Wire on April 24, 2016.

Since its introduction as a money bill in the Lok Sabha in the first week of March [1], the Aadhaar (Targeted delivery of Financial and other subsidies, benefits and services) Bill, 2016 has been embroiled in controversy. The Lok Sabha rejected the five recommendations of the Rajya Sabha and adopted the bill on March 16 and only presidential assent was required for it become to become valid law. However, former Union Minister Jairam Ramesh filed a writ petition contesting the decision to treat the Aadhaar Bill as a money bill. The petition is due to be heard before the Supreme Court on April 25, and should the court decide to entertain the petition, it could have far-reaching implications for the Aadhaar project and the manner in which money bills are passed by the Parliament.

There are three broad categories of bills (all legislations or Acts are known as ‘bills’ till they are passed by the Parliament) that the Parliament can pass. The first kind, Constitution Amendment Bills, are those that seek to amend a provision in the Constitution of India. The second are financial bills which contain provisions on matters of taxation and expenditure. Money bills are a subset of the financial bills which contain provisions only related to taxation, financial obligations of the government, expenditure from or receipt to the Consolidated Fund of India and any matters incidental to the above. The third category is of ordinary bills which includes all other bills. The process for the enactment of all these bills is different. Money bills are peculiar in that they can only be introduced in the Lok Sabha where it can be passed by simple majority. Following this, it is transmitted to the Rajya Sabha. The Rajya Sabha’s powers are restricted to giving recommendations on the Bill and sending it back to the Lok Sabha, which the Lok Sabha is under no obligation to accept. The decision to introduce the Aadhaar Bill as a money bill has been widely seen as an attempt to circumvent the Rajya Sabha where the ruling party is in a minority.

Article 110 (1) of the Constitution defines a money bill as one containing provisions only regarding the matters enumerated or any matters incidental to them. These are a) imposition, regulation and abolition of any tax, b) borrowing or other financial obligations of the Government of India, c) custody, withdrawal from or payment into the Consolidated Fund of India (CFI) or Contingent Fund of India, d) appropriation of money out of CFI, e) expenditure charged on the CFI or f) receipt or custody or audit of money into CFI or public account of India. Article 110 is modelled on Section 1(2) of the (UK) Parliament Act, 1911 which also defines the money bills as those only dealing with certain enumerated matters. The use of the word “only” was brought up by Ghanshyam Singh Gupta during the Constituent Assembly Debates. He pointed out that the use of the word “only” limits the scope of money bills to only those legislations which did not deal with other matters. His amendment to delete the word “only” was rejected clearly establishing the intent of the framers of the Constitution to keep the ambit of money bills extremely narrow.

While the Aadhaar Bill does make references to benefits, subsidies and services funded by the Consolidated Fund of India (CFI), even a cursory reading of the bill reveals its main objectives as creating a right to obtain a unique identification number and providing for a statutory apparatus to regulate the entire process. The mere fact of establishing the Aadhaar number as the identification mechanism for benefits and subsidies funded by the CFI does not give it the character of a money bill. The bill merely speaks of facilitating access to unspecified subsidies and benefits rather than their creation and provision being the primary object of the legislation. Erskine May’s seminal textbook, ‘Parliamentary Practice” is instructive in this respect and makes it clear that a legislation which simply makes a charge on the Consolidated Fund does not becomes a money bill if otherwise its character is not that of one.

PDT Achary, former secretary general of the Lok Sabha, has expressed concern about the use of Money Bills as a means to circumvent the Rajya Sabha. He has written here [2] and here [3], on what constitutes a money bill and how the attempts to pass off financial bills like the Aadhaar Bill as money bills could erode the supervisory role Rajya Sabha is supposed to play. This is especially true in the case of a legislation like the Aadhaar Bill which has far reaching implications for individual privacy as it governs the identification system conceptualised to provide a unique and lifelong identity to residents of India dealing with both the analog and digital machinery of the state and by virtue of Section 57 of any private entities. Already over 1 billion people have been enrolled under this identification scheme, and the project has been a subject of much debate and a petition before the Supreme Court. The project has been portrayed as both the last hope for a welfare state and surveillance infrastructure. Regardless of which of the two ends of spectrum one leans towards, it is undeniable that the law governing the Aadhaar project deserved a proper debate in the Parliament. Even those who are strong proponents of the project must accept the decision to pass it off as a money bill undermines the importance of democratic processes and is a travesty on the Constitution and a blatant abrogation of the constitutional duties of the speaker.

The petition by Jairam Ramesh would hinge largely on the powers of the judiciary to question the decision of the Speaker of the Lok Sabha. Article 110 (3) is very clear in pronouncing the authority of the Speaker as final and binding. Additionally, Article 122 prohibits the courts from questioning the validity of any proceedings in Parliament on the ground of any alleged irregularity of procedure. The powers of privilege that Parliamentarians enjoy are integral to the principle of separation of powers. However, the courts may be able to make a fine distinction between inquiring into procedural irregularity which is prohibited by the Constitution; and questioning an incorrect application of substantive principles, which I would argue, is the case with the Speaker decision.

References

[1] See: http://thewire.in/2016/03/07/arun-jaitley-introduces-money-bill-on-aadhar-in-lok-sabha-24115/.

[2] See: http://indianexpress.com/article/opinion/columns/show-me-the-money-4/.

[3] See: http://www.thehindu.com/opinion/lead/circumventing-the-rajya-sabha/article7531467.ece.

For more details visit https://cis-india.org/internet-governance/blog/the-aadhaar-act-is-not-a-money-bill

Can the Matters Dealt with in the Aadhaar Act be the Objects of a Money Bill?

Pooja Saxena — 2016-04-24T14:15:06Z

In this infographic, we highlight the matters dealt with in the Aadhaar Act 2016, recently tabled in and passed by the Lok Sabha as a money bill, and consider if these can be objects of a money bill. The infographic is designed by Pooja Saxena, based on information compiled by Sumandro Chattapadhyay and Amber Sinha.

Download the infographic: PDF and JPG.

License: It is shared under Creative Commons Attribution 4.0 International License.

For more details visit https://cis-india.org/internet-governance/blog/can-matters-dealt-with-in-aadhaar-act-be-objects-of-money-bill

Can the Aadhaar Act 2016 be Classified as a Money Bill?

Pooja Saxena — 2016-04-25T13:48:41Z

In this infographic, we show if the Aadhaar Act 2016, recently tabled in and passed by the Lok Sabha as a money bill, can be classified as a money bill. The infographic is designed by Pooja Saxena, based on information compiled by Amber Sinha and Sumandro Chattapadhyay.

Download the infographic: PDF and JPG.

License: It is shared under Creative Commons Attribution 4.0 International License.

For more details visit https://cis-india.org/internet-governance/blog/can-the-aadhaar-act-2016-be-classified-as-a-money-bill

Government keeps experts out of cyber security discussions

praskrishna — 2016-04-24T05:03:34Z

The article by Amrita Madhukalya was published in DNA on April 23, 2016. Pranesh Prakash was quoted.

During India's closed-door discussions on cyber security and Internet policies at the recently-concluded Russia-India-China (RIC) convention, Internet experts fear that the government may be trying to leave out discussions with social stakeholders like social activists, businessmen or the academia. It must be borne in mind that telecom minister Ravi Shankar Prasad in an ICAN meet last year stressed on the role of the government in cyber-security policy measures, despite the need to have an Internet largely unregulated by the government.

Anja Kovacs of the Internet Democracy project feels that India has given away too much, and that India's multi-stakeholder approach in the context of the role of the International Telecommunication Union (ITU) is not too clear. "Russia and China have traditionally, since the 90s, wanted a bigger role for the ITU, despite a pushback from the West. The ITU has had a positive role in the recent past. Yet, when they mention multilateralism, the scope for developing nations is not too wide. The US may have the scope to include several stakeholders from the business community, civil society and academia, but how much scope does a developing country have," says Anja, adding that the mention of internationalising, too, is problematic.

The grouping of the three countries could also be to signal an alliance to counter the US's efforts to ensure the exemption of the UK from the mutual legal assistance treaty (MLAT) system which is headquartered in the United States, says Chinmayi Arun, policy director at the Centre for Communication Governance at NLU Delhi. Under the MLAT process, any request about data that originates in case of a criminal breach from a country is usually routed via US's department of justice, which takes time while following due processes.

"The concerns expressed, understandably, on the growing concerns of cyber terrorism and the efforts to deal with it are needed, but there is no need to exclude other stakeholders in the process," said Chinmayi. "Russia and China have also been pushing for a growing role of the state in policing the government, and are keen to use the UN to facilitate that."

Nikhil Pahwa of Medianama, who steer-headed the net neutrality movement by engaging several stakeholders, says that the government's stance is unclear, as it speaks of both multilateralism and multiple stakeholders, as both are contradictory.

Pranesh Prakash of the Centre for Internet and Society says that he is sceptical of the sentiments expressed on internationalisation of internet governance.

"For instance, there's been a two-year process via which the US's oversight over ICANN and the IANA functions are nominally being removed. But Russia, India, and China have not really pushed for internationalisation, and ICANN and the Internet's root zone system is going to remain subject to US jurisdiction, including US sanctions. If the ministers truly meant what they say, they should intervene in that process and say that we need to internationalise ICANN in practice and spirit, not just in name," he said.

For more details visit https://cis-india.org/internet-governance/news/dna-amrita-madhukalya-april-23-2016-government-keeps-experts-out-of-cyber-security-discussions

CCTV plays Sherlock

praskrishna — 2016-04-24T04:51:04Z

Whether it's the Mercedes hit-and-run in Delhi or the antics of the chaddi baniyan gang in Mumbai, police are increasingly relying on CCTV footage to solve crimes. Sunday Times looks at how the small picture is getting bigger. .

The article by Raj Shekhar, Arun Dev, V Narayan & A Selvaraj with inputs from Sindhu Kannan and Somreet Bhattacharya was published by the Times of India on April 24, 2016. Pranesh Prakash was quoted.

In case after high-profile case, cameras have been the big stars of Delhi police investigations in recent months. After the Civil Lines hit-and-run case, where a 17-year-old driving a Mercedes was caught on camera speeding away from his victim, reliable witness to the crime came from a nearby CCTV. A few weeks ago, in the Vikaspuri lynching on Holi eve that threatened to take on communal colours, it was CCTV footage that clinched the case.

Across India, police officials reel off cases where CCTVs have made all the difference in identifying offenders and speeding up investigations. "Petty crimes like snatchings have been brought down by 50% in areas like Chandni Chowk since 2014," estimates Madhur Verma, DCP (north), Delhi Police. "Even if the face cannot be fully recognised, the timing shown on the CCTV grabs, and proof of the accused being present at the spot, can be useful corroborating evidence for the court," says DCP Dhananjay Kulkarni, explaining how CCTV helped nail the infamous "chaddi baniyan gang" in Borivli, Mumbai.

CCTV cameras have proliferated across our public spaces in the last few years, mutely observing our movements. It's not just the police; shops, companies and individuals install them too, and these come in handy for law enforcement. For instance, Delhi has about 1,79,000 CCTV cameras installed around the city, out of which 4,000 have been placed by the Delhi government, and the rest by private agencies who collaborate with the Delhi Police under its 'Eyes and Ears' scheme. "Cameras are a fact of life around the world, there's no going back for the police or for anyone else," says N Ramachandran, a former IPS officer, now president of the Indian Police Academy think-tank.

Whether London, Boston or Bengaluru, it is often a terrorist attack that shocks a city into ramping up its CCTV network. After the Church Street attacks, the police got cracking on surveillance, using crime-mapping techniques and shortlisting vantage points. While they currently use 300 cameras, the police believe the figure must be taken up to 2,500 to keep a better eye on the city.

But does CCTV control crime? To that question, there is only one unsatisfying answer — it depends. The debate is torn between those who see CCTVs as the embodiment of an eerie Orwellian warning, and those who believe that the more cameras there are, the less crime there will be. Studies, though, suggest that CCTV has specific and narrow uses.

Obviously, it helps catch people who have committed an offence, after the event. CCTV networks, though, have no noticeable impact on crime rates according to several reviews in the US and UK. The UK is the most monitored nation in the world, but as a Home Office study in 2005 concluded, there was no statistically significant reduction in crime, once other variables like seasonal and national trends, and other police initiatives, were factored in.

While CCTVs are not easy to isolate as a determining factor in crime control, they are demonstrably effective in some contexts. They can reduce some kinds of disorder and petty crime, particularly in car parks and public transit. Micro-level analyses of aspects like environmental features, camera line-of-sight, enforcement activity, and camera design suggest that the power to deter crime depends greatly on how the CCTV sites are chosen, and police operations designed.

The downsides are well known. The more mundane footage there is, the harder it is for police to sift through. There is often a displacement effect — the presence of a camera pushes the crime off-stage into other areas, or prompting criminals to change tactics in pursuit of the same ends (ie, rather than carry out a drug transaction on the street, arrange online and deliver). What's more, CCTVs can be gamed. In Mumbai, the police has found out that criminals apply toothpaste or flash a torchlight at the lens, or cover up with helmets and burqas, or even steal the digital video recorder in the CCTV. These cameras have to be constantly maintained. "Many believe that CCTV installation is a one-time investment, but it needs to be serviced to yield results," says S. David, who runs an electronics shop and sells CCTV cameras in Chennai's Ritchie Street.

If there is no overwhelming impact on crime prevention, why are India's security forces investing so heavily in CCTVs, and is it worth the inevitable tradeoff with privacy? More worryingly, it is doing so without any comprehensive regulation on their use.

Before this technology of databases and recording, "we seldom had situations where a police official or private detective was trailing you all day, recording your movements, which is more or less the situation with CCTVs now," says Pranesh Prakash of the Centre for Internet and Society. "Yes, you're in a public space, but that doesn't denude you of privacy".

But as Farhad Manjoo, a prominent tech blogger in the US, pointed out, the benefits outweigh our fears about privacy. "When you weigh cameras against other security measures, they emerge as the least costly and most effective choice. In the aftermath of 9/11, it's impossible for you to get into tall buildings, airports, many museums, concerts, and even public celebrations without being subjected to pat-downs and metal detectors. When combined with competent law enforcement, surveillance cameras are more effective, less intrusive, less psychologically draining, and much more pleasant than these alternatives," wrote Manjoo in Slate.

What we need is public oversight over the surveillance apparatus — in other words, we need to watch how they watch us. If there is clear respect for the principles of proportionality, accountability and transparency, "there need not be a conflict between ethical and effective use of these cameras," says Ramachandran.

For more details visit https://cis-india.org/internet-governance/news/the-times-of-india-raj-shekhar-arun-dev-v-narayan-a-selvaraj-cctv-plays-sherlock

Will Facebook, Twitter relocate servers to India?

praskrishna — 2016-04-23T15:26:39Z

The debate to relocate offshore servers of internet and social media firms including Google, Facebook and Twitter has revived.

The article by Taru Bhatia was published in Governance Now on April 23, 2016. Pranesh Prakash gave inputs.

Home minister Rajnath Singh has requested the social media companies, located outside India, to maintain servers in the country, in order to expedite the process of getting information on accounts which spread mischievous messages posing a threat to law and order situation. The move has come in the backdrop of delayed or no response to the government’s requests to these companies, for extracting information of some of its users on security grounds.

In February, the minister claimed Jamaat-ud-Dawa chief Hafiz Saeed’s involvement in the anti-national slogans that were allegedly raised in the campus of Jawaharlal Nehru University (JNU). The claim was based on a tweet that appeared on a fake twitter account of Saeed (@HafeezSaeedJUD), which was later deactivated by Twitter. But the US-based social media company has still not replied to the Indian government as to who was running the account.

It is interesting to note here that India shares mutual legal assistance treaty with the US, wherein, the duo can share information for the purpose of criminal investigation, via judicial route. The process, however, is lengthy.

“Given the nature of the content, sometimes the government cannot afford to wait. The process of issuing direction to get information or blocking certain content from public view is lengthy. The Indian government under the IT law is empowered to ask these companies to maintain servers in India,” says senior advocate, supreme court, and cyber law expert, Pavan Duggal, terming it as a legitimate concern related to national security. As India is a big market for all these companies, it shouldn’t be a problem for them to have servers in India, he says.

“If the police or security agencies want information from these companies, it becomes tall orders since they are not operating from India. They step back and say they are not accountable,” says Virag Gupta, a senior supreme court lawyer, adding that ministries of telecom and finance must join the home ministry in its request and spearhead the matter.

Gupta has filed a petition in the Delhi high court asking such offshore companies to register themselves under the Indian law. On the other hand, Pranesh Prakash, policy director at center for internet and society (CIS), a non-government research organisation supported by Google, feels that instead of requesting these companies to maintain servers in India, it is best for the government to figure out ways to speed up judicial process of the treaty, when it comes to internet governance.

From July to December 2015, India issued 141 requests to Twitter to retrieve information of its users’ accounts for criminal investigation purpose, as per the company’s transparency report. But the compliance rate was only 42 percent, the report says.

While India seeks information on national security grounds, the law here does not clearly define national security, which is still vast and ambiguous.

“I do believe that there is a need for a much clear definition of national security. If the government really wants to have servers of these companies in India then appropriate guidelines must exist, so that companies should not be taken by surprise,” says Duggal.

Security concerns

Data localisation is witnessing a growing trend among many countries. Last year, Russia enforced law to mandate internet companies to store its citizens’ data within the country. The move is generally taken in fear of losing country’s data to hackers. It also means that it would be easier for the government to get information from these internet companies.

And so protecting data and privacy of individuals within the country is also a matter of concern. Not having a strong data privacy law in place could lead to violation of internet rights of citizens.

“Privacy is a legitimate concern but at the end of the day the government is well empowered in the interest of protecting cyber security under the IT Act. But it is necessary for the government to look at the issue from a holistic perspective. There is a need for balancing privacy and security of an individual on one hand and national security on the other hand,” adds Duggal.

For more details visit https://cis-india.org/internet-governance/news/governance-now-april-23-2016-taru-bhatia-will-facebook-twitter-relocate-servers-to-india

You will need a license to create a WhatsApp group in Kashmir

praskrishna — 2016-04-21T02:34:46Z

The internet rights activists have criticised the move stating it as unconstitutional.

The article was published by Governance Now on April 19, 2016. Pranesh Prakash tweeted on this.

Moving beyond internet ban, Kashmir’s Kupwara district issued a notice asking all admins of WhatsApp news groups to register their groups with the district authority within ten days.

With this move, the authorities are taking power in their hands to monitor WhatsApp news groups owned by private individuals. However, internet rights activists criticised it saying the move is unconstitutional as it breaches freedom of speech.

The circular is issued under the subject of ‘registering of WhatsApp news group and restrictions for spreading rumours thereof’. The district magistrate said that any spread of information by these WhatsApp news groups, “leading to untoward incidents will be dealt under the law”.

You may need a license in Kashmir to run a WhatsApp group

The valley witnessed five-day internet shutdown following the Handwara firing incident. Internet ban is a common phenomenon in Kashmir.

“For how long will the government decide whether we can communicate with each other or not? Actually, the authorities do not want us to spread the truth about the army’s atrocities far and wide,” said a resident of Handwara as quoted in Kashmir Reader.

Earlier, parts of Haryan and Gujarat also witnessed internet ban during Jat and Patidar agitation, respectively.

Blocking all internet access is clearly an unnecessary and disproportionate measure that cannot be countenanced as a ‘reasonable restriction’ on freedom of expression and the right to seek and receive information, which is an integral part of the freedom of expression,” said Pranesh Prakash.

For instance, he adds, a riot-affected woman seeking to find out the address of the nearest hospital cannot do so on her phone. “Instead of blocking access to the internet, the government should seek to quell rumours by using social networks to spread the truth, and by using social networks to warn potential rioters of the consequences,” he said.

Former Mumbai police commissioner Rakesh Maria used WhatsApp to counter rumours spread after circulation of a fake photo in January 2015.

“The way in which the ban is imposed is unreasonable. Problem is in the method that is being used in absence of guidelines, defining circumstances under which they can impose a restriction on internet sites,” says Arun Kumar, head of cyber initiatives at Observer Research Foundation (ORF).

If government formulates these rules or guidelines it will set a threshold for state or central authorities, which will define the urgency of imposing ban on internet services.

For more details visit https://cis-india.org/internet-governance/news/governance-now-april-19-2016-you-will-need-a-license-to-create-whatsapp-group-in-kashmir

RTI regarding Smart Cities Mission in India

Paul Thottan — 2016-04-21T02:25:28Z

Centre for Internet & Society (CIS) had filed an RTI on 3 February 2016 before the Ministry of Urban Development (MoUD) regarding the Smart Cities Mission in India. The RTI sought information regarding the role of various foreign governments, private industry, multilateral bodies that will provide technical and financial assistance for this project and information on Government agreements regarding PPP’s for financing the project.

A response to the RTI is here.

The various government, private industry and civil society actors involved in the Smart Cities Mission.
The various agreements the Government has undertaken through PPP’s for financing the mission.
Role of private companies in this project.
The process for selecting the cities for this mission and ministry responsible for this task.
The various international organisations, foreign governments and multilateral bodies that will provide technical and financial assistance for this project.

The MoUD sent its reply to the RTI application and the response is as follows:

With reference to the first query, the answer provided was that the mission statement and guidelines are available on the Missions website - smartcities.gov.in. This mission statement essentially envisages the role of citizens/citizen groups such as Resident Welfare Associations, Taxpayers Associations, Senior Citizens and Slum Dwellers Associations etc, apart from the government of India, States, Union Territories and Urban local bodies.
Regarding information about agreements for the purpose of financing the project, it has been provided in the response that the Ministry would facilitate the execution of MoU’s between Foreign Agencies and States/UT’s for assistance under this mission. The two agreements that have been executed include the MoU between the United States Trade and Development Agency (USTDA) and the French Agency for Development (AFD) for the States/UT’s of Andhra Pradesh, Uttar Pradesh, Rajasthan, Maharashtra, Chandigarh and Puducherry. They have also provided us with copies of the same and they have been summarised below. They also go on to state that various countries like Spain, Canada, Germany, China, Singapore, UK and South Korea have also shown interest in collaborating with the Ministry for the development of Smart Cities.
CIS sought the documents relating to role of private actors in this field. This information could not be provided by the Department since it was not available with them. Further, an application has been sent to the SC-III Division for providing the information directly to us.
As regards the fourth query, the information provided states that the role of the government, States/UT’s and Urban Local Bodies has been envisaged in para 13 of the Smart Cities Mission Statement - smartcities.gov.in
With respect to the query regarding the foreign actors involved, the information provided states that the documents relating to the involvement of the same are scattered in different files. Compilation of such information would divert the limited resources of the Public Authority disproportionately. Another application must be filed if any specific information is required.

Copies of several MoUs signed between Foreign Development Agencies and States (for the respective cities) that were shared with us are:

Memorandum of Understanding between the United States Trade and Development Agency(USTDA) and the Government of Andhra Pradesh of the Republic of India on Cooperation to support the development of Smart Cities in Andhra Pradesh-namely Visakhapatnam.
Memorandum of Understanding between the United States Trade and Development Agency (USTDA) and the Government of Rajasthan of the Republic of India on Cooperation to support the development of Smart Cities in Rajasthan- namely Ajmer.
Memorandum of Understanding between the United States Trade and Development Agency (USTDA) and the Government of Uttar Pradesh of the Republic of India on Cooperation to support the development of Smart Cities in Uttar Pradesh- namely Allahabad.
Memorandum of Understanding between the Agence Francaise De Developpement and the Government of the Union Territory of Chandigarh of the Republic of India on Technical Cooperation in the field of Sustainable Urban Development.
Memorandum of Understanding between the Agence Francaise De Developpement and the Government of Maharashtra on Technical Cooperation in the field of Sustainable Urban Development.
Memorandum of Understanding between the Agence Francaise De Developpement and the Government of the Union Territory of Puducherry of the Republic of India on Technical Cooperation in the field of Sustainable Urban Development.

Key clauses under the MoU between the United States Trade and Development Agency (USTDA) and the governments of Andhra Pradesh, Rajasthan and Uttar Pradesh are:

The MoU undertaken by the USTDA for the development of Visakhapatnam, Allahabad and Ajmer clearly establishes that the document only cements the intention of the body to assist in the development of these cities and funding must be addressed separately.
The USTDA intends to contribute specific funding for feasibility studies, study tours, workshops/training, and any other projects mutually determined, in furtherance of this interest. The USTDA will also fund advisory services for the same.
The USTDA will seek to bring in other US government agencies such as the Department of Commerce, the US Export Import Bank and other trade and economic agencies to encourage US-India infrastructure development cooperation and support the development of smart cities in Vishakhapatnam, Allahabad and Ajmer.
One of the key points the USTDA stresses on is the creation of a Smart Solutions for Smart Cities Reverse Trade Mission, where Indian delegates will get a chance to showcase their methodologies and inventions in the United States.
The MoU also talks about involving industry organisations in the development of Smart Cities, to address important aviation and energy related infrastructure connected to developing smart cities.
The respective State Governments of the cities will provide resources for the development of these smart cities, including technical information and data related to smart cities planning; staff, logistical and travel support, and state budgetary resources will be allocated accordingly.

Key clauses under the MoU between the Agency Francaise De Developpement (AFD) and the governments of Maharashtra, Chandigarh and Puducherry are:

The MoU with AFD is along the same lines but with more detail provided in the field of research in sustainable urban development. It comprises of four articles dealing with implementation, research, resource allocation and cooperation.
The AFD clearly states that it will adopt an active role in managing and implementing the project.
The AFD will equip the respective state governments with a technical cooperation programme which will include a pool of French experts from the public sector, complemented by experts from the private sector.
The MoU goes on to state the various vectors of sustainable urban development that will be the focal point of this project – urban transport, water and waste management, integrated development and urban planning, architecture and heritage, renewable energy, energy efficiency etc.
Apart from strategizing, the AFD looks to provide technical support as well. This technical expertise would be used to strengthen strategy and management of urban services in the city.
They would also play a key role in management through the creation of a Special Purpose Vehicle(SPV) to build strategic management (Human Resources, finance, potential market assessment) and capacity building for financial management.
As per Article II of the MoU, this support framework will be accompanied by annual reviews, a policy similar to the USTDA Smart Solutions for Smart Cities Reverse Mission with Indian and French counterparts, collaboration between academic and research institutions for the exchange of information, documentation and results of research in the field of smart cities (a key policy to establish firm research groundwork and increase cooperation and innovation), capacity building research and development.
Article III of the MoU deals with resource allocation wherein the respective State Governments will assist AFD by providing technical information and data related to smart cities planning, and also meet their logistical requirements.

For more details visit https://cis-india.org/internet-governance/blog/rti-on-smart-cities-mission-in-india

Aadhaar by Numbers

praskrishna — 2016-09-11T16:36:58Z

Sunil Abraham will be addressing a public seminar at an event organized by National Institute of Public Finance and Policy (NIPFP) in New Delhi on Friday, April 29, 2016.

This talk will reflect on several aspects of the Aadhaar project from a technical perspective. First, there will be a reflection on biometrics as a unique, identification and authentication technology. Second, there will be a critique of open washing by the UIDAI through their adoption of free software and open standards and finally there will be an analysis of alternative technical solutions and architecture which will allow India to harvest the benefits of identity management without the harms and risks of centralized biometrics.

Sunil Abraham

Sunil Abraham (an Ashoka Fellow) is the executive director of the Centre for Internet and Society (CIS), Bangalore/New Delhi. CIS is a 7 year old policy and academic research organisation that focuses on accessibility, access to knowledge, internet governance and telecommunications. He is also the founder and director of Mahiti, a 17 year old social enterprise that aims to reduce the cost and complexity of ICTs for the voluntary sector by using free software. Starting 2004, for 3 years, Sunil also managed the International Open Source Network, a project of UNDP's APDIP, serving 42 countries in the Asia-Pacific region. Sunil currently serves on the advisory boards of OSF – Information Programme, Mahiti and Samvada.

The talk reflected on several aspects of the Aadhaar project from a technical perspective. First, there is a reflection on biometrics as a unique, identification and authentication technology. Second, there is a critique of open washing by the UIDAI through their adoption of free software and open standards and finally there is an analysis of alternative technical solutions and architecture which will allow India to harvest the benefits of identity management without the harms and risks of centralized biometrics.

Video

For more details visit https://cis-india.org/internet-governance/news/aadhaar-by-numbers

2014 showed the power of Twitter, now every Indian politician wants a handle

praskrishna — 2016-04-20T02:33:00Z

Twitter is fast turning into an effective political tool. As political parties fight another round of electoral battles, a new survey on the 2014 general elections states that those who tweeted well, fared well.

The article by T.V. Jayan, Smitha Verma,Sonia Sarkar and V. Kumara Swamy quoted Sumandro Chattapadhyay. Click to read the original published by Telegraph on April 10.

Clean image? Tick. Right caste? Tick. Money to fund an election? Tick. Good rapport with the top brass? Tick. But no followers on Twitter or other social media sites? Sorry, then you are not going to get a ticket for the Uttar Pradesh Assembly polls next year, says Bharatiya Janata Party president Amit Shah.

There was a time when Twitter was what little old ladies – purportedly – did. Now it’s a veritable tool for politicians. As states go for Assembly elections this summer, politicians and their parties are tweeting like never before.

And perhaps rightly so, for a recently published study of the 2014 general elections indicates that the more you tweet, the brighter are your chances of winning. The BJP’s victory in 2014 – which came riding a social media wave – seems to have spurred other parties on.

Twitter, for those who came in late, is the micro-blogging social site that allows you to post, repost and comment on anything under the sun. These days, Twitter in India is abuzz with electoral comments and speculation.

Hashtags related to state elections have been dominating the site. The four major players in Bengal – the Trinamul Congress (TMC), the Communist Party of India (Marxist), the Congress and the BJP – have been giving updates about rallies, poll plans and issues. In Assam, the 81-year-old Congress chief minister, Tarun Gogoi, has started tweeting, too. His posts are mostly about his achievements and critical reviews of the BJP’s poll promises.

The CPI(M), which launched its Twitter handle only in February 2014, now has more than 20,000 followers, marginally more than the TMC’s approximately 19,500 followers. Party general secretary Sitaram Yechury is a relentless tweeter – posting comments on issues that range from fuel price hikes to drought and foreign policy. Other senior party leaders such as West Bengal state secretary Surya Kanta Mishra and Mohammad Salim in Bengal and Pinarayi Vijayan in Kerala have been giving regular updates of the party’s campaign on Twitter and Facebook.

“Twitter gives political organisations the ability to broadcast information on a worldwide stream (not just their subscribers), join any ongoing debates and discussions and have a two-way interaction with the public during political processes and campaigns,” notes the study – The 2014 Indian elections on Twitter: A comparison of campaign strategies of political parties. The study, conducted by researchers from the department of communications, University of California, Davis, and Nanyang Technological University, Singapore, was recently published online in the journal Telematics and Informatics.

India is the third largest user of Twitter in the world, with an estimated 23.2 million active users, up from 11.5 million in 2013. Market researcher group Emarketer estimates that Twitter will have around 40 million users in India by 2018.

That is a sizable number. No surprise then that political parties are reaching out to voters with the help of social media arms such as Twitter.

“Twitter is an important platform for the Congress to reach out to a certain section but the content has to be important,” agrees Congress leader Sachin Pilot, who joined Twitter in March 2014, but started tweeting actively four months ago. “We joined the medium late but we are using it positively and not to spread exaggerated promises or look at short-term gains,” he says.

Indeed, the Congress has been greatly outpaced by BJP in the race for tweets. According to the University of California study, the BJP posted 80,981 tweets during the 2014 elections, far ahead of any of the other political parties. The Aam Aadmi Party (AAP) came next with 7,980 tweets, followed by the TMC with 3,990 and the Congress with 2,890. The CPI(M) had 402 tweets.

“The 2014 general elections was the first time social media was being used for electoral campaigning in India and hence the disparity in usage between parties,” says Saifuddin Ahmed, the corresponding author of the study. “The next general elections would be a different game as most of the parties would be well-prepared going by the success of BJP’s 2014 social media campaign.”

The study found that the BJP’s Twitter feed dealt with campaign updates (28 per cent) and criticism of other political parties or moves (24 per cent). It also posted the second-highest in proportion and the highest in absolute numbers of self-promotion tweets (19 per cent as against AAP’s 35 per cent).

“We strongly believe that a message is effectively sent across when one has a credible message, a credible messenger and also a credible tool of communication. And Twitter is a credible tool,” asserts Dilip Pandey, AAP’s head of communications.

The study says the BJP often tweeted the words “thank you” while the Congress’s pet phrases included “Gandhi Gandhi” (in a single tweet). AAP used old emotional slogans such as ” Satyamev Jayate” and “Azaadi ladai”.

It concludes that the winning party’s electoral success [in 2014] is significantly associated with its use of Twitter for engaging voters.

“The BJP’s primary purpose was to use Twitter as a broadcasting medium, and they tweeted their party messages as shareable content, such as images, which users could share in their personal networks,” Ahmed points out.

Not surprisingly, others are embracing Twitter. In Maharashtra, the BJP state unit campaigned extensively on social media for Assembly elections – and ended up forming the government in the state.

“A tweet helps in changing mindset and perception. The urban population which never voted for BJP was targeted through Twitter to present the vision of our party,” says Jiten Gajaria, BJP social media head during Maharashtra elections.

Elsewhere, too, political leaders have been jumping on to the Twitter bandwagon. Nitish Kumar joined Twitter in May 2010, but remained almost inactive for most of his second term before springing back to life in 2015 before the elections. More than 95 per cent of his tweets were posted in the election year. There was even a question-answer-session with people on Twitter.

“Nitish ji in a way engaged with the media through his Twitter handle,” Janata Dal (United) spokesperson K.C. Tyagi says. “He would tweet something about the BJP or Modi and that became the talking point. The NDA was asked by the media to respond to the tweet.”

Modi joined Twitter in January 2009, and Kejriwal in 2011 before launching AAP. Among politicians, the two most active tweeters are Shashi Tharoor of the Congress and Derek O’Brien of the TMC. Rahul Gandhi’s first tweet was on May 7, 2015, about beginning a padayatra in Telangana’s Adilabad district.

Though a late entrant, the CPI(M), too, sees advantages of using the medium. “We don’t want to leave any stone unturned during the elections and being on Twitter is a part of the strategy,” says Rajya Sabha member Ritabrata Banerjee. “Although we don’t believe in hiring professionals, as the BJP does to prop itself up on Twitter, we believe people will follow us and listen to what we are saying.”

However, Sumandro Chattopadhyay, research director, Centre for Internet and Society, Bangalore, is sceptical about linking electoral victories to Twitter usage.

“There are many variables such as Internet penetration, media device availability and media exposure. Rich states always perform better in these parameters,” Chattopadhyay says.

Politicians also stress that Twitter is just one of the tools of a campaign. “The social media is one part of a 360-degree electoral strategy. Twitter probably is only 10 degrees of the overall electoral strategy,” O’Brien states.

And not all politicians look at Twitter as the virtual equivalent of traditional campaigns.

“What we see on Twitter is exaggerated hysteria,” says a BJP leader who is also active on Twitter. “Twitter is a double-edged sword. It is an effective tool for putting your message to an expanding and bigger audience. But at the same time, we don’t know if what we are being told is true because we cannot verify the source.”

A member of the CPI(M)’s communications team stresses that traditional modes of campaigning still outrank social media campaigns. “We believe that as far as our connection with the people is concerned, there is no alternative to the traditional way of reaching out to the masses,” he says. “Twitter can only publicise what we do on the ground.”

In the final analysis, does popularity on Twitter translate into votes? Shah seems to believe so – he is not giving away tickets to BJP members if they don’t have enough followers on Twitter or Facebook. But the Twitter-savvy BJP leader, who seeks anonymity, doesn’t agree.

“It could be one of the factors to influence voters. Maybe a fraction of voters form their opinion based on what they see on Twitter. But it is certainly not the most decisive factor,” he says.

Meanwhile, as politicians battle it out, Twitter is making the most of the poll fervour. The site has said it will launch an exclusive emoji for the Tamil Nadu Assembly elections, which will come up on counting day in May. Did we just hear Twitter crow?

– T.V. Jayan, Smitha Verma,Sonia Sarkar and V. Kumara Swamy report.

For more details visit https://cis-india.org/internet-governance/news/the-telegraph-april-10-2016-2014-showed-the-power-of-twitter

PMO’s no to smart cards, insists on Aadhaar

praskrishna — 2016-04-20T02:19:18Z

The government has decided to stop issuing new smart cards to beneficiaries of government schemes as Aadhaar is now backed by a law.

The article by Somesh Jha was published in the Hindu on April 10, 2016. Sunil Abraham was quoted.

The Prime Minister’s Office (PMO) has issued strict instructions to the Information Technology Ministry to ensure that States and the Central governmentstop issuing smart cards for new programmes for beneficiaries, and to rely on the Aadhaar-based Direct Benefit Transfer platform instead.

The move will impact ministries such as Labour, Social Justice and Health, which are in the process or have already rolled out smart cards.

The government had said earlier that over 100 crore people, constituting 93 per cent of the adult population, had a unique identification (UID) number under the Aadhaar platform.

“The undersigned is directed to request the department to examine the need for state and central government departments to issue separate smart cards in the light of the near universal coverage of Aadhaar and the delivery of the most public welfare benefits through Aadhaar enabled platforms,” according to a directive issued by Gulzar N, Director, PMO, to Aruna Sharma, Secretary, Department of Electronics and Information Technology.

“The undersigned is also directed to request the department to prepare policy on the delivery of various public services using Aadhaar, Jan Dhan Yojana and existing platforms without the issuance of new smart cards.”

Last month, Union Minister for Social Justice and Empowerment Thaawar Chand Gehlot had announced that all differently abled persons would soon get a unique identity card to avail welfare schemes. .

State governments had also planned to use smart card technology for welfare schemes. For instance, Odisha was mulling smart cards for construction workers in the State.

The PMO sent a separate communiqué to Labour Secretary Shankar Aggarwal in the context of a proposal to issue 40 crore smart cards to informal sector workers, called the Unorganised Workers’ Identification Number (U-WIN). The UWIN cards were to be used by these workers to access benefits under schemes such as Rashtriya Swasthya Bima Yojana , Aam Aadmi Bima Yojana , Atal Pension Yojana, Pradhan Mantri Suraksha Bima Yojana and Jeevan Jyoti Bima Yojana.

The PMO rejected the proposal noting that Aadhaar would act as a “universal unique identifier for each citizen.”

“Adding a UWIN number would not only duplicate work, but also introduce further problems in linking up with other databases which have already been linked with Aadhaar,” said the missive reviewed by The Hindu.

However, experts are sceptical of the government’s move.

“Smart cards are always better than biometrics. If that was not the case, the global financial infrastructure today will be working on biometrics and not on smart cards,” said Sunil Abraham, executive director of The Centre for Internet and Society.

“Why are these banks working on smart cards? Smart cards work using cryptography, which is more fool-proof than biometrics. Biometrics allow for remote, covert and non-consensual identification,” Mr. Abraham said.

Smart card vendors, however, said the move may not impact their market. “The demand for smart cards is massive in all the other segments such as for use in debit and credit cards or driving licenses and vehicle registration numbers,” said Deven Mehta, managing director of the Mumbai-based Smart Card IT Solutions.

For more details visit https://cis-india.org/internet-governance/news/the-hindu-april-10-2016-somesh-jha-pmo-no-to-smart-cards-insists-aadhaar

The Last Chance for a Welfare State Doesn’t Rest in the Aadhaar System

sumandro — 2016-04-19T13:18:42Z

Boosting welfare is the message, which is how Aadhaar is being presented in India. The Aadhaar system as a medium, however, is one that enables tracking, surveillance, and data monetisation. This piece by Sumandro Chattapadhyay was published in The Wire on April 19, 2016.

Originally published in and cross-posted from The Wire.

Once upon a time, a king desired that his parrot should be taught all the ancient knowledge of the kingdom. The priests started feeding the pages of the great books to the parrot with much enthusiasm. One day, the king asked the priests if the parrot’s education has completed. The priests poked the belly of the parrot but it made no sound. Only the rustle of undigested pages inside the belly could be heard. The priests declared that the parrot is indeed a learned one now.

The fate of the welfare system in our country is quite similar to this parrot from Tagore’s parable. It has been forcefully fed identification cards and other official documents (often four copies of the same) for years, and always with the same justification of making it more effective and fixing the leaks. These identification regimes are in effect killing off the welfare system. And some may say that that has been the actual plan in any case.

The Aadhaar number has been recently offered as the ‘last chance’ for the ailing welfare system – a last identification regime that it needs to gulp down to survive. This argument wilfully overlooks the acute problems with the Aadhaar project.

Firstly, the ‘last chance’ for a welfare state in India is not provided by implementing a new and improved identification regime (Aadhaar numbers or otherwise), but by enabling citizens to effectively track, monitor, and ensure delivery of welfare, services, and benefits. This ‘opening up’ of the welfare bureaucracy has been most effectively initiated by the Right to Information Act. Instead of a centralised biometrics-linked identity verification platform, which gives the privilege of tracking and monitoring welfare flows only to a few expert groups, an effective welfare state requires the devolution of such privilege and responsibility.

We should harness the tracking capabilities of electronic financial systems to disclose how money belonging to the Consolidated Fund of India travel around state agencies and departmental levels. Instead, the Aadhaar system effectively stacks up a range of entry barriers to accessing welfare – from malfunctioning biometric scanners, to connectivity problems, to the burden of keeping one’s fingerprint digitally legible under all labouring and algorithmic circumstances.

Secondly, authentication of welfare recipients by Aadhaar number neither make the welfare delivery process free of techno-bureaucratic hurdles, nor does it exorcise away corruption. Anumeha Yadav has recently documented the emerging ‘unrest at the ration shop’ across Rajasthan, as authentication processes face technical and connectivity delays, people get ‘locked out’ of public services for not having or having Aadhaar number with incorrect demographic details, and no mechanisms exist to provide rapid and definitive recourse.

RTI activists at the Satark Nagrik Sangathan have highlighted that the Delhi ration shops, using Aadhaar-based authentication, maintain only two columns of data to describe people who have come to the shop – those who received their ration, and those who did not (without any indication of the reason). This leads to erasure-by-design of evidence of the number of welfare-seekers who are excluded from welfare services when the Aadhaar-based authentication process fails (for valid reasons, or otherwise).

Reetika Khera has made it very clear that using Aadhaar Payments Bridge to directly transfer cash to a beneficiary’s account, in the best case scenario, may only take care of one form of corruption: deception (a different person claiming to be the beneficiary). But it does not address the other two common forms of public corruption: collusion (government officials approving undue benefits and creating false beneficiaries) and extortion (forceful rent seeking after the cash has been transferred to the beneficiary’s account). Evidently, going after only deception does not make much sense in an environment where collusion and extortion are commonplace.

Thirdly, the ‘relevant privacy question’ for Aadhaar is not limited to how UIDAI protects the data collected by it, but expands to usage of Aadhaar numbers across the public and private sectors. The privacy problem created by the Aadhaar numbers does begin but surely not end with internal data management procedures and responsibilities of the UIDAI.

On one hand, the Aadhaar Bill 2016 has reduced the personal data sharing restrictions of the NIAI Bill 2010, and has allowed for sharing of all data except core biometrics (fingerprints and iris scan) with all agencies involved in authentication of a person through her/his Aadhaar number. These agencies have been asked to seek consent from the person who is being authenticated, and to inform her/him of the ways in which the provided data (by the person, and by UIDAI) will be used by the agency. In careful wording, the Bill only asks the agencies to inform the person about “alternatives to submission of identity information to the requesting entity” (Section 8.3) but not to provide any such alternatives. This facilitates and legalises a much wider collection of personal demographic data for offering of services by public agencies “or any body corporate or person” (Section 57), which is way beyond the scope of data management practices of UIDAI.

On the other hand, the Aadhaar number is being seeded to all government databases – from lists of HIV patients, of rural citizens being offered 100 days of work, of students getting scholarships meant for specific social groups, of people with a bank account. Now in some sectors, such as banking, inter-agency sharing of data about clients is strictly regulated. But we increasingly have non-financial agencies playing crucial roles in the financial sector – from mobile wallets to peer-to-peer transaction to innovative credit ratings. Seeding of Aadhaar into all government and private databases would allow for easy and direct joining up of these databases by anyone who has access to them, and not at all by security agencies only.

When it becomes publicly acceptable that the money bill route was a ‘remedial’ instrument to put the Rajya Sabha ‘back on track’, one cannot not wonder about what was being remedied by avoiding a public debate about the draft bill before it was presented in Lok Sabha. The answer is simple: welfare is the message, surveillance is the medium.

Acceptance and adoption of all medium requires a message, a content. The users are interested in the message. The message, however, is not the business. Think of Free Basics. Facebook wants people with none or limited access to internet to enjoy parts of the internet at zero data cost. Facebook does not provide the content that the users consume on such internet. The content is created by the users themselves, and also provided by other companies. Facebook own and control the medium, and makes money out of all content, including interactions, passing through it.

The UIDAI has set up a biometric data bank and related infrastructure to offer authentication-as-a-service. As the Bill clarifies, almost all agencies (public or private, national or global) can use this service to verify the identity of Indian residents. Unlike Facebook, the content of these services do not flow through the Aadhaar system. Nonetheless, Aadhaar keeps track of all ‘authentication records’, that is records of whose identity was authenticated by whom, when, and where. This database is gold (data) mine for security agencies in India, and elsewhere. Further, as more agencies use authentication based on Aadhaar numbers, it becomes easier for them to combine and compare databases with other agencies doing the same, by linking each line of transaction across databases using Aadhaar numbers.

Welfare is the message that the Aadhaar system is riding on. The message is only useful for the medium as far as it ensures that the majority of the user population are subscribing to it. Once the users are enrolled, or on-boarded, the medium enables flow of all kinds of messages, and tracking and monetisation (perhaps not so much in the case of UIDAI) of all those flows. It does not matter if the Aadhaar system is being introduced to remedy the broken parliamentary process, or the broken welfare distribution system. What matters is that the UIDAI is establishing the infrastructure for a universal surveillance system in India, and without a formal acknowledgement and legal framework for the same.

For more details visit https://cis-india.org/internet-governance/blog/the-last-chance-for-a-welfare-state-doesnt-rest-in-the-aadhaar-system

Why is the UIDAI cracking down on individuals that hoard Aadhaar data?

praskrishna — 2016-04-17T16:16:26Z

Private firms' offer to print Aadhaar details on plastic card a breach of law.

The article by Alnoor Peermohamed was published by Business Standard on April 13, 2016. Sunil Abraham was quoted.

The billion-strong citizen identification system, Aadhaar, has given rise to businesses keen on illegal harnessing of this private data, say the authorities.

Outfits are offering services to print the Aadhaar details on plastic cards, something the Union information technology ministry warned against on Monday. These entities charge anywhere between Rs 50 and Rs 600, and are listed on e-commerce websites, apart from own online presence.

Under the Aadhaar law, collecting and storing of the data by private companies without the user’s consent is a crime. Monday’s warning from the ministry to e-commerce marketplaces such as Amazon, Flipkart and eBay to disallow merchants from collecting and printing such details was a result of this.

This newspaper could not find any listings of Aadhaar printing services on Flipkart but there was one on Amazon (taken down) and no less than five such listings on eBay.

PrintMyAadhaar is one of the more well organised outfits operating in this space. “Get your E-Aadhaar printed on a PVC card for easier handling,” reads their website. Users are prompted to fill their Aadhaar details on the website, pay Rs 50 and have the card sent to their houses. PrintMyAadhaar even offers discounts for bulk orders.

“Collecting such information or unauthorised printing of an Aadhaar card or aiding such persons in any manner may amount to a criminal offence, punishable with imprisonment under the Indian Penal Code and also Chapter VI of The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016,” read the statement from the ministry.

Currently, Aadhaar stores a person’s name, date of birth, sex and address, apart from their biometric data.

While the biometric data isn’t available to these PDF printing shops, the rest of the information is, according to Srikanth Nadhamuni, chief executive officer of Khosla Labs and a former head of technology at the Unique Identification Authority of India. However, collecting this data poses no security risk to the Aadhaar infrastructure, he added.

“Allowing somebody to accumulate large amounts of data from Aadhaar users in general is not a good practice. We should ensure that the Aadhaar details of people remain private and it should only be up to the discretion of the end-user to share this,” said Nadhamuni.

Some security experts say Aadhaar does pose a security risk, as it makes available an individual's details in the public domain. Several institutions are treating Aadhaar just like any other proof of identity.

“Transactions that should have been conducted using biometric authentication are being conducted just by presentation of paper documents. What is happening most commonly is that people are giving a printout or photocopy of their Aadhaar acknowledgement as their proof of identity to get a SIM card. The risk here is that somebody can get a mobile number against your name,” said Sunil Abraham, executive director of the non-profit Centre for Internet and Society.

He says the other technical issue with Aadhaar is the lack of a smart card that stores a person’s information, as in a digital signature. Due to the lack of this, people don’t know what information to keep private and what to make public. Conventional security techniques would have had a person keeping their PIN private (as with a bank account). If this personal PIN would have been saved on a smart card, which users wouldn’t have had much to worry about.

“In the case of Aadhaar, the authentication factor and the identification factor are in the public domain, because many people might have your UID number and people release their biometric data everywhere. Due to this broken technological solution, we are now through policy putting band-aids, saying people should not disclose their UID number unnecessarily,” added Abraham.

For more details visit https://cis-india.org/internet-governance/news/business-standard-alnoor-peermohamed-april-13-2016-why-is-uidai-cracking-down-on-individuals-that-hoard-aadhaar-data

Online Censorship on the Rise: Why I Prefer to Save Things Offline

nishant — 2016-06-05T03:26:50Z

As governments use their power to erase what they do not approve of from the web, cloud storage will not be enough.

The article was published in the Indian Express on April 17, 2016.

It took me some time to trust the cloud. Growing up with digital technologies that were neither resilient nor reliable — a floppy drive could go kaput without you having done anything, a CD once scratched could not be recovered, hard drives malfunctioned and it was a given that once every few months your PC would crash and need a re-install — I have always been paranoid about making backups and storing information. Once I kicked into my professional years, I developed a foolproof, albeit paranoid, system, where I backed up my machines to a common hard drive, made a mirror image of that hard drive, and for absolutely crucial documents, I would put them on to a separate DVD which would have the emergency documents. It was around 2006, when I discovered the cloud.

It began with Google’s unlimited email accounts where you could mail information to yourself and then it would stay there for a digital eternity. I noticed that the size of my digital storage began decreasing. I no longer download videos I find on the web. I don’t save information on a device and I have come to think of the web as one large cloud, relying on the fact that if something is online once, it will always be available to me.

However, over the last couple of months, I have started noticing something different in my usage patterns. These days, when I do come across interesting information, instead of merely indexing it, I find myself making an offline copy of that information. Tweets enter a Storify folder. YouTube videos get downloaded. I make PDF copies of blogs and take screenshots of digital medial updates. I have been wondering why I am suddenly so invested in archiving the web when, theoretically, it is always there.

When I voiced this to a group of young students, I was surprised to hear that I wasn’t alone. The web is becoming a space that is crowded with take-downs, deletions, removals, and retractions which leave no archival memory. The students quickly pointed out that these take-downs are not just personal redactions. In fact, what we personally choose to remove has very little chances of actually disappearing from the web. Instead, these are things that are removed by governments, private companies and intermediaries who are being largely held liable for the content of the information that they make available.

Turkey, recently, demanded that German authorities remove a satirical German video titled Erdowie, Erdowo, Erdogan mocking their President. In response, Germany reminded the Turkish diplomacy of that lovely little thing called freedom of speech, and in the meantime, Extra 3, the group that had released the video on YouTube, added English subtitles to the video. Just for perks. I hope you gave a brownie point to Germany, even as you scrambled to see the video.

On the home front, though, things are not as celebratory. The minister of state for information and broadcasting, Rajyavardhan Rathore, and the head of the BJP’s information and technology cell, Arvind Gupta, have called for action against journalist Raghav Chopra who tweeted a photoshopped image of PM Narendra Modi bending down to touch the feet of a man dressed in Saudi Arabia’s national dress, to make a political comment about the PM’s recent visit to SA.

The two politicos, who have not had much to say about the doctored videos that were used to convict innocent students in JNU or the photoshopping that the government’s Press Information Bureau had indulged in to give us that iconic image of the prime minister doing an aerial survey of #ChennaiFloods, have taken umbrage against an image because it seems (obviously) false, and are demanding its takedown.

My proclivity for saving things offline is perhaps fuelled by this web of partisan censorship and the atmosphere of precarious hostility that governments seem to be supporting. Increasingly, we have seen, in India and around the globe, a rush of political power that exercises its clout to remove information, images and stories that they do not approve of.

Instinctively, I am reacting to the fact that intellectual questioning or cultural critique is being removed from the web at the behest of these vested powers, and that the cloud, light and airy as it sounds, is prone to some incredible acts of censorship and removal. I have found myself facing too many removal notices and take-down errors when trying to revisit bookmarked sites, that I am beginning to feel that the only way to keep my information safe might be to archive the whole web on a personal server.

For more details visit https://cis-india.org/internet-governance/blog/indian-express-nishant-shah-april-17-2016-online-censorship-on-the-rise

Aadhaar Act and its Non-compliance with Data Protection Law in India

vanya — 2016-04-18T11:43:02Z

This post compares the provisions of the Aadhaar Act, 2016, with India's data protection regime as articulated in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

Download the file: PDF.

Amidst all the hue and cry, the Aadhaar Act 2016, which was introduced with the aim of providing statutory backing to the use of Aadhaar, was passed in the Lok Sabha in its original form on March 16, 2016, after rejecting the recommendations made by Rajya Sabha . Though the Act has been vehemently opposed on several grounds, one of the concerns that has been voiced is regarding privacy and protection of the demographic and biometric information collected for the purpose of issuing the Aadhaar number.

In India, for the purpose of data protection, a body corporate is subject to section 43A of the Information Technology Act, 2000 ("IT Act ") and subsequent Rules, i.e. -The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 ("IT Rules"). Section 43A of the IT Act, 2000 holds a body corporate, which is possessing, dealing or handling any sensitive personal data or information, and is negligent in implementing and maintaining reasonable security practices resulting in wrongful loss or wrongful gain to any person, liable to compensate the affected person and pay damages.

Rule 3 of the IT Rules enlists personal information that would amount to Sensitive personal data or information of a person and includes the biometric information. Even the Aadhaar Act states under section 30 that the biometric information collected shall be deemed as "sensitive personal data or information", which shall have the same meaning as assigned to it in clause (iii) of the Explanation to section 43A of the IT Act; this reflects that biometric data collected in the Aadhaar scheme will receive the same level of protection as is provided to other sensitive personal data under Indian law. This implies that, the agencies contracted by the UIDAI (and not the UIDAI itself) to perform functions like collection, authentication, etc. like the Registrars, Enrolling Agencies and Requesting Entities, which meet the criteria of being a 'body corporate' as defined in section 43A, could be held responsible under this provision, as well as the Rules, to ensure security of the data and information of Aadhaar holder and could potentially be held liable for breach of information that results in loss to an individual if it can be proven that they failed to implement reasonable security practices and procedures.

In light of the fact that some actors in the Aadhaar scheme could be held accountable and liable under section 43A and associated Rules, this article compares the regulations regarding data security as found in section 43A and IT Rules 2011 with the provisions of Aadhaar Act 2016, and discusses the implications of the differences, if any.

1. Compensation and Penalty

Section 43A: Section 43A of the IT Act, 2000 (Amended in 2008) provides for compensation for failure to protect data. It states that a body corporate, which is possessing, dealing or handling any sensitive personal data or information, and is negligent in implementing and maintaining reasonable security practices resulting in wrongful loss or wrongful gain to any person, is liable to compensate the affected person and pay damages not exceeding five crore rupees.

Aadhaar Act : Chapter VII of the Act provides for offences and penalties, but does not talk about damages to the affected party.

Section 37 states that intentional disclosure or dissemination of identity information, to any person not authorised under the Aadhaar Act, or in violation of any agreement entered into under the Act, will be punishable with imprisonment up to three years or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).
Section 38 prescribes penalty with imprisonment up to three years and a fine not less than ten lakh rupees in case any of the acts listed under the provision are performed without authorisation from the UIDAI.
Section 39 prescribes penalty with imprisonment for a term which may extend to three years and fine which may extend to ten thousand rupees for tampering with data in Central Identities Data Repository.
Section 40 holds a requesting entity liable for penalty for use of identity information in violation of Section 8 (3) with imprisonment up to three years and/or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).
Section 41 holds a requesting entity or enrolling agency liable for penalty for violation of Section 8 (3) or Section 3 (2) with imprisonment up to one year and/or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).
Section 42 provides general penalty for any offence against the Act or regulations made under it, for which no specific penalty is provided, with imprisonment up to one year and/or a fine up to twenty five thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).

Though the Aadhaar Act prescribes penalty in case of unauthorised access, use or any other act contravening the Regulations, it fails to guarantee protection to the information and does not provide for compensation in case of violation of the provisions.

2. Privacy Policy

IT Rules: Rule 4 requires a body corporate to provide a privacy policy on their website, which is easily accessible, provides for the type and purpose of personal, sensitive personal information collected and used, and Reasonable security practices and procedures.

Aadhaar Act: Though in practise the contracting agencies (the body corporates under the Aadhaar ecosystem) may maintain a privacy policy on their website, the Aadhaar Act does not require a privacy policy for the UIDAI or other actors.

Implications: Because contracting agencies will be covered by the IT Rules if they are 'body corporates', the requirement to maintain a privacy policy will be applicable to them.

3. Consent

IT Rules: Rule 5 requires that prior to the collection of sensitive personal data, the body corporate must obtain consent, either in writing or through fax regarding the purpose of usage before collection of such information.

Aadhaar Act: The Act is silent regarding consent being acquired in case of the enrolling agency or registrars. However, section 8 provides that any requesting entity will take consent from the individual before collecting his/her Aadhaar information for authentication purposes, though it does not specify the nature (written/through fax).

Implications: If the enrolling agency is a body corporate, they will also be required to take consent prior to collecting and processing biometrics. It is possible that since the Aadhaar Act envisages a scheme which is quasi-compulsory in nature, a consent provision was deliberately left out. This circumstance would give the enrolling agencies an argument against taking consent, by saying that the Aadhaar Act is a specific legislation which is also later in point of time than the IT Rules, and a deliberate omission of consent coupled with the compulsory nature of the Aadhaar scheme would mean that they are not required to take consent of the individuals before enrolment.

4. Collection Limitation

IT Rules: Rule 5 (2) requires that a body corporate should only collect sensitive personal data if it is connected to a lawful purpose and is considered necessary for that purpose.

Aadhaar Act: Section 3(1) of the Act states that every resident shall be entitled to obtain an aadhaar number by submitting his demographic information and biometric information by undergoing the process of enrolment.

5. Notice

IT Rules: Rule 5(3) requires that while collecting information directly from an individual, the body corporate must provide the following information:

The fact that information is being collected
The purpose for which the information is being collected
The intended recipients of the information
The name and address of the agency that is collecting the information
The name and address of the agency that will retain the information

Aadhaar Act: Section 3 of the Act states that at the time of enrolment and collection of information, the enrolling agency shall notify the individual as to how their information will be used; what type of entities the information will be shared with; and that they have a right to see their information and also tell them how they can see their information. However, the Act is silent regarding notice of name and address of the agency collecting and retaining the information.

6. Retention Limitation

IT Rules: Rule 5(4) requires that body corporate must retain sensitive personal data only for as long as it takes to fulfil the stated purpose or otherwise required under law.

Aadhaar Act: The Act is silent regarding this and does not mention the duration for which the personal information of an individual shall be retained by the bodies/organisations contracted by UIDAI.

7. Purpose Limitation

IT Rules: Rule 5(5) requires that information must be used for the purpose that it was collected for.

Aadhaar Act Section 57 contravenes this and states that the Act will not prevent use of Aadhaar number for other purposes under law by the State or other bodies. Section 8 of the Act states that for the purpose of authentication, a requesting entity is required to take consent before collection of Aadhaar information and use it only for authentication with the CIDR. Section 29 of the Act states that the core biometric information collected will not be shared with anyone for any reason, and must not be used for any purpose other than generation of Aadhaar numbers and authentication. Also, the Identity information available with a requesting entity will not be used for any purpose other than what is specified to the individual, nor will it be shared further without the individual's consent.

Act will not prevent use of Aadhaar number for other purposes under law by the State or other bodies.

8. Right to Access and Correct

IT Rules : Rule 5(6) requires a body corporate to provide individuals with the ability to review the information they have provided and access and correct their personal or sensitive personal information.

Aadhaar Act : The Act provides under section 3 that at the time of enrolment, the individual needs to be informed about the existence of a right to access information, the procedure for making requests for such access, and details of the person or department in-charge to whom such requests can be made. Section 28 of the Act provides that every aadhaar number holder may access his identity information except core biometric information. Section 32 provides that every Aadhaar number holder may obtain his authentication record. Also, if the demographic or biometric information about any Aadhaar number holder changes, is lost or is found to be incorrect, they may request the UIDAI to make changes to their record in the CIDR.

9. Right to 'Opt Out' and Withdraw Consent

IT Rules: Rule 5(7) requires that the individual must be provided with the option of 'opting out' of providing data or information sought by the body corporate. Also, they must have the right to withdraw consent at any point of time.

Aadhaar Act: The Aadhaar Act does not provide an opt- out provision and also does not provide an option to withdraw consent at any point of time. Section 7 of the Aadhaar Act actually implies that once the Central or State government makes aadhaar authentication mandatory for receiving a benefit then the individual has no other option but to apply for an Aadhaar number. The only concession that is made is that if an Aadhaar number is not assigned to an individual then s/he would be offered some alternative viable means of identification for receiving the benefit.

10. Grievance Officer

IT Rules: Rule 5(9) requires that body corporate must designate a grievance officer for redressal of grievances, details of which must be posted on the body corporate's website and grievances must be addressed within a month of receipt.

Aadhaar Act: The Aadhaar Act does not provide for any such mechanism for grievance redressal by the registrars, enrolling agencies or the requesting entities. However, since the contracting agencies will also get covered by the IT Rules if they are 'body corporates', the requirement to designate a grievance officer would be applicable to them as well due to the IT Rules.

11. Disclosure with Consent, Prohibition on Publishing and Further Disclosure

IT Rules: Rule 6 requires that body corporate must have consent before disclosing sensitive personal data to any third person or party, except in the case with Government agencies for the purpose of verification of identity, prevention, detection, investigation, on receipt of a written request. Also, the body corporate or any person on its behalf shall not publish the sensitive personal information and the third party receiving the sensitive personal information from body corporate or any person on its behalf shall not disclose it further.

Aadhaar Act: Regarding the requesting entities, the Act provides that they shall not disclose the identity information except with the prior consent of the individual to whom the information relates. The Act also states that the Authority shall take necessary measures to ensure confidentiality of information against disclosures. However, as an exception under section 33, the UIDAI may reveal identity information, authentication records or any information in the CIDR following a court order by a District Judge or higher. The Act also allows disclosure made in the interest of national security following directions by a Joint Secretary to the Government of India, or an officer of a higher rank, authorised for this purpose. The Act is silent on the issue of obtaining consent of the individual under these exceptions. Additionally, the Act also states that the Aadhaar number or any core biometric information collected or created regarding an individual under the Act shall not be published, displayed or posted publicly, except for the purposes specified by regulations.

12. Requirements for Transfer of Sensitive Personal Data

IT Rules : Rule 7 requires that body corporate may transfer sensitive personal data into another jurisdiction only if the country ensures the same level of protection and may be allowed only if it is necessary for the performance of the lawful contract between the body corporate or any person on its behalf and provider of information or where such person has consented to data transfer.

Aadhaar Act : The Act is silent regarding transfer of personal data into another jurisdiction by the any of the contracting bodies like the Registrar, Enrolling agencies or the requesting entities. However, if these agencies satisfy the requirement of being "body corporates" as defined under section 43A, then the above requirement regarding transfer of data to another jurisdiction under IT Rules would be applicable to them. However, considering the sensitive nature of the data involved, the lack of a prohibition of transferring data to another jurisdiction under the Aadhaar Act appears to be a serious lacuna.

13. Security of Information

IT Rules: Rule 8 requires that the body corporate must secure information in accordance with the ISO 27001 standard or any other best practices notified by Central Government. These practices must be audited annually or when the body corporate undertakes a significant up gradation of its process and computer resource.

Aadhaar Act: Section 28 of the Act states that the UIDAI must ensure the security and confidentiality of identity information and authentication records. It also states that the Authority shall adopt and implement appropriate technical and organisational security measures, and ensure the same are imposed through agreements/arrangements with its agents, consultants, advisors or other persons. However, it does not mention which standards/measures have to be adopted by all the actors in Aadhaar ecosystem for ensuring the security of information, though it can be argued that if the contractors employed by the UIDAI are body corporate then the standards prescribed under the IT Rules would be applicable to them.

Implications of the Differences for Body Corporates in Aadhaar Ecosystem

An analysis of the Rules in comparison to the data protection measures under the Aadhaar Act shows that the requirements regarding protection of personal or sensitive personal information differ and are not completely in line with each other.

Though the Aadhaar Act takes into account the provisions regarding consent of the individual, notice, restriction on sharing, etc., the Act is silent regarding many core measures like sharing of information across jurisdictions, taking consent before collection of information, adoption of security measures for protection of information, etc. which a body corporate in the Aadhaar ecosystem must adopt to be in compliance with section 43A of the IT Act. It is therefore important that the bodies collecting, handling, sharing the personal information and are governed by the Aadhaar Act, must adhere to section 43A and the IT Rules 2011. However, applicability of Aadhaar Act as well as section 43A and IT Rules 2011 would lead to ambiguity regarding interpretation and implementation of the Law. The differences must be duly taken into account and more clarity is required to make all the bodies under this Legislation like the enrolling agencies, Registrars and the Requesting Entities accountable under the correct provisions of Law. However, having two separate legislations governing the data protection standards in the Aadhaar scheme seems to have been overlooked. A harmonized and overarching privacy legislation is critical to avoid unclarity in the applicability of data protection standards and would also address many privacy concerns associated to the scheme.

Appendix I

The Rajya Sabha had proposed five amendments to the Aadhaar Act 2016, which are as follows:

i. Opt-out clause: A provision to allow a person to "opt out" of the Aadhaar system, even if already enrolled.

ii. Voluntary: To ensure that if a person chooses not to be part of the Aadhaar system, he/she would be provided "alternate and viable" means of identification for purposes of delivery of government subsidy, benefit or service.

iii. Amendment restricting the use of Aadhaar numbers only for targeting of government benefits or service and not for any other purpose.

iv. Amendment seeking change of the term "national security" to "public emergency or in the interest of public safety" in the provision specifying situations in which disclosure of identity information of an individual to certain law enforcement agencies can be allowed.

v. Oversight Committee: The oversight committee , which would oversee the possible disclosure of information, should include either the Central Vigilance Commissioner or the Comptroller and Auditor-General.

Sources:

Appendix II - Section 43A: Compensation for Failure to Protect Data

Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

For the purposes of this section:

"body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;
"reasonable security practices and procedures" means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit;
"sensitive personal data or information" means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.'.

The term 'body corporate' has been defined under section 43A as "any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities"

For more details visit https://cis-india.org/internet-governance/blog/aadhaar-act-and-its-non-compliance-with-data-protection-law-in-india