Centre for Internet and Society

BBMP faces ire for publishing pourakarmikas' Aadhaar details on website

praskrishna — 2017-06-06T14:27:27Z

The Bruhat Bengaluru Mahanagara Palike (BBMP) has published the Aadhaar details and other personal information of thousands of its pourakarmikas - civic workers who sweep streets and collect waste door-to-door.

This has angered activists who believe it could be misused. BBMP claims it was done to bring transparency in the city's solid waste management. The article by Bharat Joshi was published in the Economic Times on May 29, 2017.

The Aadhaar number, provident fund number, employee state insurance (ESIC) number and residential addresses of thousands of pourakarmikas are available ward-wise on the civic body's website. ET accessed as many as 4,215 Aadhaar numbers and 5,744 PF and ESI numbers of pourakarmikas from 58 wards. The number could be much higher across the city's 198 wards. An ESI number grants access to personal details of an employee on the esic.nic.in website, such as father's name and date of birth.

The city has over 30,000 pourakarmikas, most of them Dalit women and employed by contractors. The disclosure of their Aadhaar numbers comes at a time when the Modi administration's push for wider application of the unique identification number has triggered a nationwide debate on privacy.

"(Disclosure) happens because authorities don't read the law," Supreme Court advocate KV Dhananjay said. "There is every possibility of misuse, especially identity theft. What hackers do is they start aggregating such information because the Aadhaar is used as a platform for transfer of benefits. And with Aadhaar set to become the anchor for many things, the BBMP should immediately remove those details."

A recent report by city-based Centre for Internet and Society flagged four government agencies for publishing Aadhaar and other financial data. It blamed the Unique Identification Authority of India (UIDAI) for turning a blind eye to the lack of standards prescribed for how other agencies deal with data, such cases of massive public disclosure and "the myriad ways in which it could be used for mischief."

Earlier this month, UIDAI chief executive officer Ajay Bhushan Pandey wrote to chief secretaries of all states, reminding them that publishing an Aadhaar number is prohibited under Sections 29(2), 29(3) and 29(4) of the Aadhaar Act, 2016. "Our intention was not to cause anyone any harm," BBMP Joint Commissioner (solid waste management) Sarfaraz Khan said. The idea was to prevent contractors from taking payments against non-existent pourakarmikas. "We're also planning to make public details of which exact street a pourakarmika is working on."

He added that he would discuss the disclosure with the Commissioner, "If there is any violation, the Aadhaar numbers will be removed."

This points to the need for BBMP to have a policy on data and privacy, said Vinay K Sreenivasa of the Alternative Law Forum. "Of what use is an Aadhaar number to the BBMP? Names and photographs would have sufficed to ensure transparency."

ET Follow-up on Scare in Malleswaram
BBMP Joint Commissioner Sarfaraz Khan was unaware that publishing Aadhaar data is a punishable offence. However, the election wing of the BBMP has ordered a probe after ET reported how a certain Hanumantharaju, claiming to be a municipal official, collected Aadhaar details from residents of the Atma KT Apartment in Malleswaram.

Residents also filed a complaint with the Malleswaram police. "We called the man's mobile number but a woman picked up. Further investigation is underway and BBMP is also checking its records," a police officer said.

Residents also plan to submit a representation to Malleswaram MLA CN Ashwathnarayan. "We have taken this seriously and are awaiting a report from the Malleswaram BBMP revenue office," Assistant Commissioner (election) TR Shobha told ET.

For more details visit https://cis-india.org/internet-governance/news/economic-times-may-29-2017-bharat-joshi-bbmp-faces-ire-for-publishing-pourakarmikas-aadhaar-details-on-website

Provide hacker details, outfit that claimed data leak told

praskrishna — 2017-06-07T12:14:13Z

The Unique Identification Authority of India (UIDAI), the regulatory authority for Aadhaar, has written to a Bengaluru-based research organisation, Centre for Internet & Society (CIS), seeking details about a suspected hack attack on government websites that led to the leak of information about 13 crore users.

The article by Mahendra Singh was published in the Times of India on May 18, 2017.

In a recent report, CIS had highlighted that websites run by various government departments, owing to a poor security framework, had publicly displayed sensitive personal financial information and Aadhaar numbers of beneficiaries of certainprojects.

In its letter, UIDAI argued that the data downloaded from one of the websites could not have been accessed unless the website was hacked. As hacking is a grave offence under the law, the UIDAI has asked CIS to provide details of the persons involved in the data theft.

According to a source, the UIDAI said that access to data on the website for the 'National Social Assistance Program' was only possible for someone in possession of authorised login details, or if the site (http://nsap.nic.in) was hacked or breached. The UIDAI said in its letter that such illegal access was against the provisions of the Aadhaar Act, 2016, and the IT Act, 2000, and that the persons involved had committed a grave offence.

Asking the CIS to reply before May 30, the UIDAI also said, "Aadhaar system is a protected system under Section 70 of the IT Act, 2000, the violation of which is punishable with rigorous imprisonment for a period up to 10 years." It added that the penalty clauses for violations are also provided in Section 36, Section 38 and Section 39 of the Aadhaar Act.

The UIDAI, however, maintained that even if the Aadhaar details were known to someone it did not pose a real threat to the people whose information was publicly available because the Aadhaar number could not be misused without biometrics.

The UIDAI letter said, "While, as your report suggests, there is a need to strengthen IT security of government websites, it is also important that the persons involved in hacking such sensitive information are brought to justice for which your assistance is required under the law."

"Your report mentions 13 crore people's data has been 'leaked'. Please specify how much of this data had been downloaded by you or are in your possession or in the possession of any other persons that you know. Please provide the details," the UIDAI added in its letter. The UIDAI also urged CIS to provide the details of the persons/organisations with whom it shared the data, if it did.

For more details visit https://cis-india.org/internet-governance/news/the-times-of-india-mahendra-singh-may-18-2017-provide-hacker-details-outfit-that-claimed-data-leak-told

Aadhaar: Ushering in a Commercialized Era of Surveillance in India

praskrishna — 2017-06-07T12:45:30Z

Since last year, Indian citizens have been required to submit their photograph, iris and fingerprint scans in order to access legal entitlements, benefits, compensation, scholarships, and even nutrition programs. Submitting biometric information is needed for the rehabilitation of manual scavengers, the training and aid of disabled people, and anti-retroviral therapy for HIV/AIDS patients. Soon police in the Alwar district of Rajasthan will be able to register criminals, and track missing persons through an app that integrates biometric information with the Crime and Criminal Tracking Network Systems (CCTNS).

The article by Jyoti Panday was published by the Electronic Frontier Foundation on June 1, 2017.

These instances demonstrate how intrusive India’s controversial national biometric identity scheme, better known as Aadhaar has grown. Aadhaar is a 12-digit unique identity number (UID) issued by the government after verifying a person’s biometric and demographic information. As of April 2017, the Unique Identification Authority of India (UIDAI) has issued 1.14 billion UIDs covering nearly 87% of the population making Aadhaar, the largest biometric database in the world. The government asserts that enrollment reduces fraud in welfare schemes and brings greater social inclusion. Welfare schemes that provide access to basic services for marginalized and vulnerable groups are essential. However, unlike countries where similar schemes have been implemented, invasive biometric collection is being imposed as a condition for basic entitlements in India. The privacy and surveillance risks associated with the scheme have caused much dissension in India.

Identity and Privacy in India

Initiated as an identity authentication tool, the critical problem with Aadhaar is that it is being pushed as a unique identifier to access a range of services. The government continues to maintain that the scheme is voluntary, and yet it has galvanized enrollment by linking Aadhaar to over 50 schemes. Aadhaar has become the de-facto identity document accepted at private, banks, schools, and hospitals. Since Aadhaar is linked to the delivery of essential services, authentication errors or deactivation has serious consequences including exclusion and denial of statutory rights. But more importantly, using a unique identifier across a range of schemes and services enables seamless combination and comparison of databases. By using Aadhaar, the government can match existing records such as driving license, ration card, financial history to the primary identifier to create detailed profiles. Aadhaar may not be the only mechanism, but essentially, it's a surveillance tool that the Indian government can use to surreptitiously identify and track citizens.

This is worrying, particularly in context of the ambiguity regarding privacy in India. The right to privacy for Indian citizens is not enshrined in the Constitution. Although, the Supreme Court has located the right to privacy as implicit in the concept of “ordered liberty” and held that it is necessary in order for citizens to effectively enjoy all other fundamental rights. There is also no comprehensive national framework that regulates the collection and use of personal information. In 2012, Justice K.S. Puttaswamy challenged Aadhaar in the Supreme Court of India on the grounds that it violates the right to privacy. The Court passed an interim order restricting compulsory linking of Aadhaar for benefits delivery, and referred the clarification on privacy as a right to a larger bench. More than a year later, the constitutional bench is yet to be constituted.

The delay in sorting out the nature and scope of privacy as right in India has allowed the government to continue linking Aadhaar to as many schemes as possible, perhaps with the intention of ensuring the scheme becomes too big to be rolled back. In 2016, the government enacted the 'Aadhaar Act' passing the legislation without any debate, discussion or even approval of both houses of Parliament. In April this year, Aadhaar was made compulsory for filing income tax or PAN number application and the decision is being challenges in Supreme Court. Defending the State , the Attorney-General of India claimed that the arguments on so-called privacy and bodily intrusion is bogus, and citizens cannot have an absolute right over their body! The State’s articulation is chilling, especially in light of the Human DNA Profiling Bill seeking the right to collect biological samples and DNA indices of citizens. Such anti-rights arguments are worth note because biometric tracking of citizens isn't just government policy - it is also becoming big business.

Role of Private Companies

Private companies supply hardware, software, programs, and the biometric registration services for rolling out Aadhaar to India’s large population. UIDAI’s Committee on Biometrics acknowledges that biometrics data are national assets though American biometric technology provider L-1 Identity Solutions, and consulting firms Accenture and Ernst and Young can access and retain citizens' data. The Aadhaar Act introduces electronic Know-Your-Customer (eKYC) that allows government agencies and private companies to download data such as name, gender and date of birth from the Aadhaar database at the time of authentication. Banks and telecom companies using authentication process to download data and auto-fill KYC forms and to profile users. Over the last few years, the number of companies or applications built around profiling of citizens’ personally sensitive data has grown exponentially.

A number of people linked with creating the UIDAI infrastructure have founded iSPIRT, an organisation that is pushing for commercial uses of Aadhaar. Private companies are using Aadhaar for authentication purposes and background checks. Microsoft has announced SkypeLite integration with Aadhaar to verify users. Others, such as TrustId and Eko are integrating rating systems into their authentication services and tracking users through platforms they create. In essence such companies are creating their own private database to track authenticated Aadhaar users and they may sell this data to other companies. The growth of companies that share and combine databases to profile users is an indication of the value of personal data and its centrality for both large and small companies in India.

Integrating and linking large biometrics collections to each other, which are then linked with traditional data points that private companies hold such as geolocation or phone number enables constant surveillance to take over. So far, there has been no parliamentary discussion on the role of private companies. UIDAI remains the ultimate authority in deciding the nature, level and cost of access granted to private companies. For example, there is nothing in Aadhaar Act that prevents Facebook from entering into an agreement with the Indian government to make Aadhaar mandatory to access WhatsApp or any of its other services. Facebook could also pay data brokers and aggregators to create customer profiles to add to its ever growing data points for tracking and profiling its users.

Security Risks and Liability

A series of data leakages have raised concerns about which private entities are involved, and how they handle personal and sensitive data. In February, UIDAI registered a complaint against three companies for storing and using biometric data for multiple transactions. Aadhaar numbers of over 130 million people and bank account details of about 100 million people have been publicly displayed through government portals owing to poor security practices. A recent report from Centre for Internet and Society (CIS) showed that a simple tweaking of URL query parameters of the National Social Assistance Programme (NSAP) website could unmask and display private information of a fifth of India's population.

Such data leaks pose a huge risk as compromised biometrics can never be recovered. The Aadhaar Act establishes UIDAI as the primary custodian of identity information, but is silent on the liability in case of data breaches. The Act is also unclear about notice and remedies for victims of identity theft and financial frauds and citizens whose data has been compromised. UIDAI has continued to fix breaches upon being notified, but maintains that storage in federated databases ensures that no agency can track or profile individuals.

After almost a decade of pushing a framework for mass collection of data, the Indian government has issued guidelines to secure identity and sensitive personal data in India. The guidelines could have come earlier, and given large data leaks in the past may also be redundant. Nevertheless, it is reassuring to see practices for keeping information safe and the idea of positive informed consent being reinforced for government departments. To be clear, the guidelines are meant for government departments and private companies using Aadhaar for authentication, profiling and building databases fall outside its scope. With political attitudes to corporations exploiting personal information changing the world over, the stakes for establishing a framework that limits private companies commercializing personal data and tracking Indian citizens are as high as they have ever been.

For more details visit https://cis-india.org/internet-governance/news/electronic-frontier-foundation-jyoti-panday-june-1-2017-aadhaar-ushering-in-a-commercialized-era-of-surveillance-in-india

Debate over #Aadhaar Turns Nasty as Critics Accuse Supporters of Online Trolling

praskrishna — 2017-06-07T13:09:10Z

Internet Freedom Foundation’s Kiran Jonnalagadda has alleged that iSPIRT and its co-founder Sharad Sharma set up fake Twitter profiles to harass, intimidate Aadhaar critics.

The article by Ajoy Ashirwad Mahaprahasta was published in the Wire on May 19, 2017.

As bizarre as this may sound, one of the founders of the Indian Software Products Industry Round Table (iSPIRT) – an influential think-tank closely associated with the Unique Identification Authority of India (UIDAI) – Sharad Sharma, is battling allegations of trolling anti-Aadhar campaigners through fake Twitter profiles.

Kiran Jonnalagadda, one of the founders of Internet Freedom Foundation (IFF), has alleged that a number of fake profiles started to troll him online earlier this month in response to his criticism of Aadhar on Twitter. Surprisingly, he said, one of the profiles –@confident_India – which trolled him was apparently operated by Sharma, considered highly influential within the IT and start-up industry and a governing council member of iSPIRT.

What is iSPIRT?

In 2013, a group of volunteers working with NASSCOM founded iSPIRT to represent the software products industry independently. It is widely known that many of these same volunteers also helped the UIDAI develop much of the initial Aadhaar infrastructure and ecosystem. According to Forbes India, iSPIRT helps Indian software product companies “draft and take policy proposals to government officials; create reusable ‘playbooks’ from successful companies that can be applied by others; and create ‘self-help communities’.” It aims to facilitate Indian software product companies, which build affordable and innovative technologies, get a footprint in sectors like health, education, infrastructure and create conditions so that they get an equal platform to compete with big multinationals.

In this mission, iSPIRT believes that Aadhaar-based technologies, which Indian software product companies may create, could help the Indian software product industry gain an advantage over multinationals, which may be skeptical about using Aadhaar. In other words, iSPIRT, one of the biggest advocates of Aadhaar, sees a commercial advantage to the increasing use of Aadhaar for many of the entrepreneurs associated with the Round Table. To this end, iSPIRT runs two initiatives – ProductNation and IndiaStack, a collection of open APIs for technology infrastructure projects like UPI and Aadhaar.

While the mission may sound fine, many of the Aadhaar advocates within iSPIRT have had to face questions from civil society, most of which have to do with the suspicion that Aadhaar could compromise online privacy. This, over the past few months, has led to heated social media battles between iSPIRT and anti-Aadhaar campaigners.

However, the debate took a darker turn when Jonnalagadda uploaded a video showing that the @Confident_India Twitter handle could be traced back to Sharma’s personal mobile phone number on Twitter. Sharma, has since then, apparently changed his number.

“It was only when I started to grow suspicious of the handle that I thought of using Sharma’s phone number to verify the account,” Jonnalagadda tells The Wire.

In an article – “Inside the mind of India’s chief tech stack evangelist” – where he narrates the events, he says “a flurry of newly created Twitter trolls accounts began heckling me about Aadhaar”.

Around 10 such handles started making unprovoked attacks on Jonnalagadda and another founder of IFF, Nikhil Pahwa, accusing them of being guided by “greed, profit, and deceit” for being in the “#AntiAadhaar brigade.”

As the argument continued, @confident_India called Jonnalgadda “pretentious” mouthing “highfalutin stuff” and “techno-babble”.

“All these did not perturb me as it was a part of routine arguments,” says Jonnalagadda.

However, in what he calls a “lightbulb moment”, he had the first inkling that Sharma could be operating the account of @confident_India through this thread:

“Sharad Sharma’s original account doesn’t follow any of these people on the thread. The conversation would not have shown on his timeline. Yet both @confident_India and Sharad Sharma made the same argument,” says Jonnalagadda.

Then, he says, Sharma gave it out. A question addressed to Sharad Sharma ended up being answered by @confident_India.

@Confident_India also went on a tirade against the IFF fellows and called them “JNUtype”, “ISISstooge” or belonging to Lutyens Delhi, insinuating that the IFF fellows are terrorists or largely belong to a certain social elite category of people.

When this prompted Jonnalagadda to verify the account with Sharma’s number, it matched. He later posted the video on his account.

An email from The Wire to Sharad Sharma remained unanswered at the time of writing.

However, soon after this alleged expose kicked off a Twitter war between the two groups, Sharad responded with a reply to Nikhil Pahwa’s tweet.

iSPIRT also responded in various online forums. “Sharad Sharma, co-founder of iSPIRT, named in these allegations is in the US for a medical emergency in his family. As of this morning, Eastern Standard Time, Sharad has categorically denied these allegations. We will further investigate the confusion around the alleged link of mobile number and clarify all outstanding questions. For the moment, we are prioritising the well-being of Sharad and his family,” says the organisation’s response.

“We want to categorically state that the allegations against iSPIRT coordinating and/or promoting any troll campaign are false and the evidence presented is a deliberate misreading of our intent to engage with those speaking against India Stack” it added.

Interestingly, however, what has emerged out of the controversy is another allegation by the IFF that iSPIRT had made trolling part of its policy to counter Aadhaar’s “detractors.”

At a fellows meeting earlier this year in February, iSPIRT charted out a “Detractors Matrix” in which they categorised the anti-Aadhar campaigners into four categories, namely “misinformed, fearful, and engaging”, “informed, fearful and engaging”, “misinformed and trolling” and lastly, “informed yet trolling”. In an internal iSPIRT presentation, Reetika Khera, IIT professor and a renowned economist, and Nikhil Pahwa, IFF’s co-founder were shown as belonging to the last two categories.

To counter Aadhaar critics on online platforms, iSPIRT volunteers intended to group themselves into “archers” and “swordsmen” who would challenge their theories on Twitter and elsewhere.

iSPIRT has acknowledged discussing the “detractor matrix” in its reply to the allegation but dismissed it being equivalent to trolling, as Jonnalagadda alleges. Co-founder of iSPIRT, ThiyagaRajan Maruthavanan, while responding to allegations said that there was no official involvement on behalf of iSPIRT.

CIS allegations

Many of the pro-Aadhaar Twitter trolls, most noticeably Confident_India, have also lashed out at other Internet rights organisations. This includes the Bangalore-based Centre for Internet and Society (CIS) which last month released a report that claimed that over 100 million Aadhaar numbers were publicly exposed by four government websites. The Confident_India Twitter handle has alleged that CIS has violated foreign funding regulations (under the Foreign Contributions Regulations Act), that they are likely “funded by ISI” and that because of their “advocacy efforts”, the organisation should be shut down.

It should be noted that the Unique Identification Authority of India has also sent a sharp letter to CIS over its report and has suggested that some of the Aadhaar data that the report documented could not have been gotten through legal means.

For more details visit https://cis-india.org/internet-governance/news/the-wire-may-19-2017-ajoy-ashirwad-mahaprahasta-debate-over-aadhaar-turns-nasty-as-critics-accuse-supporters-of-online-trolling

Online Trolls Attack Critics of India's Aadhaar State ID System

praskrishna — 2017-06-07T13:34:00Z

India's biometric state ID system has been leaking citizens’ data for months. When this information surfaced in April 2017, it stoked fears that the system could be used as an instrument of surveillance against Indian residents.

The blog post by Rohith Jyothish was published by Global Voices on May 31, 2017.

The Unique Identity Authority of India (UIDAI), which administrates the system known as Aadhaar (meaning foundation in Hindi) maintains that it only collects minimal personal data and stores it securely. But critics have firmly expressed doubts about these claims.

The implications of these leaks, and of any system flaw in Aadhaar technology, are substantial, especially for Indians who depend on the Aadhaar system in order to authenticate their identities when they use any number of government services. The Aadhaar system has become the gatekeeper of state systems and services ranging from voting to financial savings to food subsidies.

The digital sphere is now starting to see a pushback against Aadhaar critics through articles and blogposts that describe concerned citizens and privacy experts as the ‘anti-Aadhaar brigade‘ and accuse them of publishing “half-truths” and “spread[ing] confusion to advance their own interests.” One such article was even featured on the UIDAI website.

Some of the most well-researched critiques of the system have come from the Centre for Internet and Society (CIS), an inter-disciplinary research organisation in Bangalore that has now become a target of the pro-Aadhaar lobby. Shortly after CIS released a report that pointed out security flaws in the Aadhaar ecosystem, the UIDAI accused the organization of hacking into the Aadhaar system themselves.

In fact, CIS had investigated databases of four specific government websites. Three were available publicly, the fourth one was accessible by simply changing one of the URL parameters. Following the accusation from UIDAI, CIS clarified that the Aadhaar numbers along with other sensitive personal financial information like bank account details were made available by government websites themselves, putting a sizeable portion of Indian citizens at risk of financial fraud.

The Press Trust of India (India's largest news agency) referred to it as a “flip-flop”, which was contested by researchers at CIS.

Independent technology news platform Medianama reported that the accusation by the UIDAI is regrettably consistent with previous actions in which they filed a case against a journalist for exposing flaws in Aadhaar's enrollment mechanism.

A website called ‘Support Aadhaar‘ and its Twitter handle sought to collate opinions supporting Aadhaar and quell those speaking against it. However, most of their messages appear to evade or deflect the concerns that critics have raised by touting the benefits of the system and portraying critics as having a poor understanding of the benefits of technology.

Many Twitter users have also begun noticing patterns in the pro-Aadhaar posts:

Meanwhile, several critics of Aadhaar have repeatedly been trolled by anonymous handles on Twitter. These ‘sock puppet’ accounts seemed to be targeting those who criticise Aadhaar on social media.

One of the most active trolls issued an open challenge to reveal their identity with just their Aadhaar number. Technology entrepreneur Kiran Jonnalagadda accepted the challenge and found that ‘@Confident_India’, one of the many anonymous troll Twitter handles, is Sharad Sharma, the co-founder and director of iSPIRT Foundation (Indian Software Product Industry Roundtable), the software lobby that built the backbone of the Aadhaar ecosystem.

Sharma accidentally tweeted a denial from the troll account which has since been deleted. He then tweeted again from his personal handle which was captured.

iSPIRT officially denied allegations by Jonnalgadda that the “evidence presented is a deliberate misreading of our intent to engage with those speaking against India Stack.” India Stack is the digital infrastructure that has been built over Aadhaar.

But several other Twitter users have confirmed that Sharma's phone number is linked to ‘@Confident_India’. By their own admission, iSPIRT seemed to have an officially sanctioned project intended to systematically challenge anti-Aadhaar campaigners in online platforms. But they refuse to term these actions as “trolling”.

However, Sharma later made an apology for trolling and called it a “lapse of judgement”. CIS Executive Director Sunil Abraham seemed to appreciate the message. He tweeted: Bravo to @sharads for this! All of us at @cis_india look fwd to collaborating with @Product_Nation & @sharads to serve Indian s/w sector. https://twitter.com/sharads/status/866943195678035968 …

iSPIRT is an initiative which finds far-reaching support from several IT industry leaders in India. What is worrying is that there is still no clarification from iSPIRT on the identities of the other anonymous trolls and their position on trolling against genuine concerns raised by citizens.

More than a week after the trolling revelations, iSPIRT announced on its website, the results of an investigation carried out by an Internal Guidelines and Compliance Committee over the allegations against Sharma of operating the anonymous handles, ‘@Confident_India’ and ‘@Indiaforward2′. Jonnalgadda was one of the trolling victims who testified in the internal meeting. A summary of the investigation was posted bafflingly by the accused himself in which he says that project Sudham has been dissolved and that he has been told to not make public appearances on behalf of iSPIRT for four months while he remains Director and the face of the organisation. FactorDaily reported that iSPIRT members on the condition of anonymity said that Pallav Nadhani (Founder, Chief Executive, FusionCharts) and Naveen Tewari (Co-founder, InMobi) who quit iSPIRT were upset with their excessive focus on India Stack.

One wonders whether this kind of behavior would be treated differently if it took place offline. Is intimidating those who appear to be ‘detractors’ the most effective way of dealing with criticism? Why is a software lobby taking it upon themselves to defend the idea of Aadhaar and India Stack through such means?

Many are hoping that experts on both sides of the issue can find a way to debate questions around the privacy and security of Aadhaar's technology — that affect some 1.3 billion people — in a more democratic way.

For more details visit https://cis-india.org/internet-governance/news/global-voices-rohith-jyothish-may-31-2017-online-troll-attack-critics-of-indias-aadhaar-state-id-system

Digital native: Look before you (digitally) leap

nishant — 2017-06-08T01:22:54Z

Creating a digital future is great, but there’s a serious need to secure the infrastructure first.

The article was published in the Indian Express on May 28, 2017.

Digital technologies of connectivity have one unrelenting promise — they offer us new ways of doing things, augmenting existing practices, amplifying capacities and affording new possibilities of information and data transactions that accelerate the ways in which we live. This idea of the internet as infrastructure is central to India’s transition into an information technologies future.

Nandan Nilekani, almost a decade ago, in his book, Imagining India, had clearly charted how the digital is the basis for shaping the future of our communities, societies and governance. As one of the architects of Aadhaar, Nilekani had argued that the country of the 21st century will have to be one that seriously invests in the digital infrastructure.

In 10 short years, we have reached a point where we no longer question the enormous investment we make in digital systems of governance and functioning, and we appreciate the economic and networked values of projects like #DigitalIndia and #MakeInIndia that shape our markets and cities into becoming the new cyber-hubs.

There is no denying that digital offers a new way of consolidating a country as polyphonic, multicultural, expansive and diverse as India. We also have to appreciate that, even if selectively, the digitisation of public records, government services, and state support is clearly producing an administrative momentum that is reforming various practices of corruption and incompetence in the massive state machinery. The role of the digital as infrastructure has been a boon for many developing countries.

This positioning, however, masks the fact that infrastructure needs its own support and care systems. Take roads, for example. Roads allow for connectivity, movement and mobility between different spaces. They are one of the most important of state and public infrastructures and for all our jokes about pot-holes and eroding spaces for pedestrians, roads remain the life-line of our everyday life. A complex mechanism of planning, regulation and maintenance needs to be put into place in order to make roads survive.

The amount of attention we pay to roads — the material quality, the land that it occupies, the lanes for different vehicles, the traffic lights and zebra crossings, blockages and streamlines, authorising specific use of roads and disallowing certain activities to happen there — is staggering. A public planner would tell you that before the road comes into being, the idea of the road has to be formulated. The road needs protection and planning and its own infrastructure of support and creation.

When it comes to the information superhighway of the digital web, this remains forgotten. We are so focused on the digital as infrastructure that we seem to pay no attention to its infrastructure. Thus, when we proposed, deployed and now enforced a project like Aadhaar, the focus remained on its unfolding and its operations. Aadhaar as an aspiration of governance has its values and has the capacity to become a system that augments statecraft.

However, the infrastructure that is needed to make Aadhaar possible — rules and regulations around privacy, bills and acts about data sharing and ownership, contexts of informed consent and engagement, community awareness and data security protocol — have been missing from the debates. For years now, activists have been advising and warning the state that building this digital infrastructure without building the contexts within which they make sense is not just irresponsible, but downright dangerous.

Different governments have turned a deaf ear to these protests. Now, when the Aadhaar portals are found disclosing massive volumes of public data, making people vulnerable to data and identity theft and fraud, we are realising the massive projects we have started without thinking about the context of security.

With the ongoing controversies around #AadhaarLeaks, the question is not whether the disclosure of this information was a leak, a breach or an ignorant exposure of sensitive information. The response to it cannot be just about fixing the infrastructure and building more robust systems. The question that we need to confront is how do we stop thinking of the internet as infrastructure and start focusing on the infrastructure that needs to be set into place so that these digital systems promise safety, security, and protection for the lives they intersect with.

For more details visit https://cis-india.org/raw/indian-express-nishant-shah-may-28-2017-digital-native-look-before-you-digitally-leap

New law to unlock data economy

praskrishna — 2017-06-12T01:10:06Z

Proposal has been sent to PMO for approval.

The article by Yuthika Bhargava was published in the Hindu on June 9, 2017.

The government is mulling a new data protection law to protect personal data of citizens, while also creating an enabling framework to allow public data to be mined effectively. The move assumes significance amid the debate over security of individuals’ private data, including Aadhaar-linked biometrics, and the rising number of cyber-crimes in the country.

“The Ministry of Electronics and Information Technology (MEIT) is working on a new data protection law. A proposal to this effect has been sent to the Prime Ministers’ Office for approval,” a senior ministry official told The Hindu.

Once the PMO approves it, the ministry will set up a “cross-functional committee” on the issue.

“We want to include all stakeholders. It will be a high-level committee, and all current and future requirements of the sector will be discussed.”

Two chief aims

The official said: “We are working with two main aims – to ensure that personal data of individuals remain protected and is not misused, and to unlock the data economy.”

The official explained that a lot of benefits can be derived from the data that is publicly available, by using technology and big data analytics. “The information can be used for the benefit of both individuals and companies,” the official said.

“The underlying infrastructure of the digital economy is data. India is woefully unprepared to protect its citizens from the avalanche of companies that offer services in exchange for their data, with no comprehensive framework to protect users,” Software Freedom Law Centre (SFLC.in), a non-profit, said in an emailed reply.

Currently, India does not have a separate law for data protection, and there is no body that specifically regulates data privacy.

“There is nominally a data protection law in India in the form of the Reasonable Security Guidelines under Section 43A of the Information Technology Act. However, it is a toothless law and is never used. Even when data leaks such as the ones from the official Narendra Modi app or McDonald’s McDelivery app have happened, section 43A and its rules have not proven of use,” said Pranesh Prakash, policy director at CIS.

Some redress for misuse of personal data by commercial entities is also available under the Consumer Protection Act enacted in 2015, according to information on the website of Privacy International, an NGO. As per the Act, the disclosure of personal information given in confidence is an unfair trade practice.

For more details visit https://cis-india.org/internet-governance/news/the-hindu-yuthika-bhargava-june-9-2017-new-law-to-unlock-data-economy

Why did Nandan Nilekani praise a Twitter troll?

praskrishna — 2017-06-12T01:34:53Z

As the Supreme Court upholds the linking of ‘Aadhar’ with PAN, questions around ex-UIDAI chairman Nandan Nilekani praising iSPIRT head Sharad Sharma Twitter troll and ‘Aadhar’s privacy properties will continue to be asked.

The article by Kiran Jonnalgadda was published in the Indian Express on June 10, 2017.

Last month, Sharad Sharma, the head of the Indian Software Product Industry Round Table (iSPIRT) Foundation, an organisation that promotes Aadhaar to industry, was outed as the operator of at least two anonymous Twitter troll accounts that viciously harassed and defamed critics of Aadhaar. The shocking revelation was first met with denial by iSPIRT, and then followed by what may be understood as a reticent apology from Mr Sharma.

In a bizarre sequence of events, the apology received praise from several quarters. iSPIRT’s Guidelines and Compliance Committee (IGCC) investigated Mr Sharma and the ‘Sudham’ team that coordinated the trolling campaign. Two members of the investigating committee subsequently resigned, although only one confirmed.

The committee’s findings, confirming that Mr Sharma was responsible, were summarised for the public by Mr Sharma himself, who then announced that his role as a public spokesperson would now be handled by Sanjay Jain. Mr Jain was once with the Unique Identification Authority of India (UIDAI), launched by Nandan Nilekani, is currently a director at Nandan Nilekani’s EkStep Foundation, and a close confidante of Mr Sharma. The two have often pitched iSPIRT’s IndiaStack initiative together.

In an internal email questioning this decision, an iSPIRT member asked whether Mr Jain was a part of the ‘Sudham’ team, and whether he was also “at least partially culpable for the [troll] campaign and the violation of the code of conduct.”

The victims of the trolling have received no report, and the two apologies posted by Mr Sharma were both for having “condoned uncivil behaviour”, but not for personally orchestrating the attacks. Among those who praised him was Nandan Nilekani, former chairman of UIDAI and chief mentor of iSPIRT.

Critics have been pointing out for years that Aadhaar lacks sufficient checks and balances, and that claims of benefits are overstated. These concerns have been met with denial, condemnation of critics, and often outright refusal to engage in debate. This has unfortunately only served to alienate an even larger section of the population, turning ordinary citizens into activists.

We can gain an insight into how Aadhaar is promoted by examining iSPIRT. The organisation was founded in 2013 by volunteers who had been working together on the sidelines of the NASSCOM Product Conclave. These volunteers felt the need for an independent grassroots organisation to represent tech entrepreneurs who were building products for India and the world. iSPIRT has grown phenomenally influential over its few years, largely by the work of volunteers who were truly interested in building a mutual assistance community.

Level playing fields are a recurring topic. Just as there is a desire to lower bureaucratic hurdles to give every entrepreneur a fair chance, there is also the question of how a startup can compete against a foreign competitor that has the advantage of a stronger home market.

Flipkart and Ola are two prominent examples in their fight to defend their market share against Amazon and Uber, competitors armed with global experience, more capital, and better trained talent. iSPIRT’s take is that for Indian companies to thrive they must have a supportive ecosystem that enables rapid growth, and so iSPIRT must step up as an “activist think tank”.

One aspect of this activism is IndiaStack, which seeks to help startups by promoting a suite of ‘public goods’: Aadhaar and eKYC for id verification, eSign and Digilocker for digital contracts and certificates, and UPI for payments. If one accepts at face value that these services are well intentioned, then IndiaStack is on a noble quest. The details, unfortunately, are less pristine.

iSPIRT is a private non-profit, but its volunteers include several former members of UIDAI. The guidance and compliance committee (IGCC) investigating the trolling included a current member of government. iSPIRT helped build and evangelise the UPI (United Payments Interface) platform and BHIM app for NPCI, but the level of involvement and terms of the agreement are not public.

For an organisation that claims to champion public goods, iSPIRT is opaque on the level of influence they wield with government (Mr Sharma once claimed some influence but no control), and on who exactly built the various components of IndiaStack, within or outside of government.

They showed a remarkable degree of influence when foisting UPI on a change-resistant banking sector. They have funding from four banks (IDFC, SBI, Bank of Baroda and Axis Bank) and from fintech startups. Despite this level of responsibility, they also have no accountability since they are a pro bono volunteer force, allowing them to distance themselves from failures (UPI failures are NPCI’s problem and Aadhaar failures are UIDAI’s problem, etc) and unpleasant incidents such as the ‘Sudham’ trolling project. (No one has accepted responsibility for operating a troll account.)

At the core of IndiaStack is ‘Aadhaar’, which as it currently stands has serious concerns from its technical architecture to institutional safeguards. Aadhaar lacks publicly verifiable audits, a data breach disclosure policy, or an engagement process for researchers to report concerns.

For reasons best known to them, the promoters of ‘Aadhaar’ are in a tearing hurry to impose it everywhere, in every aspect of an Indian’s life, out of an apparent fear that it will die if adoption slows down. This is eerily reminiscent of startup mantras like “fake it till you make it” and “move fast and break things”.

But ‘Aadhaar’ already has a billion enrollments and the backing of legal measures pushed by the Union Government. There is no threat of imminent demise. And yet, as the Twitter trolling shows, this fear continues to exist for ‘Aadhaar’s proponents, so much so that critics must be silenced at any cost.

Where trolling failed to work, subtler attacks are sure to follow. There have been some in the recent past.

The Centre for Internet and Society (CIS) is facing one such attack for its report on the leak of 130 million Aadhaar numbers. The report received wide coverage and was followed by new rules from MEITy (ministry of Electronics & Information Technology) regarding the handling of Aadhaar numbers, but instead of commending CIS for its role in improving safeguards, UIDAI is accusing it of hacking, demanding the identity of the researcher so that he or she may be individually prosecuted.

When Sameer Kochhar demonstrated that previously captured fingerprints were being reused because Aadhaar’s API lacked technical safeguards, UIDAI responded by prosecuting him. A News18 journalist was also prosecuted for demonstrating how double application for enrollment was possible using different names.

As of September 30, 2017, ‘registered’ devices will be mandatory as the current devices are not secure against fingerprint reuse, and an unknown number of fingerprints have already been captured and stored. This sort of forced technological upgrade will happen again as more problems surface into public consciousness, with more researchers and critics harassed for pointing these out.

‘Aadhaar’ pursues inherently contradictory goals. The process of ‘inorganic seeding’, for instance, allows a database to be seeded with ‘Aadhaar’ numbers, to help a service provider identify and eliminate duplicates without the individual’s cooperation. (Inorganic seeding is an official UIDAI scheme.) And yet, the law prohibits using and sharing ‘Aadhaar’ numbers without the individual’s consent.

‘Aadhaar’ aims to be an inclusive project, providing an identity for everyone, and yet easily lends itself to being an instrument of exclusion. There is technical exclusion when biometrics fail to match, and there is institutional exclusion when Aadhaar is made mandatory and an individual is then blacklisted from a service or denied Aadhaar enrollment.

Aviation minister Jayant Sinha recently announced a proposal to use digital id for just this purpose. ‘Aadhaar’ in its current state makes it extraordinarily simple for an organisation to demand it for authentication, but what of the necessary safeguards to protect an individual’s rights? Or of ensuring that grievance redressal mechanisms are in place and actually functional? These are not solved by a technical API integration.

Just as we’ve seen with nuclear power, weak institutions which are sensitive to criticism and fail to ensure effective oversight amplify the risks of the underlying technology. Aadhaar’s supporting institutions, whether government bodies like UIDAI or private bodies like iSPIRT, are immature for the mandate they carry. All technology improves with time, but weak institutions hamper their benefit to society.

As the leading promoter of Aadhaar, founding chairman of UIDAI, and chief mentor of iSPIRT, Mr Nilekani must step up and commit to improving the institutions he commands, and take responsibility for their failures. Condemning critics instead does not help build institutions.

For more details visit https://cis-india.org/internet-governance/news/indian-express-kiran-jonnalgadda-june-10-2017-why-did-nandan-nilekani-praise-a-twitter-troll

An Urgent Need for the Right to Privacy

sumandro — 2016-03-17T07:40:12Z

Along with a group of individuals and organisations from academia and civil society, we have drafted and are signatories to an open letter addressed to the Union government and urging the same to "urgently take steps to uphold the constitutional basis to the right to privacy and fulfil it’s constitutional and international obligations." Here we publish the text of the open letter. Please follow the link below to support it by joining the signatories.

Read and sign the open letter.

Text of the Open Letter

As our everyday lives are conducted increasingly through electronic communications the necessity for privacy protections has also increased. While several countries across the globe have recognised this by furthering the right to privacy of their citizens the Union Government has adopted a regressive attitude towards this core civil liberty. We urge the Union Government to take urgent measures to safeguard the right to privacy in India.

Our concerns are based on a continuing pattern of disregard for the right to privacy by several governments in the past. This trend has increased as can be plainly viewed from the following developments.

In 2015, the Attorney General in the case of *K.S. Puttaswamy v. Union of India*, argued before the Hon’ble Supreme Court that there is no right to privacy under the Constitution of India. The Hon'ble Court was persuaded to re-examine the basis of the right to privacy upsetting 45 years of judicial precedent. This has thrown the constitutional right to privacy in doubt and the several judgements that have been given under it. This includes the 1997 PUCL Telephone Tapping judgement as well. We urge the Union Government to take whatever steps are necessary and urge the Supreme Court to hold that a right to privacy exists under the Constitution of India.

Recently Mr. Arun Jaitley, Minister for Finance introduced the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. This bill was passed on March 11, 2016 in the middle of budget discussion on a short notice as a money bill in the Lok Sabha when only 73 of 545 members were present. Its timing and introduction as a money bill prevents necessary scrutiny given the large privacy risks that arise under it. This version of the bill was never put up for public consultation and is being rushed through without adequate discussion. Even substantively it fails to give accountable privacy safeguards while making Aadhaar mandatory for availing any government subsidy, benefit, or service.

We urge the Union Government to urgently take steps to uphold the constitutional basis to the right to privacy and fulfil it’s constitutional and international obligations. We encourage the Government to have extensive public discussions on the Aadhaar Bill before notifying it. We further call upon them to constitute a drafting committee with members of civil society to draft a comprehensive statute as suggested by the Justice A.P. Shah Committee Report of 2012.

Signatories:

Amber Sinha, the Centre for Internet and Society
Japreet Grewal, the Centre for Internet and Society
Joshita Pai, Centre for Communication Governance, National Law University
Raman Jit Singh Chima, Access Now
Sarvjeet Singh, Centre for Communication Governance, National Law University
Sumandro Chattapadhyay, the Centre for Internet and Society
Sunil Abraham, the Centre for Internet and Society
Vanya Rakesh, the Centre for Internet and Society

For more details visit https://cis-india.org/internet-governance/blog/an-urgent-need-for-the-right-to-privacy

Press Release, March 15, 2016: The New Bill Makes Aadhaar Compulsory!

Amber Sinha — 2016-03-16T10:11:32Z

We published and circulated the following press release on March 15, 2016, to highlight the fact that the Section 7 of the Aadhaar Bill, 2016 states that authentication of the person using her/his Aadhaar number can be made mandatory for the purpose of disbursement of government subsidies, benefits, and services; and in case the person does not have an Aadhaar number, s/he will have to apply for Aadhaar enrolment.

Nandan Nilekani, the former chairperson of the Unique Identification Authority of India had repeatedly stated that Aadhaar is not mandatory. However, in the last few years various agencies and departments of the government, both at the central and state level, had made it mandatory in order to be able to avail beneficiary schemes or for the arrangement of salary, provident fund disbursals, promotion, scholarship, opening bank account, marriages and property registrations. In August 2015, the Supreme Court passed an order mandating that the Aadhaar number shall remain optional for welfare schemes, stating that no person should be denied any benefit for reason of not having an Aadhaar number, barring a few specified services.

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, however, has not followed this mandate. Section 7 of the Bill states that “a person should be authenticated or give proof of the Aadhaar number to establish his/her identity” “as a condition for receiving subsidy, benefit or service”. Further, it reads, “In the case a person does not have an Aadhaar number, he/she should make an application for enrollment.” The language of the provision is very clear in making enrollment in Aadhaar mandatory, in order to be entitled for welfare services. Section 7 also says that “the person will be offered viable and alternate means of identification for receiving the subsidy, benefit or service. However, these unspecified alternate means will be made available in the event “an Aadhaar number is not assigned”. This language is vague and it is not clear whether it mandates alternate means of identification for those who choose not to apply for an Aadhaar number for any reason. The fact that it does make it mandatory to apply for an Aadhaar number for persons without it, may lead to the presumption that the alternate means are to be made available for those who may have applied for an Aadhaar number but it has not been assigned for any reason. It is also noteworthy that draft legislation is silent on what the “viable and alternate means of identification” could be. There are a number of means of identification, which are recognised by the state, and a schedule with an inclusive list could have gone a long way in reducing the ambiguity in this provision.

Another aspect of Section 7 which is at odds with the Supreme Court order is that it allows making an Aadhaar number mandatory for “for receipt of a subsidy, benefit or service for which the expenditure is incurred” from the Consolidated Fund of India. The Supreme Court had been very specific in articulating that having an Aadhaar number could not be made compulsory except for “any purpose other than the PDS Scheme and in particular for the purpose of distribution of foodgrains, etc. and cooking fuel, such as kerosene” or for the purpose of the LPG scheme. The restriction in the Supreme Court order was with respect to the welfare schemes, however, instead of specifying the schemes, Section 7 specified the source of expenditure from which subsidies, benefits and services can be funded, making the scope much broader. Section 7, in effect, allows the Central Government to circumvent the Supreme Court order if they choose to tie more subsidies, benefits and services to the Consolidated Fund of India.

These provisions run counter to the repeated claims of the government for the last six years that Aadhaar is not compulsory, nor is the specification by the Supreme Court for restricting use of Aadhaar to a few services only, reflected anywhere in the Bill. The “viable and alternate means” clause is too vague and inadequate to prevent denial of benefits to those without an Aadhaar number. The sum effect of these factors is to give the Central Government powers to make Aadhaar mandatory, for all practical purposes.

For more details visit https://cis-india.org/internet-governance/blog/press-release-aadhaar-15032016-the-new-bill-makes-aadhaar-compulsory

Govt narrative on Aadhaar has not changed in the last six years: Sunil Abraham

praskrishna — 2016-03-16T16:37:19Z

The bill is basically the same as the UPA version, with some cosmetic changes, and some tokenism towards the right to privacy, says Abraham.

Shreeja Sen interviewed Sunil Abraham. The article was published in Livemint on March 8, 2016.

The government’s bid to push financial inclusiveness and access to government services has received a fresh boost, with finance minister Arun Jaitley introducing a proposed law to give legislative backing to Aadhaar, being implemented by the Unique Identification Authority of India (UIDAI).

This project, which uses a person’s biometric data like fingerprints and iris scans to authenticate identity of people receiving subsidies and other state benefits, will move India towards a cashless economy and help digital initiatives such as biometric attendance, Pradhan Mantri Jan Dhan Yojana, digital certificates, pension payments and the proposed introduction of payments banks.

Sunil Abraham, 42

Abraham is executive director of Centre for Internet and Society, a Bengaluru-based think tank focusing on accessibility, access to knowledge, telecom and Internet governance. He has written extensively on the UID scheme, and the intersection of privacy and security. He founded Mahiti—an enterprise that aims to reduce the cost and complexity of information and communications technology for the voluntary sector by using free software.

The Aadhaar project has faced its share of roadblocks with cases challenging it pending before the Supreme Court. A constitution bench of the court will decide whether the right to privacy is a fundamental right and if Aadhaar violates it.

Sunil Abraham, the executive director of Centre for Internet and Society, a Bengaluru-based policy research institute, is a critic of Aadhaar for several reasons. He explained his concerns in an interview. Edited excerpts:

Have any of the concerns regarding the Aadhaar project since its inception in 2009 been addressed?

Whatever we complained about six or seven years ago, whatever complaints were made by the civil society...all of those complaints remain in the exact same situation.

Nothing has changed.

What kind of concerns?

The first thing to remember is that privacy and security are just two sides of the same coin. You cannot have one without the other.

Our first concern with the project is centralization. Whenever you build an information system, and you create a central point of failure, then it will fail because the possibility of failure exists. The Internet has no central point of failure. That is why it is so difficult for you to bring the Internet down. Complaint number 2 is the opaque technology.

UIDAI keeps saying that “we have built a technology using a free software and open standard stack”. The first is a de-duplication software and the second one is the authentication software—those are the most important pieces of software.

This software is proprietary and nobody knows how they work and nobody can independently audit them.

The third complaint is the use of an irrevocable and non-consensual authentication factor. In the UID scheme, the biometrics serve two purposes: it can be used to identify a citizen and it can be used to authenticate a transaction. Authentication factors, commonly known as passwords, should always be revocable. That means if the password is compromised, you should be able to change the password or at least say that this password is no longer valid. The use of biometrics eliminates those two important requirements.

Further, in most other authentication, the process of authentication ensures that you are consenting. For example, PIN (personal identity number) authentications. But suppose I am authenticating you through your irises, then as long as your eyes are open, the machine will think you’re authenticating. There’s no way of saying I don’t want to authenticate. Or if you’re sleeping, somebody can hold your fingers over a biometric reader and open your iPhone. So that’s complaint number three.

The fourth complaint from the privacy perspective is: there is a very important database that they don’t talk about. I call it the transactions database. Suppose there is somebody who is using the UIDAI service to authenticate a transaction, then UIDAI should keep a record of that successful or unsuccessful transaction authentication. That means you have been registered into the database.

You go to a fair price shop to purchase subsidized grain and at that fair price shop or ration shop, you use your finger on the biometric reader, and then the UIDAI system says “yes you are indeed who you say you are”.

So, at that point, later the shop should not be able to say X never came here, or X came twice. So, in order for them to not say all those things, a record should be made on the UID database, that on this day, from this geographical location, this particular biometric reader sent us X’s biometric template and asked if the template matched against X’s UID number...the transaction database can be used for profiling. They never talk about it.

They never tell us what that database holds and how long they’re keeping all those records. None of that is clear.

Does Aadhaar bill help assuage your doubts about the project?

The government narrative has not changed in the last six years; the bill is basically the same as the UPA (United Progressive Alliance) version, with some cosmetic changes, and some tokenism towards the right to privacy. The proof that the technology is fallible is in the bill.

If the technology was infallible, as the UIDAI would like us to believe, then the bill would not criminalize the following: (1) impersonation at the time of enrolment; (2) unauthorized access to the Central Identities Data Repository.

Imagine that the bill admits that every Indian’s biometric can be stolen from one single centralized database. Now why don’t we have a similar offence for stealing all private keys from the Internet—we don’t because that is technical impossibility thanks to decentralization.

Therefore we don’t need a law to make (it) illegal. We’ve suggested changes to both the technology and the law. We’ve written seven open letters to the UIDAI, and we’ve never gotten any response. Very few of our concerns have been addressed. We’ve seen dogs getting UID, various other things getting UID, so there’s a lot of evidence that the system does not work. From Kerala we have stories of one person getting several UIDs, so we have no idea about technological feasibility of the project.

One of our distinguished fellows, Hans Varghese Mathews, has published an academic paper in the latest EPW (Economic and Political Weekly), by extrapolating UIDAI field trial data to national scale. He predicts that by the time the number crosses 1 billion, every time UIDAI tries to register someone new, they will match with about 850 people already in the database positively. So, the unique identification capability of the UIDAI will not scale above the billion. The consequence of the technology failing is not trivial. If someone replaces your biometrics in the central database, then the onus is on you to prove that you are a resident of India.

Previously, human beings determined the answer to this question, and they had to find proof that you were not a resident. Now, a fallible technology will be asked to answer this important question.

Isn’t the basic function of the Aadhaar project to ensure that benefits reach the person they are meant for, and it’s easier for people to get an identity proof for those who have no other ID, like migrant workers?

Two responses: is it good anti- corruption technology? Unfortunately not, because it is intended at retail fraud. The person under surveillance is very poor. But the person responsible for corruption is not poor. So, I believe you should be surveilling those responsible for corruption.

What I had said is UID should be first given to every single bureaucrat and every single politician in the country. From Delhi till the Panchayat office, till the ration shop in the village, that supply chain must be monitored and documented using cryptography, so that nobody can deny anything. We need non-repudiatable audit trail from New Delhi to the village because according to all analyses, that is where the theft is happening—in the supply chain. The villager who is taking false benefits, that is called retail fraud.

The bulk of the fraud is actually wholesale fraud. Please tackle wholesale fraud using non-repudiatable public audit trail from New Delhi to the village first, before you start surveilling the poor.

The second point is that people find it easy to get the UID. That is fine, but there is a problem; that it’s not uniquely identifying anybody. So, people will keep registering and the UID system will keep giving them more and more UIDs because there are no human checks and balances. Because you’ve gone with a pure technological solution, it’s very easy to fool (the system).

So, the ease of registration has not served the purpose.

For more details visit https://cis-india.org/internet-governance/news/livemint-march-8-2016-shreeja-sen-govt-narrative-on-aadhaar-has-not-changed-in-last-six-years-sunil-abraham

Aadhaar is actually surveillance tech: Sunil Abraham

praskrishna — 2016-03-16T17:07:39Z

On March 12, the Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016, paving the way for giving legal status to Aadhaar, a 12-digit unique identification number generated after collecting biometric and other details of an Indian resident.

Sahil Makkar on behalf of Business Standard interviewed Sunil Abraham. The article was published on March 12, 2016.

The government intends to use Aadhaar to roll out more subsidy schemes and allay privacy concerns. However, activists are not convinced. Sunil Abraham, executive director of Bengaluru based-research organisation The Centre for Internet & Society, tells Sahil Makkar that the concept of Aadhaar is principally flawed and it doesn't substantially help in plugging leakages in government schemes. Edited excerpts:

What is your position on Aadhaar and the UIDAI Bill?

What technology has broken cannot be fixed by the law. Aadhaar is a broken technology; it is surveillance technology disguised as developmental intervention that identifies people without their consent and authenticates transactions on their behalf. The architecture is a disaster from the security perspective and there is no recourse in law for citizens whose rights have been infringed. The other objection should be to the subtitle of the Bill that mentions "services": it is unclear whether Aadhaar is to be provided to the residents or the citizens. A bulk of the government services is meant for citizens.

What are the repercussions of this "broken technology"?

Consent happens without conscious cooperation during the authentication process of getting access to a subsidy or a service. Also, the person providing the service is holding a biometric reader and he may say the device is not working and hence, refuse the subsidy. Yet the database will reflect that the subsidy has been availed of because authentication has already been completed. So you have to accept what the person is saying because only that person and the UIDAI have access to the information. Aadhaar makes the citizen transparent to the state but makes the state completely opaque and unaccountable to its citizens.

Will the beneficiary not receive a message about the transaction?

That will only happen when the banks are involved. At the subsidised ration shop the beneficiary will get nothing. The world over security professionals don't trust biometric-based authentication, relying rather on other revocable authentication factors. It is irrevocable if the biometric details are compromised. Instead, writable smart cards could be used to record details of government officers on the cards of beneficiaries and make both the state and the resident transparent to each other.

Hasn't the National Population Register under the Ministry of Home Affairs been advocating the use of smart cards?

In this case biometrics should be used only to link the individual to the smart card. Biometric information should be stored on smart cards and under no circumstances should there be a central repository of biometrics at one place. Maintaining a central database is akin to getting the keys of every house in Delhi and storing them at a central police station. The chances of getting a central database compromised depend on the nature of information stored in it. For the sake of security one can't create a honey pot to be attacked by many. The internet is secure because it doesn't have a central database. The other difference is that faking biometrics is much easier than faking smart cards.

So your principle opposition is to the setting up of a central repository of biometrics?

I am also opposed to the use of biometrics for identification and authentication; this is nothing but surveillance. It is very easy to capture iris data of any individual with the use of next generation cameras. Imagine a situation when the police is secretly capturing the iris data of protesters and then identifying them through their biometric records.

But if the security agencies are able to identify those who create law and order problems, what is the hitch?

It is exactly the same argument that Apple is giving while refusing back-door entry to intelligence and investigating agencies. Once you build surveillance capacity for good governance, it may be misused by a repressive government, a rogue corporation or by criminals. Fear of this type of surveillance will deter people from holding any protest.

Doesn't the Aadhaar or the UIDAI conform to safety and security provisions in the IT Act?

The standards in our IT Act are woefully inadequate in comparison to European regulators and courts. If it adhered to the highest standards, the European privacy commissioner and data protection authorities would have given India adequacy status. The second problem is that the current IT Act doesn't apply to the government. If the government holds your data, it is under no obligation to protect your rights.

You have been part of the Justice A P Shah Committee on privacy. How important is it to have a separate privacy law in the present context?

It is not only important for the purpose of safeguarding human rights, but also to protect the competitiveness of our BPO, ITeS and KPO sectors. We need a data protection law that is compliant with European Data Protection Regulation.

How will such a law help a common man whose data have been compromised?

It will provide clarity to an individual about where he or she stands with regard to privacy. It is strange that the government took diametrically opposite stands in two cases related to privacy in the Supreme Court. When some activists demanded that the UIDAI be scrapped, the government argued before the court that there was no Constitutional right to privacy. When the police asked for the biometric records from the UIDAI, the same government argued there was a right to privacy and that it couldn't divulge the details to the police. The government is not speaking in the same voice; even courts are not speaking in the same voice, because there have been conflicting judgements. So the proposed law will provide clarity on privacy and people will be able to seek compensation under it.

At the same time it cannot be denied that Aadhaar can plug leakages and save hundreds and thousands of rupees for the exchequer....

Aadhaar is only answering two questions: Is this particular biometric unique (enrolment) and does it match the template in the database? If you bring a Bangladeshi into the system, it will answer both the questions in the affirmative. The Aadhaar only eliminates the possibility of one person receiving the benefits twice. At the same time it is very easy to put a ghost beneficiary back into the system. If Aadhaar has to work, we need a publicly visible auditable trail of subsidy moving from Delhi to the villages. That will eliminate corruption in the supply chain.

Isn't it difficult for a large number of ghost beneficiaries to get into the system?

There is no way to check whether a genuine or a ghost beneficiary has been removed from the list. It is not a foolproof system because no one is vouching for anybody. In the current system it is difficult to find out who created this ghost beneficiary. Nobody loses a job for creating a ghost; in fact, here everyone has an incentive.

If there are problems with the UIDAI system, why is the government upbeat about it?

As techno-utopians our government wants technology to answer everything and solve all our problems. If anything goes wrong, it can easily be blamed on technology.

For more details visit https://cis-india.org/internet-governance/news/business-standard-sahil-makkar-march-12-2016-aadhaar-is-actually-surveillance-tech-sunil-abraham

Forget privacy, Aadhaar Bill gives too much power to the executive

praskrishna — 2016-03-17T14:44:12Z

The government promotes the Aadhaar programme because it believes the 12-digit unique identification number will let them track every penny spent from the exchequer. But money is not all that the Aadhaar number can track.

The article by Aloke Tikku was published in the Hindustan Times on March 17, 2016. Sunil Abraham gave inputs.

It can help track people too with amazing efficiency. This is at the centre of the controversy around the programme, and the Aadhaar bill that requires every resident to get the number to access government subsidies and services.

Finance minister Arun Jaitley put up a spirited defence of the bill in the Rajya Sabha on Wednesday when the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 came up for passage. And he was right.

As far as privacy is concerned, the NDA government’s version is much more stringent than the creaky draft proposed by the UPA in 2010.

Jaitley said there were only two circumstances in which personal data collected by UIDAI could be shared under this bill.

One, if the Aadhaar number holder consents to his details being shared. Second, if a government agency wants to access this data on grounds of national security.

But the debate around privacy concerns – that neither the NDA nor the UPA governments addressed – and the new bill is much more fundamental.

The Aadhaar bill gives the executive too much power to decide how to administer the law.

Every law requires the government to frame rules to specify the nitty-gritty of its implementation.

But the Aadhaar bill passed by Parliament gives the Unique Identification Authority of India (UIDAI) the power to prescribe regulations for nearly every provision, right down to what biometric or biological attributes need to be captured.

“The law leaves too much power in the hands of the executive,” said Sunil Abraham, executive director of the Bengaluru-headquartered research advocacy group, Centre for Internet and Society.

For instance, the bill gives the Unique identification Authority of India (UIDAI) powers to determine if it should collect any biological attribute of people too. This means the government could at a later date mandate that DNA of all Aadhaar numbers too be collected.

The example echoed in the Rajya Sabha on Wednesday as well.

“No power should be delegated to the UID Authority because then the UID Authority will decide tomorrow that DNA is required, and they will then have the powers to take DNA information as well,” Congress MP Jairam Ramesh said.

The minister tried to explain the reliance on regulations issued by UIDAI – the word ‘regulations’ does appear some 50 times through the legislation – as compared to less than 10 in, say, the right to information law or the 2010 version of the bill.

He said MPs could still review notifications issued by UIDAI when they are placed for parliamentary approval.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-march-17-2016-aloke-tikku-forget-privacy-aadhaar-bill-gives-too-much-power-to-the-executive

India's billion-member biometric database raises privacy fears

praskrishna — 2016-03-17T15:25:45Z

India's parliament is set to pass legislation that gives federal agencies access to the world's biggest biometric database in the interests of national security, raising fears the privacy of a billion people could be compromised.

The article by Sanjeev Miglani and Manoj Kumar was published by Reuters on March 16, 2016. Sunil Abraham was quoted.

The move comes as the ruling Bharatiya Janata Party (BJP) cracks down on student protests and pushes a Hindu nationalist agenda in state elections, steps that some say erode India's traditions of tolerance and free speech.

It could also usher in surveillance far more intrusive than the U.S. telephone and Internet spying revealed by former National Security Agency (NSA) contractor Edward Snowden in 2013, some privacy advocates said.

The Aadhaar database scheme, started seven years ago, was set up to streamline payment of benefits and cut down on massive wastage and fraud, and already nearly a billion people have registered their finger prints and iris signatures.

Now the BJP, which inherited the scheme, wants to pass new provisions including those on national security, using a loophole to bypass the opposition in parliament.

"It has been showcased as a tool exclusively meant for disbursement of subsidies and we do not realize that it can also be used for mass surveillance," said Tathagata Satpathy, a lawmaker from the eastern state of Odisha.

"Can the government ... assure us that this Aadhaar card and the data that will be collected under it – biometric, biological, iris scan, finger print, everything put together – will not be misused as has been done by the NSA in the U.S.?"

Finance Minister Arun Jaitley has defended the legislation in parliament, saying Aadhaar saved the government an estimated 150 billion rupees ($2.2 billion) in the 2014-15 financial year alone.

A finance ministry spokesman added that the government had taken steps to ensure citizens' privacy would be respected and the authority to access data was exercised only in rare cases.

According to another government official, the new law is in fact more limited in scope than the decades-old Indian Telegraph Act, which permits national security agencies and tax authorities to intercept telephone conversations of individuals in the interest of public safety.

"POLICE STATE"

Those assurances have not satisfied political opponents and people from religious minorities, including India's sizeable Muslim community, who say the database could be used as a tool to silence them.

"We are midwifing a police state," said Asaduddin Owaisi, an opposition MP.

Raman Jit Singh Chima, global policy director at Access, an international digital rights organization, said the proposed Indian law lacked the transparency and oversight safeguards found in Europe or the United States, which last year reformed its bulk telephone surveillance program.

He pointed to the U.S. Foreign Intelligence Surveillance Court, which must approve many surveillance requests made by intelligence agencies, and European data protection authorities as oversight mechanisms not present in the Indian proposal.

The Indian government brought the Aadhaar legislation to the upper house of parliament on Wednesday in a bid to secure passage before lawmakers go into recess.

To get around its lack of a majority there, the BJP is presenting it as a financial bill, which the upper chamber cannot reject. It can return it to the lower house, where the ruling party has a majority.

In its assessment of the measure, New Delhi-based PRS Legislative Research said law enforcement agencies could use someone's Aadhaar number as a link across various datasets such as telephone and air travel records.

That would allow them to recognize patterns of behavior and detect potential illegal activities.

But it could also lead to harassment of individuals who are identified incorrectly as potential security threats, PRS said.

Sunil Abraham, executive director of the Bengaluru-based Centre for Internet and Society, said Aadhaar created a central repository of biometrics for almost every citizen of the world's most populous democracy that could be compromised.

"Maintaining a central database is akin to getting the keys of every house in Delhi and storing them at a central police station," he said.

"It is very easy to capture iris data of any individual with the use of next generation cameras. Imagine a situation where the police is secretly capturing the iris data of protesters and then identifying them through their biometric records.

For more details visit https://cis-india.org/internet-governance/news/reuters-march-16-2016-sanjeev-miglani-and-manoj-kumar-indias-billion-member-biometric-database-raises-privacy-fears

Privacy Concerns Overshadow Monetary Benefits of Aadhaar Scheme

Pranesh Prakash and Amber Sinha — 2016-03-17T16:12:26Z

Since its inception in 2009, the Aadhaar system has been shrouded in controversy over issues of privacy, security and viability. It has been implemented without a legislative mandate and has resulted in a PIL in the Supreme Court, which referred it to a Constitution bench. On Friday, it kicked up more dust when the Lok Sabha passed a Bill to give statutory backing to the unique identity number scheme.

The article was published in the Hindustan Times on March 12, 2016.

There was an earlier attempt to give legislative backing to this project by the UPA government, but a parliamentary standing committee, led by BJP leader Yashwant Sinha, had rejected the bill in 2011 on multiple grounds. In an about-turn, the BJP-led NDA government decided to continue with Aadhaar despite most of those grounds still remaining.

Separately, there have been orders passed by the Supreme Court that prohibit the government from making Aadhaar mandatory for availing government services whereas this Bill seeks to do precisely that, contrary to the government’s argument that Aadhaar is voluntary.

In some respects, the new Aadhaar Bill is a significant improvement over the previous version. It places stringent restrictions on when and how the UID Authority (UIDAI) can share the data, noting that biometric information — fingerprint and iris scans — will not be shared with anyone. It seeks prior consent for sharing data with third party. These are very welcome provisions.

But a second reading reveals the loopholes.

The government will get sweeping power to access the data collected, ostensibly for “efficient, transparent, and targeted delivery of subsidies, benefits and services” as it pleases “in the interests of national security”, thus confirming the suspicions that the UID database is a surveillance programme masquerading as a project to aid service delivery.

The safeguards related to accessing the identification information can be overridden by a district judge. Even the core biometric information may be disclosed in the interest of national security on directions of a joint secretary-level officer. Such loopholes nullify the privacy-protecting provisions.

Amongst the privacy concerns raised by the Aadhaar system are the powers it provides private third parties to use one’s UID number. This concern, which wouldn’t exist without a national ID squarely relates to Aadhaar and needs a more comprehensive data protection law to fix it. The supposed data protection under the Information Technology Act is laughable and inadequate.

The Bill was introduced as a Money Bill, normally reserved for matters related to taxation, borrowing and the Consolidated Fund of India (CFI), and it would be fair to question whether this was done to circumvent the Rajya Sabha.

None of the above arguments even get to the question of implementation.

Aadhaar hasn’t been working. When looking into reasons why 22% of PDS cardholders in Andhra Pradesh didn’t collect their rations it was found that there was fingerprint authentication failure in 290 of the 790 cardholders, and in 93 instances there was an ID mismatch. A recent paper in the Economic and Political Weekly by Hans Mathews, a mathematician with the CIS, shows the programme would fail to uniquely identify individuals in a country of 1.2 billion.

The debate shouldn’t be only about the Aadhaar Bill being passed off as a Money Bill and about the robustness of its privacy provisions, but about whether the Aadhaar project can actually meet its stated goals.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-amber-sinha-pranesh-prakash-march-12-2016-privacy-concerns-overshadow-monetary-benefits-of-aadhaar-scheme