We are anonymous, we are legion

UID: A Debate on Fundamental rights

radha — 2011-04-02T12:33:44Z

UID: A debate on the Fundamental Rights - was jointly organized by the Citizen Action Forum, People's Union for Civil Liberties - Karnataka, Alternative Law Forum and the Centre for Internet and Society on April 16th at IAT, Queens Road, Bangalore - An article in the Prajavani news paper - April 17th.

For more details visit https://cis-india.org/news/uid-a-debate-on-fundamental-rights

UID: A Data Subject's Registration Tale

Mukta Batra — 2014-09-11T09:05:07Z

A person who registered for UIDAI shares their experience of registering for the UID Number, on the condition of anonymity.

The registration process begins with filling a form, which has a verification clause at the end. This is a statement that the data, including biometric data, is correct and is that of the registrant. The presence of the word ‘biometric’ in relation to the verification creates tacit consent in the collection of biometric data.

The data subject registered for the UID number as several utilities were being linked to the UID number at that time.

The data subject pointed out three areas for concern: (i) optional data was being collected under protest; (ii) the subjects documents were being taken out of their sight for scanning; (iii) the ownership of data.

While registering for the UID number, data subjects have a choice not to link their bank numbers to bank accounts and to utilities such as gas connections. This data subject noticed that the data operator linked these by default and the data subject had to specifically request the de-linking. The data operator did not inform the data subject of the choice not to link the UID with these services. If this is the state of affairs for the conscious registrant, it is unlikely that those who cannot read will be informed of their right to choice. Their information will then be inadvertently linked and they will be denied the right to opt out of the linkage.

This data subject additionally noted that their right to refuse to provide optional data on the registration form was blatantly disregarded by the enrolling agency. Despite protests against providing this information, the enroller forcibly entered information such as ‘ward number’, which was optional. The enroller justified these actions - stating: the company will cut our salary. Unfortunately, registrants do not know who the data collection company is.

Where the data subjects do not know who collects their data and where it is going, there can be no accountability.

This incident seems to show that the rules on personal information are being violated. The right to know: the identity and address of the entity collecting the data,[1] the purpose of data collection,[2] the restrictions on data use[3] and the right not to disclose sensitive personal data [4] are all granted by the Information Technology Rules. Data subjects also have the right to be informed about the intended recipients[5] and the entities that will retain the data. [6] The data collector has failed to perform its corresponding duty to make such disclosures and has arguably limited the control of data subjects over their privacy.

If this is what other UID registrations are like, then perhaps it is time to modify the process of data handling and processing. The law should be implemented better and amended to enable better implementation either through greater state intervention or severe liability when personal information is improperly handled.

[1] R.4(3)(d) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

[2] R. 4(3)(b) Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

[3] R. 4(7) Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

[4] R. 4 (7) Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

[5] R. 4 (3) (c) Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

[6] R.4(3)(d) Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

For more details visit https://cis-india.org/internet-governance/blog/uid-a-data-subjects-registration-tale

UID Research

vanya — 2016-01-03T09:59:27Z

The Centre Internet and Society, India has been researching privacy policy in India since the year 2010 with the following objectives.

Researching the vision and implementation of the UID Scheme - both from a technical and regulatory perspective.
Understanding the validity and legality of collection, usage and storage of Biometric information for this scheme.
Raising public awareness around issues concerning privacy, data security and the objectives of the UID Scheme.

The UID scheme seeks to provide all residents of India an identity number based on their biometrics that can be used to authenticate individuals for the purpose of Government benefits and services. A 2015 Supreme Court ruling has clarified that the UID can only be used in the PDS and LPG Schemes.

Concerns with the scheme include the broad consent taken at the time of enrolment, the lack of clarity as to what happens with transactional metadata, the centralized storage of the biometric information in the CIDR, the seeding of the aadhaar number into service providers’ databases, and the possibility of function creep. Also, there are concerns due to absence of a legislation to look into the privacy and security concerns.

UID Research -

1. Ramifications of Aadhar and UID schemes -

The UID and Aadhar systems have been bombarded with criticisms and plagued with issues ranging from privacy concerns to security risks. The following articles deal with the many problems and drawbacks of these systems.

§ UID and NPR: Towards Common Ground http://cis-india.org/internet-governance/blog/uid-npr-towards-common-ground

§ Public Statement to Final Draft of UID Bill http://bit.ly/1aGf1NN

§ UID Project in India - Some Possible Ramifications http://cis-india.org/internet-governance/blog/uid-in-india

§ Aadhaar Number vs the Social Security Number http://cis-india.org/internet-governance/blog/aadhaar-vs-social-security-number

§ Feedback to the NIA Bill http://cis-india.org/internet-governance/blog/cis-feedback-to-nia-bill

§ Unique ID System: Pros and Cons http://bit.ly/1jmxbZS

§ Submitted seven open letters to the Parliamentary Finance Committee on the UID covering the following aspects: SCOSTA Standards (http://bit.ly/1hq5Rqd), Centralized Database (http://bit.ly/1hsHJDg), Biometrics (http://bit.ly/196drke), UID Budget (http://bit.ly/1e4c2Op), Operational Design (http://bit.ly/JXR61S), UID and Transactions (http://bit.ly/1gY6B8r), and Deduplication (http://bit.ly/1c9TkSg)

§ Comments on Finance Committee Statements to Open Letters on Unique Identity: The Parliamentary Finance Committee responded to the open letters sent by CIS through an email on 12 October 2011. CIS has commented on the points raised by the Committee: http://bit.ly/1kz4H0F

§ Unique Identification Scheme (UID) & National Population Register (NPR), and Governance http://cis-india.org/internet-governance/blog/uid-and-npr-a-background-note

§ Financial Inclusion and the UID http://cis-india.org/internet-governance/privacy_uidfinancialinclusion

§ The Aadhaar Case http://cis-india.org/internet-governance/blog/the-aadhaar-case

§ Do we need the Aadhaar scheme http://bit.ly/1850wAz

§ 4 Popular Myths about UID http://bit.ly/1bWFoQg

§ Does the UID Reflect India? http://cis-india.org/internet-governance/blog/privacy/uid-reflects-india

§ Would it be a unique identity crisis? http://cis-india.org/news/unique-identity-crisis

§ UID: Nothing to Hide, Nothing to Fear? http://cis-india.org/internet-governance/blog/privacy/uid-nothing-to-hide-fear

2. Right to Privacy and UID -

The UID system has been hit by many privacy concerns from NGOs, private individuals and others. The sharing of one's information, especially fingerprints and retinal scans to a system that is controlled by the government and is not vetted as having good security irks most people. These issues are dealt with the in the following articles.

§ India Fears of Privacy Loss Pursue Ambitious ID Project http://cis-india.org/news/india-fears-of-privacy-loss

§ Analysing the Right to Privacy and Dignity with Respect to the UID http://bit.ly/1bWFoQg

§ Analysing the Right to Privacy and Dignity with Respect to the UID http://cis-india.org/internet-governance/blog/privacy/privacy-uiddevaprasad

§ Supreme Court order is a good start, but is seeding necessary? http://cis-india.org/internet-governance/blog/supreme-court-order-is-a-good-start-but-is-seeding-necessary

§ Right to Privacy in Peril http://cis-india.org/internet-governance/blog/right-to-privacy-in-peril

3. Data Flow in the UID -

The articles below deal with the manner in which data is moved around and handled in the UID system in India.

§ UIDAI Practices and the Information Technology Act, Section 43A and Subsequent Rules http://cis-india.org/internet-governance/blog/uid-practices-and-it-act-sec-43-a-and-subsequent-rules

§ Data flow in the Unique Identification Scheme of India http://cis-india.org/internet-governance/blog/data-flow-in-unique-identification-scheme-of-india

For more details visit https://cis-india.org/internet-governance/blog/uid-research

UID Project in India - Some Possible Ramifications

Liliyan — 2012-03-21T10:13:27Z

Having a standard for decentralized ID verification rather than a centralized database that would more often than not be misused by various authorities will solve ID problems, writes Liliyan in this blog entry. These blog posts to be published in a series will voice the expert opinions of researchers and critics on the UID project and present its unique shortcomings to the reader.

Researchers at CIS have been grappling with the UID project from research, advocacy, and legal standpoints though all approach it from their own perspective and opinions are rarely duplicated. In an attempt to make their expert opinions more accessible to readers, a series of blog posts, this being the first, will be put up. These posts will not, and cannot because of its length and format, try to address all the possible issues the UID poses. However, they will present the bare bones of the arguments and research questions that the independent voices at CIS see as crucial. These posts will also ask many more questions than they answer, in an attempt to spur further dialogue about the UID project.

Central to understanding the nature of the UID project and its possible ramifications is the idea that technology is not merely a tool to be used by an unchanging, monolithic state. In fact, its very adoption can create ripple effects throughout the apparatus of the state. When the state adoptsa mainstream and ubiquitous technology, the structure of the government and methods of governance change. These changes are not always so dramatic as to be immediately noticeable without some informed inspection, but if one considers the way the state and the citizen interact the significance of these changes becomes starkly apparent. Can we trust the government to use touch screen voting machines like the ones we see every day at the bank? Do government surveillance cameras make us safer or introduce worrisome intrusion into our privacy, or both? Technology is not as neutral as it appears. That is not to say that it is inherently good or bad, but that it is not inert, it is transformative in nature.

The nation state as we know it is built on the printed word, or at least analogue technology. The ways in which we codify, distribute, and assimilate information have, for centuries, been dominated by the printing press. With the introduction of “database governance” there will inevitably be a shift, and a radical one at that. The Indian government has announced its intention to move towards “SMART” (simple, moral, accountable, responsive and transparent) governance, and this implies both an acceptance of the neo-liberal philosophy of government and techno-governance. To achieve a new level of transparency, accountability, and responsiveness, the move towards e-governance could be a major turning point, but how does this shift complicate and change the citizen-state relationship in India? How does this change shift the relationship of India with the rest of the international community?

The UID and Shifts in the Citizen-State Relationship

One way that the citizen-state relationship will change with the shift towards techno-governance, specifically in regard to the UID project, is that the UID posits the state as both the safe-keeper and arbiter of identity. Proponents of the UID project are adamant that it is a voluntary program, but even the UID website states that “in time, certain service providers may require a person to have a UID to deliver services”. As the UID becomes increasingly ubiquitous, could not having a number mean being cut off from some or many of the basic privileges of citizenship if one's identity is becoming more difficult to verify? If having a UID number is the most prominent marker of identity, then it is through state definition, arbitration and upon the state's technical capacity that all will rely.

Moreover, how do we begin to address the privacy issues raised by technological advances in relation to non-changing legal structures? What does it mean to capture all this identity data without introducing a new privacy legislation to protect the citizen? Without new legal accommodation, otherwise benign processes like a statistical census can become a potent tool in a shift towards a police state. As state apparatus's shift, there must be some paradigmatic shift in law to accompany these new technologies and government roles.

If the state transforms through the integration of e-governance forms, then there will inevitably be a recalibration of the relationship between the state, the market, and the citizen. Traditionally the separation of these entities creates arbitration and within a development paradigm there is dynamic, active triangulation. One way we can see this triangulation is through government intervention in markets on behalf of the citizen. There are certain spaces of consumption, for example, such as a cinema where state intervention against discrimination creates a marker for citizenship. That is, because I am able to access a cinema without discrimination, as one of my constitutional rights, this demonstrates my citizenship. However, with the introduction of public- private partnerships, or PPPs, the fact of having multiple stake-holders of political economy allows for the state to disinvest in the production and delivery of certain public services. Satisfying the needs of the citizen for services like sanitation, public education, delivery of power and clean water, maintenance of infrastructure like roads and bridges, can be handed over to corporate entities. The Indian government has enthusiastically embraced PPPs as a way to bring needed capital to the infrastructure demands that accompany their economic growth goals. However, how does this kind of task delegation affect transparency and accountability? If the state decides to stop producing or supplying a good or service, and instead turns this over to a corporation, can the mechanisms for state oversight realistically be trusted to make sure quality and accountability are not adversely affected and rectify the situation if they are? Where does the citizen come into all of this, in terms of what they stand to gain and lose?

The Definition of Citizenship and the UID

As the state and the market enters into new relationships the definition of citizenship changes. If the citizen is seen as the intended beneficiary of state programs, this new relationship between state and market begs the question “Who is subject to (or the subject of) the state?” When the corporate sphere creates micro-financing that helps farmers, they may help the people at the bottom of the economic pyramid manage their debt, but does it necessarily address the problems that created the debt in the first place? How does the market mediate the citizen-state dialogue? As the state and the market enter into new relationships there is a recalibration of the citizen-government relationship. Do market demands for an e-literate consumer put pressure on the state to create one where one did not exist before, and if so, can this not have profound implications for the definition of citizenship?

Part of the movement towards e-governance is signalled by the fact that there has been a shift away from state-sponsored literacy campaigns to e-literacy programs. Does this use of information and communications technology for development (or ITC4D) alienate significant portions of the population? Can such programs in fact widen the digital divide? With the introduction of e-governance the state asks the citizen to participate in governance by creating new avenues for civic participation, such as providing databases of information pertaining to the state that is freely accessible for analysis and manipulation by anyone with the skills to do so. But, if this makes it impossible for some portions of the citizenry to communicate effectively with the state, does this run the risk of making certain, traditional forms of citizenship redundant? How are people with low literacy and little or no access to the necessary technologies supposed to communicate with this new high-tech bureaucracy? Will those who cannot navigate the new systems be inadvertently relegated to second-class status?

This is of particular concern when thinking about the UID project. To properly manage and distribute social services, ID management in some form is crucial. However, when trying to make sure services are properly delivered to the uneducated poor the danger for digital-analogue slippage that is not in their favour increases, and accountability is not necessarily adequately addressed. For example, if I am an illiterate farmer entitled to a certain ration and the person conducting the transaction decides to defraud me, they can easily ask me to authenticate my biometrics, make it appear that they have been simply checking my identity when they have actually fooled me into authenticating the “completed” transaction and simply tell me the computer says, I've already received my share, that I'm only entitled to half of the normal amount, or some other such lie. In this scenario, how would I know this person wasn't telling me the truth? If they lie using a simple ledger, I can take the ledger itself or a copy of it to a literate friend and have them help me navigate the situation. I can seek redress and substantiate my claims more easily if I am not alienated by the technologies being used. Technologies can be empowering or dis-empowering depending on their application. How then, do we balance the demands of the market and the duties of the state against the rights of the citizen? Or rather, how do we apply technology in such a way that the demands of the market and the duties of the state mutually balance each other?

Centralization and Cost-effectiveness of the UID

While ID management is indisputably important, it does not require a centralized database. In the US there are multiple pieces of information, stored in separate databases that can be used to authenticate a transaction. No one can open a bank account with just a social security insurance number. You also need a separate form of ID, often two, that can be used to verify identity. In this way, the SSI number is a bit like a “username” and the other forms of ID, driver's license or passport, function like a corresponding “password”. With the UID project, however, the “username” (the number itself) and the “password” (the number holder's biometrics) are stored in the same place. Thereby, should the database be in some way compromised, all the information needed to verify and complete transactions would be available. If storing this information in a central database is really a good idea, then one must also accept the premise that merging all existing email servers into one monolithic server is also a good idea. Furthermore, centralization is not only more dangerous, it is totally unnecessary. Trillions of dollars worth of trade take place every year using PIN numbers issued by banks and verified without the verifying data being centralized. Having a standard for decentralized ID verification, rather than a centralized database would solve ID problems without creating a database that would be vulnerable to attack.

There are lots of examples of governments implementing costly safety measures that don't actually make anyone safer. Take for example the cameras put up all over London to monitor the movements of people. Unfortunately, something as low-tech as a hooded sweatshirt can thwart these attempts at surveillance. Moreover, if I am a criminal, I am going to make it a priority to know where the cameras are so that I can strategically avoid them. Another example is the millions of dollar the U.S. government spent on putting an armed Federal Air Marshal on every flight, post 9/11. While traditional intelligence gather has thwarted other attempted attacks since 9/11, Air Marshals have not been responsible for stopping any. Simply because the UID project is more technologically advanced does not make it more effective. It seems to greatly increase the risk of fraud that there can be so many separate biometrics machines scattered in different places to verify so many transactions. Having the machines sequestered in private businesses where they will not be constantly monitored or regulated seems to be both costly and easily subject to tampering. It seems to make more sense to have, say, one central, monitored machine per so many people that could be used to settle identity disputes when they arise rather than making the technology a part of every transaction.

Infallibility and Circumvention of the UID

The UID is not infallible and circumvention will certainly be a problem with the project. We find an analogy in the field of digital rights management. If I copy an mp3 without permission or payment, that is illegal. Digital rights management law was introduced to stop this practice, but it was circumvented. This legislation has not stopped the first crime. It has merely created a second, that of circumventing the law. The UID, in so far as it may be used to try to stop the crime of illegally siphoning resources such as, for example, grain intended to go to the poor, cannot stop people from circumventing the system. Circumventing the UID will be a crime. If doing so were truly impossible there would be no need to criminalize it. So, instead of preventing the initial crime of siphoning may not prevent the first crime, while introducing another.

There are basically two possible types of circumvention that are possible, though they might present themselves in various different forms. “Type A” or “the Mission Impossible” kind of fraud might involve fake thumb prints and contact lenses being worn by someone trying to fool the person conducting the biometric authentication. “Type B” occurs when the person operating the biometrics machine is working to defraud the system, most likely with one or many accomplices.

“Type A” involves one dishonest person, who is trying to access someone else's account or a ghost account, and there are various proposed methods to prevent against this type of fraud. To prevent against people using fake thumb prints, the biometrics machines will measure the heat of the thumb as well as the image of the thumb. With the iris scan, there will be a pulse of light to cause contraction in the iris so that a contact lens, which cannot adjust for light, can be detected. All of this will drastically raise the price of the machines in question. It is hard to imagine farmers and labourers defrauding the system with elaborate biometric defrauding devices, so these expensive machines are much more appropriate for monitoring the top of the economic pyramid, who steal in larger sums and have more sophisticated technology at their disposal.

“Type B” involves dishonesty either by the person in control of the biometric authentication, or both that person and others. This seems to be a much more likely and problematic scenario. Right now, bank accounts that are not connected to a name are regularly created so that people can cheat the tax man. Since the bank profits from these accounts, it's in the bank's interest to help people set up such accounts. Ghost ID numbers, and things like bank accounts that are connected to them, can still be produced with biometrics. How is this possible? Well, to make it possible for so many biometric authentications to happen every day, the whole set of ten finger prints won't be sent. That would be way too much data. So, instead of overwhelming the channels, only one thumb print will be sent. Even that many thumb prints would be an information overload, so each thumb print's image will be reduced to a set of 30 data points that will be compared against the original scans. So, where is there a possibility for fraud? When the scan of the finger is taken, and image is rendered. If someone wants to create a ghost ID they only have to manipulate this image, like with a Photoshop filter, and alter the data points. Once I've created a set of biometric markers that doesn't connect to anyone, I can conduct transactions for a ghost. One can easily imagine a market emerging for ghost IDs. People might start trying to pay foreign tourists for their biometric information, which could be sold to a local office. There are certain settings where biometrics works well, for example, at an airport. There, everything is under constant video surveillance. If someone were to tamper with or try to replace the machinery it would be quickly noticed by the cameras. Even if it weren't, different people would routinely be operating the same machine and this would be an added safe guard against fraud. However, at a bank, or any place where the machines used for verification are operated behind closed doors it is quite likely that the technology will be abused. This abuse could easily go unnoticed, because the draft UID bill has proposed strict accountability measures for the Authority, and has conveniently overlooked extending these to collecting and enrolling agencies.

Digital/Analogue Slippage

There is always the possibility of digital/analogue slippage or, more simply put, the computer records not reflecting what actually happened even if no fake identity was used. This happens all the time in IT buildings in the form of tailgating. Four people go out to lunch together and as they re-enter the building they're supposed to each swipe their ID card individually. It is easier and faster for one person to swipe for everyone so, despite signs discouraging this behaviour, this is a common occurrence. If you were to try to analyse the data collected after a day of such comings and goings it would be indecipherable.

I can also authenticate my biometrics, in order to authorize a transaction, without the transaction actually being complete. Let's say I'm a poor farmer entitled to a ration of 10 kilos of grain. The person who is supposed to give me the grain is not an honest person and insists that I authenticate the transaction before he or she gives me my ration. I do what I'm told but only receive 5 kilos. The computer record shows that I have gotten my full ration, so I have no grounds to contest. In this scenario, more complex technology does not necessarily mean greater accountability. Furthermore, even if I am illiterate, if there is a simple ledger that has recorded the transaction, I can physically take the ledger or a copy of it and show it to some literate person willing to help me. If the only record of the transaction is in a database that I can't access or can't understand it will be even more difficult for me to seek help. Moreover, if I don't understand the technology and the shop owner decides not to give me the grain at all they can simply say “Oh, I'm sorry, your account has been denied” or “The computer says you've already been given your ration” and I have little chance of successfully negotiating that situation. Built in to this example is the disadvantage that the illiterate and the computer illiterate face when dealing with this technology but, this is not necessarily always present in cases where digital/analogue slippage causes confusion or complication.

Commonly, things are bought by or registered to one person and used by another. For example, in a small office building, all the phone lines and computers may have been bought in the name of one person. Each office worker will not buy their own computer or equipment, but instead the computers will be bought in the name of the person who runs the organization or an administrator with financial authority. If someone in the office uses their computer to make a bomb or store child pornography, who is accountable? This is the problem when there is digital/analogue slippage. There is the digital record of events and then things as they really are, which are not always identical, and there is no accountability or safeguard against mistake. In the context of the UID, the possibility of such slippage is too high, and will work against the goal of delivering benefits to the poor instead of facilitating it.

For more details visit https://cis-india.org/internet-governance/blog/uid-in-india

UID project draws flak from civil rights activists

praskrishna — 2011-04-02T12:26:20Z

The unique identification project is drawing a flak from civil rights activists.

The unique identification project drew flak from civil liberties activists in the city on Wednesday. "Unique identification is an encroachment of privacy. With the new technology, it will be easy to track people," members of Citizens Against UID / Aashar, a forum floated by those opposing the project, including PUCL and SICHREM, said. They said the project should not be implemented until people's participation was ensured.

Read the original article in DNA

For more details visit https://cis-india.org/news/UID-project-draws-flak

UID is an invasion of privacy: Experts

radha — 2011-04-02T12:33:19Z

The Nandan Nilekani headed Unique Identification Authority of India (UIDAI) came in for much criricism at the first of a series of debates on the issue organised in the city on Friday - Deccan Chronicle, April 17th.

Bengaluru, April 16: Legal experts and several ordinary people find the move to give all citizens of the country an identity number an invasion of their privacy. The Nandan Nilekani headed Unique Identification Authority of India (UIDAI) came in for much criricism at the first of a series of debates on the issue organised in the city on Friday.

Participants found the idea of concentrating so much power in one authority frightening. One of the panelists Usha Ramanathan of the Centre for the Study of Developing Societies said that in two or three years people would not be able to travel without carrying their identity numbers on them. "The logic behind this is that if you don't have a number, you don't exist. Our personal information will be fed into the systems of various agencies with a certain set of people handling that data. Allowing so much power in the guise of security is handing too much control to the State," Ms Ramanathan said.

Malavika Jayaram of the Centre for internet and Society, described the UID as “a technological solution to a problem that isn't even technological in nature.”

Gautam John of Pratham Books, however, felt that a mechanism such as the UID could help identify school dropouts and in tracking quality of education.

But most complained about a lack of clarity on the issue

Link to the original article.

For more details visit https://cis-india.org/news/uid-is-an-invasion-of-privacy-experts

UID info can be misused

praskrishna — 2011-04-02T12:26:27Z

Public organisations, NGOs and concerned citizens feel UID may become an easy database for anti-social elements.

The Unique Identification number (UID) could become an easy database for anti-social elements, according to public organisations, NGOs and concerned citizens. They felt that the UID should be discouraged till more transparency and accountability was introduced in the system.

They were speaking during a discussion on the UID here on Wednesday.

"Including so many details of individuals into a Central database could be dangerous," said Sunil Abraham, executive director, the centre for internet and society. He said various users of the data such as banks, telecom companies, government departments could potentially make it dangerous.

There are concerns that this will also lead to a police raj in the state. "As it is now there are so many anti-establishment movements, it will become very easy for the cops to arrest people and put them behind bars on the pretext of biometric mismatch. And nobody can question the technology," said Jagadish Chandra.

See the original article in the Deccan Chronicle

For more details visit https://cis-india.org/news/uid-info-can-be-misused

UID has no legal sanctity, says lawyer-activist

praskrishna — 2013-03-11T06:08:32Z

‘Iris scanning adopted for the UID project is flawed as the iris keeps changing’

This article was published in the Hindu on March 3, 2013. CIS organized a workshop at the event.

Unique Identification Authority of India (UIDAI) and the UID project have no legal sanctity, said independent law researcher and human rights activist Usha Ramanathan on Saturday.

Speaking at a workshop on the UID, the National Population Register and Governance, organised by the Centre for Internet and Society, Ms. Ramanathan said the UIDAI has “no clear legal status.” “The fact that there are no limits placed on its functioning is deeply worrying,” she remarked.

Ms. Ramanathan pointed out that an agency, which was created by a mere executive order in 2009, now “owns” the data obtained from Indian citizens. Although the UIDAI has said enrolment is not mandatory, a host of providers of essential services – from ration shops to LPG distributors and now even railway tickets – require Aadhaar authentication.

The idea of using biometric validation of identities was adopted despite there “being no evidence of its viability anywhere in the world,” Ms. Ramanathan said. In fact, several reports have established the failure of biometrics as a means of validating identities, she claimed. The iris scanning, which has been adopted for the UID project is flawed because the iris does change over time, she said.

Anant Maringati, a geographer from Hyderabad, said the “positive” potential of the project have been usurped by entities such as microfinance institutions, which sue them to track those who have defaulted on loans.

‘An agency, which was created by a mere executive order in 2009, now owns the data obtained from Indian citizens’

‘Although the UIDAI has said enrolment is not mandatory, providers of essential services seek Aadhaar authentication’

For more details visit https://cis-india.org/news/the-hindu-march-3-2013-uid-has-no-legal-sanctity

UID elicits mixed response

praskrishna — 2011-04-02T06:32:44Z

Which is the root cause for pilferage of welfare funds in India: fake identity or corruption?

Can the Unique Identity Card (UID) project solve this problem or will it create other more serious issues like infringement of constitutional rights, etc? These were the points fiercely debated at a panel discussion on UID organised by the Centre for Internet Society and Citizens' Action forum.

Chief Electoral Officer M N Vidyashankar, who made a presentation on the progress of the UID project in the State, at times, struggled to convince the audience on the necessity and feasibility of the project.

According to Mathews Thomas of the Citizens' Action Forum, the UID project creates more problems than it is expected to resolve.

“First, it was launched bypassing Parliament. It will only store biometric and other data of all citizens. This could result in illegal migrants claiming citizenship. Further, it will not prevent corruption in Public Distribution System or other schemes. The huge expenditure it will incur is also a matter of grave concern,” he said.

Defending the project, Vidyashankar said it was necessary to weed out discrepancies in multiple identity documents.

“It's well known that inconsistencies in a person's name, father's name, address, etc, creep in multiple documents. For instance, there will be different spellings of a person on a voter ID card, a driving Licence, a passport, and a PAN card. The UID will help in checking such discrepancies,” he asserted.

No operator will be able to tamper with the data. The laptops will have two screens to help the applicant see the entries. Data will first go to the Grameen Business Centre from where it will head to the Central Identity Database Repository which will issue a randomly generated number, he added.

Former Minister Prof B K Chandrashekhar said that there were several concerns in the UID project which need to be addressed properly.

Read the original in Deccan Herald

For more details visit https://cis-india.org/news/uid-mixed-response

UID coverage in Udayavani

praskrishna — 2011-04-02T11:13:24Z

A press conference was held at the Press Club in Bangalore on 26 July, 2010. It was co-organised by Citizen's Action Forum, Alternate Law Forum and the Centre for Internet and Society. Mathew Thomas and Vinay Baindur were the speakers. Leading Kannada newspaper Udayavani covered this event.

UID coverage in Udayavani

For reading the original click here.

For more details visit https://cis-india.org/news/uid-udayavani-news

UID and NPR: Towards Common Ground

Mukta Batra — 2014-10-15T13:06:40Z

The UID (Unique Identification) and NPR (National Population Register) are both government identity schemes that aggregate personal data, including biometric data for the provision of an identification factor, and aim to link them with the delivery of public utility services.

The differences between the two exist in terms of collection of data, the type of identification factor issued, authorities involved and the outcome.

Despite the differences, there has been talk of combining the two schemes because of the overlap.[1] In the same breath, it has been argued that the two schemes are incompatible. [2]

One of the UIDAI’s (Unique Identification Authority of India) functions is to harmonize the two schemes. [3]

As it stands, the schemes are distinct. Enrolment for a UID does not lead to automatic enrolment in the NPR. The NPR website expressly states that even if a data subject has undergone census or has been granted a UID Number, it is necessary to visit a data collection centre to provide biometric data for the NPR.[4]

UID and NPR: The Differences

The Basis of identity/ Unit of Survey

The most striking difference between the UID and NPR Schemes is their notion of identity. The UID is individual based, whereas the NPR scheme focuses on the household or the family as a composite unit. Thus, the UID seeks to enroll individuals while the NPR seeks to gather data of the members of a household or family as a composite unit during the census and later register each person for an NPR Card, on the basis of the census data. To this extent, analysis of the data gathered from the two schemes will be different and will require differing analytical tools. The definition of the data subject and the population is different. In one scheme, the unit is an individual; in the other it is the household/family. Though the family is the composite unit in the NPR, the data is finally extracted it is unpaired to provide individuals NPR cards, but the family based association is not lost and it is argued that this household association of NPR should be used to calculate and provide subsidies. Some states have put on hold transfer of cooking gas subsidy, which is calculated for each household, through Aadhar-linked bank accounts.[5] If both schemes were merged, the basis for determining entitlement to subsidies would be non-uniform.

Differences in Information Collection

The UID and NPR have different procedures for collection of information. In the UID scheme, all data is collected in data collection centres whereas NPR data is collected door to door in part and in collection centres for the other part.

UID data is collected by the UIDAI themselves or by private parties, under contract. These contractors are private parties: often, online marketing service providers.[6] The data subjects were initially allowed registration through an introducer and without any documentation. This was replaced with the verification system where documents were to be produced for registration for UID.

The NPR involves a dual collection process- the first stage is the door-to-door collection of data as part of the Census. This information is collected through questionnaire. No supporting documents/ proof is produced to verify this data. The verification happens at a later stage, through public display of the information. This data is digitized. The data subjects are then to give their biometric data at the data collection centres, on the production of the census slip. The biometric data collectors are parties who are empanelled by the UIDAI and are eligible to collect data under the UID Scheme. A subject’ s data is aggregated and then de-duplicated by the UIDAI. [7]

This shows two points of merger. It can be suggested that when data is collected for the UID number, then the subject should not have to give their biometrics for the NPR Scheme again. The sharing of biometrics across the schemes will reduce cost and redundancy. While sharing of UID data with NPR is feasible, the reverse is not true, since UID is optional and NPR is not. If NPR data is to be shared with UID, then the subject has the right to refuse. However, the consent for using NPR data for the UID is a default YES in the UID form. [8] Prohibiting the information sharing is no option.

Differences in Stated Purposes

The NPR is linked to citizenship status. The NPR exercise is being conducted to create a national citizen register and to assist in identifying and preventing illegal immigration. The NPR card, a desired outcome, is aimed to be a conduit for transactions relating to subsidies and public utilities.[9] So is the UID Number, which was created to provide the residents of India an identity. The linkage and provision of subsidies through the NPR and UID cards have not taken off on a large scale and there is a debate as to which will be more appropriate for direct benefit transfer, with some leaders proclaiming that the NPR scheme is more suited to direct benefit transfer.[10] Since the UID Number is linked to direct benefit transfer, but not to citizenship, benefits such as those under the MNREGA scheme, may be availed by non-citizens as well, though only citizens are eligible for the scheme.[11]

C. Chandramouli, the Registrar General and Census Commissioner of India, states that the conflict between the two schemes is only perceived, and results from a poor understanding of the differences in objective. The NPR, he states is created to provide national security through the creation of a citizen register, starting with a register of residents after authentication and verification of the residence of the subjects. On the other hand, the UID exercise is to provide a number that will be used to correctly identify a person.[12]

Difference in Legal Sanctity

The UIDAI was set up through an executive notification, which dictates a few of its responsibility, including: assigning a UID number, collating the UID and NPR schemes, laying down standards for interlinking with partner databases and so on. However, the UIDAI has not expressed responsibility to collect, or authorize collection of data under this scheme. The power to authorize the collection of biometrics is vested with the National Identification Authority of India (NIAI), which will be set up under the National Identification Authority of India Bill, (NIAI Bill, which is at times referred to as the UID Bill).

The NPR Scheme has been created pursuant to the 2004 Amendment of the Citizenship Act. Under S. 14A of the Citizenship Act, the central government has the power to compulsorily register citizens for an Identity Card. This gives the NPR exercise sanctity. However, no authority to collect biometric information has been given either under this Act or Rules framed under it.

Future of Aadhaar

The existence of both the UID and NPR Schemes leads to redundancy. Therefore, many have advocated for their merger. This seems impractical, as the standards in collection and management of data are not the same.

For some time, it was thought that the Aadhaar Scheme would be scrapped. This belief was based on the present government’s opposition to the scheme during and before the election. This was further strengthened by the fact that they did not expressly mention the continuance of the scheme in their manifesto. The Cabinet Committee on UIDAI was disbanded and the enrolment for the UID Number was stopped, only to be resumed a short while later.[13]

However, recent events show that the Aadhaar scheme will continue. First, the new government has stated that the UID scheme will continue. In support of the UID Scheme, the government has made budgetary allocation for the scheme to enable, inter-alia, it being sped-up. The Government even intends to enact a law to give the scheme sanctity. [14]

Second, the Government is assigning the UID Number new uses. To track attendance of government employees, the Government shall use a biometric attendance system, which is linked to the employees UID Number. [15] The attendance will be uploaded onto a website, to boost transparency.

Third, direct benefit transfers under the UID will become more vigorous.

The UID is already necessary for registration under the NPR, which is compulsory.

Providing one’s UID Number for utilities such as cooking gas is also compulsory in several areas, despite the Courts diktat that it should not be so.[16]

Conclusion

The government is in favour of continuing both the schemes. Therefore, it is unlikely that either scheme will be scrapped or that the two schemes will be combined. The registration for UID is becoming compulsory by implication as it is required for direct benefit transfers and for utilities. Data collected under NPR is being shared with the UIDAI by default, when one registers for a UID number. However, the reverse is unlikely, as the UID collects secondary data, whereas NPR requires primary data, which it collects through physical survey and authentication. Perhaps the sharing of data could be incorporated when one goes to the data collection centre to submit biometrics for the NPR. The subject could fill in the UID form and submit verification documents at this stage, completing both exercises in one go. This will drastically reduce the combined costs of the two exercises.

[1] Rajesh Aggarwal, Merging UID and NPR???, Igovernment, accessed 5 September, 2014 http://www.igovernment.in/igov/opinion/41631/merging-npr-uid; Bharti Jain, Rajnath Hints at Merger of NPR and Aadhar, Times of India, accessed 5 September, 2014 http://timesofindia.indiatimes.com/india/Rajnath-hints-at-merger-of-NPR-and-Aadhaar/articleshow/35740480.cms

[2] Raju Rajagopal, The Aadhar-NPR Conundrum, Mint, accessed 5 September, 2014 http://www.livemint.com/Opinion/tvpoCYeHxrs2Z7EkAAu7bP/The-AadhaarNPR-conundrum.html .

[3] Cl, 4 of the Notification on the creation o fthe UIDAI, No. A-43011/02/2009-Admin.1 of the Planning Commission of India, dated 28 January, 2009

[4] FAQ for NPR, accessed: 3 September, 2014. http://censusindia.gov.in/2011-Common/FAQs.html

[5] A Jolt for Aadhar: UPA Shouldn’t Have to Put on Hold its Only Good Idea,Business Standard, accessed 5 September, 2014 http://www.business-standard.com/article/opinion/a-jolt-for-aadhaar-114020301243_1.html

[6] Prakash Chandra Sao, The Unique ID Project in India: An Exploratory Study, accessed: 21 August, 2014 http://subversions.tiss.edu/the-unique-id-project-in-india-an-exploratory-study/

[7] NPR Activities, accessed 5 September, 2014, http://ditnpr.nic.in/NPR_Activities.aspx

[8] R. Dinakaran, NPR and Aadhar- A Confused Process, The Hindu BusinessLine, accessed: 4 September, 2014 http://www.thehindubusinessline.com/blogs/blog-rdinakaran/npr-and-aadhaar-a-confused-process/article4940976.ece

[9] More than sixty-five thousand NPR cards have been issued and biometric data of more than twenty-five lakh people has been captured, as on 28 August, 2014 http://censusindia.gov.in

[10] NPR, not Aadhaar, best tool for cash transfer: BJP's Sinha, accessed: 3 September, http://www.moneycontrol.com/master_your_money/stocks_news_consumption.php?autono=1035033

[11] Bharati Jain, NDA's national ID cards may kill UPA's Aadhaar, accessed 3 September, 2014 http://timesofindia.indiatimes.com/india/NDAs-national-ID-cards-may-kill-UPAs-Aadhaar/articleshow/36791858.cms

[12] Id.

[13] Aadhar Enrolment Drive Begins Again, accessed 3 Spetember, 2014 http://timesofindia.indiatimes.com/city/gurgaon/Aadhaar-enrolment-drive-begins-again/articleshow/38280932.cms

[14] Mahendra Singh, Modi govt to give legal backing to Aadhaar, Times of India, http://timesofindia.indiatimes.com/india/Modi-govt-to-give-legal-backing-to-Aadhaar/articleshow/38336812.cms

[15] Narendra Modi Government to Launch Website to Track Attendance of Central Government Employees, DNA, accessed: 4 September, 2014 http://www.dnaindia.com/india/report-narendra-modi-government-to-launch-website-to-track-attendance-of-central-government-employees-2014684

[16] No gas supply without Aadhaar card, Deccan Chronicle, accessed: 4 September, 2014, http://www.deccanchronicle.com/140829/nation-current-affairs/article/no-gas-supply-without-aadhaar-card

Note: This is an anonymous post.

For more details visit https://cis-india.org/internet-governance/blog/uid-npr-towards-common-ground

UID Act may be released for debate, may be introduced in monsoon session

praskrishna — 2011-04-02T11:27:53Z

An article by Karen Leigh & Surabhi Agarwal in livemint on June 30, 2010.

The government has moved to create a legal basis for its ambitious project to provide all residents with numeric identity cards and guarantee the safety of demographic and biometric data being collected for it.

The draft National Identification Authority of India Act, 2010, was put up for public debate on Tuesday, and is likely to be introduced when Parliament convenes for its monsoon session.

The Act provides for the creation of the National Identity Authority of India to oversee the implementation of the Aadhaar project, but its jurisdiction will not extend to Jammu and Kashmir.

“This Bill will give the authority a legislative framework to function,” said R.S. Sharma, director general of the Unique Identification Authority ofIndia (UIDAI), the nodal agency currently overseeing Aadhaar.

Sharma said the Bill contains provisions that will make sure that sensitive data is protected and there are no hacking attempts. It lays down that “the authority shall ensure the security and confidentiality of identity information of individuals”.

UIDAI is collecting fingerprints and eye scans of all residents, along with other information, for Aadhaar.

The Bill “will also make sure that data related to a citizen’s caste or religion is not collected or chronicled”, Sharma added.

The Bill lays down that impersonation using Aadhaar data can lead to a three-year jail term and a fine of Rs10,000. Unauthorized collection or dissemination of identity information will also invite a three-year jail term, or a Rs1 lakh fine, or both.

The heftiest penalty of Rs1 crore along with three years’ imprisonment has been specified for unauthorized access to the central database, which will contain all individual details collected for Aadhaar.

Although the Bill lays down that no information stored in the database shall be revealed by UIDAI officials, it allows disclosure of personal information in a case of national security. Information can be disclosed on the direction of an officer of joint secretary level or above in the Union government, with the approval of the minister in charge.

But civil rights activists say the safety measures in the Bill are not enough.

“It doesn’t have any of the safeguards and provisions necessary to protect the rights of citizens. It’s only protecting the interests of the UIDAI,” said Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society and a critic of the Aadhaar project.

“They have criminalized an imaginary crime—if the technology were infallible, which is what they claim biometrics is, then you can’t create ghost identities. They’re saying that ghost identities will still be there; that the technology is, in fact, not foolproof.”

Rahul Matthan, founding partner of law firm Trilegal, said the Bill will give a legal basis to UIDAI for collecting data and allotting identities.

“Provisions in the Act on data protection are limited as it can’t be a substitute for an over-arching data protection legislation in the country, which will deal with all kinds of citizen data,” he said.

The Union government is mulling over a separate privacy Bill to safeguard individual data privacy, as reported by Mint on 21 June. The move is aimed at deflecting worries over the safety of the immense amount of data it proposes to collect about its citizens for various programmes, including Aadhaar.

Read the original article in livemint.

For more details visit https://cis-india.org/news/UID-in-monsoon-session

UID & Privacy - A Call for Papers

elonnai — 2012-03-21T10:03:44Z

Privacy India is inviting individuals to author short papers focused on Unique Identity (UID) and Privacy. Selected candidates will have their papers published on the CIS website, and their transportation and accommodation provided for the “Privacy Matters” conference being held in Kolkata on 22 January 2010.

Topic

Privacy and the UID

Submission Deadline

By 15 January 2010 to admin@privacyindia.org

Word Length

3,000-5,000 words

Topic Summary

The Aadhaar scheme, or Unique Identity (UID) scheme is a plan to provide citizens identity cards that are tied to their unique biometric data – such as their fingerprints or retinal scans. Although the most frequently cited justification for this project is to ensure the secure delivery of relief to beneficiaries of government aid schemes, it is clear that the uses to which it will be put exceed this narrow mandate.

As India embarks on one of its most ambitious techno-administrative projects to date, there is surprisingly little clarity or introspection into the implications of having such a concentrated identity locked into a single card. In particular it appears that the grave threats to privacy the scheme poses have not received due attention. Although the final draft UID Bill circulated by the UIDAI in October 2010 contains some provisions that reference privacy, there seems to be a tacit assumption that privacy is an expendable or at least a less-desirable privilege that can be attended to fully once the scheme is in fully in place.

We invite individuals to author short inter-disciplinary papers that engage various topics on the theme of Privacy and the UID, including but not limited to the following:

Comparative studies on privacy and national identity card schemes in other countries

Privacy and the UID Bill

How will a project such as the UID change the relationship between the state, the individual, and the market?

Selected candidates will have their papers published on the CIS website, and their transportation and accommodation provided for the “Privacy Matters” conference being held in Kolkata on January 22nd 2010.

Who We Are

Privacy India was set up with the collaboration of the Centre for Internet and Society (CIS) and Society in Action Group (SAG), under the auspices of the international organization ‘Privacy International’. Privacy International is a non-profit group that provides assistance to civil society groups, governments, international and regional bodies, the media and the public in a number of countries (see www.privacyinternational.org). Privacy India's objective is to raise awareness, spark civil action and promoting democratic dialogue around privacy challenges and violations in India. In furtherance of this goal we aim to draft and promote an over-arching privacy legislation in India by drawing upon legal and academic resources and consultations with the public.

For more details visit https://cis-india.org/internet-governance/blog/privacy/privacy_callforpapers

UAS License Agreement Amendment regarding the Central Monitoring System (CMS)

maria — 2014-01-30T12:43:56Z

For more details visit https://cis-india.org/internet-governance/blog/uas-license-agreement-amendment

Two women arrested over Facebook gripe on Mumbai shutdown

praskrishna — 2013-01-15T09:26:33Z

A woman who complained about the Indian city of Mumbai shutting down for the funeral of divisive Hindu nationalist politician Balasaheb Thackeray was arrested for "hurting religious sentiments," local police told reporters amid public anger over the case.

This article by Emily Alpert appeared in Los Angeles Times on November 19, 2012. Pranesh Prakash is quoted.

Indian media identified the woman as Shaheen Dhada, 21, who reportedly wrote, "People like Thackeray are born and die daily and one should not observe a bandh [shutdown] for that.”

Police also arrested a friend of hers who "liked" the comment.

The Facebook remark spurred angry backers of Thackeray, a controversial figure who once openly called for attacks on Muslims, to assault a clinic owned by Dhada' uncle. Analysts told the Associated Press that the arrests appeared to be a move by police to head off any further violence from Thackeray supporters.

Free-speech groups were outraged by the ransacking and arrests. In a blistering letter to the chief minister of Maharashtra state, a former Supreme Court justice who now heads the Press Council of India called the charges absurd and unlawful and demanded that the police officers involved be prosecuted.

"We are living in a democracy, not a fascist dictatorship," Markandey Katju wrote.

The Maharashtra director-general of police ordered a probe into the arrests Monday, Indian television station IBN reported. The two women were reportedly released on bail during the day.

The Shiv Sena political party that Thackeray founded has polarized Mumbai over the years with campaigns against Muslims and migrants. His death put the city on high alert over the weekend amid fears of violence. As shops were shuttered and taxis sat idle, some Mumbai residents grew frustrated.

"When tens of thousands were making similar comments ... how did the police single out Shaheen Dhada and her friend for arrest?” wrote Pranesh Prakash of the Center for Internet and Society. He added, "This should not be written off as a harmless case of the police goofing up."

For more details visit https://cis-india.org/news/la-times-nov-19-2012-emily-alpert-two-women-arrested-over-facebook-gripe-on-mumbai-shutdown