We are anonymous, we are legion

CIS' Statement on Sexual Harassment at ICANN55

Vidushi Marda — 2016-03-21T15:22:11Z

The Centre for Internet and Society

Statement on Sexual Harassment at ICANN55

The Centre for Internet and Society (“CIS”) strongly condemns the acts of sexual harassment that took place against one of our representatives, Ms. Padmini Baruah, during ICANN 55 in Marrakech. It is completely unacceptable that an event the scale of an ICANN meeting does not have in place a formal redressal system, a neutral point of contact or even a policy for complainants who have been put through the ordeal of sexual harassment. ICANN cannot claim to be inclusive or diverse if it does not formally recognise a specific procedure or recourse under such instances.

Ms. Baruah is by no means the first young woman to be subject to such treatment at an ICANN event, but she is the first to raise a formal complaint. Following the incident, she was given no immediate remedy or formal recourse, and that has left her with no option but to make the incident publicly known in the interim. The ombudsman’s office has been in touch with her, but this administrative process is simply inadequate for rights-violations.

Ms. Baruah has received support from various community, staff, and board members. While we are thankful for their support, we believe that this situation can be better dealt with through some positive measures. We ask that ICANN carry out the following steps in order to make its meetings a truly safe and inclusive space:

Institute a formal redressal system and policy with regard to sexual harassment within ICANN. The policy must be displayed on the ICANN website, at the venue of meetings and made available in delegate kits.
Institute an Anti Sexual Harassment Committee that is neutral and approachable. Merely having an ombudsman who is a white male, however well intentioned, is inadequate and completely unhelpful to the complainant. The present situation is one where the ombudsman has no effective power and only advises the board.
Conduct periodic gender and anti sexual harassment training of the ICANN board to help them better understand, recognise and address instances of sexual harassment.
Conduct periodic gender and anti sexual harassment training for the ombudsman even if he/she will not be the exclusive point of contact for complainants as the ombudsman forms an important part of community and participant engagement
Conduct periodic gender sensitisation for the ICANN community.

For more details visit https://cis-india.org/internet-governance/blog/cis-statement-on-sexual-harrasment-at-icann55

Aadhaar Bill 2016 Evaluated against the National Privacy Principles

Pooja Saxena and Amber Sinha — 2016-03-21T08:38:34Z

In this infographic, we evaluate the privacy provisions of the Aadhaar Bill 2016 against the national privacy principles developed by the Group of Experts on Privacy led by the Former Chief Justice A.P. Shah in 2012. The infographic is based on Vipul Kharbanda’s article 'Analysis of Aadhaar Act in the Context of A.P. Shah Committee Principles,' and is designed by Pooja Saxena, with inputs from Amber Sinha.

Download the infographic: PDF and PNG.

License: It is shared under Creative Commons Attribution 4.0 International License.

For more details visit https://cis-india.org/internet-governance/aadhaar-bill-2016-evaluated-against-the-national-privacy-principles

Vulnerabilities in the UIDAI Implementation Not Addressed by the Aadhaar Bill, 2016

Pooja Saxena and Amber Sinha — 2016-03-21T08:33:53Z

In this infographic, we document the various issues in the Aadhaar enrolment process implemented by the UIDAI, and highlight the vulnerabilities that the Aadhaar Bill, 2016 does not address. The infographic is based on Vidushi Marda’s article 'Data Flow in the Unique Identification Scheme of India,' and is designed by Pooja Saxena, with inputs from Amber Sinha.

Download the infographic: PDF and PNG.

Credits: The illustration uses the following icons from The Noun Project - Thumpbrint created by Daouna Jeong, Duplicate created by Pham Thi Dieu Linh, Copy created by Mahdi Ehsaei.

License: It is shared under Creative Commons Attribution 4.0 International License.

For more details visit https://cis-india.org/internet-governance/blog/vulnerabilities-in-the-uidai-implementation-not-addressed-by-the-aadhaar-bill-2016

Salient Points in the Aadhaar Bill and Concerns

Amber Sinha and Elonnai Hickok — 2016-03-21T04:37:48Z

Since the release of the Aadhaar Bill, the Centre for Internet and Society has been writing a number of posts analyzing the Bill and calling out problematic areas and the implications of the same. This post is meant to contribute to this growing body of writing and call out our major concerns with the Bill.

Use of Aadhaar Number

What the Bill says:

Used to establish identity: The Aadhaar number can be used by any government or private agency to validate a person’s identity for any lawful purpose, but it cannot be used as a proof of citizenship. (Sections 4, 6, and 57)
Mandatory for access to government services: The government can make it mandatory for a person to authenticate her/his identity using Aadhaar number before receiving any government subsidy, benefit, or service whose expenditure is incurred from the Consolidated Fund of India.
Those without a number, must apply for one: If someone attempting to access an applicable service does not have an Aadhaar number, he/she should make an application for enrolment, and will be allowed to use an alternative method of identification in the meantime. (Section 7)
Open to use by public and private bodies: The Bill does not prevent the use of Aadhaar number to establish identity for other lawful purposes by the State or other private bodies. (Section 57)

Concerns:

Aadhaar is not voluntary: Section 7 makes its mandatory to have an Aadhaar number to access services, subsidies and benefits, and stipulates that in case one does not have the Aadhaar number they must apply for it. This is counter to the repeated claims about Aadhaar being purely voluntary, and the Supreme Court order dated August 11, 2015 which prevents making Aadhaar mandatory, barring a few specified services. The Bill does not limit mandatory use of Aadhaar to those services, and leaves the door open for the government to route more benefits, subsidies and services through the Consolidated Fund of India and expand the scope of Aadhaar.
There are limited and unclear alternatives: While there is a proviso in the Act which speaks for “viable and alternative” means of identification where Aadhaar number is not issued, the language is not clear and speaks of cases where Aadhaar “is not assigned” rather than simply stating that it is applicable to anyone who does not have an Aadhaar number.
There is a conflict in the objects and actual scope of the Bill: There is a conflict between the objects of the Bill which is stated as identification of individuals for targeted delivery of entitlements and Section 57 which allows all entities, public or private, to use the Aadhaar number for authentication.

Enrollment Process

What the Bill says:

Enrolling agencies must provide notice: At the time of enrollment, the enrolling agency will inform the individual of the following details— i) how their information will be used; ii) what type of entities the information will be shared with; and iii) that they have a right to access their information, and also tell them how they can access their information. (Section 3)
Biometrics and demographics will be collected: Biometric information and demographic information will be collected at enrollment. Biometric information means photograph, fingerprint, Iris scan, or any other biological attributes specified by regulations. Demographic information includes information relating to the name, date of birth, address and other relevant information as specified by regulations. (Section 2)
Special measures to ensure enrollment for all: The UIDAI will take special measures to issue Aadhaar number to women, children, senior citizens, persons with disability, unskilled and unorganised workers, nomadic tribes or to such other persons who do not have any permanent residence and similar categories of individuals as specified by the regulations. (Section 5)

Concerns:

The Bill fails to address implementation issues: The Bill does not address issues that have arising during enrolment processes that have already been implemented. These include: the collection of additional and unnecessary information, unclear retention, storage, and destruction standards for data collected by enrollment agencies, abuse of methods used to ensure all have access to the enrollment process, inaccuracy in the collection of data. Detailed procedure and chain of custody for the enrollment process needs to be addressed through provisions in the Bill particularly as this process is undertaken by contracted third party registrars and enrolling agencies.
Definition of “Biometric Information” is broad and ambiguous: The Bill defines “biometric information” as “photograph, fingerprint, iris scan, or other such biological attributes of an individual.” This definition is broad and gives sweeping discretionary power to the UIDAI / Central Government to determine “other such biological attributes of an individual”. The definition should be precise and exhaustive in its scope. Any modification to this, and other terms in the Bill, should take place only through a legislative act.

Authentication Process

What the Bill says:

Consent and use limitation during authentication: The Bill states that any requesting entity will— (a) take consent from the individual before collecting his/her Adhaar information; (b) use the information only for authentication with the CIDR.
Notice during authentication: Further, the entity requesting authentication will also inform the individual of the following— (a) what type of information will be shared for authentication; (b) what will the information be used for; and (c) whether there is any alternative to submitting the Aadhaar information to the requesting entity. (Section 8)
Retention of authentication records: The UIDAI will maintain the authentication records in the manner and for as long as specified by regulations. (Section 32) The UIDAI will not collect, keep or maintain any information about the purpose of authentication. (Section 32)
Ability to obtain authentication records: Every Aadhaar number holder may obtain his authentication record as specified by regulations. (Section 32)
Requirement to update information: The UIDAI has the power to require residents to update their demographic and biometric information from time to time. (Section 6)

Concerns:

Lack of strong consent mechanism: While the Bill does provide for seeking consent for collecting and using an Aadhaar for authentication, the Bill does not specify that this must be informed consent with an ‘opt out’ mechanism and does not specify the manner in which such consent should be sought. This leaves it it in the hands of the UIDAI and possibly the third requesting entity to determine the form of consent that is to be taken. This could result in ambiguous, misleading, or inconsistent consent mechanisms being used.
Lack of strong notice mechanism: While the Bill does provide that individuals should be given notice of the type of information be shared and what the information will be used for, and any alternative identity that will be accepted during the authentication process this is a minimal notice and does not meet the standards in the (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 which require individuals to be notified of a) the fact that the information is being collected b) the purposes for which the information is being collected c) the intended recipients of the information d) the name and address of the agency collecting the information and the agency that will retain the information. Furthermore, the Bill does not require the UIDAI, contracted bodies, or requesting entities to notify individuals of any changes in organizational privacy policies.
“Obtaining” rather than the right to access: Instead of providing the individual with a clear right to access the information that the UIDAI holds about him or her, the Bill waters down this safeguard by giving the individual the ability to obtain only his authentication record. What ‘obtaining’ will entail and how one will go about it is delegated to regulations.
Lack of ability to opt out, withdraw consent and/or ‘exit’ Aadhaar: There are no opt-out mechanisms in the Aadhaar Act.This means that individuals cannot:

Opt out and leave the Aadhaar ‘ecosystem’ once enrolled and their information is not deleted.
Opt out of sharing of information at the enrollment stage or authentication stage.
Opt out of any use, disclosure, or retention of their information prescribed by the Act.

Security

What the Bill says:

Security measures for information with UIDAI: The UIDAI will take measures to ensure that all information with the UIDAI, including CIDR records is secured and protected against access, use or disclosure and against destruction, loss or damage. (Section 28)
Security measures through contract: The UIDAI will adopt and implement appropriate technical and organisational security measures, and ensure the same are imposed through agreements/arrangements with its agents, consultants, advisors or other persons. (Section 28)
Security protocol via regulations: The UIDAI has the power to prescribe via regulation various processes relating to data management, security protocol and other technology safeguards (Section 54)

Concerns:

Undefined security measures: The Bill specifies that appropriate technical and organisational security measures shall be put in place without elaborating upon what those measure should be or defining any standards that they will adhere to. The Bill gives the Authority the power to define broad regulations pertaining to security protocol.

Confidentiality

What the Bill says:

Restriction on Sharing, Disclosure, and Use: Unless otherwise provided, the UIDAI or its agents will not reveal any information in the CIDR to anyone. (Section 28) The core biometric information collected will not be a) shared with anyone for any reason, and b) used for any purpose other generation of Aadhaar numbers and authentication. (Section 29) Identity information, other than core biometric information, may be shared as per this Act and regulations specified under it. (Section 29) Identity information available with a requesting entity will not be used for any purpose other than what is specified to the individual, nor will it be shared further without the individual’s consent. (Section 29) Aadhaar numbers or core biometric information will not be made public except as specified by regulations. (Section 30)
Application of Information Technology Act: All biometric information collected and stored in electronic form will be deemed to be “electronic record” and “sensitive personal data or information” under Information Technology Act, 2000 and its provisions and rules will apply to it in addition to this Act. (Section 30)

Concerns:

Aadhaar numbers and biometric information to be made public: It is unclear for what purposes it would be necessary for Aadhaar numbers and core biometric information to be made public and it is concerning that such circumstances are left to be defined by regulation. This is different from the Telegraph Act and the IT Act which define the circumstances for interception in the Act and define the procedure for carrying out interception orders in associated Rules. Defining circumstances for such information to be made public is against the disclosure standards in the 43A Rules - which would be applicable to the UIDAI and the disclosure of core biometric information.
Unclear application of Section 43 A Rules: The Bill characterises biometric information collected as ‘sensitive personal data or information’ under the Information Technology Act, 2000 and Section 43A Rules and states that the Act and Rules would be applicable to biometric information. If this is the case, than any body corporate (including the UIDAI) collecting, processing, or storing biometric information would need to follow the standards established in the Rules - including standards for collection, consent, disclosure, sharing, retention, and security. Yet, the Bill allows the UIDAI to make regulations for collection, disclosure, security etc.

Disclosure

What the Bill says:

Disclosure during authentication: During authentication, the UIDAI will respond to the authentication request with yes, no, or other appropriate response and share identity information about the Aadhaar number holder, but not share any biometric information. (Section 8)
Exceptions to confidentiality provisions: The UIDAI may reveal identity information, authentication records or any information in the CIDR following a court order by a District Judge or higher. Any such order may only be made after UIDAI is allowed to appear in a hearing. (Section 33) The confidentiality provisions in Sections 28 and 29 will not apply with respect to disclosure made in the interest of national security following directions by a Joint Secretary to the Government of India, or an officer of a higher rank, authorised for this purpose. (Section 33)
Oversight Committee: An Oversight Committee comprising Cabinet Secretary, and Secretaries of two departments — Department of Legal Affairs and DeitY— will review every direction under 33 B above. Any directions in the interest of national security above are valid for 3 months, after which they may be extended following a review by the Oversight Committee. (Section 33)

Concerns:

Unnecessary disclosure during authentication: Usually authentication would be a binary process leading to a yes or no result, however, Section 8 also allows sharing of identity information in certain cases. It is unclear why any additional information would need to be shared in the authentication process.
Lack of opportunity to data subject: In case of a court order identity information and authentication records of an individual can be revealed without any notice or opportunity of hearing to the individual affected. Aside from allowing the UIDAI a right to be heard, the Bill does not provide any means by which an individual can contest such an order or challenge it after it has been passed.
Lack of defined functions and responsibilities of oversight mechanisms: Section 33 currently specifies a procedure for oversight by a committee, however, there are no substantive provisions laid down as the guiding principles establishing the responsibilities and powers of the oversight mechanism.
Low standards for disclosure order: Though a court order from a District Judge is required to authorize disclosure of information, the Bill fails to define important standards that such an order must meeting including that the order is necessary and proportionate.
Sweeping exception of National Security: Disclosures that are made ‘in the interest of national security’ do not require authorization by a judge and instead can be authorized by the Joint Secretary of the Government of India - a standard lower than that established in the Telegraph Act and IT Act for the interception of communications.

Power of UIDAI to make rules and regulations

What the Bill says:

The matters on which the UIDAI may frame rules include:

The process of collecting information,
Verification of information,
Individual access to information,
Sharing and disclosure of information,
Alteration of information,
Request and response for authentication,
Defining use of Aadhaar numbers,
Defining privacy and security processes,
Specifying processes relating to data management, security protocols and other technology safeguards under this Act
Establishing redressal mechanisms.

Concerns:

Over delegation of powers to the UIDAI: This Bill follows in the tradition of laws like the Information Technology Act, which allows the executive a very high degree of discretionary power. As mentioned above, a number of important powers which should ideally be within the purview of the legislature are delegated to the UIDAI. The UIDAI has been administrating the project since its inception, and a number of problems have already been documented in process such as collection, verification, sharing of information, privacy and security processes. Rather than addressing these problems, the Bill allows the UIDAI to continue to have similar powers.
Lack of independence of grievance redressal mechanism: Within the text of the Bill there are no grievance redressal mechanism created under the Bill. The power to set up such a mechanism is delegated to the UIDAI under Section 23 (2) (s) of the Bill. However, making the entity administering a project, also responsible for providing for the frameworks to address the grievances arising from the project, severely compromises the independence of the grievance redressal body.

For more details visit https://cis-india.org/internet-governance/salient-points-in-the-aadhaar-bill-and-concerns

The Digital is Political

nishant — 2016-06-05T03:58:46Z

To speak of technology is to speak of human life and living.

The article was published in the Indian Express on March 20, 2016.

“You are supposed to write about the internet, why do you keep talking about all this politics?” I was taken aback when I was faced with this question. It is true – since the year has begun, I have talked about digital education and the ways in which it needs to account for unexpected and underserved communities, about net neutrality and why the Indian government needs to build a stronger, safer, and a more inclusive digital ecosystem. I have written about freedom of speech and expression and how this is going to be the year when we stand together to save the internet from vested interests that seek to convert it from a public commons into a private commodity.

In my head, all these questions — of inclusion, of access, of presence, of rights — are questions of human life and living, but they are also those that are being hugely restructured by the internet and digital technologies. When faced with the query, I was reminded of a deep-seated division that has been at the heart of digital cultures.

Way back in the ’90s, when the internet was still a space of science fiction and the World Wide Web was in its nascent stages, there was a distinction made between Virtual Reality (VR) and Real Life (RL). The presumption in the construction of these categories was that the digital is only an escape, the technological is merely a prosthesis, and the internet is just a thing that a few geeks engaged with in their free time. However, the last three decades have made this distinction between VR and RL redundant.

We live in digital times. The digital is not just something we use strategically and specifically to do a few tasks. Our very perception of who we are, how we connect to the world around us, and the ways in which we define our domains of life, labour, and language are hugely structured by the digital technologies. The digital is ubiquitous and hence, like air, invisible. We live within digital systems, we live with intimate gadgets, we interact through digital media, and even though we might all be equally digital natives, there is no denying the fact that the very presence and imagination of the digital has dramatically restructured our lives. The digital, far from being a tool, is a condition and context that defines the shapes and boundaries of our understanding of the self, the society, and the structures of governance.

The pervasive nature of the digital technologies and internet can be found at multiple levels. For instance, we do not think about going online anymore, because most of our devices are connected 24×7 to the digital web. Even when we are not online, sunk in a bad network connection, or protecting our precious data usage, we know that our avatars and digital identities are online and talking without us.

So established is this phenomenon that we even have a name for the anxiety it creates: FOMO — the Fear Of Missing Out. Similarly, the digital can be located at the level of human understanding. We are used to thinking of ourselves as digital systems. We talk about our primary identity as one marked by information overload. We often complain, when faced with too many demands on our time and space, that we don’t have enough bandwidth to deal with new problems, and we are not referring to digital connectivity.

The digital also has space at the level of policy and governance. If you, like the many millions of Indians, have registered for an Aadhaar card, you have already been marked by a digital identity whether or not you have broadband access. When our government launches Digital India campaigns, it is not merely about an economic model of growth, but it is suggesting that the digital is going to be at the foundations of the new India that we want to build for the future.

If the digital is so central to our fundamental understanding of the self, the society, and the state, then surely it is time to stop thinking that these technologies have nothing to do with politics? There remains a forced imagination of technologies as devices, as tools, as prostheses which do not have any other role than the performing of a function. However, this is a fallacy, because not only do technologies shape our sense of who we are, but they also prescribe new templates and models of who we are going to be. In the process, these technologies take political action, create social structures, mobilise cultural possibilities, and often, because they are technologies that are still elite and available to the privileged few in the country, they enable decisions which are not always fair, open, and just.

Hence, a technological decision cannot be read merely as a technical decisions but as human decisions. To speak of technology is to speak of human life and living. To write about technology is to write about politics, because a separation between the two is not only futile but downright dangerous.

For more details visit https://cis-india.org/internet-governance/blog/indian-express-march-20-2016-nishant-shah-digital-is-political

Adoption of Standards in Smart Cities - Way Forward for India

vanya — 2016-04-11T03:04:46Z

With a paradigm shift towards the concept of “Smart Cities’ globally, as well as India, such cities have been defined by several international standardization bodies and countries, however, there is no uniform definition adopted globally. The glue that allows infrastructures to link and operate efficiently is standards as they make technologies interoperable and efficient.

Click here to download the full file

Globally, the pace of urbanization is increasing exponentially. The world’s urban population is projected to rise from 3.6 billion to 6.3 billion between 2011 and 2050. A solution for the same has been development of sustainable cities by improving efficiency and integrating infrastructure and services [1]. It has been estimated that during the next 20 years, 30 Indians will leave rural India for urban areas every minute, necessitating smart and sustainable cities to accommodate them [2]. The Smart Cities Mission of the Ministry of Urban Development was announced in the year 2014, followed by selection of 100 cities in the year 2015 and 20 of them being selected for the first Phase of the project in the year 2016. The Mission [3] lists the “core infrastructural elements” that a smart city would incorporate like adequate water supply, assured electricity, sanitation, efficient public transport, affordable housing (especially for the poor), robust IT connectivity and digitisation, e-governance and citizen participation, sustainable environment, safety and security for citizens, health and education.

With a paradigm shift towards the concept of “Smart Cities’ globally, as well as India, such cities have been defined by several international standardization bodies and countries, however, there is no uniform definition adopted globally. The envisioned modern and smart city promises delivery of high quality services to the citizens and will harness data capture and communication management technologies. The performance of such cities would be monitored on the basis of physical as well as the social structure comprising of smart approaches and solution to utilities and transport.

The glue that allows infrastructures to link and operate efficiently is standards as they make technologies interoperable and efficient. Interoperability is essential and to ensure smart integration of various systems in a smart city, internationally agreed standards that include technical specifications and classifications must be adhered to. Development of international standards ensure seamless interaction between components from different suppliers and technologies [4].

Standardized indicators within standards benefit smart cities in the following ways:

Effective governance and efficient delivery of services.
International and Local targets, benchmarking and planning.
Informed decision making and policy formulation.
Leverage for funding and recognition in international entities.
Transparency and open data for investment attractiveness.
A reliable foundation for use of big data and the information explosion to assist cities in building core knowledge for city decision-making, and enable comparative insight.

The adoption of standards for smart cities has been advocated across the world as they are perceived to be an effective tool to foster development of the cities. The Director of the ITU Telecommunication Standardization Bureau Chaesub Lee is of the view that “Smart cities will employ an abundance of technologies in the family of the Internet of Things (IoT) and standards will assist the harmonized implementation of IoT data and applications , contributing to effective horizontal integration of a city’s subsystems” [5].

Smart Cities standards in India

National Association of Software and Services Companies (NASSCOM) partnered with Accenture [6] to prepare a report called ‘Integrated ICT and Geospatial Technologies Framework for 100 Smart Cities Mission’ [7] to explore the role of ICT in developing smart cities [8], after the announcement of the Mission by Indian Government. The report, released in May 2015, lists down 55 global standards, keeping in view several city sub-systems like urban planning, transport, governance, energy, climate and pollution management, etc which could be applicable to the smart cities in India.

Though NASSCOM is working closely with the Ministry of Urban Development to create a sustainable model for smart cities [9], due to lack of regulatory standards for smart cities, the Bureau of Indian Standards (BIS) in India has undertaken the task to formulate standardised guidelines for central and state authorities in planning, design and construction of smart cities by setting up a technical committee under the Civil engineering department of the Bureau. However, adoption of the standards by implementing agencies would be voluntary and intends to complement internationally available documents in this area [10].

Developing national standards in line with these international standards would enable interoperability (i.e. devices and systems working together) and provide a roadmap to address key issues like data protection, privacy and other inherent risks in the digital delivery and use of public services in the envisioned smart cities, which call for comprehensive data management standards in India to instill public confidence and trust [11].

Key International Smart Cities Standards

Following are the key internationally accepted and recognized Smart Cities standards developed by leading organisations and the national standardization bodies of several countries that India could adopt or develop national standards in line with these.

The International Organization for Standardization (ISO) - Smart Cities Standards

ISO is an instrumental body advocating and developing for smart cities to safeguard rights of the people against a liveable and sustainable environment. The ISO Smart Cities Strategic Advisory Group uses the following working definition: A ‘Smart City’ is one that dramatically increases the pace at which it improves its social, economic and environmental (sustainability) outcomes, responding to challenges such as climate change, rapid population growth, and political and economic instability by fundamentally improving how it engages society, how it applies collaborative leadership methods, how it works across disciplines and city systems, and how it uses data information and modern technologies in order to transform services and quality of life for those in and involved with the city (residents, businesses, visitors), now and for the foreseeable future, without unfair disadvantage of others or degradation of the natural environment. [For details see ISO/TMB Smart Cities Strategic Advisory Group Final Report, September 2015 ( ISO Definition, June 2015)].

The ISO Technical Committee 268 works on standardization in the field of Sustainable Development in Communities [12] to encourage the development and implementation of holistic, cross-sector and area-based approaches to sustainable development in communities. The Committee comprises of 3 Working Groups [13]:

Working Group 1: System Management ISO 37101- This standard sets requirements, guidance and supporting techniques for sustainable development in communities. It is designed to help all kinds of communities manage their sustainability, smartness and resilience to improve the contribution of communities to sustainable development and assess their performance in this area [14].
Working Group 2 : City Indicators- The key Smart Cities Standards developed by ISO TC 268 WG 2 (City Indicators) are:

ISO 37120 Sustainable Development of Communities — Indicators for City Services and Quality of Life

One of the key standards and an important step in this regard was ISO 37120:2014 under the ISO’s Technical Committee 268 (See Working on Standardization in the field of Sustainable Development in Communities) providing clearly defined city performance indicators (divided into core and supporting indicators) as a benchmark for city services and quality of life, along with a standard approach for measuring each for city leaders and citizens [15]. The standard is global in scope and can help cities prioritize city budgets, improve operational transparency, support open data and applications [16]. It follows the principles [17] set out and can be used in conjunction with ISO 37101.

ISO 37120 was the first ISO Standard on Global City Indicators published in the year 2014, developed on the basis of a set of indicators developed and extensively tested by the Global City Indicators Facility (a project by University of Toronto) and its 250+ member cities globally. GCIF is committed to build standardized city indicators for performance management including a database of comparable statistics that allow cities to track their effectiveness on everything from planning and economic growth to transportation, safety and education [18].

The World Council on City Data (WCCD) [19] - a sister organization of the GCI/GCIF - was established in the year 2014 to operationalize ISO 37120 across cities globally. The standards encompasses 100 indicators developed around 17 themes to support city services and quality of life, and is accessible through the WCCD Open City Data Portal which allows for cutting-edge visualizations and comparisons. Indian cities are not yet listed with WCCD [20].

The indicators are listed under the following heads [21]:

Economy
Education
Environment
Energy
Finance
Fire and Emergency Responses
Governance
Health
Safety
Shelter
Recreation
Solid Waste
Telecommunication and innovation
Transportation
Urban Planning
Waste water
Water and Sanitation

This International Standard is applicable to any city, municipality or local government that undertakes to measure its performance in a comparable and verifiable manner, irrespective of size and location or level of development. City indicators have the potential to be used as critical tools for city managers, politicians, researchers, business leaders, planners, designers and other professionals [22]. The WCCD forum highlights need for cities to have a set of globally standardized indicators to [23]:

Manage and make informed decisions through data analysis
Benchmark and target
Leverage Funding with senior levels of government
Plan and establish new frameworks for sustainable urban development
Evaluate the impact of infrastructure projects on the overall performance of a city.

ISO/DTR 37121- Inventory and Review of Existing Indicators on Sustainable Development and Resilience in Cities

The second standard under ISO TC 268 WG 2 is ISO 37121, which defines additional indicators related to sustainable development and resilience in cities. Some of the indicators include: Smart Cities, Smart Grid, Economic Resilience, Green Buildings, Political Resilience, Protection of biodiversity, etc. The complete list can be viewed on the Resilient Cities website [24].

Working Group 3: Terminology - There are no publicly available documents so far, giving details about the status of the activities of this group. The ISO Technical Committee 268 also includes Sub Committee 1 (Smart Community Infrastructure) [25], comprising of the following Working Groups: 1) WG 1 Infrastructure metrics, and 2) WG 2 Smart Community Infrastructure.

The key Smart Cities Standards developed by ISO under this are:

ISO 37151:2015 Smart community infrastructures — Principles and Requirements for Performance Metrics
In the year 2015, a new ISO technical specification for smart cities- 37151:2015 for Principles and requirements for performance metrics was released. The purpose of standardization in the field of smart community infrastructures such as energy, water, transportation, waste, information and communications technology (ICT), etc. is to promote the international trade of community infrastructure products and services and improve sustainability in communities by establishing harmonized product standards [26]. The metrics in this standard will support city and community managers in planning and measuring performance, and also compare and select procurement proposals for products and services geared at improving community infrastructures [27].
This Technical Specification gives principles and specifies requirements for the definition,identification, optimization, and harmonization of community infrastructure performance metrics, and gives recommendations for analysis, regarding interoperability, safety, security of community infrastructures [28]. This new Technical Specification supports the use of the ISO 37120 [29].
ISO/TR 37150:2014 Smart Community Infrastructures - Review of Existing Activities Relevant to Metrics
This standard addresses community infrastructures such as energy, water, transportation, waste and information and communications technology (ICT). Smart community infrastructures take into consideration environmental impact, economic efficiency and quality of life by using information and communications technology (ICT) and renewable energies to achieve integrated management and optimized control of infrastructures. Integrating smart community infrastructures for a community helps improve the lifestyles of its citizens by, for example: reducing costs, increasing mobility and accessibility, and reducing environmental pollutants.
ISO/TR 37150 reviews relevant metrics for smart community infrastructures and provides stakeholders with a better understanding of the smart community infrastructures available around the world to help promote international trade of community infrastructure products and give information about leading-edge technologies to improve sustainability in communities [30]. This standard, along with the above mentioned standards [31] supports the multi-billion dollar smart cities technology industry.

Several other ISO Working Groups developing standards applicable to smart and sustainable cities have been listed in our website [32].

The International Telecommunications Union (ITU)

The ITU is another global body working on development of standards regarding smart cities.

A study group was formed in the year 2015 to tackle standardization requirements for the Internet of Things, with an initial focus on IoT applications in smart cities to address urban development challenges [33], to enable the coordinated development of IoT technologies, including machine-to-machine communications and ubiquitous sensor networks. The group is titled “ITU-T Study Group 20: IoT and its applications, including smart cities and communities”, established to develop standards that leverage IoT technologies to address urban-development challenges and the mechanisms for the interoperability of IoT applications and datasets employed by various vertically oriented industry sectors [34].

ITU-T also concluded a focused study group looking at smart sustainable cities in May 2015, acting as an open platform for smart city stakeholders to exchange knowledge in the interests of identifying the standardized frameworks needed to support the integration of ICT services in smart cities. Its parent group is ITU-T Study Group 5, which has agreed on the following definition of a Smart Sustainable City:
"A smart sustainable city is an innovative city that uses information and communication technologies (ICTs) and other means to improve quality of life, efficiency of urban operation and services, and competitiveness, while ensuring that it meets the needs of present and future generations with respect to economic, social, environmental as well as cultural aspects".

UK - British Standards Institution

Apart from the global standards setting organisations, many countries have been looking at developing standards to address the growth of smart cities across the globe. In the UK, the British Standards Institution (BSI) has been commissioned by the UK Department of Business, Innovation and Skills (BIS) to conceive a Smart Cities Standards Strategy to identify vectors of smart city development where standards are needed. The standards would be developed through a consensus-driven process under the BSI to ensure good practise is shared between all the actors. The BIS launched the City's Standards Institute to bring together cities and key industry leaders and innovators to work together in identifying the challenges facing cities, providing solutions to common problems and defining the future of smart city standards [35].

PAS 181 Smart city framework- Guide to establishing strategies for smart cities and communities establishes a good practice framework for city leaders to develop, agree and deliver smart city strategies that can help transform their city’s ability to meet challenges faced in the future and meet the goals. The smart city framework (SCF) does not intend to describe a one-size-fits-all model for the future of UK cities but focuses on the enabling processes by which the innovative use of technology and data, together with organizational change, can help deliver the diverse visions for future UK cities in more efficient, effective and sustainable ways [36].
PD 8101 Smart cities- Guide to the role of the planning and development process gives guidance regarding planning for new development for smart city plans and provides an overview of the key issues to be considered and prioritized. The document is for use by local authority planning and regeneration officers to identify good practice in a UK context, and what tools they could use to implement this good practice. This aims to enable new developments to be built in a way that will support smart city aspirations at minimal cost [37].
PAS 182 Smart city concept model. Guide to establishing a model for data establishes an interoperability framework and data-sharing between agencies for smart cities for the following purposes:
1. To have a city where information can be shared and understood between organizations and people at each level
2. The derivation of data in each layer can be linked back to data in the previous layer
3. The impact of a decision can be observed back in operational data. The smart city concept model (SCCM) provides a framework that can normalize and classify information from many sources so that data sets can be discovered and combined to gain a better picture of the needs and behaviours of a city’s citizens (residents and businesses) to help identify issues and devise solutions. PAS 182 is aimed at organizations that provide services to communities in cities, and manage the resulting data, as well as decision-makers and policy developers in cities [38].
PAS 180 Smart cities Vocabulary helps build a strong foundation for future standardization and good practices by providing an industry-agreed understanding of smart city terms and definitions to be used in the UK. It provides a working definition of a Smart City- “Smart Cities” is a term denoting the effective integration of physical, digital and human systems in the built environment to deliver a sustainable, prosperous and inclusive future for its citizens [39]. This aims to help improve communication and understanding of smart cities by providing a common language for developers, designers, manufacturers and clients. The standard also defines smart city concepts across different infrastructure and systems’ elements used across all service delivery channels and is intended for city authorities and planners, buyers of smart city services and solutions [40], as well as product and service providers.

Endnotes

[1] See: http://www.iec.ch/whitepaper/pdf/iecWP-smartcities-LR-en.pdf.

[2] See: http://www.ibm.com/smarterplanet/in/en/sustainable_cities/ideas/.

[3] See: http://www.thehindubusinessline.com/economy/smart-cities-mission-welcome-to-tomorrows-world/article8163690.ece.

[4] See: http://www.iec.ch/whitepaper/pdf/iecWP-smartcities-LR-en.pdf.

[5] See: http://www.iso.org/iso/news.htm?refid=Ref2042.

[6] See: http://www.livemint.com/Companies/5Twmf8dUutLsJceegZ7I9K/Nasscom-partners-Accenture-to-form-ICT-framework-for-smart-c.html.

[7] See: http://www.nasscom.in/integrated-ict-and-geospatial-technologies-framework-100-smart-cities-mission.

[8] See: http://www.cxotoday.com/story/nasscom-creates-framework-for-smart-cities-project/.

[9] See: http://www.livemint.com/Companies/5Twmf8dUutLsJceegZ7I9K/Nasscom-partners-Accenture-to-form-ICT-framework-for-smart-c.html.

[10] See: http://www.business-standard.com/article/economy-policy/in-a-first-bis-to-come-up-with-standards-for-smart-cities-115060400931_1.html.

[11] See: http://www.longfinance.net/groups7/viewdiscussion/72-financing-financing-tomorrow-s-cities-how-standards-can-support-the-development-of-smart-cities.html?groupid=3.

[12] See: http://www.iso.org/iso/iso_technical_committee?commid=656906.

[13] See: http://cityminded.org/wp-content/uploads/2014/11/Patricia_McCarney_PDF.pdf.

[14] See: http://www.iso.org/iso/news.htm?refid=Ref1877.

[15] See: http://smartcitiescouncil.com/article/new-iso-standard-gives-cities-common-performance-yardstick.

[16] See: http://smartcitiescouncil.com/article/dissecting-iso-37120-why-new-smart-city-standard-good-news-cities.

[17] See: http://www.iso.org/iso/catalogue_detail?csnumber=62436.

[18] See: http://www.cityindicators.org/.

[19] See: http://www.dataforcities.org/.

[20] See: http://news.dataforcities.org/2015/12/world-council-on-city-data-and-hatch.html.

[21] See: http://news.dataforcities.org/2015/12/world-council-on-city-data-and-hatch.html.

[22] See: http://www.iso.org/iso/37120_briefing_note.pdf.

[23] See: http://www.dataforcities.org/wccd/.

[24] See: http://resilient-cities.iclei.org/fileadmin/sites/resilient-cities/files/Webinar_Series/HERNANDEZ_-_ICLEI_Resilient_Cities_Webinar__FINAL_.pdf.

[25] See: http://www.iso.org/iso/iso_technical_committee?commid=656967.

[26] See: https://www.iso.org/obp/ui/#iso:std:iso:ts:37151:ed-1:v1:en.

[27] See: http://www.iso.org/iso/home/news_index/news_archive/news.htm?refid=Ref2001&utm_medium=email&utm_campaign=ISO+Newsletter+November&utm_content=ISO+Newsletter+November+CID_4182720c31ca2e71fa93d7c1f1e66e2f&utm_source=Email%20marketing%20software&utm_term=Read%20more.

[28] See: http://www.iso.org/iso/37120_briefing_note.pdf.

[29] See: http://standardsforum.com/isots-37151-smart-cities-metrics/.

[30] See: http://www.iso.org/iso/executive_summary_iso_37150.pdf.

[31] See: http://standardsforum.com/isots-37151-smart-cities-metrics/.

[32] See: http://cis-india.org/internet-governance/blog/database-on-big-data-and-smart-cities-international-standards.

[33] See: http://smartcitiescouncil.com/article/itu-takes-internet-things-standards-smart-cities.

[34] See: https://www.itu.int/net/pressoffice/press_releases/2015/22.aspx.

[35] See: http://www.bsigroup.com/en-GB/smart-cities/.

[36] See: http://www.bsigroup.com/en-GB/smart-cities/Smart-Cities-Standards-and-Publication/PAS-181-smart-cities-framework/.

[37] See: http://www.bsigroup.com/en-GB/smart-cities/Smart-Cities-Standards-and-Publication/PD-8101-smart-cities-planning-guidelines/.

[38] See: http://www.bsigroup.com/en-GB/smart-cities/Smart-Cities-Standards-and-Publication/PAS-182-smart-cities-data-concept-model/.

[39] See: http://www.iso.org/iso/smart_cities_report-jtc1.pdf.

[40] See: http://www.bsigroup.com/en-GB/smart-cities/Smart-Cities-Standards-and-Publication/PAS-180-smart-cities-terminology/.

For more details visit https://cis-india.org/internet-governance/blog/adoption-of-standards-in-smart-cities-way-forward-for-india

Sexual Harassment at ICANN

padmini — 2016-04-06T14:40:55Z

Padmini Baruah represented the Centre for Internet & Society at ICANN in the month of March 2016. In a submission to ICANN she is calling upon the ICANN board for implementing a system for investigating cases related to sexual harassments.

On the 6th of March, 2016, Sunday, at about 10 am in the gNSO working session being conducted at the room Diamant, I was sexually harassed by someone from the private sector constituency named Khaled Fattal. He approached me, pulled at my name tag, and passed inappropriate remarks. I felt like my space and safety as a young woman in the ICANN community was at stake.

I had incidentally been in discussion with the ICANN Ombudsman on developing a clear and coherent sexual harassment policy and procedure for the specific purposes of ICANN’s public meetings. Needless to say, this incident pushed me to take forward what had hitherto been a mere academic interest with increased vigour. I was amazed, firstly that the office of the ombudsman only had two white male members manning it. I was initially inhibited by that very fact, but made two points before them:

With respect to action on my individual case.
With respect to the development of policy in general.

I would like to put on record that the ombudsman office was extremely sympathetic and gave me a thorough hearing. They assured me that my individual complaint would be recorded, and sought to discuss the possibility of me raising a public statement with respect to policy, as they believed that the Board would be likely to take this suggestion up from a member of the community. I was also informed, astoundingly, that this was the first harassment case reported in the history of ICANN.

I then, as a newcomer to the community, ran this idea of making a public statement by no means an easy task at all, given the attached stigma that comes with being branded a victim of a sexual crime by certain senior people within ICANN who had assured me that they would take my side in this regard. To my dismay, there were two strong stands of victim blaming and intimidation that I faced I was told, in some cases by extremely senior and well respected, prominent women in the ICANN community, that raising this issue up would demean my credibility, status and legitimacy in ICANN, and that my work would lose importance, and I would “...forever be branded as THAT woman.” My incident was also trivialised in offhand casual remarks such as “This happened because you are so pretty”, “Oh you filed a complaint, not against me I hope, ha ha” which all came from people who are very high up in the ICANN heirarchy. I was also asked if I was looking for money out of this. Click to read the full statement made to ICANN here.

For more details visit https://cis-india.org/internet-governance/blog/sexual-harassment-at-icann

Pratap Vikram Singh - Why Aadhaar is Baseless?

praskrishna — 2016-04-02T05:31:30Z

This article by Pratap Vikram Singh, Governance Now, discusses the problems emerging out of the UIDAI project due to its lack of mechanisms for informed and granular consent, and for seeking recourse in the case of denial of service. The article quotes Sumandro Chattapadhyay and mentions Hans Varghese Mathew's work on the biometric basis of UIDAI. It was written before the Aadhaar bill was passed in Lok Sabha.

Cross-posted from Governance Now.

It was no less than a roller-coaster ride for Aadhaar, a programme formulated by the UPA government to assign a 12-digit unique number to every Indian resident. From the time it came into being in 2009, Aadhaar drew a volley of criticism, thanks to the misgivings and apprehensions that various critics and civil society organisations had. It was criticised for lack of a clear purpose, degree of effectiveness and absence of a privacy law and was virtually thrown into the bin by a parliamentary panel headed by BJP’s Yashwant Sinha in December 2011.

When the finance minister Arun Jaitley, in his budget speech, announced that the government would introduce the Aadhaar bill during the budget session, expectations were already set high. The bill, giving statutory backing to the unique identification authority of India (UIDAI), the implementing authority, was passed by the Lok Sabha on March 11. While the privacy and voluntary versus mandatory provisions are under the consideration of the supreme court, the bill makes way for linking Aadhaar with all government subsidies, benefits and services. The law on Aadhaar, former UIIDAI chairman Nandan Nilekani wrote in the Indian Express, will help the government in going paperless, presence-less and cashless. The legislation, however, fails to deliver on several counts.

However, prior to evaluating the bill (yet to be passed by the Rajya Sabha at the time of this writing though it is a money bill), let us take a look at its major aspects. For those, who always wondered whether Aadhaar is mandatory or voluntary, the bill 2016 makes it mandatory to avail subsidy, benefit or a service from the government.

The bill has provisions related to information security and confidentiality (section 28) which not only extend to employees of the UIDAI but also consultants and external agencies working with the authority.

The proposed law restricts information sharing. It bars UIDAI from sharing core biometric information – the bill defines it as fingerprints and iris scan – with “anyone for any reason whatsoever” or “used for any purpose other than generation of Aadhaar numbers and authentication under this Act”. The section 32 of the bill entitles Aadhaar number holders to access her or his authentication record. It also bars the authority from collecting, keeping or maintaining information about the purpose of authentication.

Odd Drives the Bill

While the intent is clear and is aimed at streamlining welfare schemes to ensure it reaches the bottom of the pyramid, cutting through the long chain of pilferage and subversion, the bill, however, has several shortcomings. To begin with, the government should not have taken the money bill route to pass the legislation – tactfully avoiding any conclusive discussion and debate in the Rajya Sabha, where it is in minority.

The bill assumes that the technology and the biometric system used by the UIDAI are flawless and it doesn’t provide any recourse in case of denial of a service. “If your fingerprint is not matching and you lose out on service, then what is the alternative mechanism you have,” asks Sumandro Chattapadhyay, research director, centre for internet and society (CIS). The bill doesn’t provide for recourse. “What if the scanning machine fails? What if the identifiers of two people match?”

Based on experiments conducted in the initial days of the Aadhaar programme, Hans Verghese Mathews, another CIS researcher, did a study on the probability of matching of identifiers of two persons. “For the current population of 1.2 billion the expected proportion of duplicands (users whose identifiers match) is 1/121, a ratio which is far too high,” Mathews wrote in the Economic and Political Weekly in February.

“It is like putting the technology in a black box – which can’t be reviewed,” says Chattapadhyay. The bill doesn’t talk about setting up an independent body to review the logs and keep an eye on wrong and duplicate matches.

Who Defines National Security?

According to public policy experts, it is an attempt to seek “minimal legitimacy” from parliament and further adds to the unbridled power of the executive.

Although the bill restricts information sharing in section 29, sections 33 and 48 provide exemption in cases of national security and public emergency, respectively. The legislation, nevertheless, doesn’t elaborate on what constitutes national security and public emergency, leaving it to the executives. The section 33 reads: “Nothing contained in… shall apply in respect of any disclosure of information, including identity information or authentication records, made in the interest of national security….”

Similarly, section 48 states that if, at any time, the central government is of the opinion that a public emergency exists, “the central government may, by notification, supersede the Authority for such period, not exceeding six months, as may be specified in the notification and appoint a person or persons as the president may direct to exercise powers and discharge functions under this Act”.

Says Jayati Ghosh, professor, centre for economic studies and planning, Jawaharlal Nehru University, “National security is a very opaque term. Who decides what national security is? Today, the whole JNU is being projected as a threat to national security.” Swagato Sarkar, associate professor and executive director, Jindal school of government and public policy, OP Jindal Global University, says, “The bill has provisions for oversight on the use of Aadhaar, but then it suspends those provisions in case of emergency in the later sections, giving the state the power to use biometric information for whatever it deems fit.”

Sarkar adds, “It seems the bill is simply an instrument for seeking minimum legitimacy from parliament. The bill tries to address the concern of privacy minimally and it hardly serves any purpose.” He believes that there is a need to define the broader contours of democratic control of the state and reassess the changing state-citizen relationship, instead of rejecting the whole idea on the basis of surveillance and privacy. In other words, there is a need for strong parliamentary oversight, and that the Aadhaar related matters shouldn’t be completely delegated to the executive.

In its recommendations on formulating Privacy Act, the justice AP Shah committee in 2012 provided for establishing the office of privacy commissioner at the regional and central levels, defining the role of self-regulating organisations and co-regulation, and creating a system of complaints and redressal for aggrieved individuals. Since the country still doesn’t have any legislation on privacy, people are left on their own in case of an infringement or violation of privacy. Moreover, section 47 states, “No court shall take cognizance of any offence punishable under this Act, save on a complaint made by the Authority or any officer or person authorised by it.”

In its report, the parliamentary committee headed by Yashwant Sinha notes that “enactment of national data protection law… is a prerequisite for any law that deals with large scale collection of information from individuals and its linkages across separate databases”. The committee notes that in absence of data protection legislation, it would be difficult to deal with issues of access, misuse of personal information, surveillance, profiling, linking and matching of databases and securing confidentiality of information.

Subsidy-Aadhaar Linkage

The Sinha committee also takes a cautious view of the role of Aadhaar in curbing leakages in subsidy distribution, as beneficiary identification is done by states. It notes, “Even if the Aadhaar number links entitlements to targeted beneficiaries, it may not even ensure that beneficiaries have been correctly identified. Thus, the present problem of proper identification would persist.”

According to Ghosh, the biggest danger in using Aadhaar for social welfare programmes is that the fingerprints of the rural working class is not always in good shape and hence Aadhaar will not be the best way of identification. “If I am misidentified, I can go to so many places for recourse. But what if a labourer in a remote Jharkhand village is misidentified? Where and whether he would go?” the economist asks. Besides, the bill doesn’t limit the use of Aadhaar and defines areas where it can be used. Section 57 says that the law will not prevent the use of Aadhaar number for establishing the identity of an individual for any purpose, “whether by the state or anybody corporate or person, pursuant to any law, for the time being in force or any contract to this effect.”

According to a PRS Legislative review, since the bill also allows private persons to use Aadhaar as a proof of identity for any purpose, the provision will open a floodgate and enable private entities such as airlines, telecom, insurance and real estate companies to mandate Aadhaar as a proof of identity for availing their services.

Since the bill doesn’t restrict its application, people will not have a choice to identify themselves other than using Aadhaar when corporate organisations make it mandatory, says Chattapadhyay of the CIS. Adds Sarkar, “The bill should clearly mention sectors or services where Aadhaar will be potentially used (or made mandatory). Every time a new sector or service is added to the list, it is done after parliamentary approval.”

So far, 98 crore people have been assigned Aadhaar number. So far the project has costed Rs 8,000 crore.

For more details visit https://cis-india.org/internet-governance/news/gov-now-pratap-vikram-singh-17032016-why-aadhaar-is-baseless

Analysis of Aadhaar Act in the Context of A.P. Shah Committee Principles

Vipul Kharbanda — 2016-03-17T19:43:53Z

Whilst there are a number of controversies relating to the Aadhaar Act including the fact that it was introduced in a manner so as to circumvent the majority of the opposition in the upper house of the Parliament and that it was rushed through the Lok Sabha in a mere eight days, in this paper we shall discuss the substantial aspects of the Act in relation to privacy concerns which have been raised by a number of experts. In October 2012, the Group of Experts on Privacy constituted by the Planning Commission under the chairmanship of Justice AP Shah Committee submitted its report which listed nine principles of privacy which all legislations, especially those dealing with personal should adhere to. In this paper, we shall discuss how the Aadhaar Act fares vis-à-vis these nine principles.

Introduction

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (the “Aadhaar Act”) was introduced in the Lok Sabha (lower house of the Parliament) by Minister of Finance, Mr. Arun Jaitley, in on March 3, 2016, and was passed by the Lok Sabha on March 11, 2016. It was sent back by the Rajya Sabha with suggestions but the Lok Sabha rejected those suggestions, which means that the Act is now deemed to have been passed by both houses as it was originally introduced as a Money Bill. Whilst there are a number of controversies relating to the Aadhaar Act including the fact that it was introduced in a manner so as to circumvent the majority of the opposition in the upper house of the Parliament and that it was rushed through the Lok Sabha in a mere eight days, in this paper we shall discuss the substantial aspects of the Act in relation to privacy concerns which have been raised by a number of experts. In October 2012, the Group of Experts on Privacy constituted by the Planning Commission under the chairmanship of Justice AP Shah Committee submitted its report which listed nine principles of privacy which all legislations, especially those dealing with personal should adhere to. In this paper, we shall discuss how the Aadhaar Act fares vis-à-vis these nine principles.

In order for the reader to better understand the frame of reference on which we shall analyse the Aadhaar Act, the nine principles contained in the report of the Group of Experts on Privacy are explained in brief below:

Principle 1: Notice - Does the legislation/regulation require that entities governed by the Act give simple to understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them.
Principle 2: Choice and Consent - Does the legislation/regulation require that entities governed under the Act provide the individual with the option to opt in/opt out of providing their personal information.
Principle 3: Collection Limitation - Does the legislation/regulation require that entities governed under the Act collect personal information from individuals only as is necessary for a purpose identified.
Principle 4: Purpose Limitation - Does the legislation/regulation require that personal data collected and processed by entities governed by the Act be adequate and relevant to the purposes for which they are processed.
Principle 5: Access and Correction - Does the legislation/regulation allow individuals: access to personal information about them held by an entity governed by the Act; the ability to seek correction, amendments, or deletion of such information where it is inaccurate, etc.
Principle 6: Disclosure - Does the legislation ensure that information is only disclosed to third parties after notice and informed consent is obtained. Is disclosure allowed for law enforcement purposes done in accordance with laws in force.
Principle 7: Security - Does the legislation/regulation ensure that information that is collected and processed under that Act, is done so in a manner that protects against loss, unauthorized access, destruction, etc.
Principle 8: Openness - Does the legislation/regulation require that any entity processing data take all necessary steps to implement practices, procedures, policies and systems in a manner proportional to the scale, scope, and sensitivity to the data that is collected and processed and is this information made available to all individuals in an intelligible form, using clear and plain language?
Principle 9: Accountability - Does the legislation/regulation provide for measures that ensure compliance of the privacy principles? This would include measures such as mechanisms to implement privacy policies; including tools, training, and education; and external and internal audits.

Analysis of the Aadhaar Act

The Aadhaar Act has been brought about to give legislative backing to the most ambitious individual identity programme in the world which aims to provide a unique identity number to the entire population of India. The rationale behind this scheme is to correctly identify the beneficiaries of government schemes and subsidies so that leakages in government subsidies may be reduced. In furtherance of this rationale the Aadhaar Act gives the Unique Identification Authority of India (“UIDAI”) the power to enroll individuals by collecting their demographic and biometric information and issuing an Aadhaar number to them. Below is an analysis of the Act based on the privacy principles enumerated I the A.P. Shah Committee Report.

Collection Limitation

Collection of Biometric and Demographic Information: The Aadhaar Act entitles every “resident” [1] to obtain an Aadhaar number by submitting his/her biometric (photograph, finger print, Iris scan) and demographic information (name, date of birth, address [2]) [3]. It must be noted that the Act leaves scope for further information to be included in the collection process if so specified by regulations. It must be noted that although the Act specifically provides what information can be collected, it does not specifically prohibit the collection of further information. This becomes relevant because it makes it possible for enrolling agencies to collect extra information relating to individuals without any legal implications of such act.

Authentication Records: The UIDAI is mandated to maintain authentication records for a period which is yet to be specified (and shall be specified in the regulations) but it cannot collect or keep any information regarding the purpose for which the authentication request was made [4].

Unauthorized Collection: Any person who in not authorized to collect information under the Act, and pretends that he is authorized to do so, shall be punishable with imprisonment for a term which may extend to three years or with a fine which may extend to Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/- [5]. It must be noted that the section, as it is currently worded seems to criminalize the act of impersonation of authorized individuals and the actual collection of information is not required to complete this offence. It is not clear if this section will apply if a person who is authorized to collect information under the Act in general, collects some information that he/she is not authorized to collect.

Notice

Notice during Collection: The Aadhaar Act requires that the agencies enrolling people for distribution of Aadhaar numbers should give people notice regarding: (a) the manner in which the information shall be used; (b) the nature of recipients with whom the information is intended to be shared during authentication; and (c) the existence of a right to access information, the procedure for making requests for such access, and details of the person or department in-charge to whom such requests can be made [6]. A failure to comply with this requirement will make the agency liable for imprisonment of upto 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/- [7]. It must be noted that the Act leaves the manner of giving such notice in the realm of regulations and does not specify how this notice is to be provided, which leaves important specifics to the realm of the executive.

Notice during Authentication: The Aadhaar Act requires that authenticating agencies shall give information to the individuals whose information is to be authenticated regarding (a) the nature of information that may be shared upon authentication; (b) the uses to which the information received during authentication may be put by the requesting entity; and (c) alternatives to submission of identity information to the requesting entity [8]. A failure to comply with this requirement will make the agency liable for imprisonment of upto 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/- [9]. Just as in the case of notice during collection, the manner in which the notice is required to be given is left to regulations leaving an unclear picture as to how comprehensive, accessible, and frequent this notice must be.

Access and Correction

Updating Information: The Aadhaar Act give the UIDAI the power to require residents to update their demographic and biometric information from time to time so as to maintain its accuracy [10].

Access to Information: The Aadhaar Act provides that Aadhaar number holders may request the UIDAI to provide access to their identity information expect their core biometric information [11]. It is not clear why access to the core biometric information [12] is not provided to an individual. Further, since section 6 seems to place the responsibility of updation and accuracy of biometric information on the individual, it is not clear how a person is supposed to know that the biometric information contained in the database has changed if he/she does not have access to the same. It may also be noted that the Aadhaar Act provides only for a request to the UIDAI for access to the information and does not make access to the information a right of the individual, this would mean that it would be entirely upon the discretion of the UIDAI to refuse to grant access to the information once a request has been made.

Alteration of Information: The Aadhaar Act gives individuals the right to request the UIDAI to alter their demographic if the same is incorrect or has changed and biometric information if it is lost or has changed. Upon receipt of such a request, if the UIDAI is satisfied, then it may make the necessary alteration and inform the individual accordingly. The Act also provides that no identity information in the Central database shall be altered except as provided in the regulations [13]. This section provides for alteration of identity information but only in the circumstances given in the section, for example demographic information cannot be changed if it has been lost, similarly biometric information cannot be changed if it is inaccurate. Further, the section does not give a right to the individual to get the information altered but only entitles him/her to request the UIDAI to make a change and the final decision is left to the “satisfaction” of the UIDAI.

Access to Authentication Record: Every individual is given the right to obtain his/her authentication record in a manner to be specified by regulations. [14]

Disclosure

Sharing during Authentication: The UIDAI is entitled to reply to any authentication query with a positive, negative or any other response which may be appropriate and may share identity information except core biometric information with the requesting entity [15]. The language in this provision is ambiguous and it is unclear what 'identity information' may be shared and why it would be necessary to share such information as Aadhaar is meant to be only a means of authentication so as to remove duplication.

Potential Disclosure during Maintenance of CIDR: The UIDAI has been given the power to appoint any one or more entities to establish and maintain the Central Identities Data Repository (CIDR) [16]. If a private entity is involved in the maintenance and establishment of the CIDR it can be presumed that there is the possibilty that they would, to some degree, have access to the information stored in the CIDR, yet there are no clear standards in the Act regarding this potential access. And the process for appointing such entities. The fact that the UIDAI has been given the freedom to appoint an outside entity to maintain a sensitive asset such as the CIDR raises security concerns.

Restriction on Sharing Information: The Aadhaar Act creates a blanket prohibition on the usage of core biometric information for any purpose other than generation of Aadhaar numbers and also prohibits its sharing for any reason whatsoever [17]. Other identity information is allowed to be shared in the manner specified under the Act or as may be specified in the regulations [18]. The Act further provides that the requesting entities shall not disclose the identity information except with the prior consent of the individual to whom the information relates [19]. There is also a prohibition on publicly displaying Aadhaar number or core biometric information except as specified by regulations [20]. Officers or the UIDAI or the employees of the agencies employed to maintain the CIDR are prohibited from revealing the information stored in the CIDR or authentication record to anyone [21]. It is not clear why an exception has been carved out and what circumstances would require publicly displaying Aadhaar numbers and core biometric information, especially since the reasons for which such important information may be displayed has been left up to regulations which have relatively less oversight. The section also provides the requesting entities with an option to further disclose information if they take consent of the individuals. This may lead to a situation where a requesting entity, perhaps the of an essential service, may take the consent of the individual to disclose his/her information in a standard form contract, without the option of saying no to such a request. It may lead to situations where the option is between giving consent to disclosure or denial or service altogether. For this reason it is necessary that there should be an opt in and opt out provision wherever a requesting entity has the power to ask for disclosure of information, so that people are not coerced into giving consent.

Disclosure in Specific Cases: The prohibition on disclosure of information (except for core biometric information) does not apply in case of any disclosure made pursuant to an order of a court not below that of a District Judge [22]. There is another exception to the prohibition on disclosure of information (including core biometric information) in the interest of national security if so directed by an officer not below the rank of a Joint Secretary to the Government of India specially authorised in this behalf by an order of the Central Government. Before any such direction can take effect, it will be reviewed by an oversight committee consisting of the Cabinet Secretary and the Secretaries to the Government of India in the Department of Legal Affairs and the Department of Electronics and Information Technology. Any such direction shall be valid for a period of three months and may be extended by another three months after the review by the Oversight Committee [23]. Although this provision has been criticized, and rightly so, for the lack of accountability since the entire process is being handled within the executive and there is no independent oversight, however it must be mentioned that the level of oversight provided here is similar to that provided to interception requests, which involve a much graver if not the same level of invasion of privacy.

Penalty for Disclosure: Any person who intentionally and in an unauthorized manner discloses, transmits, copies or otherwise disseminates any identity information collected in the course of enrolment or authentication shall be punishable with imprisonment of upto 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/ [24]. Further any person who intentionally and in an unathorised manner, accesses information in the CIDR [25], downloads, copies or extracts any data from the CIDR [26], or reveals or shares or distributes any identity information, shall be punishable with imprisonment of upto 3 years and a fine of not less than Rs. 10,00,000/-.

Consent

Consent for Authentication: A requesting entity has to take the consent of the individual before collecting his/her identity information for the purposes of authentication and also has to inform the individual of the alternatives to submission of the identity information [27]. Although this provision requires entities to take consent from the individuals before collecting information for authentication, however how useful this requirement of consent would be, still remains to be seen. There may be instances where a requesting entity may take the consent of the individual in a standard form contract, without the individual realizing what he/she is consenting to.

Note: The Aadhaar Act provides no requirement or standard for the form of consent that must be taken during enrollment. This is significant as it is the point at which individuals are providing raw biometric material and during previous enrollment, has been a point of weakness as the consent taken is an enabler to function creep as it allows the UIDAI to share information with engaged in delivery of welfare services [28].

Purpose

Use of Information: The authenticating entities are allowed to use the identity information only for the purpose of submission to the CIDR for authentication [29]. Further, the Act specifies that identity information available with a requesting entity shall not be used for any purpose other than that specified to the individual at the time of submitting the information for authentication [30]. The Act also provides that any authentication entity which uses the information for any purpose not already specified will be liable to punishment of imprisonment of upto 3 years or a fine of Rs. 10,000/- or both. In case of companies the maximum fine amount would be increased to Rs. 10,00,000/ [31].

Security

Security and Confidentiality of Information: It is the responsibility of the UIDAI to ensure the security and confidentiality of the identity and authentication information and it is required to take all necessary action to ensure that the information in the CIDR is protected against unauthorized access, use or disclosure and against accidental or intentional destruction, loss or damage [32]. The UIDAI is required to adopt and implement appropriate technical and organisational security measures and also ensure that its contractors do the same [33]. It is also required to ensure that the agreements entered into with its contractors impose the same conditions as are imposed on the UIDAI under the Act and that they shall act only upon the instructions of the UIDAI [34].

Biometric Information to be Electronic Record: The biometric information collected by the UIDAI has been deemed to be an “electronic record” as well as “sensitive personal data or information”, which would mean that in addition to the provisions of the Aadhaar Act, the provisions contained in the Information Technology Act, 2000 will also apply to such information [35]. It must be noted that while the Act lays down the principle that UIDAI is required to ensure the saecurity of the information, it does not lay down any guidelines as to the minimum security standards to be implemented by the Authority. However, through this section the legislature has linked the security standards contained in the IT Act to the information contained in this Act. While this is a clean way of dealing with the issue, some people may argue that the extremely sensitive nature of the information contained in the CIDR requires the standards for security to be much stricter than those provided in the IT Act. However, a perusal of Rule 8 of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 shows that the Rules themselves provide that the standard of security must be commensurate with the information assets being protected. It would thus seem that the Act provides enough room to protect such important information, but perhaps leaves too much room for interpretation for such an important issue.

Penalty for Unauthorised Access: Apart from the security provisions included in the legislation, the Aadhaar Act also provides for punishment of imprisonment of upto 3 years and a fine which shall not be less than Rs. 10,00,000/-, in case of the following offences:

introduction of any virus or other computer contaminant in the CIDR [36];
causing damage to the data in the CIDR [37];
disruption of access to the CIDR [38];
denial of access to any person who is authorised to access the CIDR [39];
destruction, deletion or alteration of any information stored in any removable storage media or in the CIDR or diminishing its value or utility or affecting it injuriously by any means [40];
stealing, concealing, destroying or altering any computer source code used by the Authority with an intention to cause damage [41].

Further, unauthorized usage or tampering with the data in the CIDR or in any removable storage medium with the intent of modifying information relating to Aadhaar number holder or discovering any information thereof, is also punishable with imprisonment for a term which may extend to 3 years and also a fine which may extend to Rs. 10,000/- [42].

Accountability

Inspections and Audits: One of the functions listed in the powers and functions of the UIDAI is the power to call for information and records, conduct inspections, inquiries and audit of the operations of the CIDR, Registrars, enrolling agencies and other agencies appointed under the Aadhaar Act [43].

Grievance Redressal: Another function of the UIDAI is to set up facilitation centres and grievance redressal mechanisms for redressal of grievances of individuals, Registrars, enrolling agencies and other service providers [44]. It must be said here that considering the importance that the government has given to and intends to give to Aadhaar in the future, an essential task such as grievance redressal should not be left entirely to the discretion of the UIDAI and some grievance redressal mechanism should be incorporated into the Act itself.

Openness

There does not seem to be any provision in the Aadhaar Act which requires the UIDAI to make its privacy policies and procedure available to the public in general even though the UIDAI has the responsibility to maintain the security and confidentiality of the information.

Endnotes

[1] A resident is defined as any person who has resided in India for a period of atleasy 182 days in the previous 12 months.

[2] It has been specified that demographic information will not include race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history.

[3] Section 3(1) of the Aadhaar Act.

[4] Section 32(1) and 32(3) of the Aadhaar Act.

[5] Section 36 of the Aadhaar Act.

[6] Section 3(2) of the Aadhaar Act.

[7] Section 41 of the Aadhaar Act.

[8] Section 8(3) of the Aadhaar Act.

[9] Section 41 of the Aadhaar Act.

[10] Section 6 of the Aadhaar Act.

[11] Section 28, proviso of the Aadhaar Act.

[12] Core biometric information is defined as fingerprints, iris scan or other biological attributes which may be specified by regulations.

[13] Section 31 of the Aadhaar Act.

[14] Section 32(2) of the Aadhaar Act.

[15] Section 8(4) of the Aadhaar Act.

[16] Section 10 of the Aadhaar Act.

[17] Section 29(1) of the Aadhaar Act.

[18] Section 29(2) of the Aadhaar Act.

[19] Section 29(3)(b) of the Aadhaar Act.

[20] Section 29(4) of the Aadhaar Act.

[21] Section 28(5) of the Aadhaar Act.

[22] Section 33(1) of the Aadhaar Act.

[23] Section 33(2) of the Aadhaar Act.

[24] Section 37 of the Aadhaar Act.

[25] Section 38(a) of the Aadhaar Act.

[26] Section 38(b) of the Aadhaar Act.

[27] Section 8(2)(a) and (c) of the Aadhaar Act.

[28] For example, see: http://www.karnataka.gov.in/aadhaar/Downloads /Application%20form%20-%20English.pdf.

[29] Section 8(2)(b) of the Aadhaar Act.

[30] Section 29(3)(a) of the Aadhaar Act.

[31] Section 37 of the Aadhaar Act.

[32] Section 28(1), (2) and (3) of the Aadhaar Act.

[33] Section 28(4)(a) and (b) of the Aadhaar Act.

[34] Section 28(4)(c) of the Aadhaar Act.

[35] Section 30 of the Aadhaar Act.

[36] Section 38(c) of the Aadhaar Act.

[37] Section 38(d) of the Aadhaar Act.

[38] Section 38(e) of the Aadhaar Act.

[39] Section 38(f) of the Aadhaar Act.

[40] Section 38(h) of the Aadhaar Act.

[41] Section 38(i) of the Aadhaar Act.

[42] Section 39 of the Aadhaar Act.

[43] Section 23(2)(l) of the Aadhaar Act.

[44] Section 23(2)(s) of the Aadhaar Act.

For more details visit https://cis-india.org/internet-governance/blog/analysis-of-aadhaar-act-in-context-of-shah-committee-principles

Privacy Concerns Overshadow Monetary Benefits of Aadhaar Scheme

Pranesh Prakash and Amber Sinha — 2016-03-17T16:12:26Z

Since its inception in 2009, the Aadhaar system has been shrouded in controversy over issues of privacy, security and viability. It has been implemented without a legislative mandate and has resulted in a PIL in the Supreme Court, which referred it to a Constitution bench. On Friday, it kicked up more dust when the Lok Sabha passed a Bill to give statutory backing to the unique identity number scheme.

The article was published in the Hindustan Times on March 12, 2016.

There was an earlier attempt to give legislative backing to this project by the UPA government, but a parliamentary standing committee, led by BJP leader Yashwant Sinha, had rejected the bill in 2011 on multiple grounds. In an about-turn, the BJP-led NDA government decided to continue with Aadhaar despite most of those grounds still remaining.

Separately, there have been orders passed by the Supreme Court that prohibit the government from making Aadhaar mandatory for availing government services whereas this Bill seeks to do precisely that, contrary to the government’s argument that Aadhaar is voluntary.

In some respects, the new Aadhaar Bill is a significant improvement over the previous version. It places stringent restrictions on when and how the UID Authority (UIDAI) can share the data, noting that biometric information — fingerprint and iris scans — will not be shared with anyone. It seeks prior consent for sharing data with third party. These are very welcome provisions.

But a second reading reveals the loopholes.

The government will get sweeping power to access the data collected, ostensibly for “efficient, transparent, and targeted delivery of subsidies, benefits and services” as it pleases “in the interests of national security”, thus confirming the suspicions that the UID database is a surveillance programme masquerading as a project to aid service delivery.

The safeguards related to accessing the identification information can be overridden by a district judge. Even the core biometric information may be disclosed in the interest of national security on directions of a joint secretary-level officer. Such loopholes nullify the privacy-protecting provisions.

Amongst the privacy concerns raised by the Aadhaar system are the powers it provides private third parties to use one’s UID number. This concern, which wouldn’t exist without a national ID squarely relates to Aadhaar and needs a more comprehensive data protection law to fix it. The supposed data protection under the Information Technology Act is laughable and inadequate.

The Bill was introduced as a Money Bill, normally reserved for matters related to taxation, borrowing and the Consolidated Fund of India (CFI), and it would be fair to question whether this was done to circumvent the Rajya Sabha.

None of the above arguments even get to the question of implementation.

Aadhaar hasn’t been working. When looking into reasons why 22% of PDS cardholders in Andhra Pradesh didn’t collect their rations it was found that there was fingerprint authentication failure in 290 of the 790 cardholders, and in 93 instances there was an ID mismatch. A recent paper in the Economic and Political Weekly by Hans Mathews, a mathematician with the CIS, shows the programme would fail to uniquely identify individuals in a country of 1.2 billion.

The debate shouldn’t be only about the Aadhaar Bill being passed off as a Money Bill and about the robustness of its privacy provisions, but about whether the Aadhaar project can actually meet its stated goals.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-amber-sinha-pranesh-prakash-march-12-2016-privacy-concerns-overshadow-monetary-benefits-of-aadhaar-scheme

India's billion-member biometric database raises privacy fears

praskrishna — 2016-03-17T15:25:45Z

India's parliament is set to pass legislation that gives federal agencies access to the world's biggest biometric database in the interests of national security, raising fears the privacy of a billion people could be compromised.

The article by Sanjeev Miglani and Manoj Kumar was published by Reuters on March 16, 2016. Sunil Abraham was quoted.

The move comes as the ruling Bharatiya Janata Party (BJP) cracks down on student protests and pushes a Hindu nationalist agenda in state elections, steps that some say erode India's traditions of tolerance and free speech.

It could also usher in surveillance far more intrusive than the U.S. telephone and Internet spying revealed by former National Security Agency (NSA) contractor Edward Snowden in 2013, some privacy advocates said.

The Aadhaar database scheme, started seven years ago, was set up to streamline payment of benefits and cut down on massive wastage and fraud, and already nearly a billion people have registered their finger prints and iris signatures.

Now the BJP, which inherited the scheme, wants to pass new provisions including those on national security, using a loophole to bypass the opposition in parliament.

"It has been showcased as a tool exclusively meant for disbursement of subsidies and we do not realize that it can also be used for mass surveillance," said Tathagata Satpathy, a lawmaker from the eastern state of Odisha.

"Can the government ... assure us that this Aadhaar card and the data that will be collected under it – biometric, biological, iris scan, finger print, everything put together – will not be misused as has been done by the NSA in the U.S.?"

Finance Minister Arun Jaitley has defended the legislation in parliament, saying Aadhaar saved the government an estimated 150 billion rupees ($2.2 billion) in the 2014-15 financial year alone.

A finance ministry spokesman added that the government had taken steps to ensure citizens' privacy would be respected and the authority to access data was exercised only in rare cases.

According to another government official, the new law is in fact more limited in scope than the decades-old Indian Telegraph Act, which permits national security agencies and tax authorities to intercept telephone conversations of individuals in the interest of public safety.

"POLICE STATE"

Those assurances have not satisfied political opponents and people from religious minorities, including India's sizeable Muslim community, who say the database could be used as a tool to silence them.

"We are midwifing a police state," said Asaduddin Owaisi, an opposition MP.

Raman Jit Singh Chima, global policy director at Access, an international digital rights organization, said the proposed Indian law lacked the transparency and oversight safeguards found in Europe or the United States, which last year reformed its bulk telephone surveillance program.

He pointed to the U.S. Foreign Intelligence Surveillance Court, which must approve many surveillance requests made by intelligence agencies, and European data protection authorities as oversight mechanisms not present in the Indian proposal.

The Indian government brought the Aadhaar legislation to the upper house of parliament on Wednesday in a bid to secure passage before lawmakers go into recess.

To get around its lack of a majority there, the BJP is presenting it as a financial bill, which the upper chamber cannot reject. It can return it to the lower house, where the ruling party has a majority.

In its assessment of the measure, New Delhi-based PRS Legislative Research said law enforcement agencies could use someone's Aadhaar number as a link across various datasets such as telephone and air travel records.

That would allow them to recognize patterns of behavior and detect potential illegal activities.

But it could also lead to harassment of individuals who are identified incorrectly as potential security threats, PRS said.

Sunil Abraham, executive director of the Bengaluru-based Centre for Internet and Society, said Aadhaar created a central repository of biometrics for almost every citizen of the world's most populous democracy that could be compromised.

"Maintaining a central database is akin to getting the keys of every house in Delhi and storing them at a central police station," he said.

"It is very easy to capture iris data of any individual with the use of next generation cameras. Imagine a situation where the police is secretly capturing the iris data of protesters and then identifying them through their biometric records.

For more details visit https://cis-india.org/internet-governance/news/reuters-march-16-2016-sanjeev-miglani-and-manoj-kumar-indias-billion-member-biometric-database-raises-privacy-fears

Forget privacy, Aadhaar Bill gives too much power to the executive

praskrishna — 2016-03-17T14:44:12Z

The government promotes the Aadhaar programme because it believes the 12-digit unique identification number will let them track every penny spent from the exchequer. But money is not all that the Aadhaar number can track.

The article by Aloke Tikku was published in the Hindustan Times on March 17, 2016. Sunil Abraham gave inputs.

It can help track people too with amazing efficiency. This is at the centre of the controversy around the programme, and the Aadhaar bill that requires every resident to get the number to access government subsidies and services.

Finance minister Arun Jaitley put up a spirited defence of the bill in the Rajya Sabha on Wednesday when the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 came up for passage. And he was right.

As far as privacy is concerned, the NDA government’s version is much more stringent than the creaky draft proposed by the UPA in 2010.

Jaitley said there were only two circumstances in which personal data collected by UIDAI could be shared under this bill.

One, if the Aadhaar number holder consents to his details being shared. Second, if a government agency wants to access this data on grounds of national security.

But the debate around privacy concerns – that neither the NDA nor the UPA governments addressed – and the new bill is much more fundamental.

The Aadhaar bill gives the executive too much power to decide how to administer the law.

Every law requires the government to frame rules to specify the nitty-gritty of its implementation.

But the Aadhaar bill passed by Parliament gives the Unique Identification Authority of India (UIDAI) the power to prescribe regulations for nearly every provision, right down to what biometric or biological attributes need to be captured.

“The law leaves too much power in the hands of the executive,” said Sunil Abraham, executive director of the Bengaluru-headquartered research advocacy group, Centre for Internet and Society.

For instance, the bill gives the Unique identification Authority of India (UIDAI) powers to determine if it should collect any biological attribute of people too. This means the government could at a later date mandate that DNA of all Aadhaar numbers too be collected.

The example echoed in the Rajya Sabha on Wednesday as well.

“No power should be delegated to the UID Authority because then the UID Authority will decide tomorrow that DNA is required, and they will then have the powers to take DNA information as well,” Congress MP Jairam Ramesh said.

The minister tried to explain the reliance on regulations issued by UIDAI – the word ‘regulations’ does appear some 50 times through the legislation – as compared to less than 10 in, say, the right to information law or the 2010 version of the bill.

He said MPs could still review notifications issued by UIDAI when they are placed for parliamentary approval.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-march-17-2016-aloke-tikku-forget-privacy-aadhaar-bill-gives-too-much-power-to-the-executive

A scheme in India to help the poor raises privacy concerns

praskrishna — 2016-03-17T03:08:33Z

India’s legislators are on Wednesday debating a law that would allow the government to collect biometric and demographic information from people in return for distributing to them government benefits and subsidies.

The article by John Ribeiro published by IDG News Service on March 16, 2016 was also mirrored on CSO.

A number of legislators and civil rights activists are concerned about the absence of strong privacy safeguards in the legislation and a provision in the law that allows the government to access the data collected for national security reasons. There is also concern that such a large centralized database of personal information could be hacked and critical information leaked.

Biometric information, once leaked cannot be 'revoked,' and identity fraud may in fact become harder to detect if Aadhaar is used for authentication of transactions, said Pranesh Prakash, policy director at the Centre for Internet and Society in Bangalore, in an email.

Activists are also wary that the program could be extended by the government to make it a mandatory digital ID card for people in the country. Already some telecommunications services and financial services companies use the biometric identity as an optional way for verifying customers. Currently, people can keep their personal information in silos, as for example their insurance company can't combine their database with that of a hospital, Prakash said. "However, with Aadhaar as a unique linking factor, they could, even without the person's consent," he added.

The biometric ID, which assigns a person a 12-digit number called the Aadhaar number, requires the collection of photos, fingerprints, iris scans and other information such as the name, date of birth and address of the individual. Every time a person has to be verified, he has to present the Aadhaar number, and his biometric information has to match the data stored in a centralized repository.

The digital identity is expected to provide proof of identification to the large number of poor Indians who do not have house addresses, school certificates, birth certificates or other documents that are usually used to prove identity in India.

The traditional paper ration books used in the country are notoriously stuffed with people who are nonexistent or who do not typically qualify for benefits, so the government hopes to save some money by linking the benefits to a digital identity. But the new scheme addresses only end-user fraud and not the large-scale theft prevalent in the entire supply chain, according to analysts.

Rajeev Chandrasekhar, a member of India’s Parliament, has proposed amendments to the bill that would ensure that Aadhaar numbers should not be used as proof of identity for purposes other than subsidies and benefits. Chandrasekhar also wants the Unique Identification Authority of India that manages the project to be responsible for ensuring the security and privacy of the biometric and demographic information of the account holder, with liability for damages in a civil court in the case of a breach.

The Aadhaar program has been allotting IDs for a number of years, even under a previous government, but the program was the offshoot of an executive order and had no legal sanction. The country’s Supreme Court ruled in 2013 in an interim order that people cannot be required to have Aadhaar identification to collect state subsidies. Aware of the legal minefield it was treading on, the government had said the scheme was voluntary.

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 passed recently in the Lok Sabha, one of the houses of India’s parliament, now aims to make the scheme mandatory. The bill sailed through the Lok Sabha where the government has a majority, but will likely meet with strong opposition from the other house, the Rajya Sabha. But the government has classified the bill as a money bill and the Rajya Sabha does not have the final say on such bills. So the legislation is likely to be passed in any case despite its limitations.

For more details visit https://cis-india.org/internet-governance/news/a-scheme-in-india-to-help-the-poor-raises-privacy-concerns

Aadhaar is actually surveillance tech: Sunil Abraham

praskrishna — 2016-03-16T17:07:39Z

On March 12, the Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016, paving the way for giving legal status to Aadhaar, a 12-digit unique identification number generated after collecting biometric and other details of an Indian resident.

Sahil Makkar on behalf of Business Standard interviewed Sunil Abraham. The article was published on March 12, 2016.

The government intends to use Aadhaar to roll out more subsidy schemes and allay privacy concerns. However, activists are not convinced. Sunil Abraham, executive director of Bengaluru based-research organisation The Centre for Internet & Society, tells Sahil Makkar that the concept of Aadhaar is principally flawed and it doesn't substantially help in plugging leakages in government schemes. Edited excerpts:

What is your position on Aadhaar and the UIDAI Bill?

What technology has broken cannot be fixed by the law. Aadhaar is a broken technology; it is surveillance technology disguised as developmental intervention that identifies people without their consent and authenticates transactions on their behalf. The architecture is a disaster from the security perspective and there is no recourse in law for citizens whose rights have been infringed. The other objection should be to the subtitle of the Bill that mentions "services": it is unclear whether Aadhaar is to be provided to the residents or the citizens. A bulk of the government services is meant for citizens.

What are the repercussions of this "broken technology"?

Consent happens without conscious cooperation during the authentication process of getting access to a subsidy or a service. Also, the person providing the service is holding a biometric reader and he may say the device is not working and hence, refuse the subsidy. Yet the database will reflect that the subsidy has been availed of because authentication has already been completed. So you have to accept what the person is saying because only that person and the UIDAI have access to the information. Aadhaar makes the citizen transparent to the state but makes the state completely opaque and unaccountable to its citizens.

Will the beneficiary not receive a message about the transaction?

That will only happen when the banks are involved. At the subsidised ration shop the beneficiary will get nothing. The world over security professionals don't trust biometric-based authentication, relying rather on other revocable authentication factors. It is irrevocable if the biometric details are compromised. Instead, writable smart cards could be used to record details of government officers on the cards of beneficiaries and make both the state and the resident transparent to each other.

Hasn't the National Population Register under the Ministry of Home Affairs been advocating the use of smart cards?

In this case biometrics should be used only to link the individual to the smart card. Biometric information should be stored on smart cards and under no circumstances should there be a central repository of biometrics at one place. Maintaining a central database is akin to getting the keys of every house in Delhi and storing them at a central police station. The chances of getting a central database compromised depend on the nature of information stored in it. For the sake of security one can't create a honey pot to be attacked by many. The internet is secure because it doesn't have a central database. The other difference is that faking biometrics is much easier than faking smart cards.

So your principle opposition is to the setting up of a central repository of biometrics?

I am also opposed to the use of biometrics for identification and authentication; this is nothing but surveillance. It is very easy to capture iris data of any individual with the use of next generation cameras. Imagine a situation when the police is secretly capturing the iris data of protesters and then identifying them through their biometric records.

But if the security agencies are able to identify those who create law and order problems, what is the hitch?

It is exactly the same argument that Apple is giving while refusing back-door entry to intelligence and investigating agencies. Once you build surveillance capacity for good governance, it may be misused by a repressive government, a rogue corporation or by criminals. Fear of this type of surveillance will deter people from holding any protest.

Doesn't the Aadhaar or the UIDAI conform to safety and security provisions in the IT Act?

The standards in our IT Act are woefully inadequate in comparison to European regulators and courts. If it adhered to the highest standards, the European privacy commissioner and data protection authorities would have given India adequacy status. The second problem is that the current IT Act doesn't apply to the government. If the government holds your data, it is under no obligation to protect your rights.

You have been part of the Justice A P Shah Committee on privacy. How important is it to have a separate privacy law in the present context?

It is not only important for the purpose of safeguarding human rights, but also to protect the competitiveness of our BPO, ITeS and KPO sectors. We need a data protection law that is compliant with European Data Protection Regulation.

How will such a law help a common man whose data have been compromised?

It will provide clarity to an individual about where he or she stands with regard to privacy. It is strange that the government took diametrically opposite stands in two cases related to privacy in the Supreme Court. When some activists demanded that the UIDAI be scrapped, the government argued before the court that there was no Constitutional right to privacy. When the police asked for the biometric records from the UIDAI, the same government argued there was a right to privacy and that it couldn't divulge the details to the police. The government is not speaking in the same voice; even courts are not speaking in the same voice, because there have been conflicting judgements. So the proposed law will provide clarity on privacy and people will be able to seek compensation under it.

At the same time it cannot be denied that Aadhaar can plug leakages and save hundreds and thousands of rupees for the exchequer....

Aadhaar is only answering two questions: Is this particular biometric unique (enrolment) and does it match the template in the database? If you bring a Bangladeshi into the system, it will answer both the questions in the affirmative. The Aadhaar only eliminates the possibility of one person receiving the benefits twice. At the same time it is very easy to put a ghost beneficiary back into the system. If Aadhaar has to work, we need a publicly visible auditable trail of subsidy moving from Delhi to the villages. That will eliminate corruption in the supply chain.

Isn't it difficult for a large number of ghost beneficiaries to get into the system?

There is no way to check whether a genuine or a ghost beneficiary has been removed from the list. It is not a foolproof system because no one is vouching for anybody. In the current system it is difficult to find out who created this ghost beneficiary. Nobody loses a job for creating a ghost; in fact, here everyone has an incentive.

If there are problems with the UIDAI system, why is the government upbeat about it?

As techno-utopians our government wants technology to answer everything and solve all our problems. If anything goes wrong, it can easily be blamed on technology.

For more details visit https://cis-india.org/internet-governance/news/business-standard-sahil-makkar-march-12-2016-aadhaar-is-actually-surveillance-tech-sunil-abraham

Govt narrative on Aadhaar has not changed in the last six years: Sunil Abraham

praskrishna — 2016-03-16T16:37:19Z

The bill is basically the same as the UPA version, with some cosmetic changes, and some tokenism towards the right to privacy, says Abraham.

Shreeja Sen interviewed Sunil Abraham. The article was published in Livemint on March 8, 2016.

The government’s bid to push financial inclusiveness and access to government services has received a fresh boost, with finance minister Arun Jaitley introducing a proposed law to give legislative backing to Aadhaar, being implemented by the Unique Identification Authority of India (UIDAI).

This project, which uses a person’s biometric data like fingerprints and iris scans to authenticate identity of people receiving subsidies and other state benefits, will move India towards a cashless economy and help digital initiatives such as biometric attendance, Pradhan Mantri Jan Dhan Yojana, digital certificates, pension payments and the proposed introduction of payments banks.

Sunil Abraham, 42

Abraham is executive director of Centre for Internet and Society, a Bengaluru-based think tank focusing on accessibility, access to knowledge, telecom and Internet governance. He has written extensively on the UID scheme, and the intersection of privacy and security. He founded Mahiti—an enterprise that aims to reduce the cost and complexity of information and communications technology for the voluntary sector by using free software.

The Aadhaar project has faced its share of roadblocks with cases challenging it pending before the Supreme Court. A constitution bench of the court will decide whether the right to privacy is a fundamental right and if Aadhaar violates it.

Sunil Abraham, the executive director of Centre for Internet and Society, a Bengaluru-based policy research institute, is a critic of Aadhaar for several reasons. He explained his concerns in an interview. Edited excerpts:

Have any of the concerns regarding the Aadhaar project since its inception in 2009 been addressed?

Whatever we complained about six or seven years ago, whatever complaints were made by the civil society...all of those complaints remain in the exact same situation.

Nothing has changed.

What kind of concerns?

The first thing to remember is that privacy and security are just two sides of the same coin. You cannot have one without the other.

Our first concern with the project is centralization. Whenever you build an information system, and you create a central point of failure, then it will fail because the possibility of failure exists. The Internet has no central point of failure. That is why it is so difficult for you to bring the Internet down. Complaint number 2 is the opaque technology.

UIDAI keeps saying that “we have built a technology using a free software and open standard stack”. The first is a de-duplication software and the second one is the authentication software—those are the most important pieces of software.

This software is proprietary and nobody knows how they work and nobody can independently audit them.

The third complaint is the use of an irrevocable and non-consensual authentication factor. In the UID scheme, the biometrics serve two purposes: it can be used to identify a citizen and it can be used to authenticate a transaction. Authentication factors, commonly known as passwords, should always be revocable. That means if the password is compromised, you should be able to change the password or at least say that this password is no longer valid. The use of biometrics eliminates those two important requirements.

Further, in most other authentication, the process of authentication ensures that you are consenting. For example, PIN (personal identity number) authentications. But suppose I am authenticating you through your irises, then as long as your eyes are open, the machine will think you’re authenticating. There’s no way of saying I don’t want to authenticate. Or if you’re sleeping, somebody can hold your fingers over a biometric reader and open your iPhone. So that’s complaint number three.

The fourth complaint from the privacy perspective is: there is a very important database that they don’t talk about. I call it the transactions database. Suppose there is somebody who is using the UIDAI service to authenticate a transaction, then UIDAI should keep a record of that successful or unsuccessful transaction authentication. That means you have been registered into the database.

You go to a fair price shop to purchase subsidized grain and at that fair price shop or ration shop, you use your finger on the biometric reader, and then the UIDAI system says “yes you are indeed who you say you are”.

So, at that point, later the shop should not be able to say X never came here, or X came twice. So, in order for them to not say all those things, a record should be made on the UID database, that on this day, from this geographical location, this particular biometric reader sent us X’s biometric template and asked if the template matched against X’s UID number...the transaction database can be used for profiling. They never talk about it.

They never tell us what that database holds and how long they’re keeping all those records. None of that is clear.

Does Aadhaar bill help assuage your doubts about the project?

The government narrative has not changed in the last six years; the bill is basically the same as the UPA (United Progressive Alliance) version, with some cosmetic changes, and some tokenism towards the right to privacy. The proof that the technology is fallible is in the bill.

If the technology was infallible, as the UIDAI would like us to believe, then the bill would not criminalize the following: (1) impersonation at the time of enrolment; (2) unauthorized access to the Central Identities Data Repository.

Imagine that the bill admits that every Indian’s biometric can be stolen from one single centralized database. Now why don’t we have a similar offence for stealing all private keys from the Internet—we don’t because that is technical impossibility thanks to decentralization.

Therefore we don’t need a law to make (it) illegal. We’ve suggested changes to both the technology and the law. We’ve written seven open letters to the UIDAI, and we’ve never gotten any response. Very few of our concerns have been addressed. We’ve seen dogs getting UID, various other things getting UID, so there’s a lot of evidence that the system does not work. From Kerala we have stories of one person getting several UIDs, so we have no idea about technological feasibility of the project.

One of our distinguished fellows, Hans Varghese Mathews, has published an academic paper in the latest EPW (Economic and Political Weekly), by extrapolating UIDAI field trial data to national scale. He predicts that by the time the number crosses 1 billion, every time UIDAI tries to register someone new, they will match with about 850 people already in the database positively. So, the unique identification capability of the UIDAI will not scale above the billion. The consequence of the technology failing is not trivial. If someone replaces your biometrics in the central database, then the onus is on you to prove that you are a resident of India.

Previously, human beings determined the answer to this question, and they had to find proof that you were not a resident. Now, a fallible technology will be asked to answer this important question.

Isn’t the basic function of the Aadhaar project to ensure that benefits reach the person they are meant for, and it’s easier for people to get an identity proof for those who have no other ID, like migrant workers?

Two responses: is it good anti- corruption technology? Unfortunately not, because it is intended at retail fraud. The person under surveillance is very poor. But the person responsible for corruption is not poor. So, I believe you should be surveilling those responsible for corruption.

What I had said is UID should be first given to every single bureaucrat and every single politician in the country. From Delhi till the Panchayat office, till the ration shop in the village, that supply chain must be monitored and documented using cryptography, so that nobody can deny anything. We need non-repudiatable audit trail from New Delhi to the village because according to all analyses, that is where the theft is happening—in the supply chain. The villager who is taking false benefits, that is called retail fraud.

The bulk of the fraud is actually wholesale fraud. Please tackle wholesale fraud using non-repudiatable public audit trail from New Delhi to the village first, before you start surveilling the poor.

The second point is that people find it easy to get the UID. That is fine, but there is a problem; that it’s not uniquely identifying anybody. So, people will keep registering and the UID system will keep giving them more and more UIDs because there are no human checks and balances. Because you’ve gone with a pure technological solution, it’s very easy to fool (the system).

So, the ease of registration has not served the purpose.

For more details visit https://cis-india.org/internet-governance/news/livemint-march-8-2016-shreeja-sen-govt-narrative-on-aadhaar-has-not-changed-in-last-six-years-sunil-abraham