Centre for Internet and Society

Clarification on the Information Security Practices of Aadhaar Report

Amber Sinha and Srinivas Kodali — 2018-11-05T12:08:06Z

We are issuing a second clarificatory statement on our report titled “Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar numbers with sensitive personal financial information” published on May 1, 2017.

The report concerned can be accessed here, and the first clarificatory statement (dated May 16, 2017) can be accessed here.

This clarificatory statement is being issued in response to reports that misrepresent our research. In light of repeated questions we have received, which seem to emanate from a misunderstanding of our report, we would like to make the following clarifications.

Our research involved documentation and taking illustrative screenshots (included in our report) of public webpages on the four government websites listed in our report. These screenshots were taken to demonstrate that the vulnerability existed.
The figure of 130-135 million Aadhaar Numbers quoted in our Report are, as clearly stated, derived directly by adding the aggregate numbers (of beneficiaries/individuals whose data were listed in the three government websites concerned) and published by the portals themselves in the MIS reports publicly available on the portals. The numbers are as follows:
- 10,97,60,343 from NREGA,
- 63,95,317 from NSAP, and
- 2,05,60,896 from Chandranna Bima (screenshots included in the report).
We did not arrive at this number by downloading data ourselves but by adding the figures on the government websites. To our knowledge, no harm, financial or otherwise has been caused to anyone due to the public availability. Further, it must be noted that we published the report only after ascertaining that the websites in questions had masked or removed the data. Therefore our report only points to the possibility that there could be harm caused by malicious actors before the data was taken down. However, we are not aware of any such cases of exploitation, nor do we suggest so anywhere in our report.

We sincerely hope that this clarification helps with a clearer comprehension of the argument and implications of the said report. We urge those who are using our report in their research to reach out to us to prevent the future misinterpretation of the report.

— Amber Sinha and Srinivas Kodali

For more details visit https://cis-india.org/internet-governance/blog/clarification-on-the-information-security-practices-of-aadhaar-report

CIS Submission to TRAI Consultation Note on Model for Nation-wide Interoperable and Scalable Public Wi-Fi Networks

2016-12-12T13:59:00Z

This submission presents responses by the CIS on the Consultation Note on Model for Nation-wide Interoperable and Scalable Public Wi-Fi Networks published by the TRAI on November 15, 2016. Our analysis of the solution proposed in the Note, in brief, is that there is no need of a solution for non-existing interoperability problem for authentication and payment services for accessing public Wi-Fi networks. The proposed solution in this Note only adds to over-regulation in this sector, and does not incentivise new investment in the sector, but only establishes UIDAI and NPCI as the monopoly service providers for authentication and payment services.

The comments were authored by Japreet Grewal, Pranesh Prakash, Sharath Chandra, Sumandro Chattapadhyay, Sunil Abraham, and Udbhav Tiwari, with expert comments from Amelia Andersdotter.

1. Preliminary

1.1. This submission presents responses by the Centre for Internet and Society (“CIS”) [1] on the Consultation Note on Model for Nation-wide Interoperable and Scalable Public Wi-Fi Networks (“the Note”) published by the Telecom Regulatory Authority of India (“TRAI”) on November 15, 2016 [2].

1.2. The CIS welcomes the effort undertaken by TRAI to map regulatory and other barriers to deployment of public Wi-Fi in India. We especially appreciate that TRAI has recognised [3] two key barriers to provision of public Wi-Fi networks identified and highlighted in our earlier response to the Consultation Paper on Proliferation of Broadband through Public WiFi [4]: 1) over regulation (including, licensing requirements, data retention, and Know Your Customer policy), and 2) paucity of spectrum [5].

2. General Responses

2.1. Before responding to the specific questions posed by the Note, we would like to make the following observations.

2.2. There is no need of a solution for non-existing interoperability problem for authentication and payment services for accessing public Wi-Fi networks. The proposed solution in this Note only adds to over-regulation in this sector. The proposed solution does not incentivise new investment in the sector, but only establishes UIDAI and NPCI as the monopoly service providers for authentication and payment services.

2.3. As the TRAI has consulted widely with industry and other stakeholders before it settled on the list of priority issues contained in Section C.6 of the Note, we are surprised to find that this Note aims to address only the problem of lack of “seamless interoperable payment system for Wi-Fi networks” (Section C.6.d. Of the Note), and does not discuss and propose solutions for any other key barriers identified by the Note.

2.4. The Note fails to clarify the “interoperability” problem in the payment system for usage of public Wi-Fi networks that it is attempting to solve. The Note identifies that lack of “single standard” for “authentication and payment mechanisms” for accessing public Wi-Fi networks as a key impediment to provide scalable and interoperable public Wi-Fi networks across the country [6]. By conceptualising the problem in this manner, TRAI has bundled together two completely different concerns - authentication and payment - into one and this is at the root of the problems emanating from the proposed solution in this Note.

2.5. Lack of standard process for authentication is created by over-regulation via Know Your Customer (“KYC”) policies, and selection of eKYC service provided by UIDAI as the only acceptable authentication mechanism for all users of public Wi-Fi networks across India, creating further economic and legal challenges for smaller would-be providers of public Wi-Fi networks as they assess their liabilities and start-up costs. Additionally, since this would amount to making UID/Aadhaar enrolment mandatory for any user of public wi-fi networks, it seems to create a contradiction with previously communicated policy from the UIDAI and the Government that no such obligation should arise. Supreme Court has also mandated over successive Orders that enrolment for UID/Aadhaar number should remain optional for the citizens and residents.

2.6. As was observed by the respondents to the TRAI Consultation concluded earlier this year, there is no interoperability problem that needs to be solved regarding payments for accessing public Wi-Fi networks. Payment services continue to be evolved and payment aggregator services provided by existing companies may be expected to resolve many of the outstanding issues of service proliferation in the upcoming years, at least in the absence of additional mandatory technical measures imposed by the government. Bundling of payment with authentication will only undermine the already existing independent market for payment aggregators, and further enforce mandatoriness of UID/Aadhaar number.

2.7. Further, the payment mechanism proposed would seem to worsen difficulties for tourists and foreigners in accessing public Wi-Fi in India, as well adds an additional layer of authentication in a system already identified (even in the Note itself) to be overburdened by regulations regarding KYC and data retention. Section C.6.b of the Note highlights the problems faced by foreigners and tourists when the authentication mechanism is premised upon use of One Time Password (OTP) that requires a functioning local mobile phone number. It contradicts itself later by proposing an authentication method that requires the user to not only download an application onto their mobile/desktop device, but also to enrol for UID/Aadhaar number and/or to use their existing UID/Aadhaar number. Instead of reducing the existing barriers to provision of and access to public Wi-Fi, which the Note is supposed to achieve, it creates significant new barriers.

2.8. The technological architecture advanced by the Note upholds support of governance and surveillance projects that, in addition to being costly in their implementation and thereby slowing down the objective of getting India connected, are also of questionable value to the security of the Indian polity. UID, UPI, and related projects risk undermining cyber-security through their reliance on centralised architectures and interfere with healthy competitive market dynamics between commercial and non-commercial actors.

2.9. The Note continues to only consider and enable commercial models for the provision of public Wi-Fi networks. We have identified this as a problematic assumption in our last submission [7]. It is most crucial that TRAI does not ignore and fail to promote and facilitate the possibility of not-for-profit models that involve grassroot communities, academia, and civil society.

2.10. Last but not the least, the term “Wi-Fi” refers to a particular technology for establishing wireless local area networks. Further, the term is a trademark of the Wi-Fi Alliance [8]. It is this not a neutral term, and it must not be used as a general and universal synonym for wireless local area networks. We recommend that TRAI may consider using a technology-neutral term, say “public wireless services” or “public networking services”, to describe the sector. Following the terminology used in the Note, we have decided to continue using the term “Wi-Fi” in this response. This does not reflect our agreement about the appropriateness of this term. Important: The recommendation for technology-neutral regulation also comes with the qualification that safeguards like regulations on Listen Before Talk and Cycle Time are required to prevent technologies like LTE-U from squatting on spectrum and interfering with connections based on other standards.

3. Specific Responses

Q1. Is the architecture suggested in the consultation note for creating unified authentication and payment infrastructure will enable nationwide standard for authentication and payment interoperability?

3.1. No. The proposed infrastructure is likely to be costly for a large number of actors to implement and undermine some of the ongoing innovation in the Indian digital payment services industry. Rather than being helpful, it risks introducing additional requirements on an industry that TRAI has already identified as facing a number of large challenges.

3.2. There is no need for a unified architecture that provides nationwide standard for authentication and payment interoperability. It does not offer any incentive towards provision of public Wi-Fi networks. Neither is there an interoperability problem at the physical or data link layers that has been pointed out, nor is government mandated interoperability required at the payment or ID layer since there are private entities that provide such interoperability (like, payment aggregators). Additionally, we believe it is inappropriate that the TRAI is trying to predict the most suitable business/technological model for digital payments to be used for accessing commercial Wi-Fi networks. India has a booming online payments industry, and it must be allowed to evolve in an enabling regulatory environment that allow for competition and ensures responsible practices.

3.3. The Note identifies several structural impediments to expansion of public Wi-Fi networks in India, namely paucity of backhaul connectivity infrastructure (Section C.6.a), Inadequate associated infrastructure to offer carrier grade Wi-Fi network (Section C.6.c), dependency of authentication mechanism on pre-existing (Indian) mobile phone connection (Section C.6.b), and limited availability of spectrum to be used for public Wi-Fi networks (Section C.6.e). All these are crucial concerns and none of them have been addressed by the architecture suggested in the Note.

Q2. Would you like to suggest any alternate model?

3.4. Yes. The model proposed in the Note is likely to exclude several types of potential users (say, foreigners and tourists), and impose a single authentication and payment service provider for accessing public Wi-Fi networks, which may undermine both competition and security in the market for these services.

3.5. Internationally, there are cities and regions (say, the city of Barcelona and the Catalonia region in Spain) where public Wi-Fi networks have been provided in a pervasive and efficient manner by taking a light regulatory approach that enables opportunities for potential providers to set up their own infrastructures and additionally have access to backhaul. Further, reducing legal requirements on authentication should be considered in place of government mandated technical architectures for authentication and payment. In particular, allowing for anonymous access to Public Wi-Fi or wireless connectivity would reduce both the administrative and the technical burden on potential providers at the hyper-local level, especially for providers whose main activity it is not, and cannot be, to provide internet services (say, event venues, malls, and shops).

3.6. The CIS suggests the following steps towards conceptualising an “alternative model”:

remove existing regulatory disincentives,
urgently explore policies to promote deployment of wired infrastructures in general, and to enable a larger range of actors, including local authorities, to invest in and deploy local infrastructures by reducing licensing requirements in particular,
examine spectrum requirements for provision of public Wi-Fi, and
provide incentives, such as allowing telecom service providers to share backhaul traffic over public Wi-Fi, and ways for telecom service providers to lower their costs if they also make Internet access available for free.

Q3. Can Public Wi-Fi access providers resell capacity and bandwidth to retail users? Is “light touch regulation” using methods such as “registration” instead of “licensing” preferred for them?

3.7. CIS holds that capacity and bandwidth are neither comparable to tangible goods nor to digital currency. They are a utility, and the provider of the utility has to accept that their customers use the utility in the way they see fit, even if that use entails sharing said capacity and bandwidth with downstream private persons or customers. Wi-Fi capabilities are currently a built-in standardised feature of all consumer routers. Any individual, community, or store with access to an internet connection and a consumer router could become a public Wi-Fi access provider at no additional cost to themselves, furthering the goals of the Indian government in its Digital India strategy to ensure public and universal access to the internet.

3.8. In order to exploit the opportunities awarded by a large amount of entities in the Indian society potentially becoming Public Wi-Fi providers, TRAI should require neither registration nor licensing of these actors. Imposing administrative burdens on potential public Wi-Fi access providers creates legal uncertainty and will cause a lot of actors, who may otherwise contribute to the goals of Digital India, not to do so. This is particularly true for community organisers and citizens, who may not have access to legal assistance and therefore may avoid contributing to the goals of the government.

3.9. Light touch regulation when it comes to both granting license to public Wi-Fi access providers as well as authentication of retail users, however, are needed not only as an exceptional practice for such instances but as a general practice in case of entities offering public Wi-Fi services, either commercially or otherwise. Further, additional laxity in administrative responsibilities is needed to incentivise provision of free, that is non-commercial, public Wi-Fi networks.

Q4. What should be the regulatory guidelines on “unbundling” Wi-Fi at access and backhaul level?

3.10. The Note refers to unbundling of activities related to provision of Wi-Fi but it does not define the term. It is neither explained which specific activities at access and backhaul levels must be considered for unbundling.

3.11. While unbundling should clearly be allowed and any regulatory hurdles to unbundling should be removed, any such decision must be taken with a focus on urgently addressing the stagnated growth in landline and backhaul, as identified in Section C.6.a of the Note. Relying only on spectrum intensive infrastructures, such as mobile base stations, for providing connectivity, creates a heavy regulatory burden for the TRAI, while simultaneously not ensuring optimal connectivity for business and private users. The CIS is concerned that the focus of the Note on standardising a government-mediated authentication and payment mechanism detracts attention from this urgent obstacle to the fulfillment of the Digital India plans of accelerated provision of broadband highways, universal access, and public, especially free, access to internet services.

3.12. From the example of European telecommunications legislations, implementation of policy measures to ensure that vertical integration between infrastructure (say, cables, switches, and hubs) providers and service (say, providing a subscriber with a household modem or a SIM card) providers in the telecommunications sector does not become a barrier to new market entrants has yielded much success in countries that have pursued it, like Sweden and Great Britain.

3.13. Further, there should be no default assumption of bundling by the TRAI. In particular, the TRAI should consider reviewing all regulations that may cause bundling to occur when this is not necessary, and put in place in a monitoring mechanism for ensuring that bundled practises (especially in electronic networks, base station infrastructures, backhaul and similar) do not cause competitive problems or raise market entry barriers [9]. In most EU countries, especially where the corporate structure of incumbent(s) is not highly vertically integrated, interconnection requirements for electronic network providers of wired networks in the backhaul or backbone (effectively price regulated interconnection), and a conscious effort to ensure that new market players can enter the field, have ensured a competitive telecommunications environment. TRAI may consider reviewing the European regulation on local loop unbundling (1999) and discussions on functional separation (especially by the British regulatory authority Ofcom), within an Indian context.

Q5. Whether reselling of bandwidth should be allowed to venue owners such as shop keepers through Wi-Fi at premise? In such a scenario please suggest the mechanism for security compliance.

3.14. Yes. Venue owners should be allowed to provide public Wi-Fi service both on a commercial and non-commercial basis.

3.15. It is not clear from the Note and the question what type of security concerns the TRAI is seeking to address. In terms of payment security, the payment industry already has a large range of verification and testing mechanisms. The CIS objects to the mandatory introduction of the proposed payment system so as to ensure greater security for Wi-Fi access providers and the users.

3.16. As far as hardware-related security issues are concerned, it is again unclear why consumer equipment compliant with existing Wi-Fi standards would not be sufficiently secure in the Indian context. Wi-Fi has proven to be a sturdy technical standard, its adoption is high in multiple jurisdictions around the world, and it also enjoys great technical stability. Similar security assessments could easily be made for alternative wireless technologies, such as WiMaX.

3.17. The CIS foresees problems is in the allocation of risk and liability by law. The already existing legal obligation to verify the identity of each user, for instance, is likely to introduce a large administrative burden on potential Public Wi-Fi providers, which may lead to such potential providers abstaining from entering the market. Should the identification requirement be removed, however, other concerns pertaining to legal obligations may arise. These include liability for user activities on the web or on the internet (cf. copyright infringement, libel, hate speech). We propose a “safe harbour” mechanism in these cases, limiting the liability of the potential public Wi-Fi provider.

Q6. What should be the guidelines regarding sharing of costs and revenue across all entities in the public Wi-Fi value chain? Is regulatory intervention required or it should be left to forbearance and individual contracting?

3.18. The market segments identified by the TRAI in Section F.18 of the Note should normally all be competitive markets themselves, and so do not require regulatory assistance in sharing of costs and revenues. The more elaborate the requirements imposed on each actor of each market segment identified by the TRAI in Section F.18, the more costly the roll-out of public Wi-Fi is going to be for the market actors. Such a cost is not avoided by price regulation.

3.19. The TRAI may instead consider introducing public funding for backhaul roll-out in remote areas, where the market is unlikely to engage in such roll-out on its own. Presently, some Indian states (such as Karnataka) are committing to public funding for wireless access in remote areas. The Union Government can assist such endeavours.

Endnotes

[1] See: http://cis-india.org/.

[2] See: http://trai.gov.in/Content/ConDis/20801_0.aspx.

[3] See Section C.6 of the Note.

[4] See: http://trai.gov.in/Content/ConDis/20782_0.aspx.

[5] See: http://cis-india.org/telecom/blog/cis-submission-to-trai-consultation-on-proliferation-of-broadband-through-public-wifi-networks.

[6] See Section E.11. of the Note.

[7] See: http://cis-india.org/telecom/blog/cis-submission-to-trai-consultation-on-proliferation-of-broadband-through-public-wifi-networks.

[8] See: https://www.wi-fi.org/.

[9] See: Monitoring bundled products in the telecommunications sector is also recommended by the OECD: http://oecdinsights.org/2015/06/22/triple-and-quadruple-play-bundles-of-communication-services-towards-all-in-one-packages/.

For more details visit https://cis-india.org/telecom/blog/cis-submission-trai-note-on-interoperable-scalable-public-wifi

Checks and balances needed for mass surveillance of citizens, say experts

Admin — 2017-12-16T14:32:23Z

A number of measures are required to protect law-abiding citizens from mass surveillance and misuse of their personal data, according to top technology and legal experts.

The article by Peerzada Abrar was published in the Hindu on December 9, 2017

The measures include issuing of tokens by the Unique Identification Authority of India (UIDAI) instead of Aadhaar numbers and having an official in the judiciary give permission to vigilance.

The experts were participating in a panel discussion on ‘Navigating Big Data Challenges’ at Carnegie India’s Global Technology Summit here. They also said there was a need to implement ‘de-identification of data’ or preventing a person’s identity from being connected with information.

The moderator of the discussion was Justice B.N. Srikrishna, a former Supreme Court judge, who was also heading a government-appointed committee of experts to identify “key data protection issues” and recommend methods to address them. Justice Srikrishna told the panellists that Aadhaar or the unique identification number had empowered the people. But in situations where the State wants all the information about citizens from different service providers because of its suspicions related to terrorism or criminal activity, he asked, what is the method to create a balance?

“Surveillance is like salt in cooking which is essential in tiny quantities, but counterproductive even if slightly in excess,” responded Sunil Abraham, executive director of Bengaluru-based think tank, Centre for Internet and Society. He said there was a need to make a surveillance system which had privacy by design built into it.

Mr. Abraham said that his organisation had proposed to the UIDAI that it used ‘tokenisation,’ which meant that whenever there was a ‘know your customer’ requirement, the Aadhaar number was not accessed by organisations like telecom firms or the banks. Instead, when the citizens used various services via smart cards or pins, a token got generated, which was controlled by the UIDAI. Organisations like banks and telecom firms can store those token numbers in their database. He said this would make it harder for unauthorised parties to combine databases. But at the same time would enable law enforcement agencies to combine database using the appropriate authorizations and infrastructure.

“UIDAI is considering this, they call it the dummy Aadhaar numbers. We need technical as well as institutional checks and balances,” said Mr. Abraham.

Countries like the U.S also have processes like Foreign Intelligence Surveillance Court (FISA court) which entertains applications made by the U.S Government for approval of electronic surveillance, physical search, and certain other forms of investigative actions for foreign intelligence purposes.

“My concern is that in the current system, surveillance can be done by the State machinery. I don’t necessarily suggest FISA court.... but some kind of mechanism where (one can’t) be held at the mercy of incestuous State machinery,” said Rahul Matthan, a partner at law firm Trilegal. “But have some second person who is outside the influence of this system (and) who actually says ‘yes this is a terrorist which requires us to do mass surveillance,” he said.

Artificial Intelligence

A large amount of information or Big data ranging from financial, health to political insights of people is being collected by different organisations and service providers which is sitting in different silos. All of this is likely going to be linked through Aadhaar. Mr. Srikrishna asked what if a situation arises where all of this data is aggregated and using artificial intelligence and machine learning, one is able to analyse it and profile individuals. He said “would that be not a terrifying scenario” where the State can act super-monitor for citizens. He asked how can citizens be guarded against it?

Mr.Srikrishna was referring to the ‘Social Credit System’ proposed by the Chinese government for creating a national reputation system to rate the trustworthiness of its citizens including their economic and social status. It works as a mass surveillance tool and uses big data analysis technology.

“It is a possibility. What stands in the way of it becoming a reality (in India) is a robust law,” said Mr.Matthan. “Technology is so powerful that it could equally be used for good as well as bad.”

For more details visit https://cis-india.org/internet-governance/news/the-hindu-peerzada-abrar-december-9-2017-checks-and-balances-needed-to-mass-surveillance-of-citizens-say-experts

Centre to form panel to 'encrypt' MGNREGA-DBT database and prevent leaks

praskrishna — 2017-07-14T10:46:45Z

Around 5 crore bank accounts of active MGNREGA workers yet to be seeded with Aadhaar.

The article by Sanjeeb Mukherjee was published in the Business Standard on July 14, 2017.

Alarmed over reports of ‘public disclosure’ of sensitive Aadhaar data through various portals and payment gateways, the Centre is in the process of appointing a high-powered panel of almost 20 experts to suggest ways and means through which data, particularly one which can be accessed through the MGNREGA-DBT platform can be encrypted.

Encryption, officials believe, would prevent the Aadhaar data and other related information from falling into wrong hands.

The need for proper encryption of Aadhaar data rose after the government made it mandatory for availing almost all benefits - be it school scholarships, payments of MGNREGA wages, identification of beneficiaries under mid-day meal scheme and even public distribution system along with others.

Ensuring cyber security has become all the more necessary as the Central government, in a notification issued last month, has made it mandatory for all bank accounts to be seeded with Aadhaar numbers by December 31, 2017, or else they would cease to be operational until the time the account holder furnishes his Aadhaar number.

This could seriously hamper payment of wages to MGNREGA workers because as per available information almost 5 crore active workers don’t have their bank accounts seeded with Aadhaar.

To complete the process before December 2017, the ministry of rural development has planned special Aadhaar camps to be held in villages from July 20 to September 2017.

Recently, a website published all confidential details of customers of a private telecom company including Aadhaar numbers and other information.

The breach was another instance of secure confidential information falling into public domain.

Officials of the panel, which would be headed by former NASSCOM head Kiran Karnik are expected to submit their report on the same within the next few months.

Other members of the panel include Director General of National Institute of Smart Governance (NISG), officials from Indian Computer Emergency Response Team (ICERT) and others.

However, cyber security experts believe that encrypting Aadhaar-DBT details mainly for those schemes and programmes which have a direct linkage with the public at this later stage has its own challenges as the entire ecosystem around Aadhaar has grown manifold ever since it was made mandatory for a variety of programmes.

Also, in the absence of a national encryption policy, such a move will have its own legal and regulatory challenges.

“Ever since the government made Aadhaar mandatory for many things, the entire ecosystem around it including the Central Identities Data Repository (the agency which stores Aadhaar data is exposed to leaks,” noted cyber law expert Pawan Duggal told Business Standard.

He said that without a proper national encryption law, it would be extremely challenging to provide legal and regulatory backing to encrypt all Aadhaar- DBT data details for MGNREGA. “Also now that the ‘cat is out of the bag,’ encryption of Aadhaar details will be hugely challenging,” Duggal said.

Already, civil society activists said that after some concern, the central government has removed all Aadhaar numbers and bank details from MGNREGA website, which has made tracking payments difficult.

A recent study by Amber Sinha and Srinivas Kodali from the Centre for Internet and Society (CIS) found that granular details about individuals including sensitive personally identifiable information such as Aadhaar number, caste, religion, address, photographs and financial information are only a few clicks away through government schemes dashboard and portals.

“While initiatives such as the government open data portals may be laudable for providing easy access to government data condensed for easy digestion, however in the absence of proper controls exercised by the government departments the results can be disastrous by divulging sensitive and adversely actionable information about the individuals who are responding units of such databases,” the report said.

It specifically studied two major schemes of the ministry of rural development; the National National Social Assistance Programme and MGNREGA along with some state schemes.

Pointers

a) Centre to form a panel to encrypt all MGNREGA-DBT database to prevent leaks.

b) The panel might also suggest ways and means in which such ‘encryption’ could be applied in other platforms.

c) The panel is expected to be headed by former NASSCOM head Kiran Karnik.

d) The encryption is essential as from January 2018 all non-Aadhaar seeded bank accounts will cease to be operational unless the holders seed them.

e) A recent study found that vivid details about individuals can be easily accessed from government platforms and databases.

f) The MGNREGA database was one such publicly available platform which formed part of the study.

For more details visit https://cis-india.org/internet-governance/news/business-standard-sanjeeb-mukherjee-july-14-2017-centre-to-form-panel-to-encrypt-mgnrega-dbt-database-and-prevent-leaks

Centre brings in new safeguards following cases of Aadhaar data leaks on government websites

praskrishna — 2017-06-06T15:41:16Z

The Centre has put in new safeguards following a number of cases of Aadhaar data leaks on government websites. All ministries are being asked to encrypt all Aadhaar data and personal financial details. Also, officials are being "sensitised" about legal consequences of data breach. And every government department is to now have one official responsible for Aadhaar data protection.

The article by Nidhi Sharma was published in the Economic Times on June 2, 2017.

The ministry of electronics and information technology has written to all departments on better data security. ET has reviewed the new guidelines. Aadhaar, a 12-digit unique identity number issued on the basis of biometric data, is linked to a person's bank account and used by government agencies to directly transfer benefits of several social welfare schemes.

Senior officials, who spoke off record, told ET all departments have been asked to immediately review their website content to check if personal data is on display.

A set of 27 dos and 9 don'ts has been circulated on data handling. This includes instructions on masking Aadhaar data and bank details as well as encrypting data. The government has mandated regular audits to check safety of personal data.

The ministry letter says, "It has come to notice there have been instances wherein personal identity or information of residents, along with Aadhaar numbers and demographic information, and other sensitive personal data ... have been published online."

The letter also spells out legal consequences of such data breach and warns the government departments to check future leaks. "Publishing identity information, i.e. Aadhaar number along with demographic information is in clear contravention of the provisions of the Aadhaar Act 2016 and constitutes an offence punishable with imprisonment up to 3 years. Further, publishing of financial information including bank details, being sensitive personal data, is also in contravention of provision under IT Act 2000 with violations liable to pay damages by way of compensation to persons affected."

The move to protect personal data comes after reports that data of 130 million Aadhaar cardholders has been leaked from four government websites. Reports, based on a study conducted by the Centre for Internet and Society (CIS) said Aadhaar numbers and details have been leaked.

For more details visit https://cis-india.org/internet-governance/news/economic-times-june-2-2017-nidhi-sharma-centre-brings-in-new-safeguards-following-cases-of-aadhaar-data-leaks-on-government-websites

Can the Matters Dealt with in the Aadhaar Act be the Objects of a Money Bill?

Pooja Saxena — 2016-04-24T14:15:06Z

In this infographic, we highlight the matters dealt with in the Aadhaar Act 2016, recently tabled in and passed by the Lok Sabha as a money bill, and consider if these can be objects of a money bill. The infographic is designed by Pooja Saxena, based on information compiled by Sumandro Chattapadhyay and Amber Sinha.

Download the infographic: PDF and JPG.

License: It is shared under Creative Commons Attribution 4.0 International License.

For more details visit https://cis-india.org/internet-governance/blog/can-matters-dealt-with-in-aadhaar-act-be-objects-of-money-bill

Can the Judiciary Upturn the Lok Sabha Speaker’s Decision on Aadhaar?

amber — 2017-02-27T15:44:56Z

When ruling on the petition filed by Jairam Ramesh challenging passing the Aadhaar Act as a money Bill, the court has differing precedents to look at.

The article was published in the Wire on February 21, 2017.

In an earlier article, I had argued that the characterisation of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, as a money Bill by Sumitra Mahajan, speaker of the Lok Sabha, was erroneous. Specifically, I had argued that upon perusal of Article 110 (1) of the constitution, the Aadhaar Act does not satisfy the conditions required of a money Bill. For a legislation to be classified as a money Bill, it must comprise of ‘only’ provisions dealing with the following matters: (a) imposition, regulation and abolition of any tax, (b) borrowing or other financial obligations of the government of India, (c) custody, withdrawal from or payment into the Consolidated Fund of India (CFI) or Contingent Fund of India, (d) appropriation of money out of CFI, (e) expenditure charged on the CFI or (f) receipt or custody or audit of money into CFI or public account of India; or (g) any matter incidental to any of the matters specified in sub-clauses (a) to (f).

Article 110 is modelled on Section 1(2) of the UK’s Parliament Act, 1911, which also defines money Bills as those only dealing with certain enumerated matters. The use of the word ‘only’ was brought up by Ghanshyam Singh Gupta during the constituent assembly debates. He pointed out that the use of the word ‘only’ limits the scope money Bills to only those legislations which did not deal with other matters. His amendment to delete the word ‘only’ was rejected, clearly establishing the intent of the framers of the constitution to keep the ambit of money Bills extremely narrow. G.V. Mavalankar, the first speaker of Lok Sabha, had stated that the word ‘only’ must not be construed so as to give an overly restrictive meaning. For instance, a Bill which deals with taxation could have provisions which deal with the administration of the tax. The finance minister, Arun Jaitley, referred to these words by Mavalankar, justifying the classification of the Aadhaar Act as a money Bill.

While the Aadhaar Bill does makes references to benefits, subsidies and services funded by the CFI, even a cursory reading of the Bill reveals its main objectives as creating a right to obtain a unique identification number and providing for a statutory apparatus to regulate the entire process. Any reasonable reading of the legislation would be hard pressed to view all provisions in the Aadhaar Act, aside from the one creating a charge on the CFI, as merely administrative provisions incidental to the creation such charge. The mere fact of establishing the Aadhaar number as the identification mechanism for benefits and subsidies funded by the CFI does not give it the character of a money Bill. The Bill merely speaks of facilitating access to unspecified subsidies and benefits rather than their creation and provision being the primary object of the legislation. Erskine May’s seminal textbook, Parliamentary Practice, is instructive in this respect and makes it clear that a legislation which simply makes a charge on the consolidated fund does not becomes a money Bill if otherwise its character is not that of one. Further, the subordinate regulations notified under the Aadhaar Act deal almost entirely with matters to do with enrolment, updation, authentication of the Aadhaar number and related matters such as data security regulations and sharing of information collected, rather than the provision of benefits or subsidies or disbursal of funds otherwise from the CFI.

However, in the context of the petition filed by former Union minister Jairam Ramesh challenging the passage of the law on Aadhaar as a money Bill, the more important question is whether the judiciary has a right to question the speaker’s decision in such a matter. If not, any other questions about whether the legislation is a money Bill will remain merely academic in nature.

Irregularity vs illegality

Article 110 (3) clearly states that with regard to the question whether a legislation is a money Bill or not, the decision of the speaker is final and binding. The question is whether such a clause completely excludes any judicial review. Further, Article 122 prohibits the courts from questioning the validity of any proceedings in parliament on the ground of any alleged irregularity of procedure.

During the arguments in the court, the attorney general questioned the locus standi of Ramesh. The petition has been made under Article 32 of the constitution and the government argued that no fundamental rights of Ramesh were violated. However, the court has asked Ramesh to make his submission and adjourned the hearing to July. The petition by Ramesh would hinge largely on the powers of the judiciary to question the decision of the speaker of the Lok Sabha.

The powers of privilege that parliamentarians enjoy are integral to the principle of separation of powers. The rationale behind parliamentary privilege is to prevent interference in the lawmakers’ powers to perform essential functions. The ability to speak and vote inside the legislature without the fear of punishment is certainly essential to the role of a lawmaker. However, the extent of this protection lies at the centre of this discussion. During the constituent assembly debates, H.V. Kamath and others had argued for a schedule to exhaustively codify the existing privileges. However, B.R. Ambedkar pointed to the difficulty of doing so and parliamentary privilege on the lines of the British parliamentary practice was retained in the constitution. In the last few decades, a judicial position has emerged that courts could exercise a limited degree of scrutiny over privileges, as they are primarily responsible for interpreting the constitution.

In the matter of Raja Ram Pal vs The Hon’ble Speaker, Lok Sabha, it had been clarified that proceedings of the legislature were immune from questioning by courts in the case of procedural irregularity but not in the case of illegality. In this case, the Supreme Court while dealing with Article 122 stated that it does not oust review by the judiciary in cases of “gross illegality, irrationality, violation of constitutional mandate, mala fides, non-compliance with rules of natural justice and perversity.”

In 1968, the speaker of the Punjab legislative assembly adjourned the proceedings for a period of two months following rowdy behaviour. Subsequently, an ordinance preventing such a suspension was promulgated and the legislature was summoned by the governor to consider some expedient financial matters. The speaker disagreed with the decision and after some confusion, the deputy speaker passed a few Bills as money Bills. While looking into the question of what was protected from judicial review, the court stated that the protection did not extend to breaches of mandatory provisions of the constitution, only to directory provisions. By that logic, if Article 110 (1) is seen as a mandatory provision, a breach of its provisions could lead to an interpretation that the Supreme Court may well question an erroneous decision by the speaker of the Lok Sabha to certify a legislation as a money Bill. The use of the word “shall” in Article 110 (1), the nature and design of the provision, its overriding impact on the other constitutional provisions granting the Rajya Sabha powers are ample evidence of its mandatory nature. Based on the above, Anup Surendranath has argued that the passage of the Aadhaar Act as a money Bill when it does not satisfy the constitutional conditions for it does amount to a gross illegality.

The judicial precedent in Mohd. Saeed Siddiqui vs State of Uttar Pradesh where the matter of the court’s power to question the decision of a speaker was considered, though, leans in the other direction. In 2012, the Uttar Pradesh Lokayukta and Up-Lokayuktas (Amendment) Act, 2012 was passed as money Bill by the Uttar Pradesh state legislature. Subsequently, a writ petition was filed challenging its constitutional validity. A three-judge bench of the Supreme Court looked into the application of Article 212. It is the provision corresponding to Article 122, dealing with the power of the courts to inquire into the proceedings of the state legislature. The court held that Article 212 makes “it clear that the finality of the decision of the Speaker and the proceedings of the State Legislature being important privilege of the State Legislature, viz., freedom of speech, debate and proceedings are not to be inquired by the Courts.” Importantly, ‘proceedings of the legislature’ were deemed to include within its scope everything done in transacting parliamentary business, including the passage of the Bill. While the court did acknowledge the limitations of parliamentary privilege as established in the Raja Ram Pal case, it did not adequately take into account the reasoning in it.

The Aadhaar Act is a legislation which makes it mandatory of all residents to enrol for a biometric identification system in order to avail certain subsidies, benefits and services. It has huge potential risks for individual privacy and national security and has been the subject of an extremely high profile Public Interest Litigation. Its passage as a money Bill, without any oversight from the Rajya Sabha and an opportunity for substantial debate and discussion, is a fraud on the Constitution. Whether or not the court chooses to see it that way remains to be seen.

For more details visit https://cis-india.org/internet-governance/blog/the-wire-amber-sinha-february-21-2017-can-the-judiciary-upturn-the-lok-sabha-speakers-decision-on-aadhaar

Can the Aadhaar Act 2016 be Classified as a Money Bill?

Pooja Saxena — 2016-04-25T13:48:41Z

In this infographic, we show if the Aadhaar Act 2016, recently tabled in and passed by the Lok Sabha as a money bill, can be classified as a money bill. The infographic is designed by Pooja Saxena, based on information compiled by Amber Sinha and Sumandro Chattapadhyay.

Download the infographic: PDF and JPG.

License: It is shared under Creative Commons Attribution 4.0 International License.

For more details visit https://cis-india.org/internet-governance/blog/can-the-aadhaar-act-2016-be-classified-as-a-money-bill

Biometrics: An ‘Angootha Chaap’ nation?

Mukta Batra — 2014-09-19T06:12:17Z

This blog post throws light on the inconsistencies in biometric collection under the UID and NPR Schemes.

Introduction

Fingerprints and iris scans. The Unique Identification (UID) Number aims to serve as a proof of identity that can be easily verified and linked to subsidies and to bank accounts. Four years into its implementation, the UID Scheme seems to have the vote of confidence of the public. More than 65 Crore Indians have been granted UID Numbers,[1] and only a few have been concerned enough to seek clarity through Right to Information Requests to the UIDAI about the finances and legal authority backing the scheme.[2] Parallel to the UID scheme, the National Population Register scheme is also under way, with enrolment in some areas, such as Srinagar, Shimla and Panchkula, having reached 100% of the estimated population.[3]

The NPR scheme is an offshoot of the census. It began in census cycle 2010-11, pursuant to the amendment of the Citizenship Act in 2004, under which national identity cards are to be issued. The desired outcome of the NPR scheme is an NPR card with a chip embedded with three bits of information built into a card: (i) biometric information, (ii) demographic information and (iii) UID Number.

Both the UID and NPR schemes aspire to be conduits that subsidies, utilities, and other benefits are routed through. While the UID and NPR schemes are distinct in terms of their legal sanctity, purpose and form, the harmonization of these two schemes is one of the UIDAI’s functions.

There are substantial overlaps in the information collected and the purpose they serve leading to the argument that having two schemes is redundant. The compatibility of the two schemes was questioned and it was initially thought that a merger would be unreasonable. While there has been speculation that the UID scheme may terminate, or that it would be taken over by the Home Ministry, it has been reported that the new government has directed expedited enrolments through the UID scheme. [4]

Both schemes are incomplete and suffer from vagaries, including, but not limited to: their legality, safeguards against misuse of the data, the implementation of the schemes – including the collection and storage of biometric information and their convergence or divergence.

This blog will focus on understanding the process of collecting biometric data in each scheme – calling out similarities and differences – as well as areas in which data collected under one scheme is incompatible with the other scheme. It will look at existing and missing safeguards in the collection of biometrics, overlap in the collection of biometrics by the two schemes, and existing practice in the collection of biometrics. In doing so the blog will highlight the lack of privacy safeguards for the biometric information and conclude that since the policies for data collection and use policy are unclear, the data subjects do not know how their data is being collected, used, and shared between the UID and the NPR schemes.

Unreliability of Biometric Data

Biometric data has been qualified as being unreliable.[5] It cannot always be successfully used to identify a person, especially in India, where manual labour degrades the fingerprint[6] and nutritional deficiencies mar the iris. Even experts working with the UIDAI[7] admit that fingerprints are not always good indicators of identity. If the very identification of a person fails, which is what the UID seeks to do, then the purpose of the UID is defeated.

Biometric Data Collection under the UID Scheme

In the current structure of the scheme, collected biometric information is stored by, and vests with the UIDAI for an undefined period. The data if used only for identification and authentication purposes, as originally intended, could very well fail to serve its intended purpose. But amassing the personal data of the entire country is lucrative, particularly to the service providers who collect the information and are mandated with the task to manually collect the data before it is fed into the UID system and encrypted. Most of the service providers that collect information, including biometric data, for the UID are engaged in information services such as IT or online marketing service providers.[8]

The below chart delineates the process followed for the collection of biometrics under the UID Scheme:

Under the NIAI Bill, all data collected or authenticated by the UIDAI, until the Bill is enacted and the National Identification Authority of India is created, vests with the UIDAI. In practice this means that the UIDAI owns the biometric data of the data-subject, without clear safeguards against misuse of the data.

In the UID scheme, the collection of biometrics at the time of enrollment by the UIDAI is severely flawed for a number of reasons:

1. Lack of clear legal authority and procedure for collection of biometrics: The only legal authority the UIDAI has to collect biometric information is via the notification of its constitution. Even then, the powers of the UIDAI are vague and broad. Importantly, the notification tells us nothing of how biometric data is to be collected and how it is to be used. These standards have only been developed by the UIDAI in an ad-hoc manner when the need arises or after a problem is spotted. The lack of purpose-specification is in violation of the law[9] and prevents the data subject from giving informed consent to data collection. This is discussed at a later stage.

2. The collection of Biometrics is regulated through only a Bill, which delegates the development of safeguards to Rules: The National Identification Authority of India (NIAI) Bill[10] confers the National Information Authority of India (NOT THE UIDAI) with the power to pass rules to collect biometric data and to prescribe standards for collection.[11] This is a rule-making power, which is conferred under a Bill. Neither has the Bill been enacted, nor have rules for the collection of biometrics been framed and notified.

3. Collection of biometric data only with implied consent: Though collection of biometrics is mentioned in the enrolment form, explicit consent for the collection of biometrics is not collected and only implied consent may be inferred. The last line in the enrollment form is titled ‘CONSENT’ and is a declaration that all data, including biometric information, is true.[12]

4. Collection of biometric data outsourced to third party: Collection of biometric information in the UID scheme is outsourced to third parties through tenders. For instance, Accenture has been declared a biometric service provider under a contract with the UID.[13] The third party may be a company, firm, educational institution or an accreditation agency. The eligibility criteria are quite straightforward, they relate to the entity’s structure and previous experiences with small projects.[14] Since the ability to protect privacy of the data subject is entirely absent from the eligibility criteria, a successful bidder may not have adequate procedure in place or sufficient experience in managing confidential data, to ensure the privacy of the data subject. By outsourcing the data collection, the UIDAI has arguably delegated a function it never had the legal authority to perform. Thus, the agency of the data collection is equally defective. To heighten the irregularity, these contract agents can sub-contract the job of physical data collection.[15] This means that the data operator and the ground supervisors, who come into direct contact with the raw data, including biometric data, are not appointed by the government, or the UIDAI, but by a private agency, who is further removed from the chain. The data operator scans the documents submitted for verification and has physical access to the document.[16]

5. Biometric data is admittedly vulnerable to sale and leakage: In an ongoing case in the Supreme Court of India, the national Capital Territory of Delhi has, in its counter-affidavit, admitted that data collected under the UID is vulnerable to sale and leakage.[17] To quote from the counter-affidavit ‘..in any exercise of gathering identities whether it is by census authority… or through the present process… there is always a possibility of leakage. Enumerators can scan and keep copies of all the forms and sell them for a price.- this (sic) it can never be said that the data gathered… is safe.’[18] Anyone who has registered for either UID is therefore a candidate for identity theft or unsolicited commercial information. This is also true for the NPR, as census data is the basis for the NPR.

Data collection under the NPR Scheme

The declaration of courts that it is unnecessary to link the UID number for public utilities and the admission by Delhi in the case that a data subject cannot be compelled to provide biometrics or to obtain a UID Number under the Aadhaar scheme[19] are steps forward in ensuring the voluntariness of UID. However, the UID Number is mandatory by implication. It is a pre-requisite for registration under the National Population Register, which is compulsory, pursuant to S. 14-A of the Citizenship Act. The below diagram delineates the collection of biometric information under the NPR scheme:

DATA FLOW PROCESS

Flaws in the collection of biometric data under the NPR scheme

Compulsion: Registration in the NPR is legally mandated and individuals who fail to do so can face penalty. As a note, arguably, the compulsion to register for the NPR is untenable, as the Rules prescribe penalty, whereas the Act does not. [20] A word of caution is appropriate here. The penalty under the Rules stands till it is deleted by the legislature or declared void by courts and one may be held liable for refusing to register for the NPR, though the above argument may be a good defense.
Duplicity: Duplicity is a problem under the NPR Scheme. Biometric data is collected twice before the NPR exercise is completed. Even if one has registered under the UID scheme, they have to give their biometric information again under the NPR scheme. The first instance of collection of biometric information is for the UID number and the second, under the NPR scheme. The latter is necessary even if the data has already been collected for the UID number. Since the parties collecting biometric information for NPR are empanelled by the UIDAI and the eligibility is the same, the data is subject to the same or similar threats of data leakage that may arise when registering for the UID. The multi-level data collection only amplifies the admitted vulnerability of data as unauthorized actors can unlawfully access the data at any stage. This, coupled with the fact that UIDAI has to harmonize the NPR and UID schemes, and that the data comes to the UIDAI for de-duplication, means that the NPR data could be used by the UIDAI, but it may not result in a UID Number. There is no data that disproves this potential. This is a matter of concern, as one who wishes not to register for a UID number, in protection of their privacy, is at peril for their data falls into the hands of the UIDAI.
Biometric data collectors under the NPR scheme empanelled by the UIDAI: The service providers collecting biometric data under the NPR are selected through bids and need to be empanelled with the UIDAI.[21] Most enrolment agencies that are empanelled with the UIDAI are either IT or online marketing companies[22], making the fear of targeted marketing even more likely.
Public display and verification: Under the NPR scheme, the biometric and demographic information and UID number of registrants is publicly displayed in their local area for verification.[23] However, it is a violation of privacy to have sensitive personal data, such as biometrics put up publicly. Not only will the demographic information be readily accessible, nothing will prohibit the creation of a mailing list or collection of data for either data theft or for sending unsolicited commercial communication. The publicly available information is the kind of information that can be used for verification (Know Your Customer) and to authorize financial transactions. Since the personal information is displayed in the data subject’s local area, it is arguably a more invasive violation of privacy, since the members of the local area can make complex connections between the data subject and the data.
Smart Card: The desired outcome of the NPR scheme is an NPR card. This card is to contain a chip, which is embedded with information such as the UID Number, biometrics and the demographic information. It is still unclear as to whether this information will be machine-readable. If so, this information may be just a swipe away. However, this cannot be confirmed without information on the level encryption and how the data will be stored on the chip.

‘Privacy safeguards available under the UID and NPR schemes are ad-hoc and incomplete

The safeguards under both the UID and NPR schemes are quite similar, since the UIDAI and its empanelled biometric service providers are involved in collecting biometric information for both the UID and the NPR.

Pilot studies for the UID scheme, including the use of biometrics, were not conducted in advance to implementation. In line with this, the enactment of a legislation governing the UID and the implementation of policies with respect to data handling and use will be made as and when the need arises. The development of safeguards in relation to the NPR will also be ad-hoc.

Also, the data standards for one will potentially influence that of the other scheme. For instance, the change in privacy standards for handling biometrics under the UID may affect the empanelment of biometric service providers. This will automatically affect the data security level the NPR can seek to achieve.

Being developed ad-hoc and after the fact, there is a risk that these regulations may unreasonably curtail the rights of data subjects.

The existing Indian laws on data protection and privacy are not comprehensive. Certain laws protect privacy only in specific situations. For instance, the IT Act and related rules protect privacy in relation to digital information.

Any body that collects sensitive personal data such as biometric data, or any other data for processing and storage has a legal mandate under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules, 2011 to make certain disclosures BEFORE OR WHILE THE DATA IS COLLECTED. This includes, inter-alia, disclosures of (i) the purpose of information collection, (ii) the intended recipients of the information and (iii) name and addresses of the collector and of the party retaining the data.[24]

Under the Rules, the data collector has a duty to give the data subject an option to withhold personal sensitive information.[25] A conversation with a data subject shows that this safeguard has not been upheld. The subject also conveyed a lack of knowledge of who the collection agency was. This is a problem of lack of accountability, as the data path cannot be traced and the party responsible for misuse or breach of security cannot be held liable.

Conclusion

The data collection under the NPR and UID schemes shows several vulnerabilities. Apart from the vulnerabilities with biometric information, there is a real risk of misuse of the data and documents submitted for enrolment under these schemes. Since the data collectors are primarily online marketing or IT service providers, there is likelihood that they will use this data for marketing.

We can only hope that in time, data subjects will be able to withdraw their personal data from the UID database and surrender their UID number. We can only wait and watch to see whether (i) the UID Number is a legal prerequisite for the NPR Card and (ii) whether the compulsion to register for NPR is done away with.

[1] https://portal.uidai.gov.in/uidwebportal/dashboard.do accesed: 21 August, 2014

[2] As of January 2013, only 25 RTI requests were made to the UIDAI http://uidai.gov.in/rti/rti-requests.html accessed: 21 August, 2014

[3] DIT-NPR Management Information System accessed: 22 August, 2014 http://nprmis.nic.in/NPRR33_DlyDigitPrgGraph.aspx

[4] Cloud Still Hangs Over Aadhaar’s Future, Business Standard, accessed 28 August, 2014. http://www.business-standard.com/article/current-affairs/cloud-still-hangs-over-aadhaar-s-future-114081401131_1.html

[5] Frost & Sullivan, Best Practices Guide to Biometrics, accessed: 13 August, 2014 http://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&cad=rja&uact=8&ved=0CD8QFjAE&url=http%3A%2F%2Fwww.frost.com%2Fprod%2Fservlet%2Fcpo%2F240303611&ei=6VbsU4m8HcK58gWx64DYDQ&usg=AFQjCNGqan81fX6qtG0S4VV6oh_B5R_QYg&sig2=cOOPm1JJ79AcJq2Gfq1_3Q&bvm=bv.73231344,d.dGc

[6] Malavika Jayaram, “India’s Identity Crisis”, Internet Monitor 2013, reflections of a digital world, accessed: 13 August, 2014 http://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID2366840_code727672.pdf?abstractid=2366840&mirid=1

[7]M. Vatsa, et.al, “Analyzing Fingerprints of Indian Population Using Image Quality: A UIDAI Case Study” , accessed: 13 August, 2014 https://research.iiitd.edu.in/groups/iab/ICPR2010-Fingerprint.pdf

[8] Prakash Chandra Sao, The Unique ID Project in India: An Exploratory Study, accessed: 21 August, 2014 http://subversions.tiss.edu/the-unique-id-project-in-india-an-exploratory-study/

[9] R. 5(3) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules, 2011, accessed: 20 August, 2013 http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf

[10] National Identification Authority of India Bill, 2010 (Bill No. LXXV of 2010), accessed: 26 August,2014 http://164.100.24.219/BillsTexts/RSBillTexts/asintroduced/national%20ident.pdf

[11] Clause 23 of the NIAI Bill, 2010

[12]The UID Enrollment form, accessed: 26 August, 2014 http://uidai.gov.in/images/uid_download/enrolment_form.pdf

[13] Documents filed and relied on in Puttuswamy v Union of India

[14] Request for empanelment, accessed: 28 August, 2014. http://uidai.gov.in/images/tenders/rfe_for_concurrent_evaluation_of_processoperation_at_enrolment_centers_13082014.pdf

[15] This information is available from the documents filed and relied on in Puttuswamy v Union Of India, which is being heard in the Supreme Court of India

[16] An anonymous registrant observes that the data was scanned behind a screen and was not visible from the registered counter. The registrant is concerned that, in addition to collection of information for the UID, photocopies or digital copies could be taken for other uses and the registrant would not know.

[17] Counter Affidavit filed in the Supreme Court of India on behalf on New Delhi in K. Puttuswamy v Union of India

It is also admitted that the census is equally vulnerable. The information collected through census is used for the NPR exercise.

[18] Para. 48 in the Counter Affidavit filed by NCR Delhi.

[19] Affidavit in K. Puttuswamy v Union of India.

See also: FAQs: Enrollment Agencies, accessed 22 August, 2014 http://uidai.gov.in/faq.html?catid=37

[20] Usha Ramanathan, A Tale of Two Turfs, The Statesman, accessed: 20 August, 2014 http://www.thestatesman.net/news/10497-a-tale-of-two-turfs-npr-and-uid.html?page=3

[21] RFQ for Engaging MSP for Biometric Enrolment for the Creation of NPR, accessed: 26 August, 2014 http://ditnpr.nic.in/pdf/120102_RFQBiometricUrban_rebidding-Draft.pdf

[22] Prakash Chandra Sao, The Unique ID Project in India: An Exploratory Study, accessed: 21 August, 2014 http://subversions.tiss.edu/the-unique-id-project-in-india-an-exploratory-study/

[23] http://censusindia.gov.in/2011-Common/IntroductionToNpr.html, accessed: 26 August, 2014

[24] R. 5(3) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules, 2011, accessed: 20 August, 2013 http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf

[25] R. 5(7) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules, 2011.

For more details visit https://cis-india.org/internet-governance/blog/biometrics-an-angootha-chaap-nation

Biggest blast on Aadhaar leak so far: govt sites leaked data of 13 crore people

praskrishna — 2017-05-03T14:35:23Z

In yet another shocking report of personal data breach in India, it has emerged that Aadhaar data of 13 crore people was put out on websites of four major government projects in the country. The leaked data include bank account details of over one crore people linked to Aadhar numbers under the direct benefit scheme. Over eight crore people lost their private data on the national job guarantee scheme website alone.

The article by Jikku Varghese Jacob was published by Manorama on May 2, 2017.

The shocking details have surfaced in a report released by the Center for Internet Society (CIS) which deals with the publication of Aadhaar data and their security. It appears to be the biggest blast on Aadhaar data leak yet. The report says these pieces of information were available on Internet since last November. Once detected, the CIS officials had initiated steps to remove them.

The CIS report cites two central government portals and websites from Andhra Pradesh as violators. Following are the websites that published the data:

National Social Assistance Programme (under the Ministry of Rural Development).
The national portal of the job guarantee scheme.
Daily online payment reports (Government of Andhra Pradesh)
Chandranna Bheema project (Government of Andhra Pradesh)

Private data of 1,59,42,083 people were leaked on the social assistance scheme site. The two Andhra Pradesh sites breached the privacy of three crore people.

Information leaked on most of the sites could be downloaded as Excel sheet. It is estimated that data on 23 crore people is linked to Aadhaar under the direct benefit scheme.

The CIS fears that if other government sites have also handled such data without care there could have occurred a massive data base breach. The CIS put in months of effort before finalizing this report.

It was recently found that Aadhaar data on 35 lakh people in Kerala was found disclosed on the state's Sevana Pension website. In Jharkhand, 14 lakh people had their privacy violated when their Aadhaar information was put out on a government website.

Such leaks of Aadhaar data is a crime that can fetch up to three years of imprisonment. Complaints have arisen that government departments did not bother to comply with an IT ministry directive last month to remove the Aadhaar data from websites.

Experts point out that criminals can misuse personal data on Aadhaar and bank account. The data could be used to obtain SIM cards and carry out transactions online.

Aadhaar, the world's largest bio-metric enrolment in India, will enrol 1.2 billion people in a 12-digit unique number for each person to be issued to each resident in the country. The number with its biometric information – photograph, fingerprints and iris scan – of each individual is easily verifiable in an online.

For more details visit https://cis-india.org/internet-governance/news/manorama-may-2-2017-jikku-varghese-jacob-biggest-blast-on-aadhaar-leak-so-far-govt-sites-leaked-data-of-13-crore-people

Big Data in India: Benefits, Harms, and Human Rights - Workshop Report

Vidushi Marda, Akash Deep Singh and Geethanjali Jujjavarapu — 2016-11-18T12:58:19Z

The Centre for Internet and Society held a one-day workshop on “Big Data in India: Benefits, Harms and Human Rights” at India Habitat Centre, New Delhi on the 1st of October, 2016. This report is a compilation of the the issues discussed, ideas exchanged and challenges recognized during the workshop. The objective of the workshop was to discuss aspects of big data technologies in terms of harms, opportunities and human rights. The discussion was designed around an extensive study of current and potential future uses of big data for governance in India, that CIS has undertaken over the last year with support from the MacArthur Foundation.

Contents

Big Data: Definitions and Global South Perspectives

Aadhaar as Big Data

Seeding

Aadhaar and Data Security

Aadhaar’s Relational Arrangement with Big Data Scheme

The Myths surrounding Aadhaar

IndiaStack and FinTech Apps

Problems with UID

Big Data: Definitions and Global South Perspectives

“Big Data” has been defined by multiple scholars till date. The first consideration at the workshop was to discuss various definitions of big data, and also to understand what could be considered Big Data in terms of governance, especially in the absence of academic consensus. One of the most basic ways to define it, as given by the National Institute of Standards and Technology, USA, is to take it to be the data that is beyond the computational capacity of current systems. This definition has been accepted by the UIDAI of India. Another participant pointed out that Big Data is not only indicative of size, but rather the nature of data which is unstructured, and continuously flowing. The Gartner definition of Big Data relies on the three Vs i.e. Volume (size), Velocity (infinite number of ways in which data is being continuously collected) and Variety (the number of ways in which data can be collected in rows and columns).

The presentation also looked at ways in which Big Data is different from traditional data. It was pointed out that it can accommodate diverse unstructured datasets, and it is ‘relational’ i.e. it needs the presence of common field(s) across datasets which allows these fields to be conjoined. For e.g., the UID in India is being linked to many different datasets, and they don’t constitute Big Data separately, but do so together. An increasingly popular definition is to define data as “Big Data” based on what can be achieved through it. It has been described by authors as the ability to harness new kinds of insight which can inform decision making. It was pointed out that CIS does not subscribe to any particular definition, and is still in the process of coming up with a comprehensive definition of Big Data.

Further, discussion touched upon the approach to Big Data in the Global South. It was pointed out that most discussions about Big Data in the Global South are about the kind of value that it can have, the ways in which it can change our society. The Global North, on the other hand, has moved on to discussing the ethics and privacy issues associated with Big Data.

After this, the presentation focussed on case studies surrounding key Central Government initiatives and projects like Aadhaar, Predictive Policing, and Financial Technology (FinTech).

Aadhaar as Big Data

In presenting CIS’ case study on Aadhaar, it was pointed out that initially, Aadhaar, with its enrollment dataset was by itself being seen as Big Data. However, upon careful consideration in light of definitions discussed above, it can be seen as something that enables Big Data. The different e-governance projects within Digital India, along with Aadhaar, constitute Big Data. The case study discussed the Big Data implications of Aadhaar, and in particular looked at a ‘cradle to grave’ identity mapping through various e-government projects and the datafication of various transaction generated data.

Seeding

Any digital identity like Aadhaar typically has three features: 1. Identification i.e. a number or card used to identify yourself; 2. Authentication, which is based on your number or card and any other digital attributes that you might have; 3. Authorisation: As bearers of the digital identity, we can authorise the service providers to take some steps on our behalf. The case study discussed ‘seeding’ which enables the Big Data aspects of Digital India. In the process of seeding, different government databases can be seeded with the UID number using a platform called Ginger. Due to this, other databases can be connected to UIDAI, and through it, data from other databases can be queried by using your Aadhaar identity itself. This is an example of relationality, where fractured data is being brought together. At the moment, it is not clear whether this access by UIDAI means that an actual physical copy of such data from various sources will be transferred to UIDAI’s servers or if they will just access it through internet, but the data remains on the host government agency’s server. An example of even private parties becoming a part of this infrastructure was raised by a participant when it was pointed out that Reliance Jio is now asking for fingerprints. This can then be connected to the relational infrastructure being created by UIDAI. The discussion then focused on how such a structure will function, where it was mentioned that as of now, it cannot be said with certainty that UIDAI will be the agency managing this relational infrastructure in the long run, even though it is the one building it.

Aadhaar and Data Security

This case study also dealt with the sheer lack of data protection legislation in India except for S.43A of the IT Act. The section does not provide adequate protection as the constitutionality of the rules and regulations under S.43A is ambivalent. More importantly, it only refers to private bodies. Hence, any seeding which is being done by the government is outside the scope of data protection legislation. Thus, at the moment, no legal framework covers the processes and the structures being used for datasets. Due to the inapplicability of S.43A to public bodies, questions were raised as to the existence of a comprehensive data protection policy for government institutions. Participants answered the question in the negative. They pointed out that if any government department starts collecting data, they develop their own privacy policy. There are no set guidelines for such policies and they do not address concerns related to consent, data minimisation and purpose limitation at all. Questions were also raised about the access and control over Big Data with government institutions. A tentative answer from a participant was that such data will remain under the control of the domain specific government ministry or department, for e.g. MNREGA data with the Ministry of Rural Development, because the focus is not on data centralisation but rather on data linking. As long as such fractured data is linked and there is an agency that is responsible to link them, this data can be brought together. Such data is primarily for government agencies. But the government is opening up certain aspects of the data present with it for public consumption for research and entrepreneurial purposes.The UIDAI provides you access to your own data after paying a minimal fee. The procedure for such access is still developing.

Aadhaar’s Relational Arrangement with Big Data Scheme

The various Digital India schemes brought in by the government were elucidated during the workshop. It was pointed out that these schemes extend to myriad aspects of a citizen’s daily life and cover all the essential public services like health, education etc. This makes Aadhaar imperative even though the Supreme Court has observed that it is not mandatory for every citizen to have a unique identity number. The benefits of such identity mapping and the ecosystem being generated by it was also enumerated during the discourse. But the complete absence of any data ethics or data confidentiality principles make us unaware of the costs at which these benefits are being conferred on us. Apart from surveillance concerns, the knowledge gap being created between the citizens and the government was also flagged. Three main benefits touted to be provided by Aadhaar were then analysed. The first is the efficient delivery of services. This appears to be an overblown claim as the Aadhaar specific digitisation and automation does not affect the way in which employment will be provided to citizens through MNREGA or how wage payment delays will be overcome. These are administrative problems that Aadhaar and associated technologies cannot solve. The second is convenience to the citizens. The fallacies in this assertion were also brought out and identified. Before the Aadhaar scheme was rolled in, ration cards were issued based on certain exclusion and inclusion criteria.. The exclusion and inclusion criteria remain the same while another hurdle in the form of Aadhaar has been created. As India is still lacking in supporting infrastructure such as electricity, server connectivity among other things, Aadhaar is acting as a barrier rather than making it convenient for citizens to enroll in such schemes.The third benefit is fraud management. Here, a participant pointed out that this benefit was due to digitisation in the form of GPS chips in food delivery trucks and electronic payment and not the relational nature of Aadhaar. Aadhaar is only concerned with the linking up or relational part. About deduplication, it was pointed out how various government agencies have tackled it quite successfully by using technology different from biometrics which is unreliable at the best of times.

The Myths surrounding Aadhaar

The discussion also reflected on the fact that Aadhaar is often considered to be a panacea that subsumes all kinds of technologies to tackle leakages. However, this does not take into account the fact that leakages happen in many ways. A system should have been built to tackle those specific kinds of leakages, but the focus is solely on Aadhaar as the cure for all. Notably, participants who have been a part of the government pointed out how this myth is misleading and should instead be seen as the first step towards a more digitally enhanced country which is combining different technologies through one medium.

IndiaStack and FinTech Apps

What is India Stack?

The focus then shifted to another extremely important Big Data project, India Stack, being conceptualised and developed by a team of private developers called iStack, for the NPCI. It builds on the UID project, Jan Dhan Yojana and mobile services trinity to propagate and develop a cashless, presence-less, paperless and granular consent layer based on UID infrastructure to digitise India.

A participant pointed out that the idea of India Stack is to use UID as a platform and keep stacking things on it, such that more and more applications are developed. This in turn will help us to move from being a ‘data poor’ country to a ‘data rich’ one. The economic benefits of this data though as evidenced from the TAGUP report - a report about the creation of National Information Utilities to manage the data that is present with the government - is for the corporations and not the common man. The TAGUP report openly talks about privatisation of data.

Problems with India Stack

The granular consent layer of India Stack hasn’t been developed yet but they have proposed to base it on MIT Media Lab’s OpenPDS system. The idea being that, on the basis of the choices made by the concerned person, access to a person’s personal information may be granted to an agency like a bank. What is more revolutionary is that India Stack might even revoke this access if the concerned person expresses a wish to do so or the surrounding circumstances signal to India Stack that it will be prudent to do so. It should be pointed out that the the technology required for OpenPDS is extremely complex and is not available in India. Moreover, it’s not clear how this system would work. Apart from this, even the paperless layer has its faults and has been criticised by many since its inception, because an actual government signed and stamped paper has been the basis of a claim.. In the paperless system, you are provided a Digilocker in which all your papers are stored electronically, on the basis of your UID number. However, it was brought to light that this doesn’t take into account those who either do not want a Digilocker or UID number or cases where they do not have access to their digital records. How in such cases will people make claims?

A Digital Post-Dated Cheque: It’s Ramifications

A key change that FinTech apps and the surrounding ecosystem want to make is to create a digital post-dated cheque so as to allow individuals to get loans from their mobiles especially in remote areas. This will potentially cut out the need to construct new banks, thus reducing the capital expenditure , while at the same time allowing the credit services to grow. The direct transfer of money between UID numbers without the involvement of banks is a step to further help this ecosystem grow. Once an individual consents to such a system, however, automatic transfer of money from one’s bank accounts will be affected, regardless of the reason for payment. This is different from auto debt deductions done by banks presently, as in the present system banks have other forms of collateral as well. The automatic deduction now is only affected if these other forms are defaulted upon. There is no knowledge as to whether this consent will be reversible or irreversible. As Jan Dhan Yojana accounts are zero balance accounts, the account holder will be bled dry. The implication of schemes such as “Loan in under 8 minutes” were also discussed. The advantage of such schemes is that transaction costs are reduced.The financial institution can thus grant loans for the minimum amount without any additional enquiries. It was pointed out that this new system is based on living on future income much like the US housing bubble crash. Interestingly, in Public Distribution Systems, biometrics are insisted upon even though it disrupts the system. This can be seen as a part of the larger infrastructure to ensure that digital post-dated cheques become a success.

The Role of FinTech Apps

FinTech ‘apps’ are being presented with the aim of propagating financial inclusion. The Technology Advisory Group for Unique Projects report stated that as managing such information sources is a big task, just like electricity utilities, a National Information Utilities (NIU) should be set up for data sources. These NIUs as per the report will follow a fee based model where they will be charging for their services for government schemes. The report identified two key NIUs namely the National Payments Corporation of India (NPCI) and the Goods and Services Tax Network (GSTN). The key usage that FinTech applications will serve is credit scoring. The traditional credit scoring data sources only comprised a thin file of records for an individual, but the data that FinTech apps collect - a person’s UID number, mobile number. and bank account number all linked up, allow for a far more comprehensive credit rating. Government departments are willing to share this data with FinTech apps as they are getting analysis in return. Thus, by using UID and the varied data sources that have been linked together by UID, a ‘thick file’ is now being created by FinTech apps. Banking apps have not yet gone down the route of FinTech apps to utilise Big Data for credit scoring purposes.

The two main problems with such apps is that there is no uniform way of credit scoring. This distorts the rate at which a person has to pay interest. The consent layer adds another layer of complication as refusal to share mobile data with a FinTech app may lead to the app declaring one to be a risky investment thus, subjecting that individual to a higher rate of interest .

Regulation of FinTech Apps and the UID Infrastructure

India Stack and the applications that are being built on it, generate a lot of transaction metadata that is very intimate in nature. The privacy aspects of the UID legislation doesn't cover such data. The granular consent layer which has been touted to cover this still has to come into existence. Also, Big Data is based on sharing and linking of data. Here, privacy concerns and Big Data objectives clash. Big Data by its very nature challenges privacy principles like data minimisation and purpose limitation.The need for regulation to cover the various new apps and infrastructure which are being developed was pointed out.

Problems with UID

It has been observed that any problem present with Aadhaar is usually labelled as a teething problem, it’s claimed that it will be solved in the next 10 years. But, this begs the question - why is the system online right now?

Aadhaar is essentially a new data condition and a new exclusion or inclusion criteria. Data exclusion modalities as observed in Rajasthan after the introduction of biometric Point of Service (POS) machines at ration shops was found to be 45% of the population availing PDS services. This number also includes those who were excluded from the database by being included in the wrong dataset. There is no information present to tell us how many actual duplicates and how many genuine ration card holders were weeded out/excluded by POS.

It was also mentioned that any attempt to question Aadhaar is considered to be an attempt to go back to the manual system and this binary thinking needs to change. Big Data has the potential to benefit people, as has been evidenced by the scholarship and pension portals. However, Big Data’s problems arise in systems like PDS, where there is centralised exclusion at the level of the cloud. Moreover, the quantity problem present in the PDS and MNREGA systems persists. There is still the possibility of getting lesser grains and salary even with analysis of biometrics, hence proving that there are better technologies to tackle these problems. Presently, the accountability mechanisms are being weakened as the poor don’t know where to go to for redressal. Moreover, the mechanisms to check whether the people excluded are duplicates or not is not there. At the time of UID enrollment, out of 90 crores, 9 crore were rejected. There was no feedback or follow-up mechanism to figure out why are people being rejected. It was just assumed that they might have been duplicates.

Another problem is the rolling out of software without checking for inefficiencies or problems at a beta testing phase. The control of developers over this software, is so massive that it can be changed so easily without any accountability.. The decision making components of the software are all proprietary like in the the de-duplication algorithm being used by the UIDAI. Thus, this leads to a loss of accountability because the system itself is in flux, none of it is present in public domain and there are no means to analyse it in a transparent fashion..

These schemes are also being pushed through due to database politics. On a field study of NPR of citizens, another Big Data scheme, it was found that you are assumed to be an alien if you did not have the documents to prove that you are a citizen. Hence, unless you fulfill certain conditions of a database, you are excluded and are not eligible for the benefits that being on the database afford you.

Why is the private sector pushing for UIDAI and the surrounding ecosystem?

Financial institutions stand to gain from encouraging the UID as it encourages the credit culture and reduces transaction costs.. Another advantage for the private sector is perhaps the more obvious one, that is allows for efficient marketing of products and services..

The above mentioned fears and challenges were actually observed on the ground and the same was shown through the medium of a case study in West Bengal on the smart meters being installed there by the state electricity utility. While the data coming in from these smart meters is being used to ensure that a more efficient system is developed,it is also being used as a surrogate for income mapping on the basis of electricity bills being paid. This helps companies profile neighbourhoods. The technical officer who first receives that data has complete control over it and he can easily misuse the data. This case study again shows that instruments like Aadhaar and India Stack are limited in their application and aren’t the panacea that they are portrayed to be.

A participant pointed out that in the light of the above discussions, the aim appears to be to get all kinds of data, through any source, and once you have gotten the UID, you link all of this data to the UID number, and then use it in all the corporate schemes that are being started. Most of the problems associated with Big Data are being described as teething problems. The India Stack and FinTech scheme is coming in when we already know about the problems being faced by UID. The same problems will be faced by India Stack as well.

Can you opt out of the Aadhaar system and the surrounding ecosystem?

The discussion then turned towards whether there can be voluntary opting out from Aadhaar. It was pointed out that the government has stated that you cannot opt out of Aadhaar. Further, the privacy principles in the UIDAI bill are ambiguously worded where individuals only have recourse for basic things like correction of your personal information. The enforcement mechanism present in the UIDAI Act is also severely deficient. There is no notification procedure if a data breach occurs. . The appellate body ‘Cyber Appellate Tribunal’ has not been set up in three years.

CCTNS: Big Data and its Predictive Uses

What is Predictive Policing?

The next big Big Data case study was on the Crime and Criminal Tracking Network & Systems (CCTNS). Originally it was supposed to be a digitisation and interconnection scheme where police records would be digitised and police stations across the length and breadth of the country would be interconnected. But, in the last few years some police departments of states like Chandigarh, Delhi and Jharkhand have mooted the idea of moving on to predictive policing techniques. It envisages the use of existing statistical and actuarial techniques along with many other tropes of data to do so. It works in four ways: 1. By predicting the place and time where crimes might occur; 2. To predict potential future offenders; 3. To create profiles of past crimes in order to predict future crimes; 4. Predicting groups of individuals who are likely to be victims of future crimes.

How is Predictive Policing done?

To achieve this, the following process is followed: 1. Data collection from various sources which includes structured data like FIRs and unstructured data like call detail records, neighbourhood data, crime seasonal patterns etc. 2. Analysis by using theories like the near repeat theory, regression models on the basis of risk factors etc. 3. Intervention

Flaws in Predictive Policing and questions of bias

An obvious weak point in the system is that if the initial data going into the system is wrong or biased, the analysis will also be wrong. Efforts are being made to detect such biases. An important way to do so will be by building data collection practices into the system that protect its accuracy. The historical data being entered into the system is carrying on the prejudices inherited from the British Raj and biases based on religion, caste, socio-economic background etc.

One participant brought about the issue of data digitization in police stations, and the impact of this haphazard, unreliable data on a Big Data system. This coupled with paucity of data is bound to lead to arbitrary results. An effective example was that of black neighbourhoods in the USA. These are considered problematic and thus they are policed more, leading to a higher crime rate as they are arrested for doing things that white people in an affluent neighbourhood get away with. This in turn further perpetuates the crime rate and it becomes a self-fulfilling prophecy. In India, such a phenomenon might easily develop in the case of migrants, de-notified tribes, Muslims etc. A counter-view on bias and discrimination was offered here. One participant pointed out that problems with haphazard or poor quality of data is not a colossal issue as private companies are willing to fill this void and are actually doing so in exchange for access to this raw data. It was also pointed out how bias by itself is being used as an all encompassing term. There are multiplicities of biases and while analysing the data, care should be taken to keep it in mind that one person’s bias and analysis might and usually does differ from another. Even after a computer has analysed the data, the data still falls into human hands for implementation.

The issue of such databases being used to target particular communities on the basis of religion, race, caste, ethnicity among other parameters was raised. Questions about control and analysis of data were also discussed, i.e. whether it will be top-down with data analysis being done in state capitals or will this analysis be done at village and thana levels as well too. It was discussed as topointed out how this could play a major role in the success and possible persecutory treatment of citizens, as the policemen at both these levels will have different perceptions of what the data is saying. . It was further pointed out, that at the moment, there’s no clarity on the mode of implementation of Big Data policing systems. Police in the USA have been seen to rely on Big Data so much that they have been seen to become ‘data myopic’. For those who are on the bad side of Big Data, in the Indian context, laws like preventive detention can be heavily misused.There’s a very high chance that predictive policing due to the inherent biases in the system and the prejudices and inefficiency of the legal system will further suppress the already targeted sections of the society. A counterpoint was raised and it was suggested that contrary to our fears, CCTNS might lead to changes in our understanding and help us to overcome longstanding biases.

Open Knowledge Architecture as a solution to Big Data biases?

The conference then mulled over the use of ‘Open Knowledge’ architecture to see whether it can provide the solution to rid Big Data of its biases and inaccuracies if enough eyes are there. It was pointed out that Open Knowledge itself can’t provide foolproof protection against these biases as the people who make up the eyes themselves are predominantly male belonging to the affluent sections of the society and they themselves suffer from these biases.

Who exactly is Big Data supposed to serve?

The discussion also looked at questions such as who is this data for? Janata Information System (JIS), is a concept developed by MKSS where the data collected and generated by the government is taken to be for the common citizens. For e.g. MNREGA data should be used to serve the purposes of the labourers. The raw data as is available at the moment, usually cannot be used by the common man as it is so vast and full of information that is not useful for them at all. It was pointed out that while using Big Data for policy planning purposes, the actual string of information that turned out to be needed was very little but the task of unravelling this data for civil society purposes is humongous. By presenting the data in the right manner, the individual can be empowered. The importance of data presentation was also flagged. It was agreed upon that the content of the data should be for the labourer and not a MNC, as the MNC has the capability to utilise the raw data on it’s own regardless.

Concerns about Big Data usage

Participants pointed out that privacy concerns are usually brushed under the table due to a belief that the law is sufficient or that the privacy battle has already been lost.
In the absence of knowledge of domain and context, Big Data analysis is quite limited. Big Data’s accuracy and potential to solve problems needs to be factually backed.
The narrative of Big Data often rests on the assumption that descriptive statistics take over inferential statistics, thus eliminating the need for domain specific knowledge. It is claimed that the data is so big that it will describe everything that we need to know.
Big Data is creating a shift from a deductive model of scientific rigour to an inductive one. In response to this, a participant offered the idea that troves of good data allow us to make informed questions on the basis of which the deductive model will be formed. A hybrid approach combining both deductive and inductive might serve us best.
The need to collect the right data in the correct format, in the right place was also expressed.

Potential Research Questions & Participants’ Areas of Research

Following this discussion, participants brainstormed to come up with potential areas of research and research questions. They have been captured below:

Big Data, Aadhaar and India Stack:

Has Aadhaar been able to tackle illegal ways of claiming services or are local negotiations and other methods still prevalent?
Is the consent layer of India Stack being developed in a way that provides an opportunity to the UID user to give informed consent? The OpenPDS and its counterpart in the EU i.e. the My Data Structure were designed for countries with strong privacy laws. Importantly, they were meant for information shared on social media and not for an individual’s health or credit history. India is using it in a completely different sphere without strong data protection laws. What were the granular consent layer structures present in the West designed for and what were they supposed to protect?
The question of ownership of data needs to be studied especially in context of a globalised world where MNCs are collecting copious amounts of data of Indian citizens. What is the interaction of private parties in this regard?

Big Data and Predictive Policing:

How are inequalities being created through the Big Data systems? Lessons should be taken from the Western experience with the advent of predictive policing and other big data techniques - they tend to lead to perpetuation of the current biases which are already ingrained in the system.
It was also pointed out how while studying these topics and anything related to technology generally, we become aware of a divide that is present between the computational sciences and social sciences. This divide needs to be erased if Big Data or any kind of data is to be used efficiently. There should be a cross-pollination between different groups of academics. An example of this can be seen to be the ‘computational social sciences departments’ that have been coming up in the last 3-4 years.
Why are so many interim promises made by Big Data failing? A study of this phenomenon needs to be done from a social science perspective. This will allow one to look at it from a different angle.

Studying Big Data:

What is the historical context of the terms of reference being used for Big Data? The current Big Data debate in India is based on parameters set by the West. For better understanding of Big Data, it was suggested that P.C. Mahalanobis’ experience while conducting the Indian census, (which was the Big Data of that time) can be looked at to get a historical perspective on Big Data. This comparison might allow us to discover questions that are important in the Indian context. It was also suggested that rather than using ‘Big Data’ as a catchphrase to describe these new technological innovations, we need to be more discerning.
What are the ideological aspects that must be considered while studying Big Data? What does the dialectical promise of technology mean? It was contended that every time there is a shift in technology, the zeitgeist of that period is extremely excited and there are claims that it will solve everything. There’s a need to study this dialectical promise and the social promise surrounding it.
Apart from the legitimate fears that Big Data might lead to exclusion, what are the possibilities in which it improve inclusion too?
The diminishing barrier between the public and private self, which is a tangent to the larger public-private debate was mentioned.
How does one distinguish between technology failure and process failure while studying Big Data?

Big Data: A Friend?

In the concluding session, the fact that the Big Data moment cannot be wished away was acknowledged. The use of analytics and predictive modelling by the private sector is now commonplace and India has made a move towards a database state through UID and Digital India. The need for a nuanced debate, that does away with the false equivalence of being either a Big Data enthusiast or a luddite is crucial.

A participant offered two approaches to solving a Big Data problem. The first was the Big Data due process framework which states that if a decision has been taken that impacts the rights of a citizen, it needs to be cross examined. The efficacy and practicality of such an approach is still not clear. The second, slightly paternalistic in nature, was the approach where Big Data problems would be solved at the data science level itself. This is much like the affirmative algorithmic approach which says that if in a particular dataset, the data for the minority community is not available then it should be artificially introduced in the dataset. It was also suggested that carefully calibrated free market competition can be used to regulate Big Data. For e.g. a private personal wallet company that charges higher, but does not share your data at all can be an example of such competition.

Another important observation was the need to understand Big Data in a Global South context and account for unique challenges that arise. While the convenience of Big Data is promising, its actual manifestation depends on externalities like connectivity, accurate and adequate data etc that must be studied in the Global South.

While the promises of Big Data are encouraging, it is also important to examine its impacts and its interaction with people's rights. Regulatory solutions to mitigate the harms of big data while also reaping its benefits need to evolve.

For more details visit https://cis-india.org/internet-governance/big-data-in-india-benefits-harms-and-human-rights-a-report

Bengaluru gives data safety tips to panel

Admin — 2018-01-16T23:19:00Z

A crucial consultation ahead of the framing of the country's data protection laws witnessed animated discussions here on Saturday.

The article was published in Deccan Herald on January 14, 2018

Participants raised a variety of concerns. Held on the IISc campus, it discussed everything from revenge porn and human genomics to artificial intelligence and the right to be forgotten.

Cybersecurity experts, academics, lawyers and others attended the day-long event.

They made their submissions to the Srikrishna Committee, formed on July 31 last year to frame principles for data protection laws.

The session was chaired by Justice B N Srikrishna, retired Supreme Court judge. Also on the panel were Rama Vedashree, CEO, Data Security Council of India, and Gopalakrishnan S.

The basis of the discussion was a 200-page document drafted by the nine members of the Srikrishna Committee. January 31 is the deadline to respond to the committee's white paper.

Classification of data

Several dystopian scenarios, such as profiling and discrimination with the help of behavioural and psychometric data, led to discussions on the need for classification of data types.

Darshana, a lawyer from the People's Union of Civil Liberties (PUCL), spoke about how people were being denied rations for not holding Aadhaar.

The collection of children's biometric data brought up the question of consent.

Srikrishna clarified the white paper contained a chapter on consent: it suggests an age limit below which parental consent will have to be mandatory.

A discussion on the right to be forgotten arose after some participants sought a provision to revoke consent already given.

Questions associated with genome sequencing were raised by Vijay Chandru, professor, IISc.

"We need to pay special attention to this type of information. The collection of DNA in the form of saliva, when, say, you make a visit to a weight loss clinic, has become the commercial norm. The Insurance Regulatory Act can have huge implications as genetic data can be used to discriminate and deny health coverage," Chandru said.

Sunil Abraham, head of the Centre for Internet and Society, said he was delighted with the quality of debate and discussion.

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-january-14-2018-pranshu-rathee-bengaluru-gives-data-safety-tips-to-panel

BBMP faces ire for publishing pourakarmikas' Aadhaar details on website

praskrishna — 2017-06-06T14:27:27Z

The Bruhat Bengaluru Mahanagara Palike (BBMP) has published the Aadhaar details and other personal information of thousands of its pourakarmikas - civic workers who sweep streets and collect waste door-to-door.

This has angered activists who believe it could be misused. BBMP claims it was done to bring transparency in the city's solid waste management. The article by Bharat Joshi was published in the Economic Times on May 29, 2017.

The Aadhaar number, provident fund number, employee state insurance (ESIC) number and residential addresses of thousands of pourakarmikas are available ward-wise on the civic body's website. ET accessed as many as 4,215 Aadhaar numbers and 5,744 PF and ESI numbers of pourakarmikas from 58 wards. The number could be much higher across the city's 198 wards. An ESI number grants access to personal details of an employee on the esic.nic.in website, such as father's name and date of birth.

The city has over 30,000 pourakarmikas, most of them Dalit women and employed by contractors. The disclosure of their Aadhaar numbers comes at a time when the Modi administration's push for wider application of the unique identification number has triggered a nationwide debate on privacy.

"(Disclosure) happens because authorities don't read the law," Supreme Court advocate KV Dhananjay said. "There is every possibility of misuse, especially identity theft. What hackers do is they start aggregating such information because the Aadhaar is used as a platform for transfer of benefits. And with Aadhaar set to become the anchor for many things, the BBMP should immediately remove those details."

A recent report by city-based Centre for Internet and Society flagged four government agencies for publishing Aadhaar and other financial data. It blamed the Unique Identification Authority of India (UIDAI) for turning a blind eye to the lack of standards prescribed for how other agencies deal with data, such cases of massive public disclosure and "the myriad ways in which it could be used for mischief."

Earlier this month, UIDAI chief executive officer Ajay Bhushan Pandey wrote to chief secretaries of all states, reminding them that publishing an Aadhaar number is prohibited under Sections 29(2), 29(3) and 29(4) of the Aadhaar Act, 2016. "Our intention was not to cause anyone any harm," BBMP Joint Commissioner (solid waste management) Sarfaraz Khan said. The idea was to prevent contractors from taking payments against non-existent pourakarmikas. "We're also planning to make public details of which exact street a pourakarmika is working on."

He added that he would discuss the disclosure with the Commissioner, "If there is any violation, the Aadhaar numbers will be removed."

This points to the need for BBMP to have a policy on data and privacy, said Vinay K Sreenivasa of the Alternative Law Forum. "Of what use is an Aadhaar number to the BBMP? Names and photographs would have sufficed to ensure transparency."

ET Follow-up on Scare in Malleswaram
BBMP Joint Commissioner Sarfaraz Khan was unaware that publishing Aadhaar data is a punishable offence. However, the election wing of the BBMP has ordered a probe after ET reported how a certain Hanumantharaju, claiming to be a municipal official, collected Aadhaar details from residents of the Atma KT Apartment in Malleswaram.

Residents also filed a complaint with the Malleswaram police. "We called the man's mobile number but a woman picked up. Further investigation is underway and BBMP is also checking its records," a police officer said.

Residents also plan to submit a representation to Malleswaram MLA CN Ashwathnarayan. "We have taken this seriously and are awaiting a report from the Malleswaram BBMP revenue office," Assistant Commissioner (election) TR Shobha told ET.

For more details visit https://cis-india.org/internet-governance/news/economic-times-may-29-2017-bharat-joshi-bbmp-faces-ire-for-publishing-pourakarmikas-aadhaar-details-on-website

Attempted data breach of UIDAI, RBI, ISRO and Flipkart is worrisome

Admin — 2018-01-02T16:20:58Z

Perhaps, we got lucky this time, but the ongoing problem of massive cyber-security breaches wouldn't stop at one thwarted attempt to steal sensitive information from the biggest and most important databases.

This was published by DailyO on October 4, 2017.

An alarming report on a potential data breach impacting almost 6,000 Indian organisations — including the Unique Identification Authority of India (UIDAI) that hosts Aadhaar numbers, Reserve Bank of India, Bombay Stock Exchange and Flipkart — has surfaced and supposedly been contained.

A cyber security firm in Pune, Seqrite, had found in its Cyber Intelligence Labs that India's national internet registry, IRINN (Indian Registry for Internet Names and Numbers), which comes under NIXI (National Internet Exchange of India), was compromised, though the issue has reportedly been "addressed".

Sequite tracked an advertisement on the "dark net" — the digital underworld — offering access to servers and database dump of more than 6,000 Indian businesses and public assets, including the big ones such as UIDAI, RBI, BSE and Flipkart.

The report states that the "dealer could have had access to usernames, email ids, passwords, organisation name, invoices and billing documents, and few more important fields, and could have potentially shut down an entire organisation".

The UIDAI has denied the security breach of Aadhaar data in the IRINN attacks, in an expected move. "UIDAI reiterated that its existing security controls and protocols are robust and capable of countering any such attempts or malicious designs of data breach or hacking," said the report, which is basically a rebuttal from the powerful organisation at the heart of centralising all digital information of all Indians.

Though the aggrieved parties have been notified, and the NCIIPC (National Critical Information Infrastructure Protection Centre) is looking at the issue, what this means is that digital information is a minefield susceptible to all kinds of threats from criminals as well as foreign adversaries, along with being commercially exploited by major conglomerates.

Till August 2017 alone, around 37 incidents of ransomware attacks have been reported, including the notorious WannaCry attacks. But what makes the attacks very, very threatening is the government's insistence — illegal at that — to link Aadhaar with every service, and create a centralised nodal, superior network of all networks.

This "map of maps" has been rightly called out as a potential national security threat, as it makes a huge reservoir of data vulnerable to cyberthreats from mercenaries, the digital underworld and foreign adversaries.

A widely circulated report prepared by the Centre for Internet and Society (CIS) underlined the major flaws in the 2016 Aadhaar Act, that makes it vulnerable to several digital threats. Photo: Reuters

That the data dump in the digital black market provides access to entire servers for a meagre sum of Rs 42 lakh, as mentioned in the report, is a sign of how insecure our personal information could be on the servers of the biggest government organisations and commercial/online retail giants. This includes the likes of Flipkart, which store our passwords, emails, phone numbers and other important information linked to our bank details and more.

Whilst UIDAI was declared a "protected system" under Section 70 of the Information Technology Act, and a critical information infrastructure, in practice, there are way too many breaches and leaks of Aadhaar data to merit that tag.

Because the current (officially thwarted) attempt to hack into these nodal databases involved the data of hundreds of millions of Indians, the matter has been dealt with the required seriousness. However, as the report states, "among the companies whose emails they found were Tata Consultancy Services, Wipro, Indian Space Research Organisation, Mastercard/Visa, Spectranet, Hathway, IDBI Bank and EY".

This is a laundry list of the biggest and most significant organisations, with massive digital footprints, which are sitting on enormous databanks. Hacking into ISRO, for example, could pose a formidable risk to India's space programmes as well as jeopardise information safety of crucial space projects that are jointly conducted with friendly countries such as Russia, China and the US.

A widely circulated report prepared by the Centre for Internet and Society (CIS) on the Aadhaar Act and its non-compliance with data protection law in India underlined the major flaws in the 2016 Aadhaar Act, that makes it vulnerable to several digital threats.

Moreover, CIS also reported how government websites, especially "those run by National Social Assistance Programme under Ministry of Rural Development, National Rural Employment Guarantee Act (NREGA) run by Ministry of Rural Development, Daily Online Payment Reports under NREGA (Governemnt of Andhra Pradesh) and Chandranna Bima Scheme (also run by Government of Andhra Pradesh) combined were responsible for publicly exposing personal and Aadhaar details of over 13 crore citizens".

The government has been rather lackadaisical about the grave security threats posed by India's shaky digital infrastructure, saying it's robust when it's not: the UIDAI itself has been brushing the allegations of exclusion, data breach and leaking of data from various government and private operators' servers and there have been several documentations of the security threat as well as the human rights violations that the digital breaches pose for India's institutions and its citizens.

As noted welfare economist Jean Dreze says, "With Aadhaar immensely reinforcing the government's power to reward loyalty and marginalise dissenters, the embers of democracy are likely to be further smothered."

Even as India's jurisprudence held privacy and autonomy as supreme, Indians remain vulnerable to institutional failures and an abject lack of awareness on the gravity of digital destabilisation.

For more details visit https://cis-india.org/internet-governance/news/daily-o-october-4-2017-attempted-data-breach-of-uidai-rbi-isro-and-flipkart

Atmanirbhar Bharat Meets Digital India: An Evaluation of COVID-19 Relief for Migrants

ankan — 2021-06-03T12:53:57Z

With the onset of the national lockdown on 24th March 2020 in response to the outbreak of COVID-19, the fate of millions of migrant workers was left uncertain. In addition, lack of enumeration and registration of migrant workers became a major obstacle for all State Governments and the Central Government to channelize relief and welfare measures.

A majority of workers were dependent on relief provided by NGOs, Civil Society Organizations and individuals or credit via kinship networks. With mounting domestic and international pressures, various relief and welfare schemes were rolled out but they were too little, too late and more often than not characterised by poor implementation.

The aim of this report is to qualitatively assess health conditions of migrant workers and access to welfare during the first COVID-19 lockdown. The primary focus is on the host states of Tamil Nadu, Maharashtra and Haryana. 20 in-depth interviews were conducted remotely with migrant workers working in various sectors. Their access to welfare schemes of the Central Government as well as of their host states was ascertained. Emphasis was also laid on their access to healthcare facilities in relation to COVID-19 and non-COVID-19 ailments.

The findings of the report showcase a dismal state of affairs. No one in our sample group received any kind of dry ration or cooked food in a sustained manner and, in the rare occasions when they did, it was woefully inadequate. Of the three states considered, we found that relief distribution was the best in Tamil Nadu followed by Maharashtra and then Haryana. Even the Direct Cash Transfer Scheme of the Central Government under ‘Atmanirbhar Bharat’ did not reach the migrant workers. Moreover, the migrant workers were apprehensive to report any COVID-19 related symptom due to the draconian treatment that followed therein and the crumbling healthcare sector made it impossible to avail facilities in non-COVID-19 related issues. Lastly, a case has been made for the creation of bottom-level infrastructures to further dialogue between various stakeholders, including associations of migrant workers, for the implementation of schemes and policies which can consolidate migrant workers as a relevant political subject. As migrant workers reel from the impact of the second wave, pushing for on-ground infrastructure and supporting community-based organisations becomes even more urgent.

Click here to read the report authored by Ankan Barman and edited by Ayush Rathi. [PDF, 882 kb]

For more details visit https://cis-india.org/raw/migrant-workers-solidarity-network-and-cis-ankan-barman-atmanirbhar-bharat-meets-digital-india-an-evaluation-of-covid-19-relief-for-migrants