Centre for Internet and Society

What You Need To Worry About Before Linking Your Mobile Number With Aadhaar

Admin — 2017-11-26T05:55:49Z

As part of the directive issued by the Department of Telecommunications (DoT) dated March 23, 2017, major telecom service providers have issued a deadline of February 6, 2018, for linking mobile numbers with Aadhaar as part of the E-KYC verification.

The blog post by Roopa Raju and Shekhar Rai was published in Youth Ki Awaaz on November 8, 2017

The landmark case referenced by the DoT in the circular was the order issued by the Supreme Court on February 6, 2017, delivered by Justice JS Khehar (the erstwhile Chief Justice of India) in the case of Lokniti Foundation vs Union of India. The petitioner contended that terrorists, criminals and anti-social elements frequently used SIM cards to commit atrocious, organised and unorganised crimes across the country. The petition called for ensuring 100% verification on the identity of telecom service subscribers in public interest under Article 32 of the Constitution of India. The PIL added that unverified SIM cards pose a serious threat to the country’s security as they are routinely used in criminal and terrorist activities, thereby affecting a citizen’s right (as ensured under Article 21 of the Constitution). As per the CAG report tabled at the Parliament in 2014, the identities of 4.59 crore mobile users still remained unverified.

Article 21 of the Constitution of India, 1949, states that – “No person shall be deprived of his life or personal liberty except according to procedure established by law.” While there is a threat to the common public interest through increased acts of terrorism and atrocities due to unverified SIM cards, the safety of information provided and linked to Aadhaar are increasingly being questioned.

In a study dated May 1, 2017, published by the Centre for Internet and Society (CIS), a Bangalore-based organisation, it was observed that data of over 130 million Aadhaar card-holders were leaked from just four government portals dealing with the National Social Assistance programme, the National Rural Employment Guarantee Scheme, the Chandranna Bima Scheme and the Daily Online Payment Reports of NREGA.

On October 25, 2017, the chief minister of West Bengal, Mamata Banerjee, also strongly opposed the government’s plan to link mobile numbers with Aadhaar cards. She said that it was a breach of privacy and that the ruling government was intruding upon the citizen’s right to personal freedom. However, the Supreme Court questioned the state government’s right to challenge the Centre and asked her to file a plea with the court in her individual capacity.

As per the data published by Telecom Regulatory Authority of India (TRAI) on September 14, 2017, India’s telecom subscriber base dipped by 1.3 lakh to 121.07 crore in July 2017. Moreover, only three operators – Reliance Jio, Bharti Airtel and the state-run BSNL – reported additions to their subscriber base.

Month	Telephone subscriber base (in million)	Growth rate
Mar-17	1194.58	–
Apr-17	1198.89	0.36%
May-17	1204.98	0.51%
Jun-17	1210.84	0.49%
Jul-17	1210.71	-0.01%

(Source: TRAI monthly subscription data)

The dip in the subscriber count for various telecom operators can be accredited to the phasing of registration of SIM cards through E-KYC for new mobile numbers. While there is a the possibility of addition of genuine subscribers in the following months, the direct subscriber acquisition cost (DSAC) has been significantly reduced owing to the overall reduction in subscriber addition (assuming exclusion of sunk cost).

Prior to the DoT directive, telecom service providers relied heavily on the documents provided by the subscribers for SIM registration. The two-fold impact of this was the delay in SIM activation, owing to the transfer of documents from the retailer to the distributor to the company and the possibility of documents not matching with the usage timeline of usage. Additionally, tracking the ever-changing retailers was difficult for the service providers – and with the subscriber documents being collected and stored at one location by the service providers, verification of dummy subscribers was difficult.

With the introduction of Aadhaar linkage for mobile numbers, subscribers are held accountable for its usage, thereby tagging responsibility for any acts arising as a result. Savings from the digitisation of documents and paper should also be considered.

However, an increased number of job losses is possible, owing to the ‘optimisation’ of the process by way of document verification, servicing costs and reliance on third parties (to name just a few). Increased compliance costs are also an issue of concern.

The key question that looms prominently with the approaching deadline is how secure public data will be, given that it may possibly be linked with bank account numbers and income tax returns. With retailers using fingerprints of the subscribers to validate Aadhaar numbers with the mobile numbers at the time of SIM registration, there is an increased risk of exposure to identity theft.

While the government is increasingly trying to bring in a seamless process to assimilate data for transparency in analysing consumer patterns, it is suggested that they also allocate funds for enhancing the cyber-security of the data consolidated from this directive. Furthermore, cyber security regulations can be strengthened to avoid data leakages to third party organisations. Severe penalties should also be implemented to ensure robust compliance to these measures.

For more details visit https://cis-india.org/internet-governance/news/youth-ki-awaaz-roopa-sudarshan-what-you-need-to-worry-about-before-linking-your-mobile-number-with-aadhaar

Privacy issues exist even without Aadhaar

Admin — 2017-11-23T16:12:11Z

There is a critical need for a data privacy regulator to penalize unauthorized disclosure of personal information.

The article by Ronald Abraham was published by Livemint on November 15, 2017.

In part I, I argued that while Aadhaar can be a tool to infringe upon our right to privacy, it is merely one such; there exist other tools that can be similarly exploited. This becomes evident when you analyse each privacy issue related to Aadhaar using the National Privacy Principles framework, and compare Aadhaar’s data privacy risks to other national ID systems. We need an independent data privacy regulator, backed by a robust law, to safeguard against the risks.

Here, we explore two such data privacy issues: data disclosure and voluntariness (database linking was analysed in part I).

Data disclosure

According to the National Privacy Principle on data disclosure, “a data controller shall not disclose personal information to third parties, except after providing notice and seeking informed consent from the individual for such disclosure”.

On paper, the Aadhaar Act appears compliant with this principle as Section 29 prohibits the disclosure of personal information. Exceptions exist for courts to request demographic data, and for joint secretaries and higher ranks to request biometric data; the latter on the grounds of “national security”. However, greater clarity is required on whether individuals will be informed of data disclosures.

In practice, however, data disclosures well beyond these exceptions have taken place. A study by the Centre for Internet and Society found that nearly 130 million Aadhaar numbers had been published online by four government departments. In many cases, these were published along with information on “caste, religion, address, photographs and financial information”. If someone manages to steal these individuals’ fingerprints as well (which is becoming less difficult), one possibility is that Aadhaar-linked bank accounts can be cleaned out using micro-ATMs.

Demographic data disclosure, however, is not limited to Aadhaar. For transparency reasons, state election commission websites disclose the personal information of every person registered to vote online. Agencies scrape these databases and sell them.

Like database linking, the onus of abiding by the principle of data disclosure is on the “data controller”. The four government agencies that disclosed Aadhaar data—not the Unique Identification Authority of India (UIDAI)—are the relevant data controllers in this case. However, UIDAI has not pressed charges against them; under the Aadhaar Act, it is solely authorized to do so. Given UIDAI’s role of working with the government to enable and encourage the use of Aadhaar, it should not also be responsible for regulating them. Additionally, the Election Commission’s data disclosure norms demonstrate that the issue is bigger than Aadhaar.

This, therefore, points to the critical need for a data privacy regulator to investigate and penalize unauthorized disclosure of sensitive personal information. A strong regulator, with a clear law, will also serve as an effective deterrent for negligent disclosure practices.

Voluntariness

The ability to voluntarily opt in and out of data systems, based on informed consent, is central to the National Privacy Principle of “Choice and Consent”. Once an individual opts in, the principle clarifies that they “also have an option to withdraw (their) consent given earlier to the data controller”.

With regard to opting in, UIDAI has maintained that Aadhaar enrolment is voluntary. However, Section 7 of the Aadhaar Act and various orders by government agencies require Aadhaar to access basic services. Though exceptions are allowed, in practice they are implemented inconsistently, making Aadhaar near-mandatory.

To be sure, the choice principle states that data controllers can choose not to provide services if an individual doesn’t consent to provide data, “if such information is necessary for providing the goods or services”. However, we need more explicit guidelines on what features satisfy this condition, something that can be defined in a data privacy law.

With regard to opting out, no such UIDAI provision exists. One argument is that more data increases UIDAI’s capability to establish the uniqueness of new enrollees. However, it is unclear why this is the case because even if millions opt out of Aadhaar, UIDAI’s ability to guarantee the uniqueness of new enrollees compared to existing enrollees doesn’t diminish.

While voluntariness is actively discussed with Aadhaar, the same is not true for other IDs and data initiatives. For example, fingerprints are collected to issue Indian passports, but the use of this is not clear—raising concerns around voluntariness as well as purpose limitation.

Through this analysis, it becomes clear that data privacy issues exist even without Aadhaar. To tackle the risks to privacy, India requires a strong, competent and independent data privacy regulator, backed by a robust law.

With the recent Supreme Court judgement and upcoming hearings, we have a unique opportunity to strengthen our institutional ability to manage future risks. We must seize this opportunity to try and secure a privacy-protected future.

Ronald Abraham is a partner at IDinsight and co-author of ‘State of Aadhaar’ report 2016-17.

Research contributions from Shreya Dubey and Akash Pattanayak.

For more details visit https://cis-india.org/internet-governance/news/livemint-november-23-2017-ronald-abraham-privacy-issues-exist-even-without-aadhaar

Aadhaar seeding: benefits and concerns

Admin — 2017-11-23T02:02:45Z

Products and services such as bank accounts, life insurance policies and phone connections have to be linked with Aadhaar. But is this of any real help?

The article by Shaikh Zoaib Saleem was published by Livemint on November 14, 2017.

The government has made it mandatory for consumers to link many important services with Aadhaar. You too may be getting frequent reminders to link your banks account, mutual fund and mobile number with Aadhaar. Recently, the Reserve Bank of India also clarified that it is mandatory to link bank accounts with Aadhaar.

The latest addition to this list are insurance policies. In a circular, the Insurance Regulatory and Development Authority of India (Irdai) has stated that linking of Aadhaar number to insurance policies is mandatory under the Prevention of Money-laundering (Maintenance of Records) Second Amendment Rules, 2017.

The issue is being discussed intensively, with the Supreme Court taking a decision in favour of linking Aadhaar biometrics and the number with a host of services. Several petitions have been filed challenging not just the linking of these services with Aadhaar but also the validity of Aadhaar itself. We spoke to people who support and those who oppose this linking, to understand how either case impacts consumers.

The benefits

According to the Unique Identification Authority of India (UIDAI), government schemes are asking for Aadhaar as it helps to clean out duplications and fakes, and provides accurate data to enable implementation of direct benefit programmes. “Use of Aadhaar reduces the cost of identifying persons and provides increased transparency to the government in implementation of its schemes,” the Authority states under frequently asked questions on its website (read more at: https://uidai.gov.in/your-aadhaar/help/faqs.html) So, when you link your bank account with your Aadhaar, government benefits such as subsidy on LPG cylinders is credited directly to that account. The FAQs, however, do not elaborate how such linking helps an individual who does not get, or does not wish to get, such subsidies. In a tweet, UIDAI had said that verifying a bank account using Aadhaar adds an additional layer of security.

Nakul Saxena, a former banker who now works on policy advocacy at the software think tank iSpirt Foundation, said that linking of Aadhaar with these services will help eradicate fake accounts, fake insurance policies and unauthorised mobile connections. “It is possible that there are many accounts in the system that have been opened using such documents and copied signatures and even the banks may not be aware of it. Some people may not even be aware that an account exists in their name. These accounts need to be verified using Aadhaar now,” he said.

The government claims to have removed millions of fake beneficiaries for government benefits by Aadhaar linking. As reported by Mint in May 2017, over 23 million fake ration cards have been scrapped, potentially saving the government Rs14,000 crore in food subsidy every year. Another Mint report in August says, three states discovered that about 2,72,000 fake students were availing the mid-day meal (MDM) scheme.

However, those who are against linking Aadhaar disagree with these arguments. “Initially, Aadhaar was about delivery of services. But linking everybody’s phone number and bank account is not about that anymore. The real question is, what purpose this linking serves. If the intention is to update the databases, then there can be other means to update those,” said Rahul Narayan, a Supreme Court advocate who is among the lawyers representing petitioners who have challenged Aadhaar linking in court.

The concerns

The fundamental objection to this linking of services is that all information on an individual will be available at a single place, which could make surveillance easier and also increase the risks if this information is hacked. “As of now, your bank knows something about you, your insurance company knows something and your mobile phone company knows something about you. Each of these are different silos of information. When these converge, which is then accessible to a single person, that person knows almost everything about you,” said Narayan.

Moreover, a user’s Aadhaar number and fingerprint are permanent identifiers, and at least the Aadhaar number has been compromised for over 130 million citizens, as per a study by Centre for Internet & Society, said Nikhil Pahwa, co-founder of the SaveTheInternet.in (https://internetfreedom.in) campaign for net neutrality in India. “This leaves the users vulnerable to social hacks, some of which we have already been reading about in the news. To forcefully and mandatorily link Aadhaar to bank accounts means that their finances are at risk,” he said.

Saxena said the data leaks that have been highlighted have been typically about demographic details such as name, date of birth and address “which have been commonly available so far.” However, given the heightened sensitivities in this digital age, customers must ask their service providers to not publish such details, nor provide this information freely, he added.

Grievance redressal and data privacy

Another major concern is the absence of a clear redressal mechanisms for consumers in case of a data leak, misuse or hack. “When things go wrong, consumers need to have access to a proper complaints mechanism. In the case of Aadhaar, such access is to be provided through the establishment of ‘contact centres’ under the Regulation 32 of the UIDAI Enrolment and Update Regulations. To the best of our knowledge, not much beyond Regulation 32 has yet been specified by the UIDAI,” said Renuka Sane, associate professor at the National Institute of Public Finance and Policy, who has worked on data privacy and security issues.

Apart from this, Section 47 of the Aadhaar Act stipulates that only UIDAI or its authorised officers can file a criminal complaint for violations of the Act, she added.

“The UIDAI has been given complete discretion in determining if and when to file a criminal complaint for violations of the Act, and an individual aggrieved by actions of a third person is left to rely upon the bonafide actions of the UIDAI,” Sane added. The government is also working towards a data privacy legislation, that is needed to give citizens protection against misuse of their data, and them having some control over who gets their data, how it is used, and where it can be shared. “However, a data privacy legislation and mechanism will not ensure that data remains secure and protected, and that processes are followed. The Act disallowing people from sharing Aadhaar numbers did not prevent government departments from publishing details online,” said Pahwa. He also said that systems can get hacked, which could include the Aadhaar database, the parallel Aadhaar databases with state governments, or eKYC databases held with banks and telecom operators.

Saxena said the UIDAI has clarified that biometric information is not stored with user agencies, and stored biometrics can't be used for Aadhaar authentication or eKYC. “Hence, customers can be assured when using Aadhaar and biometrics with authorized entities,” he said. “The data privacy law will address data privacy and protection in all digital systems, not just Aadhaar. It will equally apply to social media and mobile apps. It should also go into the aspect of ‘right to be forgotten’,” said Saxena.

Pahwa, however, insists that the least that should be done is to give citizens the right to not link their Aadhaar and use other IDs for authentication, plus the ability to change their ID number if the system gets compromised.

What you should do

For now, the deadlines for linking bank accounts with Aadhaar is 31 December 2017, and for mobile phones it is 7 February 2018. In its latest hearing on the matter, the Supreme Court has directed service providers to mention these deadlines in their reminders. “Right now, regardless of what they say, nobody is going to shut down your bank account or disconnect your mobile connection, at least till the deadline. There are several petitions being heard in the Supreme Court. The matter is supposed to be taken up by the Supreme Court in the last week of November. The final word from the court is yet to come and it is quite possible that at least the deadlines gets extended,” said Narayan.

If you have already linked these services with Aadhaar, you are in no trouble. But if you are having second thoughts, the linking cannot be undone. If you are concerned about safety or other aspects, you can wait to get more clarity from the Supreme Court.

For more details visit https://cis-india.org/internet-governance/news/shaikh-zoaib-saleem-livemint-november-14-2017-aadhaar-seeding-benefits-and-concerns

UIDAI admits 210 government websites made Aadhaar details public

Admin — 2017-11-21T16:03:29Z

The Unique Identification Authority of India (UIDAI) has admitted that Aadhaar details were leaked on over 200 central and state government websites.

The article was published in the Financial Express on November 20, 2017.

The Unique Identification Authority of India (UIDAI) has admitted that Aadhaar details were made public on over 200 central and state government websites. According to an RTI reply, these websites publicly displayed name, address and other details of Aadhaar beneficiaries, which was removed when the breach was identified.

However, UIDAI does not have information about the time of the breach. It also said that Aadhaar details have never been made public by UIDAI. “However, it was found that approximately 210 websites of the central government, state government departments including educational institutes were displaying the list of beneficiaries along with their name, address, other details and Aadhaar numbers for information of the general public,” it said.

UIDAI issues Aadhaar — a 12-digit unique identification number — which acts as a proof of identity and addresses anywhere in the country. Lately, Aadhaar has been creating furore for security and privacy reasons, especially after the Narendra Modi government began aggressively pushing the identification number to be linked with social benefits, banks, PAN, mobile number et al. In a landmark judgement this August, the Supreme Court ruled that privacy was a fundamental right of citizens, weakening the case for pushing Aadhar.

Currently, cases are being heard in the apex court on linking Aadhaar to banks and mobile numbers. In May, the Centre for Internet and Society had claimed that Aadhaar numbers of as many as 135 millions could have been leaked. “Based on the numbers available on the websites looked at, the estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million,” the report by CIS had said. Further, as many as 100 million bank account numbers could have been “leaked” from the four portals, it had added.

UIDAI and the government had been vehemently denying that Aadhaar details can be leaked despite apprehension from different sections of society. Soon after the RTI reply appeared in media, UIDAI refuted the news of leaks, calling it a “skewed presentation of facts. “Such report is a skewed presentation of the facts and poses as if the Aadhaar data is breached or leaked which is not the true presentation. Aadhaar data is fully safe and secure and there has been no data leak or breach at UIDAI,” press release by PIB said.

It said that the data on these websites was placed in public domain as a measure of proactive disclosure under the RTI Act.

For more details visit https://cis-india.org/internet-governance/news/financial-express-november-20-2017-government-websites-made-aadhaar-details-public

Attempted data breach of UIDAI, RBI, ISRO and Flipkart is worrisome

Admin — 2018-01-02T16:20:58Z

Perhaps, we got lucky this time, but the ongoing problem of massive cyber-security breaches wouldn't stop at one thwarted attempt to steal sensitive information from the biggest and most important databases.

This was published by DailyO on October 4, 2017.

An alarming report on a potential data breach impacting almost 6,000 Indian organisations — including the Unique Identification Authority of India (UIDAI) that hosts Aadhaar numbers, Reserve Bank of India, Bombay Stock Exchange and Flipkart — has surfaced and supposedly been contained.

A cyber security firm in Pune, Seqrite, had found in its Cyber Intelligence Labs that India's national internet registry, IRINN (Indian Registry for Internet Names and Numbers), which comes under NIXI (National Internet Exchange of India), was compromised, though the issue has reportedly been "addressed".

Sequite tracked an advertisement on the "dark net" — the digital underworld — offering access to servers and database dump of more than 6,000 Indian businesses and public assets, including the big ones such as UIDAI, RBI, BSE and Flipkart.

The report states that the "dealer could have had access to usernames, email ids, passwords, organisation name, invoices and billing documents, and few more important fields, and could have potentially shut down an entire organisation".

The UIDAI has denied the security breach of Aadhaar data in the IRINN attacks, in an expected move. "UIDAI reiterated that its existing security controls and protocols are robust and capable of countering any such attempts or malicious designs of data breach or hacking," said the report, which is basically a rebuttal from the powerful organisation at the heart of centralising all digital information of all Indians.

Though the aggrieved parties have been notified, and the NCIIPC (National Critical Information Infrastructure Protection Centre) is looking at the issue, what this means is that digital information is a minefield susceptible to all kinds of threats from criminals as well as foreign adversaries, along with being commercially exploited by major conglomerates.

Till August 2017 alone, around 37 incidents of ransomware attacks have been reported, including the notorious WannaCry attacks. But what makes the attacks very, very threatening is the government's insistence — illegal at that — to link Aadhaar with every service, and create a centralised nodal, superior network of all networks.

This "map of maps" has been rightly called out as a potential national security threat, as it makes a huge reservoir of data vulnerable to cyberthreats from mercenaries, the digital underworld and foreign adversaries.

A widely circulated report prepared by the Centre for Internet and Society (CIS) underlined the major flaws in the 2016 Aadhaar Act, that makes it vulnerable to several digital threats. Photo: Reuters

That the data dump in the digital black market provides access to entire servers for a meagre sum of Rs 42 lakh, as mentioned in the report, is a sign of how insecure our personal information could be on the servers of the biggest government organisations and commercial/online retail giants. This includes the likes of Flipkart, which store our passwords, emails, phone numbers and other important information linked to our bank details and more.

Whilst UIDAI was declared a "protected system" under Section 70 of the Information Technology Act, and a critical information infrastructure, in practice, there are way too many breaches and leaks of Aadhaar data to merit that tag.

Because the current (officially thwarted) attempt to hack into these nodal databases involved the data of hundreds of millions of Indians, the matter has been dealt with the required seriousness. However, as the report states, "among the companies whose emails they found were Tata Consultancy Services, Wipro, Indian Space Research Organisation, Mastercard/Visa, Spectranet, Hathway, IDBI Bank and EY".

This is a laundry list of the biggest and most significant organisations, with massive digital footprints, which are sitting on enormous databanks. Hacking into ISRO, for example, could pose a formidable risk to India's space programmes as well as jeopardise information safety of crucial space projects that are jointly conducted with friendly countries such as Russia, China and the US.

A widely circulated report prepared by the Centre for Internet and Society (CIS) on the Aadhaar Act and its non-compliance with data protection law in India underlined the major flaws in the 2016 Aadhaar Act, that makes it vulnerable to several digital threats.

Moreover, CIS also reported how government websites, especially "those run by National Social Assistance Programme under Ministry of Rural Development, National Rural Employment Guarantee Act (NREGA) run by Ministry of Rural Development, Daily Online Payment Reports under NREGA (Governemnt of Andhra Pradesh) and Chandranna Bima Scheme (also run by Government of Andhra Pradesh) combined were responsible for publicly exposing personal and Aadhaar details of over 13 crore citizens".

The government has been rather lackadaisical about the grave security threats posed by India's shaky digital infrastructure, saying it's robust when it's not: the UIDAI itself has been brushing the allegations of exclusion, data breach and leaking of data from various government and private operators' servers and there have been several documentations of the security threat as well as the human rights violations that the digital breaches pose for India's institutions and its citizens.

As noted welfare economist Jean Dreze says, "With Aadhaar immensely reinforcing the government's power to reward loyalty and marginalise dissenters, the embers of democracy are likely to be further smothered."

Even as India's jurisprudence held privacy and autonomy as supreme, Indians remain vulnerable to institutional failures and an abject lack of awareness on the gravity of digital destabilisation.

For more details visit https://cis-india.org/internet-governance/news/daily-o-october-4-2017-attempted-data-breach-of-uidai-rbi-isro-and-flipkart

Privacy is not a unidimensional concept

amber — 2017-08-07T08:02:20Z

Right to privacy is important not only for our negotiations with the information age but also to counter the transgressions of a welfare state. A robust right to privacy is essential for all citizens in India to defend their individual autonomy in the face of invasive state actions purportedly for the public good. The ruling of this nine-judge bench will have far-reaching impact on the extent and scope of rights available to us all.

This article, written by Amber Sinha was published in the Economic Times on July 23, 2017.

In a disappointing case of judicial evasion by the apex court, it has taken over 600 days since a reference order passed in August 11, 2015, for this bench to be constituted. Over two days of arguments, the counsels for the petitioners have presented before the court why the right to privacy, despite not finding a mention in the Constitution of India, is a fundamental right essential to a person’s dignity and liberty, and must be read into not one but multiple articles of the Constitution. The government will make its arguments in the coming week.

One must wonder why we are debating the contours of the right to privacy, which 40 years of jurisprudence had lulled us into believing we already had. The answer to that can be found in a series of hearings in the Aadhaar case that began in 2012. Justice KS Puttaswamy, a former Karnataka High Court judge, filed a petition before the Supreme Court, questioning the validity of the Aadhaar project due its lack of legislative basis (since then the Aadhaar Act was passed in 2016) and its transgressions on our fundamental rights. Over time, a number of other petitions also made their way to the apex court, challenging different aspects of the Aadhaar project. Since then, five different interim orders by the Supreme Court have stated that no person should suffer because they do not have an Aadhaar number. Aadhaar, according to the court, could not be made mandatory to avail benefits and services from government schemes. Further, the court has limited the use of Aadhaar to specific schemes: LPG, PDS, MGNREGA, National Social Assistance Programme, the Pradhan Mantri Jan Dhan Yojna and EPFO.

The real spanner in the works in the progress of this case was the stand taken by Mukul Rohatgi, then attorney general of India who, in a hearing before the court in July 2015, stated that there is no constitutionally guaranteed right to privacy. His reliance was on two Supreme Court judgments in MP Sharma v Satish Chandra (1954) and Kharak Singh v State of Uttar Pradesh (1962): both cases, decided by eight- and six-judge benches respectively, denied the existence of a constitutional right to privacy. As the subsequent judgments which upheld the right to privacy were by smaller benches, Rohatgi claimed that MP Sharma and Kharak Singh still prevailed over them, until they were overruled by a larger bench.

The reference to a larger bench has since delayed the entire matter, even as a number of government schemes have made Aadhaar mandatory. This reading of privacy as a unidimensional concept by the courts is, with due respect, erroneous. Privacy, as a concept, includes within its scope, spatial, familial, informational and decisional aspects. We all have a legitimate expectation of privacy in our private spaces, such as our homes, and in our personal relationships. Similarly, we must be able to exercise some control over how personal data, like our financial information, are disseminated. Most importantly, privacy gives us the space to make autonomous choices and decisions without external interference. All these dimensions of privacy must stand as distinct rights. In MP Sharma, the court rejected a certain aspect of the right of privacy by refusing to acknowledge a right against search and seizure. This, in no way prevented the court, even in the form of a smaller bench, from ruling on any other aspects of privacy, including those that are relevant to the Aadhaar case.

The limited referral to this bench means that the court will have to rule on the status of privacy and its possible limitations in isolation, without even going into the details of the Aadhaar case (based on the nature of protection that this bench accords to privacy, the petitioners and defendants in the Aadhaar case will have to argue afresh on whether the project does impede on this most fundamental right). There are no facts of the case to ground the legal principles in, and defining the contours of a right can be a difficult exercise. The court must be wary of how any limits they put on the right may be used in future. Equally, it is important to articulate that any limitations on the right to privacy due to competing interests such as national security and public interest must be imposed only when necessary and always be proportionate.

It will not be enough for the court to merely state that we have a constitutional right to privacy. They would be well advised to cut through the muddle of existing privacy jurisprudence, and unequivocally establish the various facets of the right. Without that, we may not be able to withstand the modern dangers of surveillance, denial of bodily integrity and self-determination through forcible collection of information. The nine judges, in their collective wisdom, must not only ensure that we have a right to privacy, but also clearly articulate a robust reading of this right capable of withstanding the growing interferences with our autonomy.

For more details visit https://cis-india.org/internet-governance/privacy-is-not-a-unidimensional-concept

Aadhar: Privacy is not a unidimensional concept

amber — 2017-08-23T01:50:19Z

Right to privacy is important not only for our negotiations with the information age but also to counter the transgressions of a welfare state. A robust right to privacy is essential for all Indian citizens to defend their individual autonomy in the face of invasive state actions purportedly for the public good.

The article was published in the Economic Times on July 23, 2017.

The ruling of this nine-judge bench will have far-reaching impact on the extent and scope of rights available to us all. In a disappointing case of judicial evasion by the apex court, it has taken over 600 days since a reference order was passed in August 11, 2015, for this bench to be constituted. Over two days of arguments, the counsels for the petitioners have presented before the court why the right to privacy, despite not finding a mention in the Constitution of India, is a fundamental right essential to a person’s dignity and liberty, and must be read into not one but multiple articles of the Constitution. The government will make its arguments in the coming week.

For more details visit https://cis-india.org/internet-governance/blog/economic-times-july-23-2017-amber-sinha-aadhar-privacy-is-not-a-unidimensional-concept

Social Activist Alleges Threat By Police Officer Over Possession of Aadhaar

Admin — 2017-07-20T14:31:12Z

Social activist Shabnam Hashmi recorded a policeman telling her those without address proof and Aadhaar could be “eliminated”.

The article by Gaurav Vivek Bhatnagar was published in the Wire on July 16, 2017. Pranesh Prakash was quoted.

Well-known social activist Shabnam Hashmi held a press conference to say she was threatened on the telephone by a police officer at the Lajpat Nagar police station warning her that the government had launched a ‘surround and eliminate’ campaign against people whose addresses are not known and who do not possess Aadhaar numbers or cards. This is now a standing instruction to all police stations, Hashmi was told. Moreover, the officer – accused of threatening and abusing Hashmi when she called him on the night of July 14 to know why the husband of a woman, who learns stitching at a training centre run by the NGO Pehchan at Jaitpur in south-east Delhi, had been summoned at a late hour – insisted that police personnel were well within their rights to act in this way.

The police may brush aside this assertion as the concerned officer’s personal opinion, or they may deny the veracity of the conversation, which Hashmi recorded and shared with the media; but she and other anti-Aadhaar activists say the interaction raises questions about the consequences – intended or unintended – of the Centre’s stress on making Aadhaar mandatory for the personal liberty and civil rights of ordinary residents.

Many Aadhaar critics have, in the past, expressed the fear that the irresponsible use or misuse of Aadhaar could lead to India becoming a ‘surveillance state’ or ‘police state’ by placing enormous discretionary powers in the hands of unscrupulous state officials.

Petitioners in SC had cautioned against misuse of Aadhaar

Earlier this year, Communist Party of India leader Binoy Viswam had filed a petition in the Supreme Court questioning the introduction of Section 139 AA of the IT Act to link Aadhaar cards with PAN cards. Subsequently, in an interview in April this year, he had noted that “the citizens are becoming instruments in the hands of the state” as “by taking fingerprints, iris scans and other details of the citizens of the country, the state is becoming the custodian of its people.” He had also expressed the fear that “the state can use this data according to its whims and fancies”.

Viswam could not have been more correct. Much before the use of data, “elements” of the state have started using the ruse of creation of data itself as a convenient tool to threaten and intimidate people and this is precisely what happened in the case of Hashmi.

Recalling the incident, Hashmi, who is the founding trustee of Pehchan, said the NGO runs a small centre in Jaitpur extension where it teaches school dropouts to appear for class 10 and 12 examinations and also runs sewing classes for women.

Hashmi said that at around 9 pm on July 14, Haseen, the husband of Mubina, one of the trainees, was summoned by a sub-inspector to the Lajpat Nagar police station regarding a complaint. When Hashmi called up the police station to find out what the summons was about, the policeman allegedly “hurled abuses”, and used “highly derogatory and uncivilised language” during the conversation.

Though Hashmi did not have a recorder in her phone at the time of the first call, she subsequently downloaded one and later recorded her conversation with the same officer.

In this conversation, the policeman is heard reasoning with Hashmi that he had not summoned Haseen at a late hour. He claimed that he used harsh language in the first conversation since she had not identified herself and had only proclaimed herself to be a social worker. It also comes across in the conversation that Hashmi had told the man in the earlier conversation that he was drunk while being on duty and that this had irked him. It emerged that the cop had got an inkling that she was recording the later conversation, because of which he apparently mellowed down.

The issue assumes significance as after declaring twice in the past that Aadhaar cannot be made mandatory for delivering services, the Supreme Court had recently upheld the validity of an Income Tax law amendment linking PAN with Aadhaar for filing tax returns.

Former Attorney General Mukul Rohatgi had argued that the government was “entitled to have identification” and that “as constituents of society people can’t claim immunity from identification.” Rohatgi had insisted that “no right is absolute, right to body is not absolute. Under extreme cases even right to life can be taken away, under due process.”

Experts have often cautioned against Aadhaar misuse

According to legal experts, the illegalities related to Aadhaar do not just end with such arguments. Writing for The Wire, Prashant Reddy T., a research associate at the School of Law, Singapore Management University, had noted that in the past couple of months the “Modi government has increasingly used its rule-making powers under various laws in a manner which is contrary to the law of the land.” He was referring to the Centre’s announcement to mandatorily link Aadhaar numbers to all non-small bank accounts, failing which, access to the bank accounts would be disabled after December 31.

“As is often the case with this government, the question now is whether this new mandatory Aadhaar requirement (and the threatened punishment) is legal,” the expert had asked.

Earlier this year, writing for the Hindustan Times, Pranesh Prakash, policy director at the Centre for Internet and Society, and an affiliated fellow at Yale Law School’s Information Society Project, had referred to the immense potential of Aadhaar for profiling and surveillance. He had called for fundamentally altering Aadhaar, saying that if the rampant misuse of surveillance and wilful ignorance of the law by the state were anything to go by, the future looked bleak.

For more details visit https://cis-india.org/internet-governance/news/the-wire-gaurav-vivek-bhatnagar-july-16-2017-social-activist-alleges-threat-by-police-officer-over-possession-of-aadhaar

Centre to form panel to 'encrypt' MGNREGA-DBT database and prevent leaks

praskrishna — 2017-07-14T10:46:45Z

Around 5 crore bank accounts of active MGNREGA workers yet to be seeded with Aadhaar.

The article by Sanjeeb Mukherjee was published in the Business Standard on July 14, 2017.

Alarmed over reports of ‘public disclosure’ of sensitive Aadhaar data through various portals and payment gateways, the Centre is in the process of appointing a high-powered panel of almost 20 experts to suggest ways and means through which data, particularly one which can be accessed through the MGNREGA-DBT platform can be encrypted.

Encryption, officials believe, would prevent the Aadhaar data and other related information from falling into wrong hands.

The need for proper encryption of Aadhaar data rose after the government made it mandatory for availing almost all benefits - be it school scholarships, payments of MGNREGA wages, identification of beneficiaries under mid-day meal scheme and even public distribution system along with others.

Ensuring cyber security has become all the more necessary as the Central government, in a notification issued last month, has made it mandatory for all bank accounts to be seeded with Aadhaar numbers by December 31, 2017, or else they would cease to be operational until the time the account holder furnishes his Aadhaar number.

This could seriously hamper payment of wages to MGNREGA workers because as per available information almost 5 crore active workers don’t have their bank accounts seeded with Aadhaar.

To complete the process before December 2017, the ministry of rural development has planned special Aadhaar camps to be held in villages from July 20 to September 2017.

Recently, a website published all confidential details of customers of a private telecom company including Aadhaar numbers and other information.

The breach was another instance of secure confidential information falling into public domain.

Officials of the panel, which would be headed by former NASSCOM head Kiran Karnik are expected to submit their report on the same within the next few months.

Other members of the panel include Director General of National Institute of Smart Governance (NISG), officials from Indian Computer Emergency Response Team (ICERT) and others.

However, cyber security experts believe that encrypting Aadhaar-DBT details mainly for those schemes and programmes which have a direct linkage with the public at this later stage has its own challenges as the entire ecosystem around Aadhaar has grown manifold ever since it was made mandatory for a variety of programmes.

Also, in the absence of a national encryption policy, such a move will have its own legal and regulatory challenges.

“Ever since the government made Aadhaar mandatory for many things, the entire ecosystem around it including the Central Identities Data Repository (the agency which stores Aadhaar data is exposed to leaks,” noted cyber law expert Pawan Duggal told Business Standard.

He said that without a proper national encryption law, it would be extremely challenging to provide legal and regulatory backing to encrypt all Aadhaar- DBT data details for MGNREGA. “Also now that the ‘cat is out of the bag,’ encryption of Aadhaar details will be hugely challenging,” Duggal said.

Already, civil society activists said that after some concern, the central government has removed all Aadhaar numbers and bank details from MGNREGA website, which has made tracking payments difficult.

A recent study by Amber Sinha and Srinivas Kodali from the Centre for Internet and Society (CIS) found that granular details about individuals including sensitive personally identifiable information such as Aadhaar number, caste, religion, address, photographs and financial information are only a few clicks away through government schemes dashboard and portals.

“While initiatives such as the government open data portals may be laudable for providing easy access to government data condensed for easy digestion, however in the absence of proper controls exercised by the government departments the results can be disastrous by divulging sensitive and adversely actionable information about the individuals who are responding units of such databases,” the report said.

It specifically studied two major schemes of the ministry of rural development; the National National Social Assistance Programme and MGNREGA along with some state schemes.

Pointers

a) Centre to form a panel to encrypt all MGNREGA-DBT database to prevent leaks.

b) The panel might also suggest ways and means in which such ‘encryption’ could be applied in other platforms.

c) The panel is expected to be headed by former NASSCOM head Kiran Karnik.

d) The encryption is essential as from January 2018 all non-Aadhaar seeded bank accounts will cease to be operational unless the holders seed them.

e) A recent study found that vivid details about individuals can be easily accessed from government platforms and databases.

f) The MGNREGA database was one such publicly available platform which formed part of the study.

For more details visit https://cis-india.org/internet-governance/news/business-standard-sanjeeb-mukherjee-july-14-2017-centre-to-form-panel-to-encrypt-mgnrega-dbt-database-and-prevent-leaks

Supreme Court sets up constitution bench to hear Aadhaar privacy issues

praskrishna — 2017-07-14T10:55:04Z

The Supreme Court ‘s five-judge constitution bench will also decide if the Aadhaar privacy issue should be heard by a larger bench.

The article by Priyanka Mittal was published in Livemint on July 12, 2017. Sunil Abraham was quoted.

A five-judge constitution bench will hear arguments on 18-19 July as to whether Indian citizens have the right to privacy, and whether the Aadhaar unique identity project breaches the right.

Chief Justice of India (CJI) J.S. Khehar on Wednesday set the dates for the hearing by the constitution bench, which will decide whether the issue should be heard by a larger bench.

Should the five-judge bench decide to rule on the case itself and not refer it to a larger bench, it will decide the future of Aadhaar, which has become the backbone of government welfare programmes, the tax administration network and online financial transactions.

This will be based on whether the right to privacy is a fundamental right of Indian citizens.

Privacy rights activists argue that personal data gathered under the Aadhaar programme, aimed at giving a unique 12-digit identity number to every Indian, is vulnerable to abuse. Then attorney general Mukul Rohatgi told the Supreme Court in 2015 that Indian citizens don’t have a fundamental right to privacy under the Indian Constitution—an argument he repeated subsequently.

“In the two-day hearing, the court is not going to decide the full issue of privacy,” said Alok Prasanna Kumar, a lawyer and visiting fellow at think tank Vidhi Centre for Legal Policy, explaining how the Constitution bench is likely to proceed. “They are going to take a call on whether, in light of precedents, there is a need to refer the issue to a larger bench. There are past judgements and the court will have to look at the scope of privacy under each to decide the number of judges.”

He added: “If the five-judge bench agrees with the precedents, then it would continue to address the angle of privacy; if not, then it would be referred back to the CJI to constitute a larger bench of nine judges.”

All cases related to Aadhaar, including the right to privacy, will be heard by the constitution bench; the court decided to set up the constitution bench to hear the privacy case in August 2015.

The CJI’s decision came on a plea by advocate Shyam Divan, who has appeared in several cases opposing Aadhaar, and attorney general K.K. Venugopal seeking the speedy creation of a Constitution bench. It came a week after justice J. Chelameswar said that all matters related to Aadhaar should be addressed by a constitution bench.

“I see it as a step in the right direction. Personally, I hope that the privacy issue is heard by a five-judge bench as against a larger bench as that can bring more disagreement,” said Sunil Abraham, executive director of Bengaluru-based research think tank Centre for Internet and Society.

Last month, the Supreme Court court upheld the government’s decision to link Aadhaar with the permanent account number (PAN) for filing of income-tax returns but ruled that non-compliance with the law will carry no retrospective consequences.

Under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, the unique identity number is mandatory only to receive social welfare benefits.

For more details visit https://cis-india.org/internet-governance/news/livemint-priyanka-mittal-july-12-2017-supreme-court-sets-up-constitution-bench-to-hear-aadhaar-privacy-issues

Reliance Jio data leaked on website : report

praskrishna — 2017-07-10T14:53:42Z

Reliance Jio customer data was leaked on independent website magicapk.com, including details such as names, mobile numbers and email IDs , said a report.

The article was published by Livemint on July 10, 2017.

Reliance Jio Infocomm Ltd’s customer data was allegedly leaked on an independent website, magicapk.com, a report said. Jio, which crossed the 100 million mark in February, barely six months after it was launched, ended the financial year with 108.9 million subscribers as of 31 March.

The report, published first in a late-night article on Sunday on Fonearena.com, alleged that “several sensitive details” were exposed, including customers’ first and last names, mobile numbers, email IDs, circles, SIM activation dates and even the Aadhaar numbers. The Aadhaar numbers, however, were redacted on magicapk.

“To my disbelief I found my own details in the database and also couple of my colleagues are affected too,” wrote Varun Krish, the author of the article. However, if you now click on Magicapk.com, it reads: “This Account has been suspended .” The Registrar of the site, according to the whois database, is Godaddy.com, LLC.

When contacted, a Reliance Jio spokesperson said, “We have come across the unverified and unsubstantiated claims of the website and are investigating it. Prima facie, the data appears to be unauthentic. We want to assure our subscribers that their data is safe and maintained with highest security. Data is only shared with authorities as per their requirement. We have informed law enforcement agencies about the claims of the website and will follow through to ensure strict action is taken.”

Fonearena.com, on its site, has responded with a: “We still stand by our story.”

The report assumes significance because the site exposed redacted Aadhaar card details. There are nearly 1.2 billion Aadhaar number holders in the country. Aadhaar aims to plug leakages in the delivery of state benefits, such as subsidized grains to the poor, and aid in generating a savings of about Rs70,000 crore a year for the government. But data breaches have rattled citizens, especially since India does not have a Privacy Act.

In March, the Unique Identification Authority of India (UIDAI) blacklisted a common services centre for 10 years after it shared the Aadhaar details of former cricket captain Mahendra Singh Dhoni. On 25 April, Mint reported that many government departments, including the ministry of drinking water and sanitation, the Jharkhand Directorate of Social Security, and the Kerala government’s pension department, had published Aadhaar numbers of beneficiaries of the schemes they run in violation of the Aadhaar Act .

On 1 May, Bengaluru-based think tank Centre for Internet and Society (CIS) reported that a Central government ministry and a state government may have made public up to 135 million Aadhaar numbers .

Under the Aadhaar (Targeted Delivery of Financial Subsidies, Benefits and Services) Act, 2016, the unique identity number is mandatory only to receive social welfare benefits. However, tagging of the Aadhaar number is being made mandatory by the government for various schemes including PAN (permanent account number) accounts for taxation. On 7 July, the Supreme Court refused to pass any interim order against the mandatory use of Aadhaar for various government schemes. It, instead, suggested that petitioners call for immediate formation of a Constitution bench to decide on the case .

News of the alleged data leak also comes at a time when there have been a spate of cyber hacks.

For instance, just when companies started believing that WannaCry—the malware that held over 200,000 individuals across 10,000 organizations in nearly 100 countries to ransom—was on the wane, a virus christened GoldenEye (a variant of the Petya ransomware) by security firm Bitdefender Labs attacked companies, mostly in Ukraine. And while the target primarily appeared to be European countries, the ransomware was also reported to be making inroads in countries like India.

For more details visit https://cis-india.org/internet-governance/news/livemint-july-10-2017-reliance-jio-data-leaked-on-website-report

UIDAI declining multiple requests by police to share Indian citizens’ biometrics

praskrishna — 2017-07-06T15:25:32Z

The Unique Identification Authority of India (UIDAI), the governing agency in charge of Aadhaar, has declined multiple requests from all law enforcement agencies, including the Delhi Police, for biometrics of citizens for criminal investigations, according to a report by The Indian Express.

The blog post by Justin Lee was published by Biometric Update on July 4, 2017.

Investigating agencies such as CBI and NIA have been repeatedly requesting the details of Aadhaar cardholders including their biometrics, UIDAI said.

UIDAI Deputy Director General Rajesh Kumar Singh has written to the heads of each agency, ordering them to stop asking for such details.

“This is regarding requests frequently received by the UIDAI from police and other law enforcement agencies, seeking demographic and biometric information of residents for facilitating identification of individuals in different cases,” Singh said in his letter. “In this regard, I would like to draw your kind attention to provisions under Sections 28 and 29 of the Aadhaar (Targeted delivery of financial and other subsidies, benefits and services) Act, 2016, which prohibits sharing of core biometric and identity related information with other authorities.”

Rather than asking forensic labs to match fingerprints, state police and investigating agencies are requesting biometrics data from UIDAI.

“Identity information cannot be shared by UIDAI,” Singh said. “The requests received from law enforcement agencies lead to avoidable delays in investigation by the police authorities and unnecessary increase in the workload of subordinate authorities.”

UIDAI is also concerned about data potentially leaking as the central government has confirmed that identities of individuals, including Aadhaar numbers and other private information, has been leaked to the public.

In May, the Centre for Internet and Society published a report that claimed between 130 to 135 million numbers in India’s Aadhaar biometric registry system, and around 100 million bank numbers of pensioners and rural jobs-for-work beneficiaries, have been leaked online by four key government programs.

For more details visit https://cis-india.org/internet-governance/news/biometric-update-july-4-2017-justin-lee-uidai-declining-multiple-requests-by-police-to-share-indian-citizens-biometrics

Why did Nandan Nilekani praise a Twitter troll?

praskrishna — 2017-06-12T01:34:53Z

As the Supreme Court upholds the linking of ‘Aadhar’ with PAN, questions around ex-UIDAI chairman Nandan Nilekani praising iSPIRT head Sharad Sharma Twitter troll and ‘Aadhar’s privacy properties will continue to be asked.

The article by Kiran Jonnalgadda was published in the Indian Express on June 10, 2017.

Last month, Sharad Sharma, the head of the Indian Software Product Industry Round Table (iSPIRT) Foundation, an organisation that promotes Aadhaar to industry, was outed as the operator of at least two anonymous Twitter troll accounts that viciously harassed and defamed critics of Aadhaar. The shocking revelation was first met with denial by iSPIRT, and then followed by what may be understood as a reticent apology from Mr Sharma.

In a bizarre sequence of events, the apology received praise from several quarters. iSPIRT’s Guidelines and Compliance Committee (IGCC) investigated Mr Sharma and the ‘Sudham’ team that coordinated the trolling campaign. Two members of the investigating committee subsequently resigned, although only one confirmed.

The committee’s findings, confirming that Mr Sharma was responsible, were summarised for the public by Mr Sharma himself, who then announced that his role as a public spokesperson would now be handled by Sanjay Jain. Mr Jain was once with the Unique Identification Authority of India (UIDAI), launched by Nandan Nilekani, is currently a director at Nandan Nilekani’s EkStep Foundation, and a close confidante of Mr Sharma. The two have often pitched iSPIRT’s IndiaStack initiative together.

In an internal email questioning this decision, an iSPIRT member asked whether Mr Jain was a part of the ‘Sudham’ team, and whether he was also “at least partially culpable for the [troll] campaign and the violation of the code of conduct.”

The victims of the trolling have received no report, and the two apologies posted by Mr Sharma were both for having “condoned uncivil behaviour”, but not for personally orchestrating the attacks. Among those who praised him was Nandan Nilekani, former chairman of UIDAI and chief mentor of iSPIRT.

Critics have been pointing out for years that Aadhaar lacks sufficient checks and balances, and that claims of benefits are overstated. These concerns have been met with denial, condemnation of critics, and often outright refusal to engage in debate. This has unfortunately only served to alienate an even larger section of the population, turning ordinary citizens into activists.

We can gain an insight into how Aadhaar is promoted by examining iSPIRT. The organisation was founded in 2013 by volunteers who had been working together on the sidelines of the NASSCOM Product Conclave. These volunteers felt the need for an independent grassroots organisation to represent tech entrepreneurs who were building products for India and the world. iSPIRT has grown phenomenally influential over its few years, largely by the work of volunteers who were truly interested in building a mutual assistance community.

Level playing fields are a recurring topic. Just as there is a desire to lower bureaucratic hurdles to give every entrepreneur a fair chance, there is also the question of how a startup can compete against a foreign competitor that has the advantage of a stronger home market.

Flipkart and Ola are two prominent examples in their fight to defend their market share against Amazon and Uber, competitors armed with global experience, more capital, and better trained talent. iSPIRT’s take is that for Indian companies to thrive they must have a supportive ecosystem that enables rapid growth, and so iSPIRT must step up as an “activist think tank”.

One aspect of this activism is IndiaStack, which seeks to help startups by promoting a suite of ‘public goods’: Aadhaar and eKYC for id verification, eSign and Digilocker for digital contracts and certificates, and UPI for payments. If one accepts at face value that these services are well intentioned, then IndiaStack is on a noble quest. The details, unfortunately, are less pristine.

iSPIRT is a private non-profit, but its volunteers include several former members of UIDAI. The guidance and compliance committee (IGCC) investigating the trolling included a current member of government. iSPIRT helped build and evangelise the UPI (United Payments Interface) platform and BHIM app for NPCI, but the level of involvement and terms of the agreement are not public.

For an organisation that claims to champion public goods, iSPIRT is opaque on the level of influence they wield with government (Mr Sharma once claimed some influence but no control), and on who exactly built the various components of IndiaStack, within or outside of government.

They showed a remarkable degree of influence when foisting UPI on a change-resistant banking sector. They have funding from four banks (IDFC, SBI, Bank of Baroda and Axis Bank) and from fintech startups. Despite this level of responsibility, they also have no accountability since they are a pro bono volunteer force, allowing them to distance themselves from failures (UPI failures are NPCI’s problem and Aadhaar failures are UIDAI’s problem, etc) and unpleasant incidents such as the ‘Sudham’ trolling project. (No one has accepted responsibility for operating a troll account.)

At the core of IndiaStack is ‘Aadhaar’, which as it currently stands has serious concerns from its technical architecture to institutional safeguards. Aadhaar lacks publicly verifiable audits, a data breach disclosure policy, or an engagement process for researchers to report concerns.

For reasons best known to them, the promoters of ‘Aadhaar’ are in a tearing hurry to impose it everywhere, in every aspect of an Indian’s life, out of an apparent fear that it will die if adoption slows down. This is eerily reminiscent of startup mantras like “fake it till you make it” and “move fast and break things”.

But ‘Aadhaar’ already has a billion enrollments and the backing of legal measures pushed by the Union Government. There is no threat of imminent demise. And yet, as the Twitter trolling shows, this fear continues to exist for ‘Aadhaar’s proponents, so much so that critics must be silenced at any cost.

Where trolling failed to work, subtler attacks are sure to follow. There have been some in the recent past.

The Centre for Internet and Society (CIS) is facing one such attack for its report on the leak of 130 million Aadhaar numbers. The report received wide coverage and was followed by new rules from MEITy (ministry of Electronics & Information Technology) regarding the handling of Aadhaar numbers, but instead of commending CIS for its role in improving safeguards, UIDAI is accusing it of hacking, demanding the identity of the researcher so that he or she may be individually prosecuted.

When Sameer Kochhar demonstrated that previously captured fingerprints were being reused because Aadhaar’s API lacked technical safeguards, UIDAI responded by prosecuting him. A News18 journalist was also prosecuted for demonstrating how double application for enrollment was possible using different names.

As of September 30, 2017, ‘registered’ devices will be mandatory as the current devices are not secure against fingerprint reuse, and an unknown number of fingerprints have already been captured and stored. This sort of forced technological upgrade will happen again as more problems surface into public consciousness, with more researchers and critics harassed for pointing these out.

‘Aadhaar’ pursues inherently contradictory goals. The process of ‘inorganic seeding’, for instance, allows a database to be seeded with ‘Aadhaar’ numbers, to help a service provider identify and eliminate duplicates without the individual’s cooperation. (Inorganic seeding is an official UIDAI scheme.) And yet, the law prohibits using and sharing ‘Aadhaar’ numbers without the individual’s consent.

‘Aadhaar’ aims to be an inclusive project, providing an identity for everyone, and yet easily lends itself to being an instrument of exclusion. There is technical exclusion when biometrics fail to match, and there is institutional exclusion when Aadhaar is made mandatory and an individual is then blacklisted from a service or denied Aadhaar enrollment.

Aviation minister Jayant Sinha recently announced a proposal to use digital id for just this purpose. ‘Aadhaar’ in its current state makes it extraordinarily simple for an organisation to demand it for authentication, but what of the necessary safeguards to protect an individual’s rights? Or of ensuring that grievance redressal mechanisms are in place and actually functional? These are not solved by a technical API integration.

Just as we’ve seen with nuclear power, weak institutions which are sensitive to criticism and fail to ensure effective oversight amplify the risks of the underlying technology. Aadhaar’s supporting institutions, whether government bodies like UIDAI or private bodies like iSPIRT, are immature for the mandate they carry. All technology improves with time, but weak institutions hamper their benefit to society.

As the leading promoter of Aadhaar, founding chairman of UIDAI, and chief mentor of iSPIRT, Mr Nilekani must step up and commit to improving the institutions he commands, and take responsibility for their failures. Condemning critics instead does not help build institutions.

For more details visit https://cis-india.org/internet-governance/news/indian-express-kiran-jonnalgadda-june-10-2017-why-did-nandan-nilekani-praise-a-twitter-troll

New law to unlock data economy

praskrishna — 2017-06-12T01:10:06Z

Proposal has been sent to PMO for approval.

The article by Yuthika Bhargava was published in the Hindu on June 9, 2017.

The government is mulling a new data protection law to protect personal data of citizens, while also creating an enabling framework to allow public data to be mined effectively. The move assumes significance amid the debate over security of individuals’ private data, including Aadhaar-linked biometrics, and the rising number of cyber-crimes in the country.

“The Ministry of Electronics and Information Technology (MEIT) is working on a new data protection law. A proposal to this effect has been sent to the Prime Ministers’ Office for approval,” a senior ministry official told The Hindu.

Once the PMO approves it, the ministry will set up a “cross-functional committee” on the issue.

“We want to include all stakeholders. It will be a high-level committee, and all current and future requirements of the sector will be discussed.”

Two chief aims

The official said: “We are working with two main aims – to ensure that personal data of individuals remain protected and is not misused, and to unlock the data economy.”

The official explained that a lot of benefits can be derived from the data that is publicly available, by using technology and big data analytics. “The information can be used for the benefit of both individuals and companies,” the official said.

“The underlying infrastructure of the digital economy is data. India is woefully unprepared to protect its citizens from the avalanche of companies that offer services in exchange for their data, with no comprehensive framework to protect users,” Software Freedom Law Centre (SFLC.in), a non-profit, said in an emailed reply.

Currently, India does not have a separate law for data protection, and there is no body that specifically regulates data privacy.

“There is nominally a data protection law in India in the form of the Reasonable Security Guidelines under Section 43A of the Information Technology Act. However, it is a toothless law and is never used. Even when data leaks such as the ones from the official Narendra Modi app or McDonald’s McDelivery app have happened, section 43A and its rules have not proven of use,” said Pranesh Prakash, policy director at CIS.

Some redress for misuse of personal data by commercial entities is also available under the Consumer Protection Act enacted in 2015, according to information on the website of Privacy International, an NGO. As per the Act, the disclosure of personal information given in confidence is an unfair trade practice.

For more details visit https://cis-india.org/internet-governance/news/the-hindu-yuthika-bhargava-june-9-2017-new-law-to-unlock-data-economy

Privacy is culture specific, MNCs hit by Aadhaar, says TRAI chief

praskrishna — 2017-06-07T13:57:08Z

A clutch of petitions filed by those opposing what they call the unchecked use of Aadhaar is currently in the Supreme Court.

The article by Pranav Mukul was published in the Indian Express on June 1, 2017.

Questioning the anti-Aadhaar campaigns by non-governmental organisations and civil society groups, Telecom Regulatory Authority of India’s (TRAI) Chairman R S Sharma, who is also the former Director General of Unique Identification Authority of India (UIDAI), said that various multinational companies were being affected by Aadhaar as it was in conflict with their attempts to create their own database of users.

“It’s making a mountain out of a molehill. There are motivated campaigns being launched. Various multinationals are getting affected. There are companies, which are creating their own identities. Someone has called it digital colonisation. The fingerprint scanners on smartphones can be easily used for authenticating Aadhaar but they don’t allow it. A lot of fraudulent or benami transactions can go down because of Aadhaar,” Sharma told The Indian Express. While he refused to elaborate on these multinationals, the remarks are an apparent reference to Silicon Valley giants such as Facebook and Google.

Sharma’s remarks come at a time when civil society groups have flagged serious concerns on issues such as privacy and accountability that arise from the Centre’s increasing use of Aadhaar. A clutch of petitions filed by those opposing what they call the unchecked use of Aadhaar is currently in the Supreme Court.

Recently, a Bengaluru-based NGO — Centre for Internet & Society (CIS) — released a report suggesting 130 million Aadhaar numbers were leaked on government portals. CIS later updated its report to say that there were no “leaks” or “leakages” but a “public disclosure”. The UIDAI served a show-cause notice to CIS, asking it to explain its claims.

The TRAI chairman defended UIDAI’s decision to send the notice to CIS and said that there were no leakages from Aadhaar, or decryption of of biometric data from the UIDAI server. At the same time, Sharma made a case for having a comprehensive data protection law in the country. “There is a need for a larger data protection law. In today’s digitally connected world, data protection law is a must. Data security, its protocols, rules, responsibilities, accountabilities, damage, payments, compensations, all these issues must come in that law,” he said.

“Aadhaar Act, itself, is very self-contained, which takes into account all data protection and privacy issues,” Sharma said, adding that privacy was a cultural concept. “Privacy is a culture specific concept, which they are trying to import here. Except for NGOs, has any individual or poor person complained, or filed a case about privacy?” he asked.

In a recent interview to The Indian Express, Minister of Law & Justice and Electronics & Information Technology Ravi Shankar Prasad had tried to allay fears of any loopholes in the Aadhaar security system and said “this systematic campaign against Aadhaar comes as a surprise for me”. He said that the voter ID information was also in public domain, but “I don’t see any campaign there”.

For more details visit https://cis-india.org/internet-governance/news/indian-express-june-1-2017-pranav-mukul-privacy-is-culture-specific-mncs-hit-by-aadhaar-says-trai-chief