<?xml version="1.0" encoding="utf-8" ?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns="http://purl.org/rss/1.0/">




    



<channel rdf:about="https://cis-india.org/internet-governance/blog/online-anonymity/search_rss">
  <title>We are anonymous, we are legion</title>
  <link>https://cis-india.org</link>
  
  <description>
    
            These are the search results for the query, showing results 216 to 230.
        
  </description>
  
  
  
  
  <image rdf:resource="https://cis-india.org/logo.png"/>

  <items>
    <rdf:Seq>
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/livemint-august-3-2018-uidai-says-asked-nobody-to-add-the-helpline-number-to-contacts"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/newslaundry-shruti-menon-may-2-2017-uidai-remains-silent-on-aadhaar-leaks-of-users-through-govt-portals"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/financial-express-may-19-2017-pti-uidai-puts-posers-to-cis-over-aadhaar-data-leak-claim"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/uid-practices-and-it-act-sec-43-a-and-subsequent-rules"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/economic-times-january-11-2018-uidai-introduces-new-two-layer-security-system-to-improve-aadhaar-privacy"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/medianama-nikhil-pahwa-may-19-2017-uidai-cis-india-aadhaar"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/livemint-komal-gupta-january-7-2018-uidai-denies-any-breach-of-aadhaar-database"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/biometric-update-july-4-2017-justin-lee-uidai-declining-multiple-requests-by-police-to-share-indian-citizens-biometrics"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/economic-times-may-18-2017-mahendra-singh-uidai-asks-centre-for-internet-and-society-to-provide-hacker-details"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/events/uidai-and-welfare-services-exclusion-and-countermeasures-aug-27"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/financial-express-november-20-2017-government-websites-made-aadhaar-details-public"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/news/uid-worlds-largest-database"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/UID_Questions_without_Answers"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/privacy/uid-nothing-to-hide-fear"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/news/are-your-biometric-i-cards-stacked-against-you"/>
        
    </rdf:Seq>
  </items>

</channel>


    <item rdf:about="https://cis-india.org/internet-governance/news/livemint-august-3-2018-uidai-says-asked-nobody-to-add-the-helpline-number-to-contacts">
    <title>UIDAI says asked nobody to add the helpline number to contacts</title>
    <link>https://cis-india.org/internet-governance/news/livemint-august-3-2018-uidai-says-asked-nobody-to-add-the-helpline-number-to-contacts</link>
    <description>
        &lt;b&gt;UIDAI says the toll free number 1800-300-1947 in the contact list of Android phones is an ‘outdated and invalid number’&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article by Komal Gupta was published in&lt;a class="external-link" href="https://www.livemint.com/Politics/5yeCLwAYPfoQF9SVr7oqKJ/UIDAI-says-tollfree-number-not-issued-to-telecom-firms-han.html"&gt; Livemint&lt;/a&gt; on August 3, 2018. Amber Sinha was quoted.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;After the Unique Identification Authority of India’s (UIDAI’s)  helpline number was added to the contact list of users through an update  available on the Android platform, the government agency in charge of  the Aadhaar database of over one billion Indians, stepped in to defend  the unique ID project, saying that “some vested interest are trying to  create unwarranted confusion in the public”.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The toll free number  1800-300-1947 in the contact list of Android phones is an “outdated and  invalid number,” UIDAI said on Friday.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;UIDAI has not asked or  advised anyone, including any telecom service provider or mobile  manufacturer or Android, to include 18003001947 or 1947 in the default  list of public service numbers, it said. “UIDAI’s valid toll free number  is 1947, which is functional for more than the last two years.”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;On  Thursday, French security expert Elliot Alderson took to Twitter to  ask: “Do you have @UIDAI in your contact list by default?”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The  news stormed social media and people checked their phones to find  UIDAI’s helpline number pre-saved on their device without their  knowledge. Based on a series of tweets that followed, it was established  that the number entered users’ phones through an update on the Android  platform.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“We are aware of this and are looking into it,” said Google in response to queries from &lt;i&gt;Mint&lt;/i&gt;. Calls to the Department of Telecommunications (DoT) seeking comments on the issue remained unanswered.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In  an apparent dig at UIDAI and the telcos, Alderson tweeted on Friday:  “People noticed that the @UIDAI number is saved by default on their  phone: @UIDAI: This is not me! Telecom providers: No, this is not us!  ... Do I have to ask to Harry Potter if he magically added this number  to people phones?”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Giving a clean chit to the telcom companies,  Cellular Operators Association of India (COAI) director general Rajan S.  Mathews said: “The inclusion of a certain unknown number in the  phonebooks of various mobile handsets is not from any telecom service  provider.”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“This doesn’t seem to be a malware- or hacking-related  instance,” said Amber Sinha, lawyer and senior programme manager at the  Centre for Internet and Society (CIS), a Bengaluru-based think tank.  “There are some pre-saved numbers, which comes with the operating system  and its update. If the UIDAI claims that it did not ask telecom service  providers or mobile manufacturers or Android to include the number,  then only Google or the operating system developers can give clarity on  this.”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;This is not the first time that privacy warriors  have launched a crusade against UIDAI and challenged the security  framework put in place by it.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Last week, Twitter users publicly  shared personal details, including bank accounts, email IDs, PAN and  frequent flyer number of Telecom Regulatory Authority of India (Trai)  chairman R.S. Sharma, after he posted his 12-digit Aadhaar number and  dared people to harm him.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Sharma, himself a former chairman of  UIDAI, had revealed his Aadhaar number on Twitter, prompting many of his  followers to dig up information about him.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Following this,  UIDAI on Tuesday advised people to refrain from revealing their Aadhaar  numbers on public platforms, including on social media.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The  draft Personal Data Protection Bill, 2018, submitted to the government  on 27 July by the expert panel headed by former Supreme Court judge B.N.  Srikrishna, categorises the Aadhaar number as sensitive personal  information. There are more than 1.21 billion Aadhaar number holders in  the country.&lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Admin</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    

   <dc:date>2018-08-13T15:47:57Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/newslaundry-shruti-menon-may-2-2017-uidai-remains-silent-on-aadhaar-leaks-of-users-through-govt-portals">
    <title>UIDAI remains silent on #Aadhaarleaks of 13 crore users through government portals</title>
    <link>https://cis-india.org/internet-governance/news/newslaundry-shruti-menon-may-2-2017-uidai-remains-silent-on-aadhaar-leaks-of-users-through-govt-portals</link>
    <description>
        &lt;b&gt;As the arguments for making Aadhaar mandatory go on, is there any way to stem the leaks and identify who exactly has all this information?&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The blog post by Shruti Menon was &lt;a class="external-link" href="https://www.newslaundry.com/2017/05/02/uidai-remains-silent-on-aadhaarleaks-of-13-crore-users-through-government-portals"&gt;published by Newslaundry&lt;/a&gt; on May 2, 2017.&lt;/p&gt;
&lt;hr style="text-align: justify; " /&gt;
&lt;p style="text-align: justify; "&gt;The verdict on linking Aadhaar with Permanent Account Number (PAN) and  making it mandatory for filing income tax returns (ITRs) will be out  soon. Attorney General Mukul Rohatgi had a tough challenge ahead of him  in the Supreme Court as the state presented its argument today. Rohatgi  defended the &lt;a href="http://www.livemint.com/Politics/3FcQ9lHm7TWX5B0Hn7ZXiO/Aadhaar-to-be-mandatory-for-income-tax-returns-getting-PAN.html" target="_blank"&gt;amendment in income tax law&lt;/a&gt; allowing this after senior lawyer Shyam Divan made a &lt;a href="http://www.livemint.com/Politics/sN0S5mYYx641tgrctGf03H/Shyam-Divan-concludes-arguments-in-Aadhaar-case-in-Supreme-C.html" target="_blank"&gt;strong case&lt;/a&gt; against  it on April 26 and 27. Divan became a hero to many overnight after he  presented compelling arguments against the amendment citing facets of  right to privacy - informational self-determination, personal autonomy,  and bodily integrity - as he did so. Though the court has &lt;a href="https://www.thequint.com/opinion/2017/05/01/aadhaar-case-privacy-and-bodily-integrity" target="_blank"&gt;refused to entertain&lt;/a&gt; arguments pertaining to privacy, he managed to argue these concerns without couching them under right to privacy laws.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Advocate Gautam Bhatia posted &lt;a href="https://barandbench.com/aadhar-hearing-number-tagging-nazi-concentration-camps/" target="_blank"&gt;minute-by-minute developments from the courtroom&lt;/a&gt;, and soon, #ThankYouMrDivan became one of the top trends on Twitter.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;A day before the state presented its arguments, the Centre for Internet and Society (CIS) published a &lt;a href="http://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof-a-documentation-of-public-availability-of-aadhaar-numbers-with-sensitive-personal-financial-information-1" target="_blank"&gt;report &lt;/a&gt;titled  “Information, Security Practices of Aadhaar (or lack thereof): A  documentation of public availability of Aadhaar numbers with sensitive  personal financial information” late on Monday. Authored by Amber Sinha  and Srinivas Kodali, the report documents the leaks of over 13 crore  Aadhaar numbers and resulting information of beneficiaries through four  government portals-two at the centre and two at the state. “We are  primarily talking of lack of standards and data fact-checking, storage  and how all of this information- account numbers, phone numbers plus,  Aadhaar numbers- in public domain increases the nature of risk of the  backbone of digital payments,” Kodali told &lt;i&gt;Newslaundry. &lt;/i&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The four portals studied by the two are National Social Assistance  Programme (NSAP), National Rural Employment Guarantee Act (NREGA) and  two databases of Andhra Pradesh- NREGA and their scheme called Chandranna Bima.  The report claims that the aforementioned public portals compromised  personally identifiable information (PII) including “Aadhaar numbers and  financial details such as bank account numbers” of 13 crore people due  to a lack of security controls.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“While the details were masked for public view, someone with login  access could get the details,” the report read. “When one of the url  query parameters of the website showing the masked personal details was  modified from ‘nologin’ to ‘login’, that is, control access to login  based pages were allowed providing unmasked details without the need for  a password.” What this essentially means is that these portals allow  people to explore lists organised by states, districts, area,  sub-district, and municipalities which contain the personal information  of the people who are enrolled into the schemes.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The report also  cites legal framework under the Aadhaar Act that allows the government  or private entities to store Aadhaar numbers on the grounds that they  won’t be used for purposes other than those listed in the act. CIS’s  study, however, reveals that information pertaining to religion, caste,  race, tribe or even income is sometimes collected and published on such  portals with little in the way of security checks.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Speaking to &lt;i&gt;Newslaundry,&lt;/i&gt; Anupam Saraph, professor and former governance and IT advisor to Goa’s  Chief Minister, Manohar Parrikar, said that the data exposed could be  significantly more than what the report shows. “Many more Aadhaar  numbers have been exposed on websites relating to Pension Schemes, PDS,  Ministry of Water and Sanitation, Ministry of Human Resource  Development, Scholarships, Schools, Colleges, Universities, Kendriya  Sainik board, PM Avas Yojana to name a few,” he said. “Besides this  Registrars to the UIDAI (State Governments and various ministries of the  Central government, some Public Sector undertakings) were allowed to  retain the Aadhaar number, demographic and biometric data (associated  with the Aadhaar number). While this may not be exposed on websites, it  is unsecured and possibly accessible to data brokers within and outside  government,” said Saraph who has designed delivery channels and ID  schemes for better governance.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;What’s worth noting is that the  people whose data has been breached are unaware that their information  is available on public platforms and vulnerable to data theft. “It is  UIDAI’s [Unique Identification Authority of India] job to investigate  and inform them,” Kodali told &lt;i&gt;Newslaundry. “&lt;/i&gt;At some point of time, everybody is going to have everybody’s information,” he added.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Currently, the government has an &lt;a href="https://data.gov.in/" target="_blank"&gt;open data portal&lt;/a&gt;. It  describes itself as a platform “intended to be used by Government  Ministries/Departments and their organisation to publish datasets,  documents, services, tools and applications collected by them for public  use”.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;So is it feasible to have open data portals for  transparency and accountability? “Having certain government data being  publicly accessible is certainly desirable.” Saraph continued that the  problem was, data on public expenditure should ideally be openly  accessible but it’s also where the most leakage occurs. “Making Aadhaar  mandatory is meaningless,” he said, as India does not have a policy on  open data portals yet, which can subject Aadhaar data to “misuse”.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Given  that the UIDAI is responsible for investigating and making people aware  of any data breach or theft, they have remained silent for an oddly  long time. It is unclear whether the UIDAI is itself aware of who has  accessed the data that is insecurely published on these government  portals. “They’re letting everybody collect this information but they  were not aware themselves that who had access to this information,  that’s the main problem,” Kodali said. While the Aadhaar ecosystem was  to ensure social inclusion and transparency, in its current form, the  system looks so opaque that the people who are running it may not be  aware themselves of what is going on.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;What does it mean to have access to someone else’s Aadhaar?&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;With  an increasing number of social welfare schemes being linked to Aadhaar,  it was touted as an attempt to remove the middlemen, frauds and  corruption with the government. According to the report, "A cumulative  amount of Rs 1,78,694.75 has been transferred using DBT for 138 schemes  under 27 ministries since 2013. Various financial frameworks like  Aadhaar Payments Bridge (APB) and Aadhaar Enabled Payment Systems (AePS)  have been built by National Payment Corporation of India to support DBT  and also to allow individuals use Aadhaar for payments."&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Given  that such systems are in place to ensure easier and accessible banking,  research shows that the Aadhaar seeding process led to government  portals putting personal information of so many people under various  schemes in the "absence of information security practices to handle so  much PII", as per the research. This is not only a breach of privacy but  also makes a person vulnerable to financial fraud in cases where their  bank details are public. "One of the prime examples is individuals  receiving phone calls from someone claiming to be from the bank. Aadhaar  data makes this process much easier for fraud and increases the risk  around transactions," the report reads.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;UIDAI on silent mode&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Unfortunately,  UIDAI has not addressed this concern, let alone acknowledge it. It has  been cracking down on people by filing first information reports (FIRs)  against those tracking and exposing the vulnerabilities of the Aadhaar  system. Recently, UIDAI’s Chief Executive Officer (CEO), ABP Pandey was  accused of blocking twitter handles of prominent security researchers  and analysts who have been extensively reporting about vulnerabilities  in the Aadhaar system.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;One of the handles was blocked was Saraph’s. “I do not know why they  blocked me. I have been vocal about the problems associated with the UID  and its use,” he said&lt;i&gt;. &lt;/i&gt;He added that he served several &lt;a href="http://www.moneylife.in/article/resisting-violations-of-the-supreme-court-orders-on-aadhaar/49121.html," target="_blank"&gt;notices&lt;/a&gt; of  contempt of court to the CEO of UIDAI and has been questioning the  verification and audit of UID database. “Perhaps [he] was annoyed with  my efforts to make them accountable and responsible,” he said.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;On  April 18, however, in a response to Right to Information (RTI) query  filed by Sushil Kambampati, UIDAI denied having blocked any twitter  handles. Almost immediately, it was called out on twitter for ‘lying’ in  the RTI response as many users claimed it had.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Saraph declared that such a move, the blocking of users asking  questions, was indicative of UIDAI’s cluelessness. Apar Gupta, a  Delhi-based lawyer working on cyber security, had told &lt;i&gt;Newslaundry &lt;/i&gt;that  it was unethical and unconstitutional of government bodies (such as the  UIDAI) to block people. He reiterated that in one of his tweets  recently.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Today, however, the Pandey’s individual twitter profile no longer  exists. It has now been changed to “ceo_office”. CIS’s report states  that the UIDAI has been pushing for more databases to get in sync with  Aadhaar, but with little or no accountability. “While the UIDAI has been  involved in proactively pushing for other databases to get seeded with  Aadhaar numbers, they take a little responsibility in ensuring the  security and privacy of such data,” the report reads. Kodali, however,  told &lt;i&gt;Newslaundry &lt;/i&gt;that the report was not aimed at questioning the  security of such seeding. “We’re not saying it is not really secure but  we’re just saying it increases the risk factors,” he said.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;UIDAI has also not responded to several queries filed by vulnerability testers.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;i&gt;Newslaundry &lt;/i&gt;reached out to the UIDAI with the following questions:&lt;/p&gt;
&lt;ol style="text-align: justify; "&gt;
&lt;li&gt;&lt;i&gt; According to the report published, four government portals have  personally identifiable information of about 13 crore people including  their Aadhaar numbers and bank account details. What is being done about  this?&lt;/i&gt;&lt;/li&gt;
&lt;li&gt;&lt;i&gt; If a person's privacy has been breached, what are the steps UIDAI would take for redressal?&lt;/i&gt;&lt;/li&gt;
&lt;li&gt;&lt;i&gt; Is UIDAI investigating the 13 crore Aadhaar leaks?&lt;/i&gt;&lt;/li&gt;
&lt;li&gt;&lt;i&gt; The report states "When one of the url query parameters of website  showing the masked personal details was modified from “nologin” to  “login”, that is control access to login based pages were allowed  providing unmasked details without the need for a password." Is this  true, and if so, what is your statement?&lt;/i&gt;&lt;/li&gt;
&lt;li&gt;&lt;i&gt; How do you ensure data security on open data portals?&lt;/i&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;p style="text-align: justify; "&gt;This piece will be updated if and when they respond.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;While  UIDAI remains silent, A-G Rohatgi argued today that close to 10 lakh  PAN cards were found to be fake. "Are they propagating a general public  interest or propagating the fraud (fake PANs) which is going in," he  said at the court today while suggesting that Aadhaar was the only way  of preventing fake or duplicate cards.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Senior advocate Arvind  Datar, who is also appearing for one of the three petitioners in the  case said that the government could not take away his right to chose  whether or nor to have an Aadhaar. "The Supreme Court had directed them  that they cannot make it mandatory. The mandate of the Supreme Court can  not be undone. My right of not to have an Aadhaar can not be taken away  indirectly."&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Though there are problems with the Aadhaar system  and apparently very little redressal at the citizen’s end, Aadhaar is  here to stay. As Divan and Rohatgi argue the constitutionality of making  Aadhaar mandatory at the Supreme Court, the pertinent question that  only the UIDAI can answer is whether they are technologically capable of  keeping data secure given how aggressively Aadhaar linkage is being  promoted.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;However, Rohatgi's argument in court today, according to  a Business Standard report was that the government cannot destroy the  Aadhaar cards of people even after their death. Instead of being  reassuring, this only seems to increase the possibilities for identity  theft, as if there is little in the way of redressal mechanisms in life,  what choices do the dead have?&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;The author can be contacted on Twitter &lt;a href="https://twitter.com/shrutimenon10" target="_blank"&gt;@shrutimenon10&lt;/a&gt;.&lt;/b&gt;&lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-20T11:06:16Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/financial-express-may-19-2017-pti-uidai-puts-posers-to-cis-over-aadhaar-data-leak-claim">
    <title>UIDAI puts posers to CIS over Aadhaar data leak claim</title>
    <link>https://cis-india.org/internet-governance/news/financial-express-may-19-2017-pti-uidai-puts-posers-to-cis-over-aadhaar-data-leak-claim</link>
    <description>
        &lt;b&gt;Aadhaar-issuing authority UIDAI has asked research firm Centre for Internet and Society (CIS) to explain its sensational claim that 13 crore Aadhaar numbers were "leaked" and provide details of servers where they are stored.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article originally published by PTI was also &lt;a class="external-link" href="http://www.financialexpress.com/economy/uidai-puts-posers-to-cis-over-aadhaar-data-leak-claim/675814/"&gt;published by the Financial Express&lt;/a&gt; on May 19, 2017.&lt;/p&gt;
&lt;hr style="text-align: justify; " /&gt;
&lt;p style="text-align: justify; "&gt;Aadhaar-issuing authority UIDAI has asked research firm Centre for  Internet and Society (CIS) to explain its sensational claim that 13  crore Aadhaar numbers were “leaked” and provide details of servers where  they are stored. In a precursor to initiating a probe into the matter,  the Unique Identification Authority of India (UIDAI) also wants CIS to  clarify just how much of such “sensitive data” are still with it or  anyone else. The UIDAI — which has vehemently denied any breach of its  database — shot off a letter to CIS yesterday asking for the details,  including the servers where the downloaded “sensitive data” are residing  and information about usage or sharing of such data.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Underscoring the importance of bringing to justice those involved in  “hacking such sensitive information”, the UIDAI sought CIS’ “assistance”  in this regard and has given it time till May 30 to revert on the  issue. “Your report mentions 13 crore people’s data have been leaked.  Please specify how much (of) this data have been downloaded by you or  are in your possession, or in the possession of any other persons that  you know,” the UIDAI said in its communication to CIS.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Interestingly, in what market watchers described as an apparent  flip-flop, CIS has now clarified that there was no leak’ or ‘breach’ of  Aadhaar numbers, but rather ‘public disclosure’. Meanwhile, the UIDAI  has quoted sections of the Information Technology Act, 2000, and the  Aadhaar Act to emphasise that violation of the clauses are punishable  with rigorous imprisonment of up to 10 years. “While your report  suggests that there is a need to strengthen IT security of the  government websites, it is also important that persons involved in  hacking such sensitive information are brought to justice for which your  assistance is required under the law,” it said.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The UIDAI has  also sought technical details on how access was gained for the National  Social Assistance Programme (NSAP) site — one of the four portals where  the alleged leak happened. When contacted, UIDAI CEO Ajay Bhushan Pandey  said, “We do not comment on individual matters.” The UIDAI has also  asked for details of systems that were involved in downloading and  storing of the sensitive data so that forensic examination of such  machines can be conducted to assess the quantum and extent of damage to  privacy of data.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The UIDAI letter comes after a CIS’ report early this month which  claimed that Aadhaar numbers and personal information of as many as 135  million Indians could have been leaked from four government portals due  to lack of IT security practices. “Based on the numbers available on the  websites looked at, estimated number of Aadhaar numbers leaked through  these four portals could be around 130-135 million,” the report had  said.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;However, in a apparent course correction on May 16, a day before the  UIDAI’s letter went out — CIS updated its report and clarified that  although the term ‘leak’ was originally used 22 times in its report, it  is “best characterised as an illegal data disclosure or publication and  not a breach or a leak”. CIS has also claimed that some of its findings  were “misunderstood or misinterpreted” by the media, and that it never  suggested that the biometric database had been breached. “We completely  agree with both Dr Pandey (UIDAI CEO) and Sharma (Trai Chairman R S  Sharma) that CIDR (Aadhaar central repository) has not been breached,  nor is it suggested anywhere in the report,” CIS said in its latest  update.&lt;/p&gt;
&lt;div class="youmaylike" style="text-align: justify; "&gt;&lt;/div&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/financial-express-may-19-2017-pti-uidai-puts-posers-to-cis-over-aadhaar-data-leak-claim'&gt;https://cis-india.org/internet-governance/news/financial-express-may-19-2017-pti-uidai-puts-posers-to-cis-over-aadhaar-data-leak-claim&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>UIDAI</dc:subject>
    
    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-19T09:28:33Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/uid-practices-and-it-act-sec-43-a-and-subsequent-rules">
    <title>UIDAI Practices and the Information Technology Act, Section 43A and Subsequent Rules</title>
    <link>https://cis-india.org/internet-governance/blog/uid-practices-and-it-act-sec-43-a-and-subsequent-rules</link>
    <description>
        &lt;b&gt;UIDAI practices and section 43A of the IT Act are analyzed in this post.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;In the 52&lt;sup&gt;nd&lt;/sup&gt; Report on Cyber Crime, Cyber Security, and the Right to Privacy – in evidence provided, the Department of Electronics and Information Technology stated &lt;i&gt;“...Section 43A and the rules published under that Section cover the entire privacy in case of digital data. These are being followed by UIDAI also and other organisations...”&lt;/i&gt; (pg.46) &lt;a href="#fn1" name="fr1"&gt;[1]&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;This blog post explains the requirements found under Section 43A of the Information Technology Act 2000 and the subsequent Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011&lt;a href="#fn2" name="fr2"&gt;[2]&lt;/a&gt; and analyses publicly available documents from the UIDAI website&lt;a href="#fn3" name="fr3"&gt;[3]&lt;/a&gt; as well as the UIDAI enrolment form&lt;a href="#fn4" name="fr4"&gt;[4]&lt;/a&gt; to demonstrate the ways in which:&lt;/p&gt;
&lt;ul&gt;
&lt;li style="text-align: justify; "&gt;UIDAI practices &lt;b&gt;are &lt;/b&gt;in line with section 43A and the Rules, &lt;/li&gt;
&lt;li style="text-align: justify; "&gt;UIDAI practices &lt;b&gt;are not&lt;/b&gt; in line with section 43A and the Rules, &lt;/li&gt;
&lt;li style="text-align: justify; "&gt;UIDAI practices &lt;b&gt;are partially&lt;/b&gt; in line with section 43A and the Rules, &lt;/li&gt;
&lt;li style="text-align: justify; "&gt;&lt;b&gt;Where more information&lt;/b&gt; is needed to draw a conclusion. &lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Applicability and Scope&lt;/h3&gt;
&lt;p&gt;Section 43A of the Information Technology Act 2008 and subsequent Rules apply only to Body Corporate and to digital information.&lt;/p&gt;
&lt;p&gt;Body Corporate under the Information Technology Act 2008 is defined as:&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;i&gt; “Any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities” &lt;/i&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;UIDAI Practices - not in line&lt;/b&gt;: The UIDAI is not a body corporate. The UIDAI is an attached office under the aegis of the Planning Commission that was set up by an executive order.&lt;a href="#fn5" name="fr5"&gt;[5]&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The UIDAI collects, processes, stores, and shares both digital and non-digital information. As section 43A and subsequent Rules apply only to digital information, there is not sufficient protection provided over all the information collected, processed, stored, and used by the UIDAI.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Privacy Policy on Website&lt;/h3&gt;
&lt;p&gt;Rule 4 requires body corporate to provide a privacy policy on their website. The privacy policy must include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Clear and easily accessible statements of its practices and policies&lt;/li&gt;
&lt;li&gt;Type of personal or sensitive personal data or information collected&lt;/li&gt;
&lt;li&gt;Purpose of collection and usage of such information &lt;/li&gt;
&lt;li&gt;Disclosure of information including sensitive personal information &lt;/li&gt;
&lt;li&gt;Reasonable security practices and procedures as provided under rule 8&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;b&gt;UIDAI Practices - Partially in Line&lt;/b&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li style="text-align: justify; "&gt;Though the UIDAI has placed a privacy policy&lt;a href="#fn6" name="fr6"&gt;[6]&lt;/a&gt; on their website, the privacy policy only addresses the use of website and does not comprehensively provide clear and accessible statements about all of the UIDAI’s practices and policies.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;The UIDAI privacy policy does not state the specific types of personal or sensitive data that could be collected, but instead states &lt;i&gt;“As a general rule, this website does not collect Personal Information about you when you visit the site. You can generally visit the site without revealing Personal Information, unless you choose to provide such information.”&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Features on the UIDAI website that require individuals to provide personal information and sensitive personal information include: Booking an appointment, checking aadhaar status, enrolling for e-aadhaar, enrolling for aadhaar, updating aadhaar data. Types of information required for these services include: mobile number, name, address, gender, date of birth, and enrolment ID.&lt;a href="#fn7" name="fr7"&gt;[7]&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The privacy policy goes on to state: &lt;i&gt; “If you are asked for any other Personal Information you will be informed how it will be used if you choose to give it. If at any time you believe the principles referred to in this privacy statement have not been followed, or have any other comments on these principles, please notify the webmaster through the Contact Us page. Note: The use of the term "Personal Information" in this privacy statement refers to any information from which your identity is apparent or can be reasonably ascertained.”&lt;/i&gt;&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;The UIDAI privacy policy does explain the purpose for collection of information on the website and the use of collected information.&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;The UIDAI privacy policy does not address the possibility of disclosure of information collected by the UIDAI from the use of its website, except in the case of when an individual provides his/her email at which point the privacy policy states&lt;i&gt; “Your e-mail address will not be used for any other purpose, and will not be disclosed without your consent.”&lt;/i&gt;&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;The UIDAI privacy policy does not provide information about the security practices adopted by the UIDAI. &lt;/li&gt;
&lt;/ul&gt;
&lt;h3 style="text-align: justify; "&gt;Consent&lt;i&gt; &lt;/i&gt;&lt;/h3&gt;
&lt;p&gt;Rule 5 requires that prior to the collection of sensitive personal data, the body corporate must obtain consent, either in writing or through fax regarding the purpose of usage before collection of such information.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;UIDAI Practices - in Line&lt;/b&gt;&lt;br /&gt;The UIDAI collects written consent from individuals through the enrolment form  for the issuance of an Aadhaar number.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Collection Limitation&lt;/h3&gt;
&lt;p&gt;Rule 5 (2) requires that body corporate only collect sensitive personal data if it is connected to a lawful purpose and if it is considered necessary for that purpose.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;UIDAI Practices - in Line&lt;/b&gt;&lt;br /&gt;The Aadhaar enrolment form requires only the necessary sensitive personal data for the issuance of an Aadhaar number. Individuals are given the option to provide banking and financial information.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Notice During Direct Collection&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Rule 5(3) requires that while collecting information directly from an individual the body corporate must provide the following information:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The fact that the information is being collected&lt;/li&gt;
&lt;li&gt;The purpose for which the information is being collected&lt;/li&gt;
&lt;li&gt;The intended recipients of the information &lt;/li&gt;
&lt;li&gt;The name and address of the agency that is collecting the information&lt;/li&gt;
&lt;li&gt;The name and address of the agency that will retain the information&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;b&gt;UIDAI Practices - Partially in Line&lt;br /&gt;&lt;/b&gt;The Aadhaar enrolment form does not provide the following information:&lt;b&gt; &lt;/b&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The intended recipients of the information&lt;/li&gt;
&lt;li&gt;The name and address of the agency collecting the information &lt;/li&gt;
&lt;li&gt;The name and address of the agency that will retain the information &lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Retention Limitation&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Rule 5(4) requires that body corporate must retain sensitive personal data only for as long as it takes to fulfil the stated purpose or otherwise required under law.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;UIDAI Practices - Unclear&lt;/b&gt;&lt;br /&gt;It is unclear from publicly available information what the UIDAI retention practices are.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Use Limitation&lt;/h3&gt;
&lt;p&gt;Rule 5(5) requires that information must be used for the purpose that it was collected for.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;UIDAI Practices - Unclear&lt;br /&gt;&lt;/b&gt;It is unclear from publicly available information if the UIDAI is using collected information only for the purpose for which it was collected.&lt;/p&gt;
&lt;h3&gt;Right to Access and Correct&lt;b&gt; &lt;/b&gt;&lt;/h3&gt;
&lt;p&gt;Rule 5(6) requires body corporate to provide individuals with the ability to review the information they have provided and access and correct  personal or sensitive personal information.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;UIDAI Practices - Partially in Line&lt;br /&gt;&lt;/b&gt;Though the UIDAI provides individuals with the ability to access and correct personal information, as stated on the enrolment form, correction is free only if changed within 96 hours of enrolment. Additionally, as stated on the enrolment form, if an individual chooses to allow for the UIDAI to facilitate the opening of a bank account and link present bank accounts to the UID number, this information, after being provided, cannot be corrected. The UIDAI website has a portal for updating information, but only name, address, gender, date of birth, and mobile number can be updated through this method.&lt;a href="#fn9" name="fr9"&gt;[9]&lt;/a&gt;&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Right to ‘Opt Out’ and Withdraw Consent&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Rule 5(7) requires that body corporate must provide individuals with the option of 'opting out' of providing data or information sought. Individuals also have the right to withdraw consent at any point of time.  Body corporate has the right to withdraw services if consent is withdrawn.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;UIDAI Practices - Partially in Line&lt;br /&gt;&lt;/b&gt;The UID enrolment form provides individuals with one ‘optional’ field - the option of having the UIDAI open a bank account and link it to the individual's UID number or having the UIDAI link present bank accounts to the individual's UID number. No other option to ‘opt out’ or withdraw consent is present on the enrolment form or the UIDAI privacy policy, terms of use, or website.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Security of Information&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Rule 8 requires that body corporate must secure information in accordance with the ISO 27001 standard. These practices must be audited on an annual basis or when the body corporate undertakes a significant upgradation of its process and computer resource.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;UIDAI Practices - Unclear&lt;br /&gt;&lt;/b&gt;The security practices adopted by the UIDAI are not mentioned in the website privacy policy, on the website, or on the enrolment form, thus it is unclear from publicly available information if the UID is compliant with ISO 27001 standards. Though the UIDAI has been functioning since 2010, it is unclear from publicly available information if annual audits of the UIDAI security practices have been undertaken.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Disclosure with Consent&lt;b&gt; &lt;/b&gt;&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Rule 6 requires that body corporate must have consent before disclosing sensitive personal data to any third person or party, except in the case of Government agencies for the purpose of verification of identity, prevention, detection, investigation, including cyber incidents and prosecution and punishment of offenses, on receipt of a written request.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;UIDAI Practices - Partially in Line&lt;/b&gt;&lt;br /&gt;In the enrolment form, consent for disclosure is stated as&lt;i&gt; ‘‘I have no objection to the UIDAI sharing information provided by me to the UIDAI with agencies engaged in delivery of welfare services.” &lt;/i&gt;This is a blanket statement and allows for all future possibilities of sharing and disclosure of information provided with any organization that the UIDAI deems as ‘engaged in the delivery of welfare services’.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The UIDAI privacy policy only addresses the disclosure of an individual’s email address with consent. Though not directly addressing disclosure, the UIDAI privacy policy also states &lt;i&gt;“&lt;/i&gt;&lt;i&gt; &lt;/i&gt;&lt;i&gt;We will not identify users or their browsing activities, except when a law enforcement agency may exercise a warrant to inspect the service provider's logs.”&lt;/i&gt;&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Prohibition on Publishing and Further Disclosure&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Rule 6(3) and 6(4) prohibit the body corporate from publishing sensitive personal  data or information. Similarly, organizations receiving sensitive personal data are not allowed to disclose it further.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;UIDAI Practices - in Line&lt;/b&gt;&lt;br /&gt;The UIDAI does not publish sensitive personal data. It is unclear what practices and standards registrars and enrolment agencies are functioning under.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Requirements for Transfer of Sensitive Personal Data&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Rule 7 requires that body corporate may transfer sensitive personal data into another jurisdiction only if the country ensures the same level of protection.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;UIDAI Practices - Unclear&lt;br /&gt;&lt;/b&gt;It is unclear from publicly available information if information collected by the UIDAI is transferred outside of India. &lt;b&gt;&lt;/b&gt;&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Establishment of Grievance Officer&lt;b&gt;&lt;/b&gt;&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Rule 5(9) requires that body corporate must establish a grievance officer and the details must be posted on the body corporate's website and grievances must be addressed within a month of receipt.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;UIDAI Practices - in Line&lt;br /&gt;&lt;/b&gt;The website of the UIDAI provides details of a grievance officer that individuals can contact.&lt;a href="#fn10" name="fr10"&gt;[10]&lt;/a&gt; It is unclear from publicly available information if grievances are addressed within a month.&lt;/p&gt;
&lt;hr /&gt;
&lt;p&gt;[&lt;a href="#fr1" name="fn1"&gt;1&lt;/a&gt;]. &lt;a class="external-link" href="http://164.100.47.134/lsscommittee/Information%20Technology/15_Information_Technology_52.pdf"&gt;http://164.100.47.134/lsscommittee/Information%20Technology/15_Information_Technology_52.pdf&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr2" name="fn2"&gt;2&lt;/a&gt;]. &lt;a class="external-link" href="http://dispur.nic.in/itact/it-procedures-sensitive-personal-data-rules-2011.pdf"&gt;http://dispur.nic.in/itact/it-procedures-sensitive-personal-data-rules-2011.pdf&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr3" name="fn3"&gt;3&lt;/a&gt;]. &lt;a class="external-link" href="http://uidai.gov.in/"&gt;http://uidai.gov.in/&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr4" name="fn4"&gt;4&lt;/a&gt;]. &lt;a class="external-link" href="http://www.jharkhand.gov.in/marpdf/Aadhar-enrolmentform.pdf"&gt;http://www.jharkhand.gov.in/marpdf/Aadhar-enrolmentform.pdf&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr5" name="fn5"&gt;5&lt;/a&gt;]. &lt;a class="external-link" href="http://uidai.gov.in/organization-details.html"&gt;http://uidai.gov.in/organization-details.html&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr6" name="fn6"&gt;6&lt;/a&gt;]. &lt;a class="external-link" href="http://uidai.gov.in/privacy-policy.html"&gt;http://uidai.gov.in/privacy-policy.html&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr7" name="fn7"&gt;7&lt;/a&gt;]. &lt;a class="external-link" href="http://resident.uidai.net.in/home"&gt;http://resident.uidai.net.in/home&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr8" name="fn8"&gt;8&lt;/a&gt;]. &lt;a class="external-link" href="http://www.jharkhand.gov.in/marpdf/Aadhar-enrolmentform.pdf"&gt;http://www.jharkhand.gov.in/marpdf/Aadhar-enrolmentform.pdf&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr9" name="fn9"&gt;9&lt;/a&gt;]. &lt;a class="external-link" href="https://ssup.uidai.gov.in/web/guest/ssup-home"&gt;https://ssup.uidai.gov.in/web/guest/ssup-home&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;[&lt;a href="#fr10" name="fn10"&gt;10&lt;/a&gt;]. &lt;a class="external-link" href="http://uidai.gov.in/contactus.html"&gt;http://uidai.gov.in/contactus.html&lt;/a&gt;&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/uid-practices-and-it-act-sec-43-a-and-subsequent-rules'&gt;https://cis-india.org/internet-governance/blog/uid-practices-and-it-act-sec-43-a-and-subsequent-rules&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>elonnai</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>UID</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2014-03-06T07:00:21Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/economic-times-january-11-2018-uidai-introduces-new-two-layer-security-system-to-improve-aadhaar-privacy">
    <title>UIDAI introduces new two-layer security system to improve Aadhaar privacy</title>
    <link>https://cis-india.org/internet-governance/news/economic-times-january-11-2018-uidai-introduces-new-two-layer-security-system-to-improve-aadhaar-privacy</link>
    <description>
        &lt;b&gt;The Unique Identification Authority of India (UIDAI) has introduced a system of virtual authentication for citizens enrolled on its database and limited the access available to service providers in a move aimed at allaying widespread concern over security breaches that have dogged the world's largest repository of citizen data. &lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article was published in &lt;a class="external-link" href="https://economictimes.indiatimes.com/news/economy/policy/uidai-introduces-new-two-layer-security-system-to-improve-aadhaar-privacy/articleshow/62442873.cms"&gt;Economic Times&lt;/a&gt; on January 11, 2018.&lt;/p&gt;
&lt;hr style="text-align: justify; " /&gt;
&lt;p style="text-align: justify; "&gt;In one of the most significant security upgrades by the eight-year-old agency, the UIDAI announced the creation of a "virtual ID" which can be used in lieu of the 12-digit Aadhaar number at the time of authentication for any service.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The UIDAI has also limited access to stored personal information and mandated the use of unique tokens through which authenticating agencies can access required data. It claims that the measures will strengthen privacy and also prevent combining of databases linked to Aadhaar.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;ET was the first to report about the UIDAI plan to introduce virtual numbers to address security concerns in its November 20 edition last year.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;A top government official told ET that UIDAI has been working on this technology since July of 2016. "This is going to be one of the biggest innovations ever, people can change their virtual ID whenever they want or after every authentication or every 10 seconds." He added that this will silence most critics of Aadhaar.&lt;/p&gt;
&lt;p id="_mcePaste" style="text-align: justify; "&gt;"The Aadhaar number being the permanent ID for life, there is need to provide a mechanism to ensure its continued use while optimally protecting the collection and storage in many databases," the UIDAI said in a notification on Wednesday while announcing the new measures.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;More Needed to be Done: Experts&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;"The collection and storage of Aadhaar number by various entities has heightened privacy concerns," it stated.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Under the new regime, for every Aadhaar number, the authority will issue a 16-digit virtual identity number which will be "temporary and revocable at any time."&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;This virtual ID can be generated only by the individual Aadhaar holder and can be replaced by a new one after a minimum validity period.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In addition, while some Authentication User Agencies (AUA) — categorised by the UIDAI as 'Global' — will have access to all the details or the e-KYC of a specific Aadhaar number, all other agencies will only have access to limited data through the virtual identity number.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;"So this is a very very significant thing and I think this is a great step forward," said Nandan Nilekani, former chairman of UIDAI, in an interview to television channel ET Now on Wednesday.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Nilekani, widely regarded as the architect of Aadhaar, said that through these new security measures the possibility of the Aadhaar number being stored in many databases also goes away.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;It will make a huge difference in allaying the concerns and it really "eliminates all the arguments against Aadhaar," he told ET Now.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Last week, Chandigarh-based daily The Tribune reported that demographic data from the Aadhaar database could be accessed for as little as Rs 500. The expose led to the UIDAI barring over 5,000 officials from accessing its portal through login ids and passwords. It also introduced biometric authentication for future access, as reported by ET on Tuesday.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The widespread fear of misuse of demographic data is heightened by the fact that India still does not have a data protection legislation. The country's apex court is scheduled to resume its hearing on the validity of the Aadhaar scheme next week on January 17.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Kamlesh Bajaj, former CEO of the Data Security Council of India, said by limiting access to only those agencies mandated by law, the UIDAI has ensured that "someone will not be able to combine database. It's a positive development in my view and technologically feasible," he said.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Expert Views&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;Privacy experts and activists were of the view that more needs to be done to ensure foolproof security for critical personal information.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The Bengaluru-based research organisation Centre for Internet and Society has suggested that all the Aadhaar seeding with all the existing databases should be revoked. "Until then, it is one step ahead but not enough," said Sunil Abraham, executive director of CIS.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;To enable a speedy rollout of the new safety standards, the UIDAI plans to release the required technical updates by March 1, 2018 and all the Authentication agencies using the Aadhaar database will need to upgrade their systems latest by June 1, 2018.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In its circular, UIDAI has also said that agencies not allowed to use or store the Aadhaar number should make changes inside their systems to replace Aadhaar number within their databases with UID Token.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;"Unless there is complete revocation, some database with Aadhaar numbers will still float around and secondly there is no reason why some data controllers should be trusted, the tokenisation should be implemented for everyone," said CIS's Abraham.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The circular said that authentication using virtual ID will be performed in the same manner as the Aadhaar number and people can generate or retrieve their virtual numbers (in case they forget) at the UIDAI's resident portal, Aadhaar Enrolment Centers, or through the Aadhaar mobile application.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In addition to the virtual numbers, UIDAI will also provide "unique tokens" to each agency against an Aadhaar number to ensure that they are able to establish the uniqueness of beneficiaries in their database such as for distributing government subsidies under cooking gas or scholarships.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Activists argue that most service providers — even digital ones — work with a paper ID card system. "They don't cross-check it with the UIDAI database. UIDAI is not issuing virtual ids for paper cards, and a new category of so called Global AUAs are exempted from using the virtual ids, so citizens are not protected almost anywhere that they need to use Aadhaar," said Kiran Jonnalagadda, co-founder of the Internet Freedom Foundation, who said the change doesn't help enough to secure the ecosystem.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/economic-times-january-11-2018-uidai-introduces-new-two-layer-security-system-to-improve-aadhaar-privacy'&gt;https://cis-india.org/internet-governance/news/economic-times-january-11-2018-uidai-introduces-new-two-layer-security-system-to-improve-aadhaar-privacy&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Admin</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2018-01-16T23:08:34Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/medianama-nikhil-pahwa-may-19-2017-uidai-cis-india-aadhaar">
    <title>UIDAI goes after org that disclosed government departments were releasing Aadhaar data</title>
    <link>https://cis-india.org/internet-governance/news/medianama-nikhil-pahwa-may-19-2017-uidai-cis-india-aadhaar</link>
    <description>
        &lt;b&gt;If there was ever a case of shoot the messenger, it is this. &lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The blog post by Nikhil Pahwa was published by &lt;a class="external-link" href="http://www.medianama.com/2017/05/223-uidai-cis-india-aadhaar/"&gt;Medianama&lt;/a&gt; on May 19, 2017. Pranesh Prakash was quoted.&lt;/p&gt;
&lt;hr style="text-align: justify; " /&gt;
&lt;p style="text-align: justify; "&gt;The UIDAI, the body which runs the Aadhaar project in India, has written to the Centre for Internet &amp;amp; Society suggesting that &lt;a href="http://www.medianama.com/2017/05/223-aadhaar-numbers-data-leak/"&gt;their disclosure of the fact that the data of 130 million Aadhaar users is being publicly disclosed on the Internet&lt;/a&gt; is owed to a hack-attack, &lt;a href="http://timesofindia.indiatimes.com/india/provide-hacker-details-outfit-that-claimed-data-leak-told/articleshow/58725132.cms?from=mdr" rel="noopener noreferrer"&gt;reports the Times of India&lt;/a&gt;.  On being contacted by MediaNama, Pranesh Prakash, Policy Director at  CIS told MediaNama that “We are waiting for an official copy of the  letter, and once we receive it we will decide on our future course of  action.” The UIDAI told MediaNama that they’ll get back to us, and  declined to share a copy of the letter with MediaNama.&lt;/p&gt;
&lt;p&gt;&lt;a class="external-link" href="http://www.medianama.com/2017/05/223-uidai-cis-india-aadhaar/"&gt;Read the full story on Medianama&lt;/a&gt;&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/medianama-nikhil-pahwa-may-19-2017-uidai-cis-india-aadhaar'&gt;https://cis-india.org/internet-governance/news/medianama-nikhil-pahwa-may-19-2017-uidai-cis-india-aadhaar&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Nikhil Pahwa</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>UIDAI</dc:subject>
    
    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-20T10:46:36Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/livemint-komal-gupta-january-7-2018-uidai-denies-any-breach-of-aadhaar-database">
    <title>UIDAI denies any breach of Aadhaar database</title>
    <link>https://cis-india.org/internet-governance/news/livemint-komal-gupta-january-7-2018-uidai-denies-any-breach-of-aadhaar-database</link>
    <description>
        &lt;b&gt;Personal data, including biometric information, of citizens safe and secure, says UIDAI on Aadhaar data breach.
&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article by Komal Gupta was published by &lt;a class="external-link" href="http://www.livemint.com/Politics/bw5gRWcZoFYOjixGVVSqiP/UIDAI-says-Aadhaar-misuse-traceable-system-secure.html"&gt;Livemint&lt;/a&gt; on January 7, 2018.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;The Unique Identification Authority of India (UIDAI) on Thursday clarified that there has not been any breach in the Aadhaar database and the personal data of citizens, including biometric information, is safe and secure.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The clarification comes in response to a news report titled ‘Rs 500, 10 minutes, and you have access to a billion Aadhaar details’ published in The Tribune on Thursday. The report claims that a WhatsApp group sold all Aadhaar data available with UIDAI for a sum of Rs. 500.&lt;/p&gt;
&lt;p id="_mcePaste" style="text-align: justify; "&gt;UIDAI maintained that the reported case appeared to be an instance of misuse of the grievance redressal search facility. As UIDAI maintains complete logs and traceability of the facility, legal action including lodging of FIR against the persons involved in the case is being undertaken.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;UIDAI clarified in a press statement that displayed demographic information cannot be misused; it would need to be paired with an individual’s biometrics.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;There are more than 1.19 billion Aadhaar card holders in the country.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;“If it is not a data breach, then this means that some people who have legitimate access to the data are selling it illegitimately. This poses a greater problem,” said Pranesh Prakash, policy director at the Centre for Internet and Society, a Bengaluru-based think tank.&lt;/span&gt;&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/livemint-komal-gupta-january-7-2018-uidai-denies-any-breach-of-aadhaar-database'&gt;https://cis-india.org/internet-governance/news/livemint-komal-gupta-january-7-2018-uidai-denies-any-breach-of-aadhaar-database&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Admin</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2018-01-07T12:03:13Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/biometric-update-july-4-2017-justin-lee-uidai-declining-multiple-requests-by-police-to-share-indian-citizens-biometrics">
    <title>UIDAI declining multiple requests by police to share Indian citizens’ biometrics</title>
    <link>https://cis-india.org/internet-governance/news/biometric-update-july-4-2017-justin-lee-uidai-declining-multiple-requests-by-police-to-share-indian-citizens-biometrics</link>
    <description>
        &lt;b&gt;The Unique Identification Authority of India (UIDAI), the governing agency in charge of Aadhaar, has declined multiple requests from all law enforcement agencies, including the Delhi Police, for biometrics of citizens for criminal investigations, according to a report by The Indian Express.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The blog post by Justin Lee was &lt;a class="external-link" href="http://www.biometricupdate.com/201707/uidai-declining-multiple-requests-by-police-to-share-indian-citizens-biometrics"&gt;published by Biometric Update&lt;/a&gt; on July 4, 2017.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;Investigating agencies such as CBI and NIA have been repeatedly  requesting the details of Aadhaar cardholders including their  biometrics, UIDAI said.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;UIDAI Deputy Director General Rajesh Kumar Singh has written to the  heads of each agency, ordering them to stop asking for such details.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“This is regarding requests frequently received by the UIDAI from  police and other law enforcement agencies, seeking demographic and  biometric information of residents for facilitating identification of  individuals in different cases,” Singh said in his letter. “In this  regard, I would like to draw your kind attention to provisions under  Sections 28 and 29 of the Aadhaar (Targeted delivery of financial and  other subsidies, benefits and services) Act, 2016, which prohibits  sharing of core biometric and identity related information with other  authorities.”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Rather than asking forensic labs to match fingerprints, state police  and investigating agencies are requesting biometrics data from UIDAI.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“Identity information cannot be shared by UIDAI,” Singh said. “The  requests received from law enforcement agencies lead to avoidable delays  in investigation by the police authorities and unnecessary increase in  the workload of subordinate authorities.”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;UIDAI is also concerned about data potentially leaking as the central government has confirmed that identities of individuals, including Aadhaar numbers and other private information, have been leaked to the public.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;a href="http://www.biometricupdate.com/201705/report-claims-millions-of-aadhaar-registration-and-bank-numbers-compromised"&gt;In May&lt;/a&gt;,  the Centre for Internet and Society published a report that claimed  between 130 to 135 million numbers in India’s Aadhaar biometric registry  system, and around 100 million bank numbers of pensioners and rural  jobs-for-work beneficiaries, have been leaked online by four key  government programs.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/biometric-update-july-4-2017-justin-lee-uidai-declining-multiple-requests-by-police-to-share-indian-citizens-biometrics'&gt;https://cis-india.org/internet-governance/news/biometric-update-july-4-2017-justin-lee-uidai-declining-multiple-requests-by-police-to-share-indian-citizens-biometrics&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-07-06T15:25:32Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/economic-times-may-18-2017-mahendra-singh-uidai-asks-centre-for-internet-and-society-to-provide-hacker-details">
    <title>UIDAI asks Centre for Internet &amp; Society to provide hacker details</title>
    <link>https://cis-india.org/internet-governance/news/economic-times-may-18-2017-mahendra-singh-uidai-asks-centre-for-internet-and-society-to-provide-hacker-details</link>
    <description>
        &lt;b&gt;The Unique Identification Authority of India (UIDAI), the regulatory authority for Aadhaar, has written to a Bengaluru-based research organisation, Centre for Internet &amp; Society (CIS), seeking details about a suspected hack attack on government websites that led to the leak of information about 13 crore users.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article by Mahendra Singh was published in the &lt;a class="external-link" href="http://tech.economictimes.indiatimes.com/news/technology/uidai-asks-centre-for-internet-society-to-provide-hacker-details/58731336"&gt;Times of India&lt;/a&gt; on May 18, 2017.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;The Unique Identification Authority of India (UIDAI), the regulatory authority for Aadhaar, has written to a Bengaluru-based research organisation, Centre for Internet &amp;amp; Society (CIS), seeking details about a suspected hack attack on government websites that led to the leak of information about 13 crore users.&lt;br /&gt;&lt;br /&gt;In a recent report, CIS had highlighted that websites run by various government departments, owing to a poor security framework, had publicly displayed sensitive personal financial information and Aadhaar numbers of beneficiaries of certain projects.&lt;br /&gt;&lt;br /&gt;In its letter, UIDAI argued that the data downloaded from one of the websites could not have been accessed unless the website was hacked. As hacking is a grave offence under the law, the UIDAI has asked CIS to provide details of the persons involved in the data theft.&lt;br /&gt;&lt;br /&gt;According to a source, the UIDAI said that access to data on the website for the 'National Social Assistance Program' was only possible for someone in possession of authorised login details, or if the site (http://nsap.nic.in) was hacked or breached. The UIDAI said in its letter that such illegal access was against the provisions of the Aadhaar Act, 2016, and the IT Act, 2000, and that the persons involved had committed a grave offence.&lt;br /&gt;&lt;br /&gt;Asking the CIS to reply before May 30, the UIDAI also said, "Aadhaar system is a protected system under Section 70 of the IT Act, 2000, the violation of which is punishable with rigorous imprisonment for a period up to 10 years."
It added that the penalty clauses for violations are also provided in Section 36, Section 38 and Section 39 of the Aadhaar Act.&lt;br /&gt;The UIDAI, however, maintained that even if the Aadhaar details were known to someone it did not pose a real threat to the people whose information was publicly available because the Aadhaar number could not be misused without biometrics.&lt;br /&gt;&lt;br /&gt;The UIDAI letter said, "While, as your report suggests, there is a need to strengthen IT security of government websites, it is also important that the persons involved in hacking such sensitive information are brought to justice for which your assistance is required under the law."&lt;br /&gt;&lt;br /&gt;"Your report mentions 13 crore people's data has been 'leaked'. Please specify how much of this data had been downloaded by you or are in your possession or in the possession of any other persons that you know. Please provide the details," the UIDAI added in its letter. The UIDAI also urged CIS to provide the details of the persons/organisations with whom it shared the data, if it did.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/economic-times-may-18-2017-mahendra-singh-uidai-asks-centre-for-internet-and-society-to-provide-hacker-details'&gt;https://cis-india.org/internet-governance/news/economic-times-may-18-2017-mahendra-singh-uidai-asks-centre-for-internet-and-society-to-provide-hacker-details&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-06-07T12:21:47Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/events/uidai-and-welfare-services-exclusion-and-countermeasures-aug-27">
    <title>UIDAI and Welfare Services: Exclusion and Countermeasures (Bangalore, August 27)</title>
    <link>https://cis-india.org/internet-governance/events/uidai-and-welfare-services-exclusion-and-countermeasures-aug-27</link>
    <description>
        &lt;b&gt;The Centre for Internet and Society (CIS) invites you to a one day workshop, on Saturday, August 27, 2016, to discuss, raise awareness of, and devise countermeasures to exclusion due to implementation of  UID-based verification for and distribution of welfare services. We look forward to making this a forum for knowledge exchange and a learning opportunity for our friends and colleagues.&lt;/b&gt;
        
&lt;h3&gt;Invitation&lt;/h3&gt;
&lt;p&gt;&lt;a href="http://cis-india.org/internet-governance/files/uidai-and-welfare-services-exclusion-and-countermeasures/at_download/file"&gt;Download&lt;/a&gt; (PDF)&lt;/p&gt;
&lt;h3&gt;Venue&lt;/h3&gt;
&lt;p&gt;Institution of Agricultural Technologists, No. 15, Queen’s Road, Bangalore, 560 052.&lt;/p&gt;
&lt;p&gt;Location on Google Map: &lt;a href="https://www.google.com/maps/place/Institution+of+Agricultural+Technologists/" target="_blank"&gt;https://www.google.com/maps/place/Institution+of+Agricultural+Technologists/&lt;/a&gt;.&lt;/p&gt;
&lt;h3&gt;Agenda&lt;/h3&gt;
&lt;p&gt;&lt;strong&gt;10:00-10:30&lt;/strong&gt; Tea and Coffee&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;10:30-11:00&lt;/strong&gt; Introductions and Updates from Delhi Workshop&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;11:00-12:45&lt;/strong&gt; Reconfiguration of Welfare Governance by UIDAI&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;12:45-14:00&lt;/strong&gt; Lunch&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;14:00-15:00&lt;/strong&gt; Updates on Ongoing Cases against UIDAI&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;15:00-15:15&lt;/strong&gt; Tea and Coffee&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;15:15-16:45&lt;/strong&gt; Open Discussion on Countering Welfare Exclusion&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;16:45-17:00&lt;/strong&gt; Tea and Coffee&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/events/uidai-and-welfare-services-exclusion-and-countermeasures-aug-27'&gt;https://cis-india.org/internet-governance/events/uidai-and-welfare-services-exclusion-and-countermeasures-aug-27&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>sumandro</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Exclusion</dc:subject>
    
    
        <dc:subject>Digital Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Digital India</dc:subject>
    
    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Welfare Governance</dc:subject>
    
    
        <dc:subject>UID</dc:subject>
    

   <dc:date>2016-08-22T13:25:03Z</dc:date>
   <dc:type>Event</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/financial-express-november-20-2017-government-websites-made-aadhaar-details-public">
    <title>UIDAI admits 210 government websites made Aadhaar details public</title>
    <link>https://cis-india.org/internet-governance/news/financial-express-november-20-2017-government-websites-made-aadhaar-details-public</link>
    <description>
        &lt;b&gt;The Unique Identification Authority of India (UIDAI) has admitted that Aadhaar details were leaked on over 200 central and state government websites.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article was &lt;a class="external-link" href="http://www.financialexpress.com/economy/uidai-admits-210-government-websites-made-aadhaar-details-public/940545/"&gt;published in the Financial Express&lt;/a&gt; on November 20, 2017.&lt;/p&gt;
&lt;hr style="text-align: justify; " /&gt;
&lt;p style="text-align: justify; "&gt;The Unique Identification Authority of India (UIDAI) has admitted that Aadhaar details were made public on over 200 central and state government websites. According to an RTI reply, these websites publicly displayed name, address and other details of Aadhaar beneficiaries, which were removed when the breach was identified.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;However, UIDAI does not have information about the time of the  breach. It also said that Aadhaar details have never been made public by  UIDAI. “However, it was found that approximately 210 websites of the  central government, state government departments including educational  institutes were displaying the list of beneficiaries along with their  name, address, other details and Aadhaar numbers for information of the  general public,” it said.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;UIDAI issues Aadhaar — a 12-digit unique identification number — which acts as a proof of identity and addresses anywhere in the country. Lately, Aadhaar has been creating furore for security and privacy reasons, especially after the &lt;a href="http://www.financialexpress.com/tag/narendra-modi/" target="_blank"&gt;Narendra Modi&lt;/a&gt; government began aggressively pushing the identification number to be linked with social benefits, banks, PAN, mobile number et al. In a landmark judgement this August, the Supreme Court ruled that privacy was a fundamental right of citizens, weakening the case for pushing Aadhaar.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Currently, cases are being heard in the apex court on linking Aadhaar to banks and mobile numbers. In May, the Centre for Internet and Society had claimed that Aadhaar numbers of as many as 135 million could have been leaked. “Based on the numbers available on the websites looked at, the estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million,” the report by CIS had said. Further, as many as 100 million bank account numbers could have been “leaked” from the four portals, it had added.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;UIDAI and the government had been vehemently denying that Aadhaar details can be leaked despite apprehension from different sections of society. Soon after the RTI reply appeared in media, UIDAI refuted the news of leaks, calling it a “skewed presentation of facts”. “Such report is a skewed presentation of the facts and poses as if the Aadhaar data is breached or leaked which is not the true presentation. Aadhaar data is fully safe and secure and there has been no data leak or breach at UIDAI,” a press release by PIB said.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;It said that the data on these websites was placed in public domain as a measure of proactive disclosure under the RTI Act.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/financial-express-november-20-2017-government-websites-made-aadhaar-details-public'&gt;https://cis-india.org/internet-governance/news/financial-express-november-20-2017-government-websites-made-aadhaar-details-public&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Admin</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Aadhaar</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-11-21T16:03:29Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/news/uid-worlds-largest-database">
    <title>UID: The World’s Largest Biometric Database</title>
    <link>https://cis-india.org/news/uid-worlds-largest-database</link>
    <description>
        &lt;b&gt;At the start of his presentation, Sunil Abraham pointed to two aerial drawings of cybercafes: one where each computer was part of a private booth, and one where the computers were in the open so the screens would be visible to anyone. Which layout would be more friendly to women, and why, Abraham wanted to know. Some participants selected the first option, liking the idea of the privacy, while others liked the second option so that the cybercafe owner would be able to monitor users’ activities.&lt;/b&gt;
        
&lt;p&gt;Abraham said he was surprised no one said option one looked like masturbation booths, adding that in May, India passed rules prohibiting the first design option to avoid just such an issue. This is despite a survey conducted of female college students, who liked the idea of privacy in cybercafés that typically are male-dominated.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Cybercafes are just one of the areas impacted by India’s plan for collecting and using biometrics to create unique individual identification cards.&lt;/p&gt;
&lt;p&gt;Abraham focused his presentation on activists’ efforts to counter the government’s myths about a unique identification (UID) program.&lt;/p&gt;
&lt;p&gt;One campaign image showed two soldiers on the border asking for an east-Asian looking person’s identification. The way to balance, or rectify, the drawing, Abraham said, would be to allow citizens to be able to ask the soldiers for the identification information.&lt;/p&gt;
&lt;p&gt;The campaign, “Rethink UID Project,” included several images illustrating various problems with the plan. For example, one said: “Central storage of keys is a bad idea, so is central storage of our biometrics.” As Abraham explained, if storing a copy of your housekey at the police station does not make us feel more secure, then why wouldn’t storing our biometrics with the government also make us a little more scared?&lt;/p&gt;
&lt;p&gt;In the Indian scheme, Abraham said, the government says biometrics will be used as an authentication factor in order to prove your identity, but from a computer science perspective, it’s a bad idea because it is so easy to steal biometrics. And, as Abraham pointed out, if your biometrics are stolen, it’s not possible for you to re-secure it—it’s not like getting a new ATM card and password, he said.&lt;/p&gt;
&lt;p&gt;If this system of national UID was designed using digital keys instead of biometrics, then we would have a completely different configuration, Abraham said.&lt;/p&gt;
&lt;p&gt;Centralized storage is nonnegotiable, and therefore the process of authentication is done through a centralized database, but with digital keys or digital signatures, authentication could be done on a peer basis, so citizens could authenticate border guards and vice versa.&lt;/p&gt;
&lt;p&gt;Another image from the “Rethink UID Project” campaign pointed out that “Technology cannot solve corruption.” As Abraham said, problems of corruption in the subsidy system (food, loans, education, employment guarantee act in rural India, etc) won’t be fixed with biometrics. For example, if biometric equipment is installed at fair-price shops, before the shop owner gives the grain, the citizen would have to present biometrics, which would go through a centralized server and be authenticated, then the citizen would get the grain, and ultimately there would be a record saying this particular citizen collected this amount of subsidized grain at this particular time.&lt;/p&gt;
&lt;p&gt;But there are a whole range of ways shop owners can compromise the system, Abraham said.&lt;/p&gt;
&lt;p&gt;The first way: 30-50 percent of India is illiterate, so the shop owner can say the biometrics were rejected by the server and the citizen would not know better. Or, the owner can say there was no connectivity so authentication didn’t go through, or the owner could say there was no electricity so the system won’t work, or the shop owner could give just part of the grain that the citizen is due.&lt;/p&gt;
&lt;p&gt;Corruption innovates and terrorism innovates—if technology innovates, so does corruption, as it is not a static phenomenon, Abraham said. You can’t wish away human beings from technological configurations.&lt;/p&gt;
&lt;p&gt;One village will have multiple biometric readers.&lt;/p&gt;
&lt;p&gt;Abraham said they have proposed an alternative schema: remove readers from the shop, school, hospital, bank, etc., and have only one scanner at the local governance hall. Instead of the citizen becoming transparent to the government, the government should become transparent to the citizen. The shop owners should make transparent which IDs they have given how much grain to, and only if they are going to dispute the ID of a citizen, can they go to the local government administrative office to prove the ID.&lt;/p&gt;
&lt;p&gt;Another image from the “Rethink UID Project” campaign said, “The poor and the rich: who do we track first?”&lt;/p&gt;
&lt;p&gt;Abraham explained that one problem in India is “black money,” or money for which you don’t pay taxes because the accounts are in fake names in order to store money. Like creating fake bank accounts, he said it also would be easy to create fake biometrics by combining the handprints and eyes of multiple people to get a second fake ID. Also the system could be hacked into and iris images Photoshopped. Ghost IDs also could be created and then sold off. Because the rich will get their IDs behind closed doors, Abraham said, it will be easy for them to get multiple IDs, but the poor will not be able to.&lt;/p&gt;
&lt;p&gt;Referring to “tailgating,” or when one ID card is swiped to gain entrance for multiple people, such as swiping one metro card and then two people walking through, Abraham noted that the problem is that tailgating is seen as a problem only when it’s at the bottom of the pyramid, such as when one woman goes to the fair-price shop to collect grain for five or six families so only one person has to lose a day’s wage instead of all five or six losing a day’s wages. Tailgating at the bottom of the pyramid is usually a question of survival, he said.&lt;/p&gt;
&lt;p&gt;Thus, another image from the campaign showed a pyramid and said, “Transparency at the top first…before transparency at the bottom.”&lt;/p&gt;
&lt;p&gt;The first principle is that expectations of privacy should be inversely proportional to power, so people who are really powerful, like NGOs, politicians, or heads of corporations, should have less privacy, and people who have very little power should have more privacy, Abraham said.&lt;/p&gt;
&lt;p&gt;Also, from a business perspective, the nation gets greater return on its investment if surveillance equipment is trained on people at the top of the pyramid to catch big-time corruption, he said.&lt;/p&gt;
&lt;p&gt;Most of the panic around the UID is over the transaction database. Beyond a database storing everyone’s biometrics, another database will track transactions: every time you buy a mobile phone or purchase a ticket or access a cyber cafe or subsidies, thanks to UID, there will be a record made in the transaction database, Abraham said.&lt;/p&gt;
&lt;p&gt;Abraham said it is important to note that surveillance is not an intrinsic part of information systems, but once surveillance is engineered into information systems, both those with good intentions or bad intentions can take advantage of that surveillance capability.&lt;/p&gt;
&lt;p&gt;The UID means there will be 22 databases available to 12 intelligence agencies, he said.&lt;/p&gt;
&lt;p&gt;So when a girl enters into a cybercafé, first she will have to provide her UID, and then the café owner will photocopy the card, then the owner has the right to take a photo of the girl using his own camera, then the owner is supposed to maintain browser logs of her computer for a period of one year.&lt;/p&gt;
&lt;p&gt;So the question then is how to assure accountability without surveillance?&lt;/p&gt;
&lt;p&gt;The first possibility, Abraham said, is partial storage. The transaction database could store half the data, and the central database could store the other half, so the full 360-view of the data would not be available without a court order.&lt;/p&gt;
&lt;p&gt;The second solution is a transaction escrow, where every time a record is put into the main database, it will be encrypted using 2-3 keys, and only if 3 agencies cooperate with keys, can the information be decrypted. Thus, it is targeted surveillance, not blanket surveillance.&lt;/p&gt;
&lt;p&gt;To conclude his presentation, Abraham divided participants into four groups in order to design surveillance systems for internet surveillance, mobile technologies, CCTVs, and border control.&lt;/p&gt;
&lt;p&gt;Sharon Strover spoke on behalf of the CCTV group, saying they ended up with more questions than anything else. They agreed there should be notices when cameras are in use, there should be public knowledge of who is doing surveillance and who has access to the footage, and the data shouldn’t be sold. But the group couldn’t decide which spaces warranted CCTVs and which not.&lt;/p&gt;
&lt;p&gt;Abraham then pointed out that the next generation of CCTVs can read everybody’s irises as they pass the cameras—it’s in the lab now, and 2-3 years from the market, he said.&lt;/p&gt;
&lt;p&gt;Next, Andy Carvin spoke on behalf of the mobile technologies surveillance group. Whether or not capturing metadata or content as well, the mobile phone company can collect it, but it shouldn’t be able to keep any identifiable information for the person – it should only be able to look at information in the aggregate. The rest of the information should be shipped to a non-governmental organization or government agency specialized in privacy, and 2 keys would be required: one from the judiciary and one from the NGO or governmental agency.&lt;/p&gt;
&lt;p&gt;Smári McCarthy reported back for the Internet surveillance group, pointing out that data retention has been useful in criminal cases less than 0.2 percent of the time in one study, and another showed there has been no statistically significant increase in the number of criminal cases solved because of data retention. So, he said, the group concluded there should be no blanket surveillance, only court orders in certain criminal cases that define who will be under surveillance and for how long. Also, they wanted to see a transparency register available so the public could be informed about how many people are under surveillance currently and throughout the year and other general information, such as the success rate—how many of these surveillances have led to criminal convictions or similar.&lt;/p&gt;
&lt;p&gt;Finally, Summer Harlow spoke on behalf of the border control group, which said scanning of checked- and carry-on luggage is acceptable, but there should be no luggage searches without specific probable cause from intelligence agencies or if the scans pick up weapons or other contraband. Similarly, people could be subject to spectrum scans and drug/bomb sniffing dogs for weapons and contraband, but again they would not be physically searched by border agents without probable cause. Also, people and luggage could not randomly be searched based on the country of their passport or their flight destination or origin.&lt;/p&gt;
&lt;p&gt;In summary, Abraham said, surveillance is like salt in food: it is essential in small amounts, but completely counter-productive if even slightly excessive.&amp;nbsp;&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;Download Sunil's presentation &lt;a href="https://cis-india.org/advocacy/igov/uid-largest-database" class="internal-link" title="UID - The World's Largest Database - A Presentation by Sunil Abraham"&gt;here&lt;/a&gt; [PDF, 1389 kb]&lt;/li&gt;&lt;li&gt;Sunil Abraham made the presentation at the Gary Chapman International School on Digital Transformation on 21 July 2011. The original news published by International School on Digital Transformation can be read &lt;a class="external-link" href="http://digitaltransformationschool.org/wiki/Sunil_Abraham_2011/"&gt;here&lt;/a&gt;&lt;/li&gt;&lt;li&gt;Read the schedule &lt;a class="external-link" href="http://digitaltransformationschool.org/2011/schedule/"&gt;here&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/news/uid-worlds-largest-database'&gt;https://cis-india.org/news/uid-worlds-largest-database&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    

   <dc:date>2011-07-23T02:04:45Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/UID_Questions_without_Answers">
    <title>UID: Questions without Answers – A Talk by Usha Ramanathan </title>
    <link>https://cis-india.org/internet-governance/blog/UID_Questions_without_Answers</link>
    <description>
        &lt;b&gt;UID enrolment is in full swing, providing an official identification to millions of Indians, yet there are numerous unanswered questions. A public talk on UID was held at the Institute of Science, Bangalore on September 6, 2011. Usha Ramanathan, an independent law researcher on jurisprudence, poverty and rights, discussed the questions that plague the UID project and the veil of silence enveloping the answers.&lt;/b&gt;
        
&lt;p style="text-align: justify;"&gt;Ms. Ramanathan
began her presentation by describing the progress and evolution of the UID
project. She stated three adjectives that reflect the target goal of the Unique
Identification Authority of India (UIDAI): unique, ubiquitous and universal.
She demonstrated how their initial objectives and claims have been drastically
altered in three major ways.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;First and
foremost, the UIDAI claimed that enrolment is voluntary, not mandatory, and
hence, inclusive. Yet, Nandan Nilekani has
consistently maintained that other agencies may make it compulsory.
UID is becoming ubiquitous and is a prerequisite for access to a wide variety
of welfare schemes and services such as PDS, MGNREGS, banks, public health,
etc. It is thus clear that this could
actually exclude those who do not have a number or whose biometrics do not work. Therefore, this undermines the inclusive nature of the project.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;Second, the
UIDAI claimed that the UID would enable inclusive growth. Ms. Ramanathan expressed a
serious concern surrounding the risk of exclusion. Instead of facilitating
inclusion, around two to five per cent of the Indian population would be
excluded from the current process of authentication and potentially from having
a UID number, as they do not have viable biometric data.&lt;a name="_ftnref" href="#_ftn1"&gt;&lt;span class="MsoFootnoteReference"&gt;[1]&lt;/span&gt;&lt;/a&gt;&amp;nbsp; Physical or visual impairments such as corneal blindness, corneal scars, and
malnourishment-induced cataracts, or ‘low-quality’ fingerprints from a lifetime
of hard labour, prevent those affected from providing valid fingerprints or iris scans.&lt;a name="_ftnref" href="#_ftn2"&gt;&lt;span class="MsoFootnoteReference"&gt;[2]&lt;/span&gt;&lt;/a&gt;
&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;Third, Ms. Ramanathan reiterated that
the &lt;a class="external-link" href="http://www.prsindia.org/uploads/media/NIA%20Draft%20Bill.pdf"&gt;National Identification Authority India Bill &lt;/a&gt;prohibited sharing data, except by the consent of the resident, by
a court order or for national security. However, UID information is being directly fed into the National Intelligence Grid
(NATGRID), which will then provide information about people, held in 21
databases, to eleven security agencies, including the RAW and IB, over which
there is no superintendence or oversight.&lt;a name="_ftnref" href="#_ftn3"&gt;&lt;span class="MsoFootnoteReference"&gt;[3]&lt;/span&gt;&lt;/a&gt; She
discussed the high likelihood of a breach of privacy as there are insufficient
standards protecting an individual from unlawful invasion. Additionally, the
UIDAI does not have mechanisms in place for an individual to be notified if there
is a data breach.&amp;nbsp;&lt;/p&gt;
&lt;h3&gt;&lt;u&gt;Who owns this project?&lt;/u&gt;&lt;/h3&gt;
&lt;p style="text-align: justify;"&gt;A very important question asked is, “Who owns this project?” Ms.
Ramanathan stated that the convergence of information, especially during the
‘de-duplication’ process, clearly reflects the corporatization of the project.
She also questioned the background of some of the technological companies
involved. For instance, L-1 Identity
Solutions is well known for its links with the CIA. Additionally, Accenture is
on a Smart Borders project with US Homeland Security. She explained that ownership also plays into the
feasibility and financial cost of the project. Furthermore, the UIDAI has not
conducted a
feasibility study on the technology or the financial cost of the project.&lt;/p&gt;
&lt;h3&gt;&lt;u&gt;International Experience&lt;/u&gt;&lt;/h3&gt;
&lt;p style="text-align: justify;"&gt;Lastly, Ms. Ramanathan discussed the international experience of a
universal identity system. In the United Kingdom, their universal system of
identification was labelled as ‘intrusive bullying’ as well as ‘an assault on personal
liberties’.&amp;nbsp; The United States and the United Kingdom both abandoned a
universal identity system, as it was impractical, unjustified and dangerous.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;Ms. Ramanathan raised many questions that evoked thought and discussion from the
audience. She provided numerous examples of ambiguity, misconceptions and confusion
surrounding the UID project.&amp;nbsp; She urged the audience to exercise their civil
liberties or risk losing them. Lastly, she believed that an informed debate
involving the UIDAI and the public is long overdue.&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;“The UIDAI must clarify misconception and provide detailed answers to
crucial questions, as there is a lack of understanding within the general
population about the UID. Therefore, the UIDAI and the Government of India must
increase and ensure transparency of the UID project”, she added.&amp;nbsp;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&lt;em&gt;Ms. Usha Ramanathan was speaking at an event&amp;nbsp;organised by Concern, an IISc Student group. She was speaking in her personal capacity and the opinions reflected above are necessarily not those of CIS.&lt;/em&gt;&lt;/p&gt;
&lt;p style="text-align: justify;"&gt;&amp;nbsp;&lt;/p&gt;
&lt;div&gt;&lt;br clear="all" /&gt;
&lt;hr align="left" size="1" width="33%" /&gt;
&lt;div id="ftn"&gt;
&lt;p&gt;&lt;a name="_ftn1" href="#_ftnref"&gt;&lt;span class="MsoFootnoteReference"&gt;[1]&lt;/span&gt;&lt;/a&gt; Biometrics Design Standards for UID
Applications (December 2009).&lt;/p&gt;
&lt;/div&gt;
&lt;div id="ftn"&gt;
&lt;p&gt;&lt;a name="_ftn2" href="#_ftnref"&gt;&lt;span class="MsoFootnoteReference"&gt;[2]&lt;/span&gt;&lt;/a&gt; Biometrics Design Standards
for UID Applications (December 2009).&lt;/p&gt;
&lt;/div&gt;
&lt;div id="ftn"&gt;
&lt;p style="text-align: justify;"&gt;&lt;a name="_ftn3" href="#_ftnref"&gt;&lt;span class="MsoFootnoteReference"&gt;[3]&lt;/span&gt;&lt;/a&gt; Usha Ramanathan, The Myth of the Technology Fix, http://www.india-seminar.com/2011/617/617_usha_ramanathan.htm.&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/UID_Questions_without_Answers'&gt;https://cis-india.org/internet-governance/blog/UID_Questions_without_Answers&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Natasha Vaz</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2011-11-24T04:41:41Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/privacy/uid-nothing-to-hide-fear">
    <title>UID: Nothing to Hide, Nothing to Fear?</title>
    <link>https://cis-india.org/internet-governance/blog/privacy/uid-nothing-to-hide-fear</link>
    <description>
        &lt;b&gt;Isn’t it interesting that authorities ask you about your identity and you end up showing your proof of existence! Isn’t this breaching into one’s personal life? Why so much transparency only from the public side? Why can’t the government be equally transparent to the public? asks Shilpa Narani.&lt;/b&gt;
        
&lt;p&gt;Before I get into an argument, I would like to share with you that my research is based on a comparative study of articles published on UID in leading newspapers like the Times of India, the Indian Express, the Hindustan Times, and its supplement LiveMint, Business Standard, Asian Age, DNA India, Bangalore Mirror, Deccan Chronicle and Deccan Herald. My research shows that the government officials and the individuals working for the UIDAI, who are involved in proposing the identity system, in fact hide their own identity from the public.&lt;/p&gt;
&lt;h3&gt;Background&lt;/h3&gt;
&lt;p&gt;A pan-India project to “identify” each resident was formally inaugurated in 2009, with the establishment of the Unique Identification Authority of India (UIDAI) as an office attached to the Planning Commission.[&lt;a href="#1"&gt;1&lt;/a&gt;]&amp;nbsp;The goal of the Unique ID project is to issue a unique identity number to every resident in the country. The Unique Identification number (UID) will be linked to every resident’s basic demographic and biometric details, and stored in the UIDAI central database.[&lt;a href="#2"&gt;2&lt;/a&gt;]&amp;nbsp;Now a 12 digit number will henceforth decide whether you exist or not? It will decide whether you remain a known or an unknown person? With this blog I would like to highlight the irony in the UIDAI's attempt to establish if a person is known or is unknown with a 12 digit number.&lt;/p&gt;
&lt;p&gt;An identity card virus seems to be spreading across India. Everyone is praising the UID and the social, economic, and political improvements it will bring. “The aim of the UID scheme is to bring transparency in the system,” says Sonia Gandhi.[&lt;a href="#3"&gt;3&lt;/a&gt;]&amp;nbsp;One has to wonder though — if the aim of the UID is to bring transparency, why is it that government and UIDAI officials are not transparent themselves?&lt;/p&gt;
&lt;h3&gt;Findings&lt;/h3&gt;
&lt;p&gt;According to my research, in 55 news articles taken from different newspapers mentioned above, there are 66 persons who shared their views on UID only on the condition of anonymity. Most of these individuals were public servants who themselves did not wish to be identified. For instance, one individual was from the department of information technology, who is working on the UID project and with the UIDAI itself.&lt;/p&gt;
&lt;p&gt;Total Anonymous&lt;/p&gt;
&lt;p&gt;&lt;img src="https://cis-india.org/home-images/uidgrid.jpg/image_preview" alt="UID - Grid Summary" class="image-inline image-inline" title="UID - Grid Summary" /&gt;&lt;/p&gt;
&lt;p&gt;As one can see from the graph above, the total number of anonymous people sharing their perspectives on the UID is greater than the total number of identified people sharing their perspectives on the UID. Below is a detailed review of UID articles from each newspaper:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Times of India&lt;/strong&gt;: Out of 13 articles, Times of India quoted nine anonymous sources, among whom were HRD officials, civic sources, sources from the census operation department, collectorate sources, senior postal officials, UIDAI officials, and unclassified individuals. Times of India quoted only four identified sources.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Indian Express&lt;/strong&gt;: Out of 10 articles, the Indian Express quoted twelve anonymous sources including sources from senior officials of the AADHAR office, senior Delhi government officials and some unclassified sources. Again only four identified sources were quoted.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;LiveMint&lt;/strong&gt;: Out of 7 articles, LiveMint quoted 15 anonymous sources including sources from the Information Regulatory and Development Authority (IRDA), UIDAI, Bank of India, a senior SEBI official, sources from the ministry, etc. Only 11 sources revealed their identity.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Hindustan Times&lt;/strong&gt;: Out of 3 articles, there were 6 anonymous sources, and 5 sources that were identified. Anonymous sources were from UIDAI, finance ministry, and other government officials.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Deccan Herald&lt;/strong&gt;: Out of 11 articles, there were 14 anonymous sources and only 6 were identified. Anonymous sources included UIDAI officials, banks, senior officials from government, and unclassified sources as well.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Asian Age&lt;/strong&gt;: Out of 4 articles, there were 5 anonymous sources. Anonymous sources included government officials and some unclassified officials.&lt;/p&gt;
&lt;h3&gt;Power of Identity: Why is anonymity important?&lt;/h3&gt;
&lt;p&gt;UID has the potential to threaten an individual’s ability to be anonymous in society. &amp;nbsp;Anonymity results when the personal identity or personally identifiable information of a person is not known. As demonstrated above, a certain amount of anonymity already exists in India today, but with the coming of the UID there is the potential that this will be changed.&lt;/p&gt;
&lt;h3&gt;Conclusion&lt;/h3&gt;
&lt;p&gt;As Sonia Gandhi herself said, the UID's aim is to bring transparency in the system. Though the government is eager to make the Indian public transparent in their everyday lives, clearly from the analysis above, individuals working for the government and UIDAI are not comfortable being transparent to the public. &amp;nbsp;It is ironic that the individuals developing and working for this scheme are not willing to voice their opinion and be identified, but private individuals are. Though the UID scheme is being promoted as a way to make the people accountable and visible in the eyes of the government, from the very start of the project the UIDAI and government have kept themselves under a cloud of secrecy. The government’s non-transparent attitude towards this project and the unawareness of its use on the people makes the whole scheme shady and unnecessary.&lt;/p&gt;
&lt;pre&gt;Notes&lt;/pre&gt;
&lt;p class="discreet"&gt;&lt;a class="external-link" name="1" href="http://uidai.gov.in/UID_PDF/Front_Page_Articles/Documents/Strategy_Overveiw-001.pdf"&gt;[1]http://uidai.gov.in/UID_PDF/Front_Page_Articles/Documents/Strategy_Overveiw-001.pdf&lt;/a&gt;&lt;/p&gt;
&lt;p class="discreet"&gt;&lt;a class="external-link" name="2" href="http://uidai.gov.in/UID_PDF/Working_Papers/UID_and_iris_paper_final.pdf"&gt;[2]http://uidai.gov.in/UID_PDF/Working_Papers/UID_and_iris_paper_final.pdf&lt;/a&gt;&lt;/p&gt;
&lt;p class="discreet"&gt;&lt;a class="external-link" name="3" href="http://articles.timesofindia.indiatimes.com/2010-09-30/india/28243557_1_uid-number-unique-id-numbers-tembhli"&gt;[3]http://articles.timesofindia.indiatimes.com/2010-09-30/india/28243557_1_uid-number-unique-id-numbers-tembhli&lt;/a&gt;&lt;/p&gt;
&lt;strong&gt;Download the &lt;a href="https://cis-india.org/internet-governance/publications/uid-grid.xlsx/at_download/file" class="internal-link" title="UID Grid"&gt;UID Summary Grid here&lt;/a&gt;&lt;/strong&gt;&lt;strong&gt;&amp;nbsp;[Excel, 19kb]&lt;/strong&gt;
&lt;div&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;
&lt;div class="pullquote"&gt;For the summary of articles in newspapers, &lt;a href="https://cis-india.org/internet-governance/publications/uid-new-grid" class="external-link"&gt;click here&lt;/a&gt;&lt;/div&gt;
&lt;/div&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/privacy/uid-nothing-to-hide-fear'&gt;https://cis-india.org/internet-governance/blog/privacy/uid-nothing-to-hide-fear&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>shilpa</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2011-09-28T11:44:21Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/news/are-your-biometric-i-cards-stacked-against-you">
    <title>UID: Are your biometric I-cards stacked against you?</title>
    <link>https://cis-india.org/news/are-your-biometric-i-cards-stacked-against-you</link>
    <description>
        &lt;b&gt;Imagine a rural family of five. Mom. Dad. Two kids. And Grandma. Assume too that they are below the poverty line. The day is coming when this family will have to give its biometrics out to myriad agencies. &lt;/b&gt;
        &lt;p&gt;&lt;a href="http://articles.economictimes.indiatimes.com/2012-06-24/news/32382928_1_biometrics-uidai-national-population-register"&gt;This article by M Rajshekhar was published in the Economic Times on June 24, 2012&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;You know that Nandan Nilekani's &lt;a href="http://economictimes.indiatimes.com/topic/Unique%20Identification%20Authority%20of%20India" target="_blank"&gt;&lt;span&gt;Unique Identification Authority of India&lt;/span&gt;&lt;/a&gt; (UIDAI) or the Registrar General's &lt;a href="http://economictimes.indiatimes.com/topic/National%20Population%20Register" target="_blank"&gt;&lt;span&gt;National Population Register&lt;/span&gt;&lt;/a&gt; (NPR) has been collecting biometrics for a while now. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt; But a set of other departments have entered the fray. This ranges from  the PDS department, ministry of rural development (MoRD), states'  education departments, the Rashtriya Swasthya Bima Yojana (RSBY), banks,  the department of social welfare, the post office...they are all  collecting biometrics (see Agencies Collecting Biometrics Right Now). &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt; This is the latest iteration in India's tryst with biometrics. From a beginning where only the &lt;a href="http://economictimes.indiatimes.com/topic/NPR" target="_blank"&gt;&lt;span&gt;NPR&lt;/span&gt;&lt;/a&gt; — and, a little later, the &lt;a href="http://economictimes.indiatimes.com/topic/UIDAI" target="_blank"&gt;&lt;span&gt;UIDAI&lt;/span&gt;&lt;/a&gt; — were to capture biometrics, we have now reached a point where myriad  departments and ministries are camping in India's villages and towns,  capturing &lt;a href="http://economictimes.indiatimes.com/topic/fingerprints" target="_blank"&gt;&lt;span&gt;fingerprints&lt;/span&gt;&lt;/a&gt; and iris images. &lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;span&gt; Identity Thieves &lt;/span&gt;&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt; There was to be one large database. Now, we are moving to a system  where multiple agencies capture and store biometrics data in myriad  servers. This is amplifying the risk of biometric theft. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt; As Sunil Abraham, the head of Bangalore-based Centre for Internet and  Society says, "If biometrics is used as authentication factor then it  would be possible for a criminal to harvest your biometrics — such as  using a glass to collect fingerprints — without your conscious  cooperation. Or the registrar can cache your biometrics and duplicate  transactions." &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt; As the number of databases containing biometrics rises, the risk of this information leaking out increases. There have been complaints against a UIDAI enrolment agency called Madras Security Printers that it had sold data to private companies. There were also charges that enrolment agencies had outsourced the enrolment work to other companies, which they are not allowed to do. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt; What complicates matters further is there are not many safeguards. The  country doesn't have a policy on how biometrics can be captured, used,  stored and destroyed. But before we get deeper into that story, it is  useful to understand why multiple departments have begun collecting  biometrics. &lt;/span&gt;&lt;/p&gt;
&lt;h3&gt;&lt;span&gt; Biometric Rush &lt;/span&gt;&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt; According to a senior bureaucrat who recently retired from the ministry  of planning, the answer lies in the 2014 elections. "For the  government, cash transfers are the large reforms that they think UPA 2  can point towards in the next elections. For this reason, they need all  this up and running before 2014." &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt; However, over the past few months, parts of the government are  increasingly unsure if UIDAI and NPR will meet their targets. "I do not  think the 2014 target can be met at all," says a senior official in the &lt;a href="http://economictimes.indiatimes.com/topic/National%20Informatics%20Centre" target="_blank"&gt;&lt;span&gt;National Informatics Centre&lt;/span&gt;&lt;/a&gt; (NIC). "We have to enroll another 800 million people. Then, we have to  deduplicate them. Then, we have to make the cards and distribute them." &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt; This is one reason why a set of government departments are configuring  their own alternatives. Take the Department of Financial Services (DFS).  It has been testing an online, biometric system for cash payments in  Haryana's Mewat district for months now. Here, each bank will store its  customers' biometric information in its own servers. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt; If a customer of bank A goes to a banking correspondent (BC) agent of  bank B, his biometrics would be forwarded by bank B to bank A for  authentication. Once authenticated, the transaction will be completed.  "We should be rolling the new system out nationally from July or  August," says the bureaucrat. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt; The rural development ministry is also testing its payment system. Once  the local administration tells the ministry about who worked how many  days, the ministry will be able to put money into their accounts  automatically via a payment gateway. Right now, this is done manually  with the block development officer and sarpanch making out the cheques. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt; This pilot, says DK Jain, joint secretary, MoRD, started 3-4 months ago  in parts of Gujarat, Karnataka, Odisha and Rajasthan. In another six  months, it will be available across the country. And then, there is the  PDS. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt; Here, different states are putting different systems in place. Andhra,  says a senior mandarin in the food ministry, is going with UID, Haryana  is looking at smart cards, Jharkhand is going with Aadhaar, MP and  Gujarat are testing food coupons, while Chhattisgarh has decided to use  RSBY and Orissa has chosen NPR. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt; Apart from this, data is also being collected by the RSBY and BC  companies on behalf of the banks handling welfare payments, or  scrambling to meet their financial inclusion targets. &lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;&lt;i&gt;Sunil Abraham is quoted in this article&lt;/i&gt;.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/news/are-your-biometric-i-cards-stacked-against-you'&gt;https://cis-india.org/news/are-your-biometric-i-cards-stacked-against-you&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Internet Governance</dc:subject>
    

   <dc:date>2012-06-26T09:33:51Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>




</rdf:RDF>
