Centre for Internet and Society

Aadhaar numbers of 135 mn may have leaked, claims CIS report

praskrishna — 2017-05-20T11:10:37Z

Aadhaar numbers and personal information of as many as 135 million Indians could have been leaked from four government portals due to lack of IT security practices, the Centre for Internet and Society has claimed.

The article was published by DNA on May 2, 2017.

"Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million," the report by CIS said.

Further, as many as 100 million bank account numbers could have been "leaked" from the four portals, it added.

The portals where the purported leaks happened were those of National Social Assistance Programme, National Rural Employment Guarantee Scheme, as well as two websites of the Andhra Pradesh government.

"Over 23 crore beneficiaries have been brought under Aadhaar programme for DBT (Direct Benefit Transfer), and if a significant number of schemes have mishandled data in a similar way, we could be looking at a data leak closer to that number," it cautioned.

The disclosure came as part of a CIS report titled 'Information Security Practices of Aadhaar (or lack thereof): A Documentation of Public Availability of Aadhaar Numbers with Sensitive Personal Financial Information'.

When contaced, a senior official of the Unique Identification Authority of India (UIDAI) said that there was no breach in its own database. The UIDAI issues Aadhaar to citizens.

The CIS report claimed that the absence of "proper controls" in populating the databases could have disastrous results as it may divulge sensitive information about individuals, including details about address, photographs and financial data.

"The lack of consistency of data masking and de- identification standard is an issue of great concern...the masking of Aadhaar numbers does not follow a consistent pattern," the report added.

For more details visit https://cis-india.org/internet-governance/news/dna-may-2-2017-report-aadhaar-numbers-of-135-mn-may-have-leaked-claims-cis-report

Aadhaar numbers of 135 mn may have leaked, claims CIS report

praskrishna — 2017-05-20T10:42:59Z

The news was published by the Press Trust of India on May 2, 2017.

"Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million," the report by CIS said.

Further, as many as 100 million bank account numbers could have been "leaked" from the four portals, it added.

The portals where the purported leaks happened were those of National Social Assistance Programme, National Rural Employment Guarantee Scheme, as well as two websites of the Andhra Pradesh government.

"Over 23 crore beneficiaries have been brought under Aadhaar programme for DBT (Direct Benefit Transfer), and if a significant number of schemes have mishandled data in a similar way, we could be looking at a data leak closer to that number," it cautioned.

The disclosure came as part of a CIS report titled 'Information Security Practices of Aadhaar (or lack thereof): A Documentation of Public Availability of Aadhaar Numbers with Sensitive Personal Financial Information'.

When contaced, a senior official of the Unique Identification Authority of India (UIDAI) said that there was no breach in its own database. The UIDAI issues Aadhaar to citizens.

The CIS report claimed that the absence of "proper controls" in populating the databases could have disastrous results as it may divulge sensitive information about individuals, including details about address, photographs and financial data.

"The lack of consistency of data masking and de- identification standard is an issue of great concern...the masking of Aadhaar numbers does not follow a consistent pattern," the report added.

For more details visit https://cis-india.org/internet-governance/news/pti-news-may-2-2017-aadhaar-numbers-of-135mn-may-have-leaked-claims-cis-report

Aadhaar numbers of 135 mn may have leaked, claims CIS report

praskrishna — 2017-05-12T15:40:28Z

The article was published in the Times of India on May 2, 2017.

"Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million," the report by CIS said.

Further, as many as 100 million bank account numbers could have been "leaked" from the four portals, it added.

When contaced, a senior official of the Unique Identification Authority of India (UIDAI) said that there was no breach in its own database. The UIDAI issues Aadhaar to citizens.

"The lack of consistency of data masking and de- identification standard is an issue of great concern...the masking of Aadhaar numbers does not follow a consistent pattern," the report added. SR MBI MR

For more details visit https://cis-india.org/internet-governance/news/times-of-india-may-5-2017-aadhaar-numbers-of-135-mn-may-have-leaked-claims-cis-report

Aadhaar Number vs the Social Security Number

elonnai — 2015-07-24T01:24:00Z

This blog calls out the differences between the Aadhaar Number and the Social Security Number

In response to news items that reported the Government of India running pilot projects to enroll children at the time of birth for Aadhaar numbers - an idea that government officials in the news items claimed was along the lines of the social security number - this note seeks to point out the ways in which the Aadhaar number and the social security number are different.[1]

Governance

SSN is governed by Federal legislation: The issuance, collection, and use of the SSN is governed by a number of Federal and State legislation with the most pertinent being the Social Security Act 1935[2] - which provides legal backing for the number, and the Privacy Act 1974 which regulates the collection, access, and sharing of the SSN by Federal Executive agencies.[3]

Aadhaar was constituted under the Planning Commission: The UIDAI was constituted as an attached office under the Planning Commission in 2009.[4] A Unique Identification Authority Bill has been drafted, but has not been enacted.[5] Though portions of the Information Technology Act 2008 apply to the UID scheme, section 43A and associated Rules (India's data protection standards) do not clearly apply to the UIDAI as the provision has jurisdiction only over body corporate.

Purpose

SSN was created as a number record keeping scheme for government services: The Social Security Act provides for the creation of a record keeping scheme - the SSN. Originally, the SSN was used as a means to track an individuals earnings in the Social Security system.[6] In 1943 via an executive order, the number was adopted across Federal agencies. Eventually the number has evolved from being a record keeping scheme into a means of identity. In 1977 it was clarified by the Carter administration that the number could act as a means to validate the status of an individual (for example if he or she could legally work in the country) but that it was not to serve as a national identity document.[7] Today the SSN serves as a number for tracking individuals in the social security system and as one (among other) form of identification for different services and businesses. Alone, the SSN card does not serve proof of identity, citizenship, and it cannot be used to transact with and does not have the ability to store information. [8]

Aadhaar was created as a biometric based authenticator and a single unique proof of identity: The Aadhaar number was established as a single proof of identity and address for any resident in India that can be used to authenticate the identity of an individual in transactions with organizations that have adopted the number. The scheme as been promoted as a tool for reducing fraud in the public distribution system and enabling the government to better deliver public benefits.[9]

Applicability

SSN is for citizens and non-citizens authorized to work: The social security number is primarily for citizens of the United States of America. In certain cases, non citizens who have been authorized by the Department of Homeland Security to work in the US may obtain a Social Security number.[10]

Aadhaar is for residents: The aadhaar number is available to any resident of India.[11]

Storage, Access, and Disclosure

SSN and applications are stored in the Numident: The numident is a centralized database containing the individuals original SNN and application and any re-application for the same. All information stored in the Numident is protected under the Privacy Act. Individuals may request records of their own personal information stored in the Numident. With the exception of the Department of Homeland Security and U.S Citizenship and Immigration Services, third parties may only request access to Numident records with the consent of the concerned individual.[12] Federal agencies and private entities that collect the SSN for a specific service store the number at the organizational level. The Privacy Act and various state level legislation regulates the disclosure, access, and sharing of the SSN number collected by agencies and organizations.

Aadhaar and data generated at multiple sources is stored in the CIDR and processed in the data warehouse: According to the report "Analytics, Empowering Operations", "At UIDAI, data generated at multiple sources would typically come to the CIDR (Central ID Repository), UIDAIs Data centre, through an online mechanism. There could be certain exceptional sources, like Contact centre or Resident consumer surveys, that will not feed into the Data center directly. Data is then processed in the Data Warehouse using Business Intelligence tools and converted into forms that can be accessed and shared easily." Examples of data that is stored in the CIDR include enrollments, letter delivery, authentication, processing, resident survey, training, and data from contact centres.[13] It is unclear if organizations that authenticate individuals via the Adhaar number store the number at the organizational level. Biometrics are listed as a form of sensitive personal information in the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) 2011, thus if any body corporate collects biometrics with the Aadhaar number - the storage, access, and disclosure of this information would be protected as per the Rules, but the Aadhaar number is not explicitly protected. [14]

Use by public and private entities

Public and private entities can request SSN: Public and private entities can request the SSN to track individuals in a system or as a form of identifying an individual. Any private business is allowed to request and use the SSN as long as the use does not violate federal or state law. Legally, an individual is only required to provide their SSN to a business if they are engaging in a transaction that requires notification to the Internal Revenue Service or the individual is initiating a transaction that is subject to federal Customer Identification Program rules.[15] Thus, an individual can refuse to provide their SSN, but a private business can also refuse to provide a service.[16]

Any public authority requesting the SSN must provide a disclosure notice to the individual explaining if the provision of SSN is required or optional. According to the Privacy Act of 1974, no individual can be denied a government service or benefit for not providing the SSN unless Federal law specifically requires the number for a particular service.[17] Thus, there are a number of Federal legislation in the U.S that specifically require the SSN. For example, the Social Security Independence and Program Improvements Act 1994 allows for the use of the SSN for jury selection and allows for cross matching of SSNs and Employer Identification Numbers for investigation into violation of Federal Laws. [18]

Public and private entities can request Aadhaar: The Aadhaar number can be adopted by any public or private entity as a single means of identifying an individual. The UIDAI has stated that the Aadhaar number is not mandatory,[19] and the Supreme Court of India has clarified that services cannot be denied on the grounds that an individual does not have an Aadhaar number.[20]

Verification

The SSN can be verified only in certain circumstances: The SSA will only respond to requests for SSN verification in certain circumstances:

Before issuing a replacement SSN, posting a wage item to the Master Earnings File, or establishing a claims record - the SSA will verify that the name and the number match as per their records.
When legally permitted, the SSA verification system will verify SSNs for government agencies.
When legally permitted the SSA verification system will verify a workers SSN for pre-registered and approved private employers.
If an individual has provided his/her consent, the SSA will verify a SSN request from a third party.

For verification the SSN number must be submitted with an accompanying name to be matched to and additional information such as date of birth, fathers name, mothers name etc. When verifying submitted SSN's, the system will respond with either confirmation that the information matches or that it does not match. It is important to note that because SSN is verified only in certain circumstances, it is not guaranteed that the person providing an SSN number is the person whom the number was assigned.[21]

The Aadhaar number can be verified in any transaction: If an organization, department, or platform has adopted the Aadhaar number as a form of authentication, they can send requests for verification to the UIDAI. The UIDAI will respond with a yes or no answer. When using their Aadhaar number as a form of authentication individuals can submit their number and demographic information or their number and biometrics for verification.[22]

Lost or stolen

SSN can be replaced: If an individual loses his/her SSN card lost or their number is fraudulently used, they can apply for a replacement SSN card or a new SNN number. [23]

Aadhaar number can be replaced: If an individual has lost their Aadhaar number, there is a process that they can follow to have their number re-sent to them. If the number cannot be located by the UIDAI , the individual has the option of re-enrolling for a new Aadhaar number.[24] The UIDAI has built the scheme with the understanding the biometrics are a unique identifier that cannot be lost or stolen, and thus have not created a system to address the possibility of stolen or fraudulent use of biometrics.

Implementation

Legislation and formal roll out: The SSN program was brought into existence via the Social Security Act and officially rolled out while eventually being adopted across Federal Departments.

Bill and pilot studies: The UID scheme has been envisioned as being brought into existence via the Unique Identification Authority Bill 2010 which has not been passed. Thus far, the project has been implemented in pilot phases across States and platforms.

Enrollment

Social Security Administration: The Social Security Agency is the soul body in the US that receives and processes applications for SSN and issues SSN numbers. [25]

UIDAI, registrars, and enrolling agencies: The UIDAI is the soul body that issues Aadhaar numbers. Registrars (contracted bodies under the UIDAI_ - and enrolling agencies (contracted bodies under Registrars) are responsible for receiving and processing enrollments into the UID scheme.

Required supporting documents

SSN requires proof of age, identity, and citizenship: To obtain a SSN you must be able to provide proof of your age, your identity, and US citizenship. The application form requires the following information:

Name to be shown on the card
Full name at birth, if different
Other names used
Mailing address
Citizenship or alien status
Sex
Race/ethnic description (SSA does not receive this information under EAB)
Date of birth
Place of birth
Mother's name at birth
Mother's SSN (SSA collects this information for the Internal Revenue Service (IRS) on an original application for a child under age 18. SSA does not retain these data.)
Fathers' name
Father's SSN (SSA collects this information for IRS on an original application for a child under age 18. SSA does not retain these data).
Whether applicant ever filed for an SSN before
Prior SSNs assigned
Name on most recent Social Security card
Different date of birth if used on an earlier SSN application.
Date application completed
Phone number
Signature
Applicant's relationship to the number holder.[26]

Aadhaar requires proof of age, address, birth, and residence and biometric information: The application form requires the following information:

Name
Date of birth
Gender
Address
Parent/guardian details
Email
Mobile number
Indication of consenting or not consenting to the sharing of information provided to the UIDAI with Public services including welfare services
Indication of if the individual wants the UIDAI to facilitate the opening of a bank account linked to the Aadhaar number and permits the sharing of information for this purpose
If the individual has no objection to linking their present bank account to the Aadhaar number and the relevant bank details
Signature[27]

[1] Sahil Makkar, "PM's idea to track kids from birth hits practical hurdles", Business Standard. April 11^th 2015. Available at: http://www.business-standard.com/article/current-affairs/pm-s-idea-to-track-kids-from-birth-hits-practical-hurdles-115041100828_1.html

[2] The Social Security Act of 1935. Available at: http://www.ssa.gov/history/35act.html

[3] The United States Department of Justice, "Overview of the Privacy Act of 1974". Available at: http://www.justice.gov/opcl/social-security-number-usage

[4] Government of India Planning Commission "Notification". Available at: https://uidai.gov.in/images/notification_28_jan_2009.pdf

[5] The National Identification Authority of India Bill 2010. Available at: http://www.prsindia.org/uploads/media/UID/The%20National%20Identification%20Authority%20of%20India%20Bill,%202010.pdf

[6] History of SSA 1993 - 2000. Chapter 6: Program Integrity. Available at: http://www.ssa.gov/history/ssa/ssa2000chapter6.html

[7] Social Security Number Chronology. Available at: http://www.ssa.gov/history/ssn/ssnchron.html

[8] History of SSA 1993 - 2000, Chapter 6: Program Integrity. Available at: http://www.ssa.gov/history/ssa/ssa2000chapter6.html

[9] UID FAQ: Aadhaar Features, Eligibility. Available at: https://resident.uidai.net.in/faqs

[10] Social Security Numbers for Noncitizens. Available at: http://www.ssa.gov/pubs/EN-05-10096.pdf

[11] Aapka Aadhaar. Available at: https://uidai.gov.in/aapka-aadhaar.html

[12] Program Operations Manual System. Available at: https://secure.ssa.gov/poms.nsf/lnx/0203325025

[13] UIDAI Analytics -Empowering Operations - the UIDAI Experience. Available at: https://uidai.gov.in/images/commdoc/other_doc/uid_doc_30012012.pdf

[14] Information Technology (Reasonable security practices and procedures and sensitive personal data or information rules 2011) available at: http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf

[15] IdentityHawk, "Who can lawfully request my social security number?" Available at: http://www.identityhawk.com/Who-Can-Lawfully-Request-My-Social-Security-Number

[16] SSA FAQ " Can I refuse to give my social security number to a private business?" Available at: https://faq.ssa.gov/link/portal/34011/34019/Article/3791/Can-I-refuse-to-give-my-Social-Security-number-to-a-private-business

[17] The United States Department of Justice, "Overview of the Privacy Act of 1974". Available at: http://www.justice.gov/opcl/social-security-number-usage

[18] Social Security Number Chronology. Available at: http://www.ssa.gov/history/ssn/ssnchron.html

[19] Aapka Aadhaar. Available at: https://uidai.gov.in/what-is-aadhaar.html

[20] Business Standard, "Aadhaar not mandatory to claim any state benefit, says Supreme Court" March 17^th, 2015. Available at: http://www.business-standard.com/article/current-affairs/aadhaar-not-mandatory-to-claim-any-state-benefit-says-supreme-court-115031600698_1.html

[21] Social Security History 1993 - 2000, Chapter 6: Program Integrity. Available at: http://www.ssa.gov/history/ssa/ssa2000chapter6.html

[22] Aapka Aadhaar. Available at: https://uidai.gov.in/auth.html

[23] SSA. New or Replacement Social Security Number Card. Available at: http://www.ssa.gov/ssnumber/

[24] UIDAI, Lost EID/UID Process. Available at: https://uidai.gov.in/images/mou/eiduid_process_ver5_2_27052013.pdf

[25] Social Security. Availabl at: http://www.ssa.gov/

[26] Social Security Administration, Application for a Social Security. Available at: http://www.ssa.gov/forms/ss-5.pdf

[27] Aadhaar enrollment/correction form. Available at: http://hstes.in/pdf/2013_pdf/Genral%20Notification/Aadhaar-Enrolment-Form_English.pdf

For more details visit https://cis-india.org/internet-governance/blog/aadhaar-vs-social-security-number

Aadhaar marks a fundamental shift in citizen-state relations: From ‘We the People’ to ‘We the Government’

pranesh — 2017-04-04T16:10:06Z

Your fingerprints, iris scans, details of where you shop. Compulsory Aadhaar means all this data is out there. And it’s still not clear who can view or use it.

The article was published in the Hindustan Times on April 3, 2017.

Until recently, people were allowed to opt out of Aadhaar and withdraw consent to have their data stored. This is no longer going to be an option.
(Siddhant Jumde / HT Illustration)

Imagine you’re walking down the street and you point the camera on your phone at a crowd of people in front of you. An app superimposes on each person’s face a partially-redacted name, date of birth, address, whether she’s undergone police verification, and, of course, an obscured Aadhaar number.

OnGrid, a company that bills itself as a “trust platform” and offers “to deliver verifications and background checks”, used that very imagery in an advertisement last month. Its website notes that “As per Government regulations, it is mandatory to take consent of the individual while using OnGrid”, but that is a legal requirement, not a technical one.

Since every instance of use of Aadhaar for authentication or for financial transactions leaves behind logs in the Unique Identification Authority of India’s (UIDAI) databases, the government can potentially have very detailed information about everything from the your medical purchases to your use of video-chatting software. The space for digital identities as divorced from legal identities gets removed. Clearly, Aadhaar has immense potential for profiling and surveillance. Our only defence: law that is weak at best and non-existent at worst.

The Aadhaar Act and Rules don’t limit the information that can be gathered from you by the enrolling agency; it doesn’t limit how Aadhaar can be used by third parties (a process called ‘seeding’) if they haven’t gathered their data from UIDAI; it doesn’t require your consent before third parties use your Aadhaar number to collate records about you (eg, a drug manufacturer buying data from various pharmacies, and creating profiles using Aadhaar).

It even allows your biometrics to be shared if it is “in the interest of national security”. The law offers provisions for UIDAI to file cases (eg, for multiple enrollments), but it doesn’t allow citizens to file a case against private parties or the government for misuse of Aadhaar or identity fraud, or data breach.

It is also clear that the government opposes any privacy-related improvements to the law. After debating the Aadhaar Bill in March 2016, the Rajya Sabha passed an amendment by MP Jairam Ramesh that allowed people to opt out of Aadhaar, and withdraw their consent to UIDAI storing their data, if they had other means of proving their identity (thus allowing Aadhaar to remain an enabler).

But that amendment, as with all amendments passed in the Rajya Sabha, was rejected by the Lok Sabha, allowing the government to make Aadhaar mandatory, and depriving citizens of consent. While the Aadhaar Act requires a person’s consent before collecting or using Aadhaar-provided details, it doesn’t allow for the revocation of that consent.

In other countries, data security laws require that a person be notified if her data has been breached. In response to an RTI application asking whether UIDAI systems had ever been breached, the Authority responded that the information could not be disclosed for reasons of “national security”.

The citizen must be transparent to the state, while the state will become more opaque to the citizen.

How Did Aadhaar Change?

How did Aadhaar become the behemoth it is today, with it being mandatory for hundreds of government programmes, and even software like Skype enabling support for it?

The first detailed look one had at the UID project was through an internal UIDAI document marked ‘Confidential’ that was leaked through WikiLeaks in November 2009. That 41-page dossier is markedly different from the 170-page ‘Technology and Architecture’ document that UIDAI has on its website now, but also similar in some ways.

In neither of those is the need for Aadhaar properly established. Only in November 2012 — after scholars like Reetika Khera pointed out UIDAI’s fundamental misunderstanding of leakages in the welfare delivery system — was the first cost-benefit analysis commissioned, by when UIDAI had already spent ₹28 billion. That same month, Justice KS Puttaswamy, a retired High Court judge, filed a PIL in the Supreme Court challenging Aadhaar’s constitutionality, wherein the government has argued privacy isn’t a fundamental right.

Every time you use Aadhaar, you leave behind logs in the UIDAI databases. This means that the government can potentially have very detailed information about everything from the your medical purchases to your use of video-chatting software.

Even today, whether the ‘deduplication’ process — using biometrics to ensure the same person can’t register twice — works properly is a mystery, since UIDAI hasn’t published data on this since 2012. Instead of welcoming researchers to try to find flaws in the system, UIDAI recently filed an FIR against a journalist doing so.

At least in 2009, UIDAI stated it sought to prevent anyone from “[e]ngaging in or facilitating profiling of any nature for anyone or providing information for profiling of any nature for anyone”, whereas the 2014 document doesn’t. As OnGrid’s services show, the very profiling that the UIDAI said it would prohibit is now seen as a feature that all, including private companies, may exploit.

UID has changed in other ways too. In 2009, it was as a system that never sent out any information other than ‘Yes’ or ‘No’, which it did in response to queries like ‘Is Pranesh Prakash the name attached to this UID number’ or ‘Is April 1, 1990 his date of birth’, or ‘Does this fingerprint match this UID number’.

With the addition of e-KYC (wherein UIDAI provides your demographic details to the requester) and Aadhaar-enabled payments to the plan in 2012, the fundamentals of Aadhaar changed. This has made Aadhaar less secure.

Security Concerns

With Aadhaar Pay, due to be launched on April 14, a merchant will ask you to enter your Aadhaar number into her device, and then for your biometrics — typically a fingerprint, which will serve as your ‘password’, resulting in money transfer from your Aadhaar-linked bank account.

Basic information security theory requires that even if the identifier (username, Aadhaar number etc) is publicly known — millions of people names and Aadhaar numbers have been published on dozens of government portals — the password must be secret. That’s how most logins works, that’s how debit and credit cards work. How are you or UIDAI going to keep your biometrics secret?

In 2015, researchers in Carnegie Mellon captured the iris scans of a driver using car’s side-view mirror from distances of up to 40 feet. In 2013, German hackers fooled Apple iOS’s fingerprint sensors by replicating a fingerprint from a photo taken off a glass held by an individual. They even replicated the German Defence Minister’s fingerprints from photographs she herself had put online. Your biometrics can’t be kept secret.

Typically, even if your username (in this case, Aadhaar number) is publicly known, your password must be secret. That’s how most logins works, that’s how debit and credit cards work. How are you or UIDAI going to keep your biometrics secret?

In the US, in a security breach of 21.5 million government employees’ personnel records in 2015, 5.2 million employees’ fingerprints were copied. If that breach had happened in India, those fingerprints could be used in conjunction with Aadhaar numbers not only for large-scale identity fraud, but also to steal money from people’s bank accounts.

All ‘passwords’ should be replaceable. If your credit card gets stolen, you can block it and get a new card. If your Aadhaar number and fingerprint are leaked, you can’t change it, you can’t block it.

The answer for Aadhaar too is to choose not to use biometrics alone for authentication and authorisation, and to remove the centralised biometrics database. And this requires a fundamental overhaul of the UID project.

Aadhaar marks a fundamental shift in citizen-state relations: from ‘We the People’ to ‘We the Government’. If the rampant misuse of electronic surveillance powers and wilful ignorance of the law by the state is any precedent, the future looks bleak. The only way to protect against us devolving into a total surveillance state is to improve rule of law, to strengthen our democratic institutions, and to fundamentally alter Aadhaar. Sadly, the political currents are not only not favourable, but dragging us in the opposite direction.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-pranesh-prakash-april-3-2017-aadhaar-marks-a-fundamental-shift-in-citizen-state-relations

Aadhaar linking deadline approaches: Here are all the myths and facts

Admin — 2018-01-01T16:04:25Z

Love it or hate it, you just can't escape it. We're talking about Aadhaar, which is a bigger buzzword than usual in the face of the looming end-December deadline for linkages with bank accounts, PPF, insurance policies, ration card and perhaps even PAN. As India rushes to comply, there are a number of myths and half-truth making the rounds.

The article was published by Business Today on December 7, 2017.

The official website of the Unique Identification Authority of India (UIDAI), the body issuing the biometrics-based Aadhaar number, helpfully lists out some of them, while others came to light when activists took up cudgels on behalf of Aadhaar-harassed citizens. But, either ways, you need to know the hard truth behind them.

Myth: Aadhaar-linkage is not only mandatory for every Indian citizen but also every person residing in the country.
Fact: In a notification dated May 11, 2017, the Central Board of Direct Taxes exempted the following categories from mandatory Aadhaar enrolment:
Those who are not citizens of India, non-resident Indians as per Income Tax Laws, those aged over 80 years at any time during the tax year, and the residents of Assam, Meghalaya and Jammu & Kashmir.

The UIDAI has also made it clear that NRIs and those holding the Overseas Citizen of India (OCI) card are not eligible to obtain Aadhaar as per the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016. "NRI/OCI need not verify their bank account or SIM or PAN with Aadhaar. If required, they may inform the service provider(s) that they being NRI/OCI are exempted from Aadhaar verification," the UIDAI had said on Twitter way back in October, and followed it up with a circular in mid-November.

As per the Aadhaar Act, only a "resident" is entitled to obtain Aadhaar, which refers to an individual, irrespective of nationality, who has resided in India for a period aggregating 182 days or more in the year immediately preceding the date of application for enrolment. So, this means that even NRIs and expats fulfilling the above criteria can apply for Aadhaar, but they cannot be forced to link their Indian bank accounts with it.

Myth: I had to give my fingerprints to get a SIM card and now the telecom company will keep my biometrics for future use

Fact: According to UIDAI, a telecom company cannot store your biometrics at its end. All the biometrics collected should be encrypted by the service provider and sent to UIDAI at that instant itself. Any storage of biometric by any agency is a serious crime punishable with up to three years of imprisonment under the Aadhaar Act.

Myth: Aadhaar is prone to data breaches and leaks
Fact: Yes, there have been at least two serious leaks reported in the media, but the UIDAI has denied both of them.

In May 2017, The Centre for Internet and Society, a Bangalore-based non-profit research organisation, had reportedly investigated three government portals linked with social welfare schemes that together leaked Aadhaar information of around 1.3 crore people. Then, two months later, came news about over 200 government websites Aadhaar information public. This raised a lot of concerns and detractors cried themselves hoarse.

According to the UIDAI, some agencies of central or state governments had been proactively putting up details of their beneficiaries as required under the RTI Act. While the said information was promptly removed from the offending websites, the authority points out that no biometrics were displaced.

"Therefore to say that Aadhaar has been breached, data has been leaked, is completely incorrect and misleading," it says.

Moreover, the Aadhaar Act and IT Act are now in place, which impose restrictions on publication of Aadhaar numbers, bank account, and other personal details.

Myth: Aadhaar has a poorly verified database.
Fact: Several security measures are in place to ensure that Aadhaar enrolment system is secure. It is done through registrars-credible institutions like state government, banks, Common Service Centres which employ enrolment agencies empanelled by UIDAI. The latter, in turn, employ operators certified by the authority. Aadhaar enrolments are done only through customized software developed and provided by UIDAI. Every day, the operators have to log into the enrolment machine through their Aadhaar number and fingerprints. Once an enrolment is done, the operator is required to sign through his/ her biometrics. Moreover, at the time of enrolment itself, the captured data is encrypted and can't be read by anyone other than the UIDAI server.

Myth: People are being denied benefits and rations because they don't have Aadhaar or because of biometrics issues
Fact: UIDAI CEO Ajay Bhushan Pandey has clarified to the media that though Section 7 of the Aadhaar Act stipulates that benefits and subsidies from the Consolidated Fund of India shall be given on the basis of Aadhaar or proof of possession of an Aadhaar number, the lack of it cannot be grounds for denial. "Section 7 specifies that till Aadhaar number is prescribed, the benefits should be given through alternate means of identification," Pandey said to The Hindu.

The Act also provides for statutory protection to those who are unable to authenticate because of worn-out fingerprints, medical conditions like leprosy or other reasons such as technical faults. "The field agencies have been accordingly instructed through the notifications issued by the government. In spite of this, if a person is denied because he does not have Aadhaar or he is unable to biometrically authenticate, it is undisputedly a violation of instructions issued by the government and such violators have to be punished," added Pandey.

Myth: Publicly sharing the Aadhaar number, to track a lost Amazon package, for instance, makes one susceptible to identity fraud
Fact: Your Aadhaar number, just like your mobile phone number or bank account number, is not a secret though it is certainly sensitive personal information. Just as no one can hack into your bank account using just the account number, identity theft is impossible using the Aadhaar number alone.

What you need to assiduously protect are things like passwords, including OTPs, and PINs. A prudent practice would be to never put up any sensitive personal information on websites or social media platforms.

For more details visit https://cis-india.org/internet-governance/news/aadhaar-linking-deadline-approaches-here-are-all-the-myths-and-facts

Aadhaar is actually surveillance tech: Sunil Abraham

praskrishna — 2016-03-16T17:07:39Z

On March 12, the Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016, paving the way for giving legal status to Aadhaar, a 12-digit unique identification number generated after collecting biometric and other details of an Indian resident.

Sahil Makkar on behalf of Business Standard interviewed Sunil Abraham. The article was published on March 12, 2016.

The government intends to use Aadhaar to roll out more subsidy schemes and allay privacy concerns. However, activists are not convinced. Sunil Abraham, executive director of Bengaluru based-research organisation The Centre for Internet & Society, tells Sahil Makkar that the concept of Aadhaar is principally flawed and it doesn't substantially help in plugging leakages in government schemes. Edited excerpts:

What is your position on Aadhaar and the UIDAI Bill?

What technology has broken cannot be fixed by the law. Aadhaar is a broken technology; it is surveillance technology disguised as developmental intervention that identifies people without their consent and authenticates transactions on their behalf. The architecture is a disaster from the security perspective and there is no recourse in law for citizens whose rights have been infringed. The other objection should be to the subtitle of the Bill that mentions "services": it is unclear whether Aadhaar is to be provided to the residents or the citizens. A bulk of the government services is meant for citizens.

What are the repercussions of this "broken technology"?

Consent happens without conscious cooperation during the authentication process of getting access to a subsidy or a service. Also, the person providing the service is holding a biometric reader and he may say the device is not working and hence, refuse the subsidy. Yet the database will reflect that the subsidy has been availed of because authentication has already been completed. So you have to accept what the person is saying because only that person and the UIDAI have access to the information. Aadhaar makes the citizen transparent to the state but makes the state completely opaque and unaccountable to its citizens.

Will the beneficiary not receive a message about the transaction?

That will only happen when the banks are involved. At the subsidised ration shop the beneficiary will get nothing. The world over security professionals don't trust biometric-based authentication, relying rather on other revocable authentication factors. It is irrevocable if the biometric details are compromised. Instead, writable smart cards could be used to record details of government officers on the cards of beneficiaries and make both the state and the resident transparent to each other.

Hasn't the National Population Register under the Ministry of Home Affairs been advocating the use of smart cards?

In this case biometrics should be used only to link the individual to the smart card. Biometric information should be stored on smart cards and under no circumstances should there be a central repository of biometrics at one place. Maintaining a central database is akin to getting the keys of every house in Delhi and storing them at a central police station. The chances of getting a central database compromised depend on the nature of information stored in it. For the sake of security one can't create a honey pot to be attacked by many. The internet is secure because it doesn't have a central database. The other difference is that faking biometrics is much easier than faking smart cards.

So your principle opposition is to the setting up of a central repository of biometrics?

I am also opposed to the use of biometrics for identification and authentication; this is nothing but surveillance. It is very easy to capture iris data of any individual with the use of next generation cameras. Imagine a situation when the police is secretly capturing the iris data of protesters and then identifying them through their biometric records.

But if the security agencies are able to identify those who create law and order problems, what is the hitch?

It is exactly the same argument that Apple is giving while refusing back-door entry to intelligence and investigating agencies. Once you build surveillance capacity for good governance, it may be misused by a repressive government, a rogue corporation or by criminals. Fear of this type of surveillance will deter people from holding any protest.

Doesn't the Aadhaar or the UIDAI conform to safety and security provisions in the IT Act?

The standards in our IT Act are woefully inadequate in comparison to European regulators and courts. If it adhered to the highest standards, the European privacy commissioner and data protection authorities would have given India adequacy status. The second problem is that the current IT Act doesn't apply to the government. If the government holds your data, it is under no obligation to protect your rights.

You have been part of the Justice A P Shah Committee on privacy. How important is it to have a separate privacy law in the present context?

It is not only important for the purpose of safeguarding human rights, but also to protect the competitiveness of our BPO, ITeS and KPO sectors. We need a data protection law that is compliant with European Data Protection Regulation.

How will such a law help a common man whose data have been compromised?

It will provide clarity to an individual about where he or she stands with regard to privacy. It is strange that the government took diametrically opposite stands in two cases related to privacy in the Supreme Court. When some activists demanded that the UIDAI be scrapped, the government argued before the court that there was no Constitutional right to privacy. When the police asked for the biometric records from the UIDAI, the same government argued there was a right to privacy and that it couldn't divulge the details to the police. The government is not speaking in the same voice; even courts are not speaking in the same voice, because there have been conflicting judgements. So the proposed law will provide clarity on privacy and people will be able to seek compensation under it.

At the same time it cannot be denied that Aadhaar can plug leakages and save hundreds and thousands of rupees for the exchequer....

Aadhaar is only answering two questions: Is this particular biometric unique (enrolment) and does it match the template in the database? If you bring a Bangladeshi into the system, it will answer both the questions in the affirmative. The Aadhaar only eliminates the possibility of one person receiving the benefits twice. At the same time it is very easy to put a ghost beneficiary back into the system. If Aadhaar has to work, we need a publicly visible auditable trail of subsidy moving from Delhi to the villages. That will eliminate corruption in the supply chain.

Isn't it difficult for a large number of ghost beneficiaries to get into the system?

There is no way to check whether a genuine or a ghost beneficiary has been removed from the list. It is not a foolproof system because no one is vouching for anybody. In the current system it is difficult to find out who created this ghost beneficiary. Nobody loses a job for creating a ghost; in fact, here everyone has an incentive.

If there are problems with the UIDAI system, why is the government upbeat about it?

As techno-utopians our government wants technology to answer everything and solve all our problems. If anything goes wrong, it can easily be blamed on technology.

For more details visit https://cis-india.org/internet-governance/news/business-standard-sahil-makkar-march-12-2016-aadhaar-is-actually-surveillance-tech-sunil-abraham

Aadhaar Details Of 13.5 Crore People Available On Government Sites

praskrishna — 2017-05-20T11:00:55Z

Up to 13.5 crore Aadhaar numbers can be easily accessed through government portals and nearly three-fourths of these are linked to bank accounts, said non-profit research organisation the Centre For Internet & Society (CIS).

Calling the Unique Identification Authority of India (UIDAI) “extremely irresponsible” in maintaining privacy standards, CIS blamed the Aadhaar governing body for turning a "blind eye" to the lack of standards regarding use of Aadhaar data by private and public bodies

"It is staggering that while these databases have existed in the public domain for months, while framing the Aadhaar Act Regulations in late 2016, the UIDAI did not even deem these as important matters to be addressed by way of regulations or standards," CIS said in a report titled ‘Information Security Practices of Aadhaar (or lack thereof)’.

The CIS report points out several government sites which showcase inefficiently masked Aadhaar codes with sensitive personally identifiable information, also available for download as spreadsheets.

Read the full story on Bloomberg Quint

For more details visit https://cis-india.org/internet-governance/news/bloomberg-quint-may-2-2017-mahima-kapoor-aadhaar-details-of-people-available-on-govt-sites

Aadhaar data of over 89 lakh MNREGA workers in Andhra Pradesh leaked online

Admin — 2018-05-05T08:43:53Z

Independent security researcher Kodali Srinivas tweeted screenshots of Aadhaar data of 89,38,138 MNREGA workers available on the Andhra Pradesh Benefit Disbursement Portal.

The article was published in New Indian Express on April 27, 2018.

Independent security researcher Kodali Srinivas, who exposed the leakage of Aadhaar and other personal data of 1.34 lakh beneficiaries on the State Housing Corporation website, on Thursday tweeted screenshots of Aadhaar data of 89,38,138 MNREGA workers availalbe on the Andhra Pradesh Benefit Disbursement Portal, which is maintained by APOnline, a joint venture between the Tata Consultancy Services (TCS) and the State government.

Hours after he blew the whistle, the website administrators began masking the data. In May 2017, Srinivas had co-authored a report for the Centre for Internet and Society, exposing how the Aadhaar data of 13.5 crore card holders was leaked online. The data was then leaked by four government portals, National Social Assistance Programme, National Rural Employment Guarantee Scheme, Chandranna Bima Scheme of the Government of Andhra Pradesh and Daily Online Payment Reports of NREGA of the Government of Andhra Pradesh.

It appears that almost a year later, nothing much has changed. Srinivas told TNIE he had sent a mail to the chief operating officer, APOnline and Universal Identification Authority of India, the National Critical Information Infrastructure Protection Centre, and CERT-In, the Centre's cyber response wing. When contacted, Balasubramanyam, Joint Secretary (NREGS) told TNIE, "I have seen it. It is Benefit Disbursement Portal... not maintained by us. We have been very careful ever since that massive leak of data last year."

Executive (operations), APOnline, S Chandramouleeswara Reddy refused comment saying that he was not the competent authority to speak on the issue. APOnline developed ICT solution for MGNREGA scheme, a framework involving Department of Posts, for disbursement of entitlements after accurate authentication of the entitlements through finger print authentication. TCS implements the ICT solution for MGNREGA in the State.

For more details visit https://cis-india.org/internet-governance/news/new-indian-express-april-26-2018-aadhaar-data-over-89-lakh-mnrega-workers-in-andhra-pradesh-leaked-online

Aadhaar data of over 13 crore people exposed: New report

praskrishna — 2017-05-20T08:57:24Z

Ajay Bhushan Pandey, CEO of UIDAI, the nodal body for Aadhaar, said, “There is no data leak from UIDAI.”

The article was published in the Indian Express on May 3, 2017.

UP TO 13.5 crore Aadhaar numbers are exposed and are publicly available on government websites and approximately 10 crore of these are linked to bank account details, according to a new report published on Monday. The 27-paged report — Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information — published by non-profit organisation The Centre for Internet and Society (CIS) has collected Aadhaar data from four government portals.

Two of these are national portals: National Social Assistance Programme and National Rural Employment Guarantee Act (NREGA), both under the Ministry of Rural Development. The other two studied by the report’s authors, Srinivas Kodali and Amber Sinha, are run by the Andhra Pradesh government: a daily online payments report under NREGA by the state government, and Chandranna Bima Scheme.

The report states: “Based on the numbers available on the websites looked at, the estimated number of Aadhaar numbers leaked through these 4 portals could be around 130-135 million (13-13.5 crore) and the number of bank accounts numbers leaked at around 100 million (10 crore) from the specific portals we looked at.” Ajay Bhushan Pandey, CEO of Unique Identification Authority of India (UIDAI), the nodal body for Aadhaar, said, “There is no data leak from UIDAI.”

Since the CIS report focused on websites of only four schemes, it is possible that many more Aadhaar cards may be available on other government websites. At least nine other instances were reported in April alone. Section 29(4) of Aadhaar Act prohibits making Aadhaar number of any individual public.

Pandey said, “Aadhaar numbers and bank accounts have been independently collected from people by other agencies for their own usage, not related to UIDAI.” Asked if UIDAI will take action against errant government departments, he said the “police will need to take action”.

For more details visit https://cis-india.org/internet-governance/news/indian-express-may-3-2017-aadhaar-data-of-over-13-crore-people-exposed-new-report

Aadhaar data of 130 millions, bank account details leaked from govt websites: Report

praskrishna — 2017-05-20T09:13:57Z

Just how leaky is the Aadhaar data? A lot, says a study published by Centre for Internet and Society, a Bengaluru-based organisation (CIS). In a study published on May 1, two researchers from CIS found that data of over 130 million Aadhaar card holders has been leaked from just four government websites. As scary as this is, there is more to it. Not only the Aadhaar numbers, names and other personal details of millions of people have been leaked but also their bank account numbers.

The article was published in India Today on May 4, 2017.

The CIS report noted that the leak is from four portals that deal with National Social Assistance Programme, National Rural Employment Guarantee Scheme, Chandranna Bima Scheme and Daily Online Payment Reports of NREGA.

"Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these 4 portals could be around 130-135 million and the number of bank accounts numbers leaked at around 100 million from the specific portals we looked at," notes the report released on May 1.

It also says that the extent of the leaks could be even bigger than what the CIS research found. "While these numbers are only from two major government programmes of pensions and rural employment schemes, other major schemes, who have also used Aadhaar for DBT could have leaked PII similarly due to lack of information security practices. Over 23 crore beneficiaries have been brought under Aadhaar programme for DBT,10 and if a significant number of schemes have mishandled data in a similar way, we could be looking at a data leak closer to that number," noted the report prepared by Amber Sinha and Srinivas Kodali.

The report highlights that one of the major issues with the Aadhaar project is how the data has been collected is handled by various government agencies. "While the UIDAI has been involved in proactively pushing for other databases to get seeded with Aadhaar numbers, they take little responsibility in ensuring the security and privacy of such data," notes the report. "...it is extremely irresponsible on the part of the UIDAI, the sole governing body for this massive project, to turn a blind eye to the lack of standards prescribed for how other bodies shall deal with such data, such cases of massive public disclosures of this data, and the myriad ways in which it may used for mischief."

This is not the first time, there have been leaks into the Aadhaar system, although this is probably the first time someone has documented the whole bit so meticulously. There have been reports of data leaks in the past. In fact, as more and more government schemes and ID cards gets linked with Aadhaar data the instances of leaks have increased significantly.

One of the big problem with the Aadhaar data is that of accountability. In absence of a good privacy law and provisions that prescribe punishment in case of private data leak, private and public agencies in India are often careless about handling of data. The private details of people have not only leaked from government websites but also from private bodies like banks, telecom operators, insurance providers and financial organisations. Recently, a major data leak came to light involving a website that was selling private information of probably hundreds of thousands of people who have take car loan in the last several years.

This is a point that is also highlighted by CIS report. "Information and data leaks have been occurring in India for a long time and the leaks around Aadhaar are not the first data leaks. But with the scale and design of Aadhaar, any information being leaked is dangerous and its impact not entirely reversible," it says.

Yet, despite all the data leaks and the fact that they undermine the faith in Digital India, the government -- first UPA and now NDA -- has not created and introduced a proper privacy and data protection law in India.

For more details visit https://cis-india.org/internet-governance/news/india-today-may-4-2017-aadhaar-data-of-130-millions-bank-account-details-leaked-from-govt-websites-report

Aadhaar data leaks not from UIDAI: Centre

praskrishna — 2017-05-20T08:27:28Z

Aadhaar is foolproof, it tells SC

The article by Krishnadas Rajagopal was published in the Hindu on May 3, 2017.

Leaks of Aadhaar card details are not from the UIDAI, but at the State level, the Union government told the Supreme Court on Wednesday.

“As of today, Aadhaar is foolproof. Biometric technology is the best system in 2016. There has not been a single leak from the UIDAI. The leaks of details may have been from the States... their offices and agencies,” advocate Arghya Sengupta, counsel for the Centre, submitted in the court.

The Centre’s clarification comes in the midst of reports that data of over 130 million Aadhaar cardholders have been leaked from four government websites.

Reports, based on a study conducted by the Centre for Internet and Society (CIS), a Bengaluru-based organisation, said Aadhaar numbers, names and other personal details of people have been leaked.

The Centre was washing its hands of the alleged leaks for the second consecutive day in the Supreme Court.

A-G’s assurance

On Tuesday, Attorney-General Mukul Rohatgi had emphatically assured the Supreme Court that biometrics of Aadhaar cardholders were safe and had not fallen into other hands. He said the biometric details were kept in a central database run by the Centre.

For more details visit https://cis-india.org/internet-governance/news/hindu-krishnadas-rajagopal-may-3-2017-aadhaar-data-leaks-not-from-uidai

Aadhaar data leak: Take precautions while sharing info on websites, MEITy tells all depts

praskrishna — 2017-05-19T14:59:38Z

‘Publishing identity info is in clear contravention of the provisions of the Aadhaar Act, 2016’

The article was published in the Indian Express on May 11, 2017.

In light of various Central and state government departments making public Aadhaar information of several users on their websites, the Ministry of Electronics and Information Technology (MEITy) has written to secretaries of all government departments asking them to sensitise the officials and take precautions while publishing or sharing data on their websites.

“It has come to notice that there have been instances wherein personal identity or information of residents, alongwith Aadhaar numbers and demographic information and other sensitive personal data such as bank details collected by ministries/departments, state departments for administration of welfare schemes etc. have been
published online,” IT secretary Aruna Sundararajan wrote in the letter dated April 24.

“Publishing identity information i.e. Aadhaar number along with demographic information is in clear contravention of the provisions of the Aadhaar Act, 2016 and constitutes an offence punishable with imprisonment up to three years. Further, publishing of financial information including bank details, being sensitive personal data, is also in contravention of provision under IT Act, 2000 with violations liable to pay damages by way of compensation to persons affected,” she noted.

According to media reports, Aadhaar numbers of hundreds of thousands of pension beneficiaries were published on a state government website, and was followed by Chandigarh’s Food and Civil Supplies Department revealing the Aadhaar information of beneficiaries of public distribution system. Following Sundararajan’s letter, various central government ministries have issued advisories to sensitise the officials and the web information managers to comply with the IT Act.

Earlier this month, a report by non-profit organisation The Centre for Internet and Society noted that up to 13.5 crore Aadhaar numbers were exposed and were publicly available on government websites, with about 10 crore of these being linked to bank account details. The 27-paged report — Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information — has collected Aadhaar data from four government portals.

Two of these are national portals: National Social Assistance Programme and Mahatma Gandhi National Rural Employment Guarantee Act, both under the rural development ministry. The other two studied by the report’s authors, Srinivas Kodali and Amber Sinha, are run by the AP government: a daily online payments report under MGNREGA by the state government, and Chandranna Bima Scheme.

“Based on the numbers available on the websites looked at, the estimated number of Aadhaar numbers leaked through these 4 portals could be around 130-135 million (13-13.5 crore) and the number of bank accounts numbers leaked at around 100 million (10 crore) from the specific portals we looked at,” the report stated.

The letter

“It has come to notice that there have been instances wherein…information of residents, alongwith Aadhaar numbers and demographic information…have been published online,” IT secretary Aruna Sundararajan wrote in the letter dated April 24

For more details visit https://cis-india.org/internet-governance/news/the-indian-express-may-11-2017-aadhaar-data-leak-take-precautions-while-sharing-info-on-websites-meity-tells-all-depts

Aadhaar Case: Beyond Privacy, An Issue of Bodily Integrity

Amber Sinha and Aradhya Sethia — 2017-05-03T16:02:02Z

The insertion of Section 139AA in the Income Tax Act has been challenged and is being heard by a two-judge bench of the Supreme Court.

The article was published in the Quint on May 1, 2017.

The Finance Act, 2017, among its various sweeping changes, also inserted a new provision into the Section 139AA of the IT ACT, which makes Aadhaar numbers mandatory for:

(a) applying for PAN and

(b) filing income tax returns

In case one does not have an Aadhaar number, she or he is required to submit the enrolment ID of one’s Aadhaar application. The overall effect of this provision is that it makes Aadhaar mandatory for filing tax returns and applying for a PAN. The SC hearings began on 26 April. In order to properly appreciate the tough task at hand for the counsel for the petitioners, it is important to do a quick recap of the history of the Aadhaar case.

Case Over Constitutional Validity

Back in August 2015, the Supreme Court had referred the question of the constitutional validity of the fundamental right to privacy to a larger bench.

This development came after the Union government pointed out that the judgements in MP Sharma vs Satish Chandra and Kharak Singh vs State of UP (decided by eight and six judge benches respectively) rejected a constitutional right to privacy.

The reference to a larger bench has since delayed the entire Aadhaar case, while an alarming number of government schemes have made Aadhaar mandatory in the meantime.

Since then, the Supreme Court has not entertained any arguments related to privacy in the court proceedings on Aadhaar pending the resolution of this issue by a constitutional bench, which is yet to to be set up. The petitioners have had to navigate this significant handicap in the current proceedings as well.

Ongoing Hearing in Aadhaar Case

At the beginning of Advocate Shyam Divan’s arguments on behalf of the petitioners, the Attorney General objected to the petitioners making any argument related to the right to privacy. Anticipating this objection, Divan assured the court, right at the outset that they “will not argue on privacy issue at all”.

In the course of his arguments, Divan referred to at least three rights which may otherwise have been argued as facets of the right to privacy – personal autonomy, informational self-determination and bodily integrity. However, in this hearing those rights were strategically not couched as dimensions of privacy.

Divan consistently maintained that these rights emanate from Article 21 and Article 19 of the Constitutions and are different from the right to privacy.

Many Layers of the Right to Privacy

If one follows the courtroom exchanges in the original Aadhaar matter (not the one being argued now), the debates around the privacy implications of Aadhaar have focussed on simplistic balancing exercises of “security vs privacy” and “efficient governance vs privacy”.

These observations depict the right to privacy as a monolithic concept, i.e. a single right which has a unity of harm it captures within itself. In other words, all privacy harms are considered to be on the same footing. "Privacy harms" here mean the undesirable effects of the violation of the right to privacy.

This monolithic conception was clearly reflected in the Supreme Court’s decision to refer the constitutionality of “right to privacy” to a larger bench.

In MP Sharma vs Satish Chandra, the Supreme Court had rejected certain dimensions of what is generally understood as the right to privacy in a specific context (and hence dealing with a specific kind of privacy harm). A monolithic conception of the right to privacy would mean that MP Sharma should be applicable to all kinds of privacy claims.

Prof Daniel Solove, a privacy law expert, in his landmark paper “Taxonomy of Privacy” argues that the right to privacy captures multiple kinds of harms within itself. The right to privacy is not a monolithic concept, but a plural concept; there is no one right to privacy, but multiple hues of right to privacy.

Sidestepping ‘Privacy’ in the Current Case

The plural conception of the right to privacy not only makes our privacy jurisprudence more nuanced and comprehensive, but also guides us to analyse differential privacy harms according to the standards appropriate for them.

Therefore, the refusal of the Supreme Court in MP Sharma to recognise a specific construction of privacy read into a specific constitutional provision should not have precluded the bench, even one smaller in number, from treating other conceptions of privacy into the same or other constitutional provisions.

As a lawyer, Divan was severely compromised from being unable to argue the right to privacy, which in my opinion, cuts at the heart of the constitutional issues with the Aadhaar project.

He refrained from couching any of his arguments on bodily integrity, informational self-determination, and personal autonomy as privacy arguments. What the approach reveals is that far from being a monolithic notion, the harms that privacy, as we understand it, addresses, are capable of being broken into multiple and distinct rights.

Moving Beyond Article 21

Divan further argues that coercing someone to give personal information is compelled speech and hence, violative of Article 19(1)(a) (the rights to free speech and expression). Once again, the harm described here – compelling someone to part with personal data – is conventionally a privacy harm.

However, it is important to note here that a privacy harm may also be a speech harm. Therefore, Article 21 is not the sole repository of these rights. They may also be located under other articles. The practical consequence of these rights being located under multiple constitutional provisions could be added protection of these rights.

For instance, if it can be shown that compelling an individual to part with personal data results into violation of Article 19(1)(a), the State will have to show which ground laid down under Article 19(2) does the specific restriction fall under.

This might be more challenging as opposed to the vague standard of “compelling state interest” test which has been the constitutional test for privacy violations under Article 21.

Changing the Definition of Right to Privacy

The arguments presented by Divan, if accepted by the Supreme Court, could represent a two-pronged shift in the landscape of the values popularly understood under the right to privacy in India:

1) first, the idea of the rights of bodily integrity, informational self-determination, and personal autonomy as part of a plural concept (whether arising from the right to privacy or another right) that encompasses several harms within it, and

2) second that some of these rights may be read into other Articles in the Constitution.

Under the circumstances, Mr Divan’s performance was nothing short of heroic. Whether they pass muster and impact the course of this long drawn legal battle remains to be seen.

(Amber Sinha is a lawyer and works as a researcher at the Centre for Internet and Society. Aradhya Sethia is a final year law student at the National Law School of India University, Bangalore. This is an opinion piece and the views expressed above are the author’s own. The Quint neither endorses nor is responsible for the same.)

For more details visit https://cis-india.org/internet-governance/blog/the-quint-amber-sinha-and-aradhya-sethia-may-1-2017-aadhaar-case-beyond-privacy-an-issue-of-bodily-integrity

Aadhaar Card: One Identity, Multiple Disorders

praskrishna — 2017-05-26T00:01:54Z

It is still hazy to see the desperation of the union government to imposing the Aadhaar Card mandatory when matters related to Aadhaar Card are already sub judice.

This was blog post by Gaurav Raj was published by India Saga on May 25, 2017.

The constitutionality of Aadhaar is yet to be decided by the Supreme Court, however, the enrolment of Aadhaar has reached the mark of more than one billion. Recently, the government declared Aadhaar mandatory to file Income Tax Return (ITR) while the Supreme Court is opined not to treat Aadhaar mandatory, but voluntarily. Now it is imperative of the government to confide the citizens that the Aadhaar information- demography and biometrics-are in safe hands, a debate which has been heating up, and the contempt of the court’s decision by the government is for greater good. But the uproar against the speculation of identity revelation threat and possible misuse of Aadhaar details by the government-corporate nexus, plausible reasons to doubt the security of privacy, which is a fundamental right of Indian citizen. Ironically, after the Finance Minister Arun Jaitley defended the ‘Aadhaar Money Bill controversy’ filed by former congress MP Jairam Ramesh in the court, the Supreme Court is in dilemma and yet to decide whether ‘Right to Privacy' is a fundamental right or not.

Why Aadhaar Card Mandatory?

Nandan Nilekani, the co-founder of Infosys and the ideologue of Aadhaar, said that Aadhaar will change the PDS system in India since it ensures no ghost or fake beneficiaries to avail unentitled benefits of the various welfare schemes and subsidies. Nilekani also says that there might be margin of error up to 5 per cent in distributing the subsidies or benefits of various welfare schemes to the masses. The top-honcho technocrat has also defended Aadhaar that any breach of privacy of citizens is not possible as the Unique Identification Authority of India (UIDAI) is efficient to secure the public data under CIDR.

The government claims that the corruption-mounted Public Distribution System (PDS) in India is reformed due to the introduction of the 12 digit unique identification number. More than 40000 crore have been saved in the form of exchequer due to curb of fake and ghost beneficiaries in the PDS system. Now if we believe Nilekani claim of 5% error, then more than 5 crore beneficiaries would be losing their benefits due the error in the biometric identification. The Infosys co-founder later said that if there is a margin of error then ‘One Time Password’ (OTP) comes in. However, he didn’t define what if there is a congestion of network in the remotest Indian villages where phone signals are rare? Standing on the PDS shop waiting for food grains and network, is certainly not an ideal way to avail the benefits of the government welfare schemes. In 2011, activist and writer Ruchika Gupta said in an interview to Tahalka, “The UID cannot address the bulk of delivery problems in the two of the biggest social sectors programmes like MGNREGA and PDS. Linking UID with social sector legislation is completely baseless.”

PAN Card Linked with Aadhaar Card?

The government has directed the Reserve Bank of India to make Aadhaar mandatory for Income Tax Return filing. Currently, there are approximately 24.37 crores PAN holders in India, however 3.8 crore people file income tax return every year. There have been cases of people owned not more than one but 100 PAN Cards with them. PAN cards in India are mostly used by the citizens as a proof of identity. The government believes that PAN card linking with Aadhaar will curb the tax evasion.

How Safe Is Your Data In This Panopticon Model Of Mass Surveillance?

In the late 18th century, the well-known English social reformer and jurist Jeremy Bentham wanted to build a ‘panoptican’ for a mass surveillance of the prisoners in England. He advocated designing an institutional building be used to keep an eye on all the jail inmates by a single watchman. Very similarly, India is witnessing the biggest surveillance program ever under the name of single identity and availing benefits of governments’ schemes. Another logic behind enrolment of Aadhaar is the ‘national security’. National security? How can any government ensure national security backing Aadhaar, when international companies have been hired in consortium to collect residents’ biometric and demography details? In 2010, Accenture, Mahindra-Satyam Morpho and L1 identity solutions were pooled in by UIDAI for leveraging de-duplication exercise of Aadhaar and data collection. L1 Identity Solutions’ top brasses are the former Director CIA George Tenet and former Homeland Security deputy secretary Adm James. With its headquarters in Connecticut, this company is one of the biggest defence contractors specialised in facial recognition and biometrics. L1 Identity Solutions and Accenture work in a close affinity to US intelligence agencies. This is an age of information. Corporate houses and big telecom players are dying to get details of consumers. Obvious are the concerns about the safety and security of the people’s data. It is feared that the database can be used for various marketing and business purposes.

CIDR, A Single Database Of People’s Data

Central Identities Data Repository (CIDR) is a data management and storing agency in India which is initiated for the Aadhaar project. It is regulated by the statutory body of Unique Identification Authority of India (UIDAI). This centralised database is probably one of the biggest repositories on this planet.

In 2010, experts had claimed that more than a thousand government sites and portals were attacked more than 4000 times by China alone in one year. In April 2011, 77 million Sony Playstations and digital media delivery service Qriocity were hacked which resulted into a shutdown of the network for a week. The London School of Economics also reported that a central database of vulnerable to hacking and other terrorist and cyber crime activities. Recently Wannacry Ransomware virus hits the globe. More than 99 countries were affected.

Building one single repository for billions of Aadhaar Card data seems to be a big risk in the most vulnerable country where dat breach is at most.

Data Leak Crisis

UIDAI has so far spent approximately 5982.62 crores for more than a billion enrolments of Aadhaar Cards. 1615.34 crores have been spent between the financial year 2015-2016. Centre for Internet and Society, Bengaluru-based organization (CIS) has learned that data of more than 130 million Aadhaar card holders has been leaked from four government websites. They are National Social Assistance Programme, National Rural Employment Guarantee Scheme, Chandranna Bima Scheme and Daily Online Payments Reports of NREGA. It also includes Bank details and other confidential details of millions of residents.

What is Next?

The Lok Sabha has passed the Aadhaar Bill as Money Bill. Mukul Rohatgi said in the Supreme Court that according to Article 110 of the constitution, there is use of consolidated funds of India so the bill is a Money bill. Chief Justice Khehar said, “Your object might be good but whether it is a ‘Money Bill’ or not is the question.” Justice Ramana referred to a 2014 judgment passed by the Apex court that courts had no jurisdiction over procedurals matters of legislative.” In response P. Chidambram, the counsel for Jairam Ramesh said, “This petition is not about a procedural matter. There has been substantive infraction.”

For more details visit https://cis-india.org/internet-governance/news/the-indiasaga-may-25-2017-aadhaar-card-one-identity-multiple-disorders