Centre for Internet and Society

Privacy Concerns Overshadow Monetary Benefits of Aadhaar Scheme

Pranesh Prakash and Amber Sinha — 2016-03-17T16:12:26Z

Since its inception in 2009, the Aadhaar system has been shrouded in controversy over issues of privacy, security and viability. It has been implemented without a legislative mandate and has resulted in a PIL in the Supreme Court, which referred it to a Constitution bench. On Friday, it kicked up more dust when the Lok Sabha passed a Bill to give statutory backing to the unique identity number scheme.

The article was published in the Hindustan Times on March 12, 2016.

There was an earlier attempt to give legislative backing to this project by the UPA government, but a parliamentary standing committee, led by BJP leader Yashwant Sinha, had rejected the bill in 2011 on multiple grounds. In an about-turn, the BJP-led NDA government decided to continue with Aadhaar despite most of those grounds still remaining.

Separately, there have been orders passed by the Supreme Court that prohibit the government from making Aadhaar mandatory for availing government services whereas this Bill seeks to do precisely that, contrary to the government’s argument that Aadhaar is voluntary.

In some respects, the new Aadhaar Bill is a significant improvement over the previous version. It places stringent restrictions on when and how the UID Authority (UIDAI) can share the data, noting that biometric information — fingerprint and iris scans — will not be shared with anyone. It seeks prior consent for sharing data with third party. These are very welcome provisions.

But a second reading reveals the loopholes.

The government will get sweeping power to access the data collected, ostensibly for “efficient, transparent, and targeted delivery of subsidies, benefits and services” as it pleases “in the interests of national security”, thus confirming the suspicions that the UID database is a surveillance programme masquerading as a project to aid service delivery.

The safeguards related to accessing the identification information can be overridden by a district judge. Even the core biometric information may be disclosed in the interest of national security on directions of a joint secretary-level officer. Such loopholes nullify the privacy-protecting provisions.

Amongst the privacy concerns raised by the Aadhaar system are the powers it provides private third parties to use one’s UID number. This concern, which wouldn’t exist without a national ID squarely relates to Aadhaar and needs a more comprehensive data protection law to fix it. The supposed data protection under the Information Technology Act is laughable and inadequate.

The Bill was introduced as a Money Bill, normally reserved for matters related to taxation, borrowing and the Consolidated Fund of India (CFI), and it would be fair to question whether this was done to circumvent the Rajya Sabha.

None of the above arguments even get to the question of implementation.

Aadhaar hasn’t been working. When looking into reasons why 22% of PDS cardholders in Andhra Pradesh didn’t collect their rations it was found that there was fingerprint authentication failure in 290 of the 790 cardholders, and in 93 instances there was an ID mismatch. A recent paper in the Economic and Political Weekly by Hans Mathews, a mathematician with the CIS, shows the programme would fail to uniquely identify individuals in a country of 1.2 billion.

The debate shouldn’t be only about the Aadhaar Bill being passed off as a Money Bill and about the robustness of its privacy provisions, but about whether the Aadhaar project can actually meet its stated goals.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-amber-sinha-pranesh-prakash-march-12-2016-privacy-concerns-overshadow-monetary-benefits-of-aadhaar-scheme

Privacy concerns multiply for Aadhaar, India’s national biometric identity registry

praskrishna — 2017-03-22T14:38:52Z

The largest and most sophisticated biometric identity system of any country in the world, India’s Aadhaar, is sparking new fears that the personal data it stores on more than 1.1 billion people could be vulnerable to exploitation.

The article by Kaelyn Lowmaster was published by One World Identity on March 17, 2017, Sunil Abraham was quoted.

Aadhaar, which translates to “foundation” in Hindi, is a unique 12-digit code tied to citizens’ biometric data and personal information. The system was launched in 2009 in an effort to extend social services to India’s millions of unregistered citizens, and to cut down on welfare benefit “leakage” resulting from an opaque and often corrupt bureaucracy.

Constructing a centralized repository of biometric data on nearly a fifth of the world’s population has raised serious concerns among privacy advocates.

The government has also looked to Aadhaar data to underpin mobile payment transfer platforms, which have become crucial for cashless transactions during the country’s demonetization push over past year.

But constructing a centralized repository of biometric data on nearly a fifth of the world’s population has raised serious concerns among privacy advocates, who cite several vulnerabilities both with the Aadhaar system and the Modi administration’s planned expansion.

Despite this, recent metrics indicate that Aadhaar has been enormously successful in achieving those goals. Though the program is theoretically voluntary, more than 99% of Indian adults are now enrolled. Over three billion individual identity verifications have been conducted, and some reports indicate that the Indian government is saving a billion dollars per year now that welfare subsidies can be paid to citizens directly through Aadhaar-verified fund transfers.

Prime Minister Narendra Modi has ambitions to broaden the system even further, seeking to use Aadhaar as the gateway for accessing government programs ranging from public education to subsidized cooking gas, as well as partnering with private companies to offer services facilitated by the Aadhaar database.

Concerns, however, remain. One primary worry is that India’s legal framework for information security is still weak and fragmented, despite government assurances that Aadhaar biometrics have never been misused or stolen.

“There are no regulations in India on safeguards over and procedures for the collection, processing, storage, retention, access, disclosure, destruction, and anonymization of sensitive personal information by any service provider,” according to a 2016 World Bank report.

A patchwork of rules outlining “reasonable security practices and procedures” for personal data has accumulated since Aadhaar was launched, but there is no codified law outlining how data in the system must be secured, or what penalties exist for potential leaks, fraud or misuse.

“Imagine a situation where the police (are) secretly capturing the iris data of protesters and then identifying them through their biometric records” – Sunil Abraham, executive director of the Centre for Internet and Society in Bangalore

This regulatory gap poses a particularly acute risk now that the government has begun offering companies and app developers support for starting new businesses that use Aadhaar data. Through a new initiative called IndiaStack, the administration is providing open program interfaces for companies in fintech, healthcare, and other areas to integrate Aadhaar-based transactions into their business platforms. While IndiaStack’s terms of use explicitly state that user consent is required for any information sharing between service providers and the Aadhaar database, doubts remain about the integrity of the network infrastructure and the lack of clarity surrounding acceptable information sharing and storing protocols.

Another source of concern is the risk that Aadhaar information could be leveraged by the government itself for political purposes.

“Maintaining a central database is akin to getting the keys of every house in Delhi and storing them at a central police station,” Sunil Abraham, executive director of the Centre for Internet and Society in Bangalore, told Reuters. “It is very easy to capture iris data of any individual with the use of next generation cameras. Imagine a situation where the police (are) secretly capturing the iris data of protesters and then identifying them through their biometric records.”

Further stoking fears of federal overreach, the Modi administration has attempted to make Aadhaar registration mandatory in certain sectors, violating a Supreme Court ruling from October 2015 that enrollment must remain voluntary.

Still, the benefits of building on the Aadhaar identity system appear to be outweighing the risks for now, and the system is gathering momentum worldwide. The World Bank is helping market the Aadhaar model abroad, and Russia, Morocco, Tunisia, and Algeria have all expressed interest in instituting national biometric identity programs of their own. Microsoft is already on board, and Google is negotiating ways to get involved.

Aadhaar may indeed live up to is potential and become the global standard for universal legal identity, but until India can manage to create more robust mechanisms to protect citizens’ personal data, their security could remain uncertain.

For more details visit https://cis-india.org/internet-governance/news/one-world-indentity-kaelyn-lowmaster-march-17-2017-privacy-concerns-multiply-for-aadhaar-indias-national-biometric-identity-registry

Press Release, March 15, 2016: The New Bill Makes Aadhaar Compulsory!

Amber Sinha — 2016-03-16T10:11:32Z

We published and circulated the following press release on March 15, 2016, to highlight the fact that the Section 7 of the Aadhaar Bill, 2016 states that authentication of the person using her/his Aadhaar number can be made mandatory for the purpose of disbursement of government subsidies, benefits, and services; and in case the person does not have an Aadhaar number, s/he will have to apply for Aadhaar enrolment.

Nandan Nilekani, the former chairperson of the Unique Identification Authority of India had repeatedly stated that Aadhaar is not mandatory. However, in the last few years various agencies and departments of the government, both at the central and state level, had made it mandatory in order to be able to avail beneficiary schemes or for the arrangement of salary, provident fund disbursals, promotion, scholarship, opening bank account, marriages and property registrations. In August 2015, the Supreme Court passed an order mandating that the Aadhaar number shall remain optional for welfare schemes, stating that no person should be denied any benefit for reason of not having an Aadhaar number, barring a few specified services.

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, however, has not followed this mandate. Section 7 of the Bill states that “a person should be authenticated or give proof of the Aadhaar number to establish his/her identity” “as a condition for receiving subsidy, benefit or service”. Further, it reads, “In the case a person does not have an Aadhaar number, he/she should make an application for enrollment.” The language of the provision is very clear in making enrollment in Aadhaar mandatory, in order to be entitled for welfare services. Section 7 also says that “the person will be offered viable and alternate means of identification for receiving the subsidy, benefit or service. However, these unspecified alternate means will be made available in the event “an Aadhaar number is not assigned”. This language is vague and it is not clear whether it mandates alternate means of identification for those who choose not to apply for an Aadhaar number for any reason. The fact that it does make it mandatory to apply for an Aadhaar number for persons without it, may lead to the presumption that the alternate means are to be made available for those who may have applied for an Aadhaar number but it has not been assigned for any reason. It is also noteworthy that draft legislation is silent on what the “viable and alternate means of identification” could be. There are a number of means of identification, which are recognised by the state, and a schedule with an inclusive list could have gone a long way in reducing the ambiguity in this provision.

Another aspect of Section 7 which is at odds with the Supreme Court order is that it allows making an Aadhaar number mandatory for “for receipt of a subsidy, benefit or service for which the expenditure is incurred” from the Consolidated Fund of India. The Supreme Court had been very specific in articulating that having an Aadhaar number could not be made compulsory except for “any purpose other than the PDS Scheme and in particular for the purpose of distribution of foodgrains, etc. and cooking fuel, such as kerosene” or for the purpose of the LPG scheme. The restriction in the Supreme Court order was with respect to the welfare schemes, however, instead of specifying the schemes, Section 7 specified the source of expenditure from which subsidies, benefits and services can be funded, making the scope much broader. Section 7, in effect, allows the Central Government to circumvent the Supreme Court order if they choose to tie more subsidies, benefits and services to the Consolidated Fund of India.

These provisions run counter to the repeated claims of the government for the last six years that Aadhaar is not compulsory, nor is the specification by the Supreme Court for restricting use of Aadhaar to a few services only, reflected anywhere in the Bill. The “viable and alternate means” clause is too vague and inadequate to prevent denial of benefits to those without an Aadhaar number. The sum effect of these factors is to give the Central Government powers to make Aadhaar mandatory, for all practical purposes.

For more details visit https://cis-india.org/internet-governance/blog/press-release-aadhaar-15032016-the-new-bill-makes-aadhaar-compulsory

Press Release, March 11, 2016: The Law cannot Fix what Technology has Broken!

Japreet Grewal and Sunil Abraham — 2016-03-16T10:10:40Z

We published and circulated the following press release on March 11, 2016, as the Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. This Bill was proposed by finance minister, Mr. Arun Jaitley to give legislative backing to Aadhaar, being implemented by the Unique Identification Authority of India (UIDAI).

The Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 today. This Bill was proposed by finance minister, Mr. Arun Jaitley to give legislative backing to Aadhaar, being implemented by the Unique Identification Authority of India (UIDAI).

The Bill was introduced as a money bill and there was no public consultation to evaluate the provisions therein even though there are very serious ramifications for the Right to Privacy and the Right to Association and Assembly. The Bill has made it compulsory for an individual to enrol under Aadhaar in order to receive any subsidy, benefit or service from the Government. Biometric information that is required for the purpose of enrolment has been deemed "sensitive personal information" and restrictions have been imposed on use, disclosure and sharing of such information for purposes other than authentication, disclosure made pursuant to a court order or in the interest of national security. Here, the Bill has acknowledged the standards of protection of sensitive personal information established under Section 43A of the Information Technology Act, 2000. The Bill has also laid down several penal provisions for acts that include impersonation at the time of enrolment, unauthorised access to the Central Identities Data Repository, unauthorised use by requesting entity, noncompliance with intimation requirements, etc.

Key Issues

1. Identification without Consent

Before the Aadhaar project it was not possible for the Indian government to identify citizens without their consent. But once the government has created a national centralized biometric database it will be possible for the government to identify any citizen without their consent. Hi-resolution photography and videography make it trivial for governments and also any other actor to harvest biometrics remotely. In other words, the technology makes consent irrelevant. A German ministers fingerprints were captured by hackers as she spoke using hand gesture at at conference. In a similar manner the government can now identify us both as individuals and also as groups without requiring our cooperation. This has direct implications for the right to privacy as we will be under constant government surveillance in the future as CCTV camera resolutions improve and there will be chilling effects on the right to free speech and the freedom of association. The only way to fix this is to change the technology configuration and architecture of the project. The law cannot be used as band-aid on really badly designed technology.

2. Fallible Technology

The technology used for collection and authentication as been said to be fallible. It is understood that the technology has been feasible for a population of 200 million. The Biometrics Standards Committee of UIDAI has acknowledged the lack of data on how a biometric authentication technology will scale up where the population is about 1.2 billion. Further, a report by 4G Identity Solutions estimates that while in any population, approximately 5% of the people have unreadable fingerprints, in India it could lead to a failure to enroll up to 15% of the population.

We know that the Aadhaar number has been issued to dogs, trees (with the Aadhaar letter containing the photo of a tree). There have been slip-ups in the Aadhaar card enrolment process, some cards have ended up with pictures of an empty chair, a tree or a dog instead of the actual applicants. An RTI application has revealed that the Unique Identification Authority of India (UIDAI) has identified more than 25,000 duplicate Aadhaar numbers in the country till August 2015.

At the stage of authentication, the accuracy of biometric identification depends on the chance of a false positiveâ€” the probability that the identifiers of two persons will match. For the current population of 1.2 billion the expected proportion of duplicates is 1/121, a ratio which is far too high. In a recent paper in EPW by Hans Mathews, a mathematician with CIS, shows that as per UIDAI's own statistics on failure rates, the programme would badly fail to uniquely identify individuals in India. [1]

Endnote

[1] See: http://cis-india.org/internet-governance/blog/epw-27-february-2016-hans-varghese-mathews-flaws-in-uidai-process

For more details visit https://cis-india.org/internet-governance/blog/press-release-aadhaar-11032016-the-law-cannot-fix-what-technology-has-broken

Pratap Vikram Singh - Why Aadhaar is Baseless?

praskrishna — 2016-04-02T05:31:30Z

This article by Pratap Vikram Singh, Governance Now, discusses the problems emerging out of the UIDAI project due to its lack of mechanisms for informed and granular consent, and for seeking recourse in the case of denial of service. The article quotes Sumandro Chattapadhyay and mentions Hans Varghese Mathew's work on the biometric basis of UIDAI. It was written before the Aadhaar bill was passed in Lok Sabha.

Cross-posted from Governance Now.

It was no less than a roller-coaster ride for Aadhaar, a programme formulated by the UPA government to assign a 12-digit unique number to every Indian resident. From the time it came into being in 2009, Aadhaar drew a volley of criticism, thanks to the misgivings and apprehensions that various critics and civil society organisations had. It was criticised for lack of a clear purpose, degree of effectiveness and absence of a privacy law and was virtually thrown into the bin by a parliamentary panel headed by BJP’s Yashwant Sinha in December 2011.

When the finance minister Arun Jaitley, in his budget speech, announced that the government would introduce the Aadhaar bill during the budget session, expectations were already set high. The bill, giving statutory backing to the unique identification authority of India (UIDAI), the implementing authority, was passed by the Lok Sabha on March 11. While the privacy and voluntary versus mandatory provisions are under the consideration of the supreme court, the bill makes way for linking Aadhaar with all government subsidies, benefits and services. The law on Aadhaar, former UIIDAI chairman Nandan Nilekani wrote in the Indian Express, will help the government in going paperless, presence-less and cashless. The legislation, however, fails to deliver on several counts.

However, prior to evaluating the bill (yet to be passed by the Rajya Sabha at the time of this writing though it is a money bill), let us take a look at its major aspects. For those, who always wondered whether Aadhaar is mandatory or voluntary, the bill 2016 makes it mandatory to avail subsidy, benefit or a service from the government.

The bill has provisions related to information security and confidentiality (section 28) which not only extend to employees of the UIDAI but also consultants and external agencies working with the authority.

The proposed law restricts information sharing. It bars UIDAI from sharing core biometric information – the bill defines it as fingerprints and iris scan – with “anyone for any reason whatsoever” or “used for any purpose other than generation of Aadhaar numbers and authentication under this Act”. The section 32 of the bill entitles Aadhaar number holders to access her or his authentication record. It also bars the authority from collecting, keeping or maintaining information about the purpose of authentication.

Odd Drives the Bill

While the intent is clear and is aimed at streamlining welfare schemes to ensure it reaches the bottom of the pyramid, cutting through the long chain of pilferage and subversion, the bill, however, has several shortcomings. To begin with, the government should not have taken the money bill route to pass the legislation – tactfully avoiding any conclusive discussion and debate in the Rajya Sabha, where it is in minority.

The bill assumes that the technology and the biometric system used by the UIDAI are flawless and it doesn’t provide any recourse in case of denial of a service. “If your fingerprint is not matching and you lose out on service, then what is the alternative mechanism you have,” asks Sumandro Chattapadhyay, research director, centre for internet and society (CIS). The bill doesn’t provide for recourse. “What if the scanning machine fails? What if the identifiers of two people match?”

Based on experiments conducted in the initial days of the Aadhaar programme, Hans Verghese Mathews, another CIS researcher, did a study on the probability of matching of identifiers of two persons. “For the current population of 1.2 billion the expected proportion of duplicands (users whose identifiers match) is 1/121, a ratio which is far too high,” Mathews wrote in the Economic and Political Weekly in February.

“It is like putting the technology in a black box – which can’t be reviewed,” says Chattapadhyay. The bill doesn’t talk about setting up an independent body to review the logs and keep an eye on wrong and duplicate matches.

Who Defines National Security?

According to public policy experts, it is an attempt to seek “minimal legitimacy” from parliament and further adds to the unbridled power of the executive.

Although the bill restricts information sharing in section 29, sections 33 and 48 provide exemption in cases of national security and public emergency, respectively. The legislation, nevertheless, doesn’t elaborate on what constitutes national security and public emergency, leaving it to the executives. The section 33 reads: “Nothing contained in… shall apply in respect of any disclosure of information, including identity information or authentication records, made in the interest of national security….”

Similarly, section 48 states that if, at any time, the central government is of the opinion that a public emergency exists, “the central government may, by notification, supersede the Authority for such period, not exceeding six months, as may be specified in the notification and appoint a person or persons as the president may direct to exercise powers and discharge functions under this Act”.

Says Jayati Ghosh, professor, centre for economic studies and planning, Jawaharlal Nehru University, “National security is a very opaque term. Who decides what national security is? Today, the whole JNU is being projected as a threat to national security.” Swagato Sarkar, associate professor and executive director, Jindal school of government and public policy, OP Jindal Global University, says, “The bill has provisions for oversight on the use of Aadhaar, but then it suspends those provisions in case of emergency in the later sections, giving the state the power to use biometric information for whatever it deems fit.”

Sarkar adds, “It seems the bill is simply an instrument for seeking minimum legitimacy from parliament. The bill tries to address the concern of privacy minimally and it hardly serves any purpose.” He believes that there is a need to define the broader contours of democratic control of the state and reassess the changing state-citizen relationship, instead of rejecting the whole idea on the basis of surveillance and privacy. In other words, there is a need for strong parliamentary oversight, and that the Aadhaar related matters shouldn’t be completely delegated to the executive.

In its recommendations on formulating Privacy Act, the justice AP Shah committee in 2012 provided for establishing the office of privacy commissioner at the regional and central levels, defining the role of self-regulating organisations and co-regulation, and creating a system of complaints and redressal for aggrieved individuals. Since the country still doesn’t have any legislation on privacy, people are left on their own in case of an infringement or violation of privacy. Moreover, section 47 states, “No court shall take cognizance of any offence punishable under this Act, save on a complaint made by the Authority or any officer or person authorised by it.”

In its report, the parliamentary committee headed by Yashwant Sinha notes that “enactment of national data protection law… is a prerequisite for any law that deals with large scale collection of information from individuals and its linkages across separate databases”. The committee notes that in absence of data protection legislation, it would be difficult to deal with issues of access, misuse of personal information, surveillance, profiling, linking and matching of databases and securing confidentiality of information.

Subsidy-Aadhaar Linkage

The Sinha committee also takes a cautious view of the role of Aadhaar in curbing leakages in subsidy distribution, as beneficiary identification is done by states. It notes, “Even if the Aadhaar number links entitlements to targeted beneficiaries, it may not even ensure that beneficiaries have been correctly identified. Thus, the present problem of proper identification would persist.”

According to Ghosh, the biggest danger in using Aadhaar for social welfare programmes is that the fingerprints of the rural working class is not always in good shape and hence Aadhaar will not be the best way of identification. “If I am misidentified, I can go to so many places for recourse. But what if a labourer in a remote Jharkhand village is misidentified? Where and whether he would go?” the economist asks. Besides, the bill doesn’t limit the use of Aadhaar and defines areas where it can be used. Section 57 says that the law will not prevent the use of Aadhaar number for establishing the identity of an individual for any purpose, “whether by the state or anybody corporate or person, pursuant to any law, for the time being in force or any contract to this effect.”

According to a PRS Legislative review, since the bill also allows private persons to use Aadhaar as a proof of identity for any purpose, the provision will open a floodgate and enable private entities such as airlines, telecom, insurance and real estate companies to mandate Aadhaar as a proof of identity for availing their services.

Since the bill doesn’t restrict its application, people will not have a choice to identify themselves other than using Aadhaar when corporate organisations make it mandatory, says Chattapadhyay of the CIS. Adds Sarkar, “The bill should clearly mention sectors or services where Aadhaar will be potentially used (or made mandatory). Every time a new sector or service is added to the list, it is done after parliamentary approval.”

So far, 98 crore people have been assigned Aadhaar number. So far the project has costed Rs 8,000 crore.

For more details visit https://cis-india.org/internet-governance/news/gov-now-pratap-vikram-singh-17032016-why-aadhaar-is-baseless

PMO’s no to smart cards, insists on Aadhaar

praskrishna — 2016-04-20T02:19:18Z

The government has decided to stop issuing new smart cards to beneficiaries of government schemes as Aadhaar is now backed by a law.

The article by Somesh Jha was published in the Hindu on April 10, 2016. Sunil Abraham was quoted.

The Prime Minister’s Office (PMO) has issued strict instructions to the Information Technology Ministry to ensure that States and the Central governmentstop issuing smart cards for new programmes for beneficiaries, and to rely on the Aadhaar-based Direct Benefit Transfer platform instead.

The move will impact ministries such as Labour, Social Justice and Health, which are in the process or have already rolled out smart cards.

The government had said earlier that over 100 crore people, constituting 93 per cent of the adult population, had a unique identification (UID) number under the Aadhaar platform.

“The undersigned is directed to request the department to examine the need for state and central government departments to issue separate smart cards in the light of the near universal coverage of Aadhaar and the delivery of the most public welfare benefits through Aadhaar enabled platforms,” according to a directive issued by Gulzar N, Director, PMO, to Aruna Sharma, Secretary, Department of Electronics and Information Technology.

“The undersigned is also directed to request the department to prepare policy on the delivery of various public services using Aadhaar, Jan Dhan Yojana and existing platforms without the issuance of new smart cards.”

Last month, Union Minister for Social Justice and Empowerment Thaawar Chand Gehlot had announced that all differently abled persons would soon get a unique identity card to avail welfare schemes. .

State governments had also planned to use smart card technology for welfare schemes. For instance, Odisha was mulling smart cards for construction workers in the State.

The PMO sent a separate communiqué to Labour Secretary Shankar Aggarwal in the context of a proposal to issue 40 crore smart cards to informal sector workers, called the Unorganised Workers’ Identification Number (U-WIN). The UWIN cards were to be used by these workers to access benefits under schemes such as Rashtriya Swasthya Bima Yojana , Aam Aadmi Bima Yojana , Atal Pension Yojana, Pradhan Mantri Suraksha Bima Yojana and Jeevan Jyoti Bima Yojana.

The PMO rejected the proposal noting that Aadhaar would act as a “universal unique identifier for each citizen.”

“Adding a UWIN number would not only duplicate work, but also introduce further problems in linking up with other databases which have already been linked with Aadhaar,” said the missive reviewed by The Hindu.

However, experts are sceptical of the government’s move.

“Smart cards are always better than biometrics. If that was not the case, the global financial infrastructure today will be working on biometrics and not on smart cards,” said Sunil Abraham, executive director of The Centre for Internet and Society.

“Why are these banks working on smart cards? Smart cards work using cryptography, which is more fool-proof than biometrics. Biometrics allow for remote, covert and non-consensual identification,” Mr. Abraham said.

Smart card vendors, however, said the move may not impact their market. “The demand for smart cards is massive in all the other segments such as for use in debit and credit cards or driving licenses and vehicle registration numbers,” said Deven Mehta, managing director of the Mumbai-based Smart Card IT Solutions.

For more details visit https://cis-india.org/internet-governance/news/the-hindu-april-10-2016-somesh-jha-pmo-no-to-smart-cards-insists-aadhaar

Plug data leak before imposing Aadhaar

praskrishna — 2017-05-17T02:10:37Z

As the Central government continues to expand the scope and boundaries of the applicability of Aadhaar, the unique identification number, even before the Supreme Court’s verdict on its constitutional validity, reports suggesting that millions of Aadhaar numbers may have been leaked deliberately or inadvertently are a matter of grave concern.

The article was published in the Deccan Herald on May 11, 2017.

The Centre for Internet and Society, a Bengaluru-based organisation, has claimed that close to 135 million Aadhaar numbers and 100 million bank account numbers have been exposed by government portals dealing with pension, social welfare and employment guarantee schemes. The report says that with Aadhaar being used or planned to be used for authenticating and authorising several transactions, the financial risks of the disclosure of such data are greatly exacerbated. Virtually confirming that some ‘over-enthusiastic’ government agencies have been making the Aadhaar data public, Aruna Sundararajan, secretary, Union Electronics and Information Technology Ministry, has said that the Centre is in the process of ‘educating officials’ about the sanctity of the material collected, besides drafting amendments to the Information Technology Act to ensure data protection and secrecy. That’s indeed a late realisation, and hopefully, not a case of locking the stables once the horses have bolted.

The Supreme Court is also rightly concerned about the invasion of a citizen’s body in obtaining fingerprints and iris impressions for Aadhaar and the violation of an individual’s privacy. Attorney General Mukul Rohatgi raised several eyebrows by arguing that “citizens don’t have an absolute right over their own bodies” and there was nothing illegal about obtaining biometric details. He may be legally right, but as the court pointed out, it is the duty of the state to maintain the liberty and dignity of all individuals. As almost 98% of the population has already been covered by Aadhaar, the question of privacy is now more academic, though making Aadhaar mandatory for the filing of income tax along with PAN card is not. As the government is unable to come to grips with millions of benami transactions and largescale evasion of income tax in the country, if the linking of Aadhaar is going to bring down such cases, it needs to be welcomed.

However, Aadhaar is not a magic bullet that has a solution for every problem. The government shoulddrop the idea of making it mandatory for social welfare programmes such as children availing midday mealsin schools, supply of nutrition under ICDS programme and provision of scholarship for the disabled. The government certainly has a responsibility to prevent misuse of the schemes, while making sure that welfare measures are not denied to the needy on technical grounds.

For more details visit https://cis-india.org/internet-governance/news/deccan-herald-may-11-2017-plug-data-leak-before-imposing-aadhaar

Pension won’t be denied for want of Aadhaar, says EPFO

Admin — 2018-04-10T22:33:39Z

The move is aimed at ensuring that no retired government employee is deprived of pension for want of Aadhaar or failure of fingerprint authentication.

The article by Prashant K. Nanda and Komal Gupta published by Livemint on April 11, 2018 quoted Pranesh Prakash.

Tens of thousands of pensioners under the employees pension scheme will not be denied their monthly pension if their Aadhaar authentication fails or they do not have the 12-digit unique ID, the Employees Provident Fund Organisation (EPFO) has indicated.

The retirement fund manager has asked banks and post offices to facilitate pension disbursement without making senior citizens do the rounds.

The move comes after EPFO received several complaints of denial of pension by banks.

For paying pension to those whose fingerprint authentication fails, “banks may make provisions for iris scanner, along with the fingerprint scanner in bank branches. It has been observed that in many cases, iris authentication is successful even though fingerprint authentication may have failed. This is particularly true for many senior citizens. In such cases, digital life certificate may be generated on the basis of iris authentication and pension may be given,” the EPFO said in a circular on Monday.

And when both iris and fingerprint authentication are not feasible, “an entry should be made in the exception register with reasons and pension may be provided on the basis of paper life certificate and physical Aadhaar card or E-Aadhaar card of the pensioner after due verification as deemed fit by the bank,” the circular said.

The move is aimed at ensuring that no senior citizen is deprived of pension for want of Aadhaar or failure of fingerprint authentication.

Banks have been advised to ensure that benefits of the pension scheme reach the citizens and a proper mechanism for “handling exceptions” is put in place.

“Banks should make special arrangements for the bed-ridden, differently abled, or senior citizens who are unable to visit the Aadhaar enrolment centre,” the circular said.

EPFO has also instructed pension disbursing banks and post offices to make necessary arrangements for enrolling pensioners for Aadhaar and to carry out authentication through iris, especially for those who cannot be verified through fingerprints.

The Unique Identification Authority of India (UIDAI) has been under the scanner over the past few months over allegations of access to pension being denied as the fingerprints of the elderly do not match biometrics in the Aadhaar database.

So far, pensioners had to furnish a life certificate and needed to authenticate it using biometrics.

“The fact that it is coming now means that the Unique Identification Authority of India’s claim in the Supreme Court about no person having been denied any benefit due to the lack of Aadhaar is simply untrue,” said Bengaluru-based Pranesh Prakash, an affiliated fellow with the Yale Law School’s Information Society Project that works on issues related to the intersection of law, technology and society.

Prakash, however, welcomed EPFO’s move laying down “a procedure both for those who don’t have an Aadhaar number, as well as those whose biometrics fail for any reason”.

Prakash further said that “as per the UIDAI’s own data, failure rates for iris authentication are higher (8.54%) than for fingerprints (6%). So the utility of pushing for iris authentication is unclear.”

There are more than 1.2 billion Aadhaar holders in the country.

For more details visit https://cis-india.org/internet-governance/news/livemint-prashant-k-nanda-and-komal-gupta-pension-wont-be-denied-for-want-of-aadhaar-epfo

Panel Discussion on UID/ Aadhar act 2016 and its impact on Social, Security

praskrishna — 2016-04-28T17:02:59Z

Sunil Abraham was a speaker at this event organized by Students Christian Movement of India at SCM House in Bangalore on April 25, 2016. Mathew Thomas and Usha Ramanathan also gave talks.

With the passage of the Aadhaar act 2016 is UID / Aadhar mandatory now? How do we understand the issue of Social Security in the context of the new law? What does it mean for those who need to access their senior citizen pension, rations, school and college scholarships, etc.

How does one understand the money bill route for introducing the bill in Parliament? What are implications of this for the validity of the law?

What will happen to the court cases challenging the UID now?

Where are we now on the thorny issues of surveillance, tracking, profiling, biometrics, private and foreign companies and subsidy? What does the law say?

This discussion will revisit the debates around the UID and examine the implications of the new law.

For more details visit https://cis-india.org/internet-governance/news/panel-discussion-on-uid-aadhar-act-2016-and-its-impact-on-social-security

Opposition questions govt move to make Aadhaar must

praskrishna — 2017-04-12T14:19:20Z

Congress leader Jairam Ramesh claimed that the Aadhaar system was becoming an instrument of social exclusion rather than one of identity.

The article by Komal Gupta was published in Livemint on April 11, 2017. Pranesh Prakash was quoted.

The Rajya Sabha on Monday witnessed a lively debate on Aadhaar, with the opposition questioning the government’s move to make the 12-digit unique identification number mandatory for a host of welfare benefits.

Congress leader Jairam Ramesh claimed that the Aadhaar system was becoming an instrument of social exclusion rather than one of identity.

“My major concern is implementation, how Aadhaar is being used to exclude people to avail benefits of the schemes which have been designed for them…If you need to apply to avail benefits, it’s as good as mandatory,” said Ramesh.

The former cabinet minister argued that over 25% of the population will stand excluded.

“The Rs50,000 crore savings due to Aadhaar linkage as given by the government is highly questionable,” he said, adding that according to Comptroller and Auditor General (CAG) reports, 92% of the savings on domestic gas subsidies is not on account of Aadhaar implementation or direct benefit transfer. “Instead, it is because of the fall in international oil prices,” Ramesh argued.

Trinamool Congress member Derek O’Brien said that for manual labourers, biometric identification does not always match and that can deprive them of welfare.

He gave the example of Andhra Pradesh, where almost half the 85,000 ration card holders in 2014 were unable to get subsidized foodgrains due to faulty point of sale machines and biometrics not matching.

K.T.S Tulsi, member of Parliament and senior Supreme Court advocate, said, “Not in my whole career have I come across a greater mutilation of a statutory provision than what has taken place in the case of Aadhaar.” He said Section 29 of the Aadhaar Act doesn’t permit data stored with the Unique Identification Authority of India (UIDAI) to be shared with anyone but a provision was later made for voluntary agreement to allow the sharing of data.

IT and law minister Ravi Shankar Prasad said, “No religion, income, medical history, ethnicity or education is asked in Aadhaar. Even email ID and phone number is optional.”

“The right of privacy of individuals must be respected. The privacy of the data cannot be breached by us except in the case of national security,” Prasad added.

He claimed that the government has been blacklisting operators that share data from the Aadhaar system. It has blacklisted 34,000 operators, and has taken action against 1,000 of them.

Prasad also said that UIDAI will be accountable to the Parliament.

Expressing concern on mandating the use of Aadhaar for different services, Pranesh Prakash, Policy director of the Centre for Internet and Society, said, “As an enabler, people would want to have Aadhaar. But when it is made mandatory, it becomes more of a disenabler instead of an enabler.”

“With the move towards a digital economy, setting up of a data protection authority as recommended by the Shah committee is important along with mass surveillance and greater accountability from the government,” he added.

For more details visit https://cis-india.org/internet-governance/news/livemint-april-12-2017-komal-gupta-opposition-questions-govt-move-to-make-aadhaar-must

Online Trolls Attack Critics of India's Aadhaar State ID System

praskrishna — 2017-06-07T13:34:00Z

India's biometric state ID system has been leaking citizens’ data for months. When this information surfaced in April 2017, it stoked fears that the system could be used as an instrument of surveillance against Indian residents.

The blog post by Rohith Jyothish was published by Global Voices on May 31, 2017.

The Unique Identity Authority of India (UIDAI), which administrates the system known as Aadhaar (meaning foundation in Hindi) maintains that it only collects minimal personal data and stores it securely. But critics have firmly expressed doubts about these claims.

The implications of these leaks, and of any system flaw in Aadhaar technology, are substantial, especially for Indians who depend on the Aadhaar system in order to authenticate their identities when they use any number of government services. The Aadhaar system has become the gatekeeper of state systems and services ranging from voting to financial savings to food subsidies.

The digital sphere is now starting to see a pushback against Aadhaar critics through articles and blogposts that describe concerned citizens and privacy experts as the ‘anti-Aadhaar brigade‘ and accuse them of publishing “half-truths” and “spread[ing] confusion to advance their own interests.” One such article was even featured on the UIDAI website.

Some of the most well-researched critiques of the system have come from the Centre for Internet and Society (CIS), an inter-disciplinary research organisation in Bangalore that has now become a target of the pro-Aadhaar lobby. Shortly after CIS released a report that pointed out security flaws in the Aadhaar ecosystem, the UIDAI accused the organization of hacking into the Aadhaar system themselves.

In fact, CIS had investigated databases of four specific government websites. Three were available publicly, the fourth one was accessible by simply changing one of the URL parameters. Following the accusation from UIDAI, CIS clarified that the Aadhaar numbers along with other sensitive personal financial information like bank account details were made available by government websites themselves, putting a sizeable portion of Indian citizens at risk of financial fraud.

The Press Trust of India (India's largest news agency) referred to it as a “flip-flop”, which was contested by researchers at CIS.

Independent technology news platform Medianama reported that the accusation by the UIDAI is regrettably consistent with previous actions in which they filed a case against a journalist for exposing flaws in Aadhaar's enrollment mechanism.

A website called ‘Support Aadhaar‘ and its Twitter handle sought to collate opinions supporting Aadhaar and quell those speaking against it. However, most of their messages appear to evade or deflect the concerns that critics have raised by touting the benefits of the system and portraying critics as having a poor understanding of the benefits of technology.

Many Twitter users have also begun noticing patterns in the pro-Aadhaar posts:

Meanwhile, several critics of Aadhaar have repeatedly been trolled by anonymous handles on Twitter. These ‘sock puppet’ accounts seemed to be targeting those who criticise Aadhaar on social media.

One of the most active trolls issued an open challenge to reveal their identity with just their Aadhaar number. Technology entrepreneur Kiran Jonnalagadda accepted the challenge and found that ‘@Confident_India’, one of the many anonymous troll Twitter handles, is Sharad Sharma, the co-founder and director of iSPIRT Foundation (Indian Software Product Industry Roundtable), the software lobby that built the backbone of the Aadhaar ecosystem.

Sharma accidentally tweeted a denial from the troll account which has since been deleted. He then tweeted again from his personal handle which was captured.

iSPIRT officially denied allegations by Jonnalgadda that the “evidence presented is a deliberate misreading of our intent to engage with those speaking against India Stack.” India Stack is the digital infrastructure that has been built over Aadhaar.

But several other Twitter users have confirmed that Sharma's phone number is linked to ‘@Confident_India’. By their own admission, iSPIRT seemed to have an officially sanctioned project intended to systematically challenge anti-Aadhaar campaigners in online platforms. But they refuse to term these actions as “trolling”.

However, Sharma later made an apology for trolling and called it a “lapse of judgement”. CIS Executive Director Sunil Abraham seemed to appreciate the message. He tweeted: Bravo to @sharads for this! All of us at @cis_india look fwd to collaborating with @Product_Nation & @sharads to serve Indian s/w sector. https://twitter.com/sharads/status/866943195678035968 …

iSPIRT is an initiative which finds far-reaching support from several IT industry leaders in India. What is worrying is that there is still no clarification from iSPIRT on the identities of the other anonymous trolls and their position on trolling against genuine concerns raised by citizens.

More than a week after the trolling revelations, iSPIRT announced on its website, the results of an investigation carried out by an Internal Guidelines and Compliance Committee over the allegations against Sharma of operating the anonymous handles, ‘@Confident_India’ and ‘@Indiaforward2′. Jonnalgadda was one of the trolling victims who testified in the internal meeting. A summary of the investigation was posted bafflingly by the accused himself in which he says that project Sudham has been dissolved and that he has been told to not make public appearances on behalf of iSPIRT for four months while he remains Director and the face of the organisation. FactorDaily reported that iSPIRT members on the condition of anonymity said that Pallav Nadhani (Founder, Chief Executive, FusionCharts) and Naveen Tewari (Co-founder, InMobi) who quit iSPIRT were upset with their excessive focus on India Stack.

One wonders whether this kind of behavior would be treated differently if it took place offline. Is intimidating those who appear to be ‘detractors’ the most effective way of dealing with criticism? Why is a software lobby taking it upon themselves to defend the idea of Aadhaar and India Stack through such means?

Many are hoping that experts on both sides of the issue can find a way to debate questions around the privacy and security of Aadhaar's technology — that affect some 1.3 billion people — in a more democratic way.

For more details visit https://cis-india.org/internet-governance/news/global-voices-rohith-jyothish-may-31-2017-online-troll-attack-critics-of-indias-aadhaar-state-id-system

Now, Aadhaar details displayed in Mizoram too

praskrishna — 2017-04-27T16:59:37Z

Contrary to the Centre’s assurances, government websites are revealing digital details of the poor, leaving them vulnerable to financial frauds and identity theft.

The article by Sebastian PT was published in the National Herald on April 26, 2017. Sunil Abraham was quoted.

Could there be a method to the madness? Or is it just carelessness? From the Jharkhand Government to the Union Territory of Chandigarh to the Union Ministry of Water and Sanitation to even Mizoram’s Food and Civil Supplies Department, government websites are found to have displayed Aadhaar details of citizens, a crime under the law.

In Jharkhand, details of 16 lakh beneficiaries – their bank account details, ration card and the 12-digit Aadhaar number – were displayed on the website of the Directorate of Social Security. Similar blunders were witnessed from different corners of the country from Chandigarh to Kerala, where details of 35 lakh people have been breached. This flies in the face of the Government’s repeated claims on data privacy, that Aadhaar details are completely safe.

The law doesn’t allow this. The displaying of the Aadhaar data, for instance, is in clear violation of Section 29 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016. The provision clearly says that “no” Aadhaar number or core biometric information of an Aadhaar number holder shall be “published, displayed or posted publicly”.

“There appears to be no regulation worth the name as far as the Aadhaar project is concerned,” says economist Reetika Khera from IIT Delhi.

So, will these officials responsible be punished according to the Act? More importantly, what about the damage of leaking such sensitive, apparently confidential data?

Irreparable Damage

Several cyber security experts have been warning of the possibility of precisely such leaks and Opposition parties were vociferously pointing this out while the Centre was brazenly violating the Supreme Court’s orders and forcibly extending Aadhaar to almost everything – including it being linked to one’s Permanent Account Number (PAN), used for filing income tax.

“What has been broken through technology, can’t be fixed with the law,” says Sunil Abraham, Executive Director of Bangalore-based research organisation, the Centre for Internet and Society.

The data breach just made it easy for players in the black market for ID (identification) documents to be lapped up to create false ID cards, for instance.

When demonetisation was being implemented, sources say that black money hoarders apparently bought fake IDs which were made from stolen Aadhaar details to get the old notes exchanged – one way for doing this was perhaps by opening new bank accounts or to, say, utilise unused Jan Dhan accounts to deposit the money. Now, one can only imagine what terrorists can do with these details.

So far, perhaps, the only solace is that the biometric details of the beneficiaries weren’t leaked. But, in the backdrop of the lax attitude of the various government departments, even that too is just waiting to happen, fear experts.

Abraham warns that Aadhaar was always a risky proposition as it was based on biometrics, which “made it very insecure”. He terms it as a “mass surveillance technology” – that too a poorly-designed technology – which, in fact, “undermines security”. Once biometric data are compromised, it cannot be secured again. Instead of biometrics, he suggests the UIDAI shift to using smart cards.

The unfettered forcible linking of almost everything – from bank accounts to one’s PAN card – to Aadhaar only makes things worse. “The Centre is ‘seeding’ the various data bases with the Aadhaar number, which is a very bad move. And, involving various private and public agencies in this only makes the entire thing very precarious,” warns Abraham. He points out that, for instance, when the PAN cards are linked with the Aadhaar number, breach made possible.

Instead, he says, the government should adopt the ‘tokenisation approach’, instead of the ‘seeding approach’. What this means is that, say, if the PAN card is to be linked to Aadhaar, then UIDAI issues a token number and not the original 12-digit Aadhaar number. So, even if a breach happens, the hacker will not be able to get all the Aadhaar details, he says.

However, the government does not seem to be taking the issue of privacy very seriously. What perhaps is not being understood is that this is not just a privacy issue, but making the masses vulnerable to frauds. Instead of treading cautiously in implementing Aadhaar, the government seems to be in a hurry to extend it to almost every possible silo in an individual’s life.

“Given the callous attitude of central and state governments, I hope that the Supreme Court will stop the government from a forced linking of Aadhaar, on the one hand, and bank accounts and PAN numbers on the other hand,” says Khera.

For more details visit https://cis-india.org/internet-governance/news/national-herald-sebastian-pt-april-26-2017-now-aadhaar-details-displayed-in-mizoram-too

No such rule, but many vaccination centres are insisting on Aadhaar as proof

Sreedevi Jayarajan — 2021-06-26T04:43:13Z

Radhika Radhakrishnan saw three words swimming before her as she inched closer to the hospital lobby.

The blog post by Sreedevi Jayarajan was published in the News Minute on June 4, 2021. Pranesh Prakash was quoted.

The words were written on a white board inside the private hospital she had visited in Bengaluru on May 21, three weeks after the Union Government opened up COVID-19 vaccinations for the 18+ category after online registration. “I had booked a vaccine slot and visited the hospital and the words on the board read ‘Aadhaar is mandatory’, along with other dos and don’ts of the vaccination process that the hospital followed,” she tells TNM. On the morning of her vaccination date, Radhika had registered on the Union Health Ministry’s CoWin portal for a vaccine slot in the 18+ age group. She had given her PAN number when the portal asked for a government ID proof. The appointment slip on CoWin also showed her PAN, she says.

But on the day of vaccination, authorities at the private hospital refused to accept her PAN card. Radhika says that they insisted on her Aadhaar number in order to authenticate her vaccination appointment, despite her telling them that it is illegal to demand her Aadhar card. “The hospital authorities told me that they only used Aadhaar cards to register people for vaccination or authenticate CoWin appointments. They said that if I did not want to give my Aadhaar number, I would have to wait a few more hours for them to figure out a different process,” she tells TNM. By this time, Radhika had already waited three hours in the hospital queue.

Bengaluru-based journalist Biswak* too recounts a similar experience at a government run vaccination centre he had visited on May 5. The 25-year-old had registered on CoWin using his Driving License, one of five government ID proofs that the Health Ministry portal accepts for booking vaccination slots. But at the centre, Biswak says that the officials insisted on his Aadhaar number. “Thankfully I had the number despite not carrying my card. I got vaccinated and the vaccination certificate issued on my CoWin account showed the last four digits of my Aadhaar, and did not mention my driving license which was my ID proof of choice,” he says.

TNM got in touch with several people from Tamil Nadu and Karnataka among other states who confirmed that their vaccination centres refused to accept any other ID proof, and insisted on Aadhaar. This despite the Union government not making Aadhaar mandatory for CoWin registration, for on-the-spot registrations, and even for authentication of appointments at vaccination centres.

Co-Win does not insist on Aadhaar

A quick look at the CoWin portal will tell you that you can register with any of six government ID proofs other than your Aadhaar card. These are Driving License, PAN card, Passport, Pension Passbook, NPR Smart Card and Voter ID (EPIC). To the vaccine centres, registered citizens should carry the very same ID proof they have used to register on the Co-Win portal, along with a printout or screenshot of their appointment slip. This means, if a person has registered on the portal using an Aadhaar card, the vaccination centre will ask for the same for authentication.

Once vaccinated, citizens get a certificate with their vaccination status (one dose or fully vaccinated) on their phones. This certificate contains the person’s name, age, type of vaccine (Covishield or Covaxin) and the last four digits of the ID proof used for registration.

While Radhika and Biswak say that their appointment slips had their PAN and Driving License numbers respectively, after they were coerced to give their Aadhaar numbers, the vaccination certificate on the Co-Win portal showed their Aadhaar number. “This means that they have forced me to give my Aadhaar number and then used this, despite me giving a different ID proof,” Radhika says. Multiple private hospitals in Chennai too currently insist on Aadhaar card for vaccinations, while Tamil Nadu government maintains that Aadhaar is not mandatory.

TNM spoke to a senior official in the Revenue and Finance Department of the Greater Chennai Corporation who confirmed that centres, both private and government, did not have the right to demand Aadhaar for vaccination. “There is no such rule that Aadhaar has to be submitted by citizens. In fact, the Co-Win portal also has a section to register those who have no ID proof, i.e homeless persons or those from marginalised sections. The portal finds another way to register these people. So insisting on an Aadhaar number is out of the question,” he says. In the neighbouring state of Kerala, the government recently announced that persons who had to travel abroad for various reasons should register on the government portal only using their passports. This, so that their vaccination certificate would generate their passport number as ID proof.

A matter of convenience?

In the absence of a law which mandates Aadhaar to be used for the purpose of universal COVID-19 vaccination, there is no legal basis for hospitals and vaccination centres to insist on Aadhaar numbers to vaccinate people. “Unlike a law passed by the Union government which makes it compulsory for your PAN to be linked to your Aadhaar, there is no law which the government has passed to make Aadhaar compulsory for vaccination. The Union government does, however, have the legislative competence to pass such a law. Which means that if they want to make Aadhaar mandatory for vaccination, they can. So far they have not. And therefore, nobody has the right to demand Aadhaar to vaccinate people,” says Pranesh Prakash of the Centre for Internet and Society.

However, it could be a matter of convenience for hospitals to use one type of ID proof, to be able to streamline their data entry process. “As (I believe) Aadhaar is the most widespread ID card in the country right now, when compared to other ID proofs, it makes it simple for vaccination centres to ask for Aadhaar numbers and key this in," Pranesh adds.

To a query that TNM posted on Twitter, we got varied responses from people. While many said that the centres did not insist on a particular ID card, many others said they had to give their Aadhaar. The insistence for Aadhaar by vaccination centres, both private and government, seems to be random, with no proper pattern or rule in place.

System does not support other ID proofs?

From Radhika’s experience, the hospital she visited for vaccination could not support any other ID proof, as they, in their own words “followed a system of using just Aadhaar cards”. This indirectly coerces unwilling citizens to part with their Aadhaar details, and offers no choice for those who registered with other ID proofs.

“I had to finally give my Aadhaar number but it said that there was a mismatch. Later we found out that my name on my PAN was a bit different from the name on my Aadhaar card. Since I had used the PAN to register on Co-Win, the portal could not authenticate me with the Aadhaar number. Finally I had to re-register on the spot and give a different phone number as the phone number I had given was already linked to my Aadhaar and PAN,” she says, adding that all of this could have been avoided if the hospital had accepted her PAN in the first place.

However, a private hospital that has been doing vaccinations in many places across India told TNM that they had no instructions from the state or Union government to use only Aadhaar and claimed that they only asked for Aadhaar if the person had used it during registration. However, many people who responded to TNM named this private hospital and many others too as those insisting on Aadhaar as proof.

For more details visit https://cis-india.org/internet-governance/news/the-news-minute-june-4-2021-sreedevi-jayarajan-no-such-rule-but-many-vaccination-centres-are-insisting-on-aadhaar-as-proof

No ID, no benefits: thousands could lose lifeline under India’s biometric scheme

praskrishna — 2017-03-22T14:27:25Z

Controversial Aadhaar card restricts fundamental rights, argue critics, limiting access to free school meals and exposing 1 billion people to privacy risks.

The article was published in the Guardian on March 21, 2017. Sumandro Chattapadhyay was quoted.

An Aadhaar biometric identity card, which will be mandatory for Indians to access many essential government services and benefits. Photograph: Bloomberg/Getty Images

Hundreds of thousands of people in India could be left without essential government services and benefits – including free school meals and uniforms, food subsidies and pensions – under new rules that make access to more than three dozen state-funded schemes conditional on showing identification.

Over the past month, citizens have been notified that they have to prove their identity with a biometric ID, known as an Aadhaar card, to be eligible to use various services. Booking railway tickets online, applying for some jobs, and getting fuel subsidies will also be dependent on showing the controversial card.

Aadhaar cards were introduced by the Indian government in 2009, and rolled out by prime minister Narendra Modi in 2014. They record personal biometric data, including fingerprints and eye scans, which the government says allows it to ensure that welfare services are being delivered to those who really need them, and saving billions of rupees by reducing welfare fraud.

The Unique Identification Authority of India (UIDAI), which oversees the Aadhaar programme, says that more than 1.13 billion people have been enrolled on an official database. But activists say that hundreds of thousands of Indians and migrants are still undocumented and could miss out on their fundamental rights because of the new rules.

“What if a Facebook account was necessary to log in to the internet, and what if Facebook was owned by the government of the US?” asked Sumandro Chattapadhyay, research director at the Centre for Internet and Society (CIS), a thinktank with offices in Bangalore and Delhi. “We are building a system that will decide whether a child will eat or not on an afternoon based on [the] quality of internet connectivity and cleanliness of the child’s thumbprint.”

Chattapadhyay argued that Aadhaar, which is effectively being forced upon Indians, and which is used increasingly by private companies, exposed more than a billion people to huge privacy risks.

“The Aadhaar ID is being connected to digital communications via sim card registration, it is being connected to financial transactions via bank accounts, and all Indian citizens are being forced to enrol for it against the threat of losing out from welfare services,” he said.

“The potential of unmonitored and unregulated use of such linked data by the private sector is massive. It does not matter if the Indian state will finally go ahead with implementing this system or not. The fact that [it] is considering such a system is scary enough.”

Nanu Bhasin, spokesperson at the ministry of women and child development, confirmed that the order to link Aadhaar to government schemes had come directly from the Modi government. “There are leakages in the system,” she said. “This will plug leakages.”

Bhasin said Aadhaar was now mandatory: “You have to take it, it is necessary. You cannot take the right to a benefit if you don’t have the Aadhaar card.”

She said she did not know if those who did not want to enrol in the scheme because of potential privacy risks would still be able to receive benefits. “You have bank accounts, there you give all your details, everything. Why make a fuss [about privacy] for Aadhaar?” she said.

One of the most contentious new rules introduced this month, and coming into force in July, requires children to show Aadhaar cards to get free school meals. The notice led to a media storm in India, where malnutrition rates are high and nearly 60 million children are underweight.

On 7 March the government said alternative forms of ID would be accepted for free school meals where people did not yet have Aadhaar cards, and urged schools and childcare centres to enrol all attendees.

Activists argue that setting any barriers to free school meals is unethical and unconstitutional. Ambarish Rai, national convenor of the Right to Education Forum, said: “This is a very insensitive decision of the government. How can you make it mandatory? It is a clear-cut violation of the Right to Education Act 2009.”

Compulsory identification could deter school attendance if children struggle to get free school meals or uniforms, said Swati Narayan, visiting research scholar from the LSE and food activist. “India’s school meal programme covers almost 100 million children – the largest in the world. Instead of creating unnecessary barriers, the focus should be on how to improve these modest meals by adding eggs, fruit and nutritious foods to the menu.”

Glitches in the Aadhaar system have already led to reports of people being unfairly denied government subsidies. In February, the news website Scroll recorded a number of people in the state of Jharkhand being denied rice subsidies because of problems with Aadhaar card machines.

The constitutional validity of the government’s new orders is currently being debated in court, with questions raised as to whether the Indian parliament can restrict fundamental rights enshrined in the constitution, and whether the government has the power to force citizens to enrol.

In 2015, a supreme court order had ruled that the scheme was purely voluntary, and that it could not become mandatory with a court ruling. But in 2016, parliament passed the Aadhaar Act, which allowed the government to require identification for government services.

Khagesh Jha, a lawyer and activist, argued that the act was fundamentally unconstitutional. “Rescued children, children who have been trafficked or those who have been forced into child labour – [you] can’t expect them to hold an Aadhaar card or documents like a birth certificate. Right to education is a fundamental right, and is protected by the core of the constitution. It cannot be challenged by any other document.”

UIDAI, the agency overseeing Aadhaar, issued a statement saying the government had made savings of more than 490bn rupees (£6bn) in the past two and a half years, thanks to schemes linking government benefits to Aadhaar. It added that during the past seven years, there had been no report of a breach or leak of residents’ data.

For more details visit https://cis-india.org/internet-governance/news/the-guardian-march-21-2017-no-id-no-benefits

No Genie At Your Fingertips

praskrishna — 2017-02-16T16:02:31Z

Aadhaar biometrics will now enable cashless shopping sans card and smartphone. A look at the hopes and fears.

The article by Arindam Mukherjee was published in the Outlook on February 20, 2017. Pranesh Prakash and Sunil Abraham were quoted.

Soon, you will be able to pay for your groceries and other purchased goods by using just your fingerprints and biometric data. You won’t need debit or credit cards, smartphones or e-wallets. You won’t need to sign or even remember your PIN.

In a bid to increase digitisation and move to the next phase of ‘cashless India’, the government is preparing to launch Aadhaar Pay, an initiative that will supersede the need to use credit cards, debit cards, smartphones and PINs to make payments or transfer money. The proposed system of payments will use a person’s biometric data and fingerprints to make payments through Aadhaar-linked bank accounts.

The initiative, which has been running as a pilot project in fair price shops in Andhra Pradesh, is expected to be launched in a month’s time. According to officials of the Unique Identification Authority of India (UIDAI), the system has been getting a positive response in these trials and is ready for a nationwide launch.

In Aadhaar Pay, all a person needs to carry to a shop are his fingerprints as merchant establishments will authenticate his or her identity through fingerprints, which will give them access to a person’s Aadhaar data. The only essential requirement for this new mode of payments is that bank accounts have to be linked with the account-holder’s Aadhaar number.

Unlike the post-demonetisation limits imposed on ATM and bank account withdrawals, no limits are proposed to be put on Aadhaar Pay transactions as of now. The proposal is to leave the fixing of limits to the discretion of banks. However, the government hopes Aadhaar Pay will be used mostly for small-value transactions rather than large deals.

The system will work through an app in the merchant establishment’s smartphone—with a fingerprint scanner device—eliminating the requirement of a Point of Sale (POS) terminal, which is required for credit card and debit card transactions. The scanner will be priced at around Rs 2,000, considerably cheaper than POS terminals that cost Rs 8,000-10,000.

Aadhaar Pay is the next step of the government’s successful run of Aadhaar Enabled Payment System (AEPS), under which transactions are made through ‘banking correspondents’, mostly in rural areas. These transactions are done through POS machines and micro-ATMs. Like Aadhaar Pay, AEPS disburses money without a signature or a debit or credit card, and without the need to visit a bank branch. But unlike AEPS, which works through banking correspondents, Aadhaar Pay will be available through merchant establishments much the same way as debit or credit cards work.

The biggest task before the government to ensure the success of Aadhaar Pay is to develop a network of merchant establishments that will accept Aadhaar Pay just the way they accept credit or debit cards or e-wallet payments like Paytm. To do this, the government said in this year’s budget that banks would be encouraged to put 20 lakh Aadhaar Pay access machines across the country. “We have asked every bank to select 35 merchants for this. These merchants will have a smartphone and a biometric device attachment to carry out Aadhaar Pay transactions,” UIDAI CEO Ajay Bhushan Pandey tells Outlook.

This won’t be easy. Even in case of debit or credit cards, the biggest limiting factor is the relatively small number of POS terminals that accept them. According to data from the National Payment Corporation of India (NPCI), there are only 14 lakh POS terminals in India, which has over 3.5-4 crore merchant establishments and 80 crore cards (77 crore debit cards and three crore credit cards). The bulk of these terminals are in tier I and tier II cities and almost none in tier III and IV towns. To improve the situation, the government is already working towards bringing in 10 lakh new terminals by March, most of which will be put in tier III and tier IV towns, bringing them deeper within the ambit of the digitised, cashless economy.

Though a starting target of 20 lakh terminals for Aadhaar Pay may seem quite ambitious, according to the latest data, 111.51 crore adults have already obtained their Aadhaar numbers and 50 crore bank accounts (of a total 110 crore savings accounts in the country) of 40 crore people have been linked to Aadhaar and, according to UIDAI, nearly two crore people are linking their bank accounts with Aadhaar every month, brightening up the prospects of Aadhaar Pay. A majority of these numbers are from rural areas and smaller cities.

The government and UIDAI aim to roll out Aadhaar Pay primarily in rural areas and tier III and tier IV cities to begin with, as these areas do not have proper debit or credit card coverage and the people living there are not big users of plastic cards or smartphones. “We need to provide a solution for every segment of the population,” says Pandey. “We have to take care of the people who cannot use smartphones or other mobile phones and debit or credit cards, and those who cannot remember their PIN for authentication. The only tool with them is their fingerprint. Approximately 30 crore people are not comfortable with cards or phone. We had to get them into the mode of digital payments.”

Not surprisingly, critics of Aadhaar and Aadhaar-based services have attacked Aadhaar Pay and AEPS on issues of privacy and security of biometric and personal data. Pranesh Prakash, policy director with the Centre for Internet and Society (CIS), recently tweeted, “As long as AEPS encourages biometric authorisation of transactions, it is bound to be a security nightmare, with widespread fraud.” Would you tell a shopkeeper your debit card’s PIN? No. Then why share your fingerprint? A fingerprint, in this system, becomes a kind of unchangeable PIN, he asks.

Pointing out a possible danger, Usha Ramanathan, an independent law researcher who has been following Aadhaar since its inception, says, “In many payments, biometric data is authenticated and then it remains in the system where there are leakages. Intermediaries then have access to the data, which is thus made insecure.”

According to the UIDAI, however, once biometric data is provided by the consumer while making Aadhaar-based payments, it gets encrypted and a merchant doesn’t get access to that data. The Aadhaar Act also prohibits any storing of biometric data in local devices. And yet, there are many like CIS executive director Sunil Abraham who believe it is a mistake to use biometrics for authentication, especially when payments are concerned. “Our concern with Aadhaar Pay is about the biometric component of the project,” says Abraham. “Biometrics is an identification technology. Unfortunately, it is being presented as an authentication technology. It is not a secure authentication technology as biometric data can be stolen easily. It is also irrevocable; once biometric data is stolen, it cannot be re-issued like a smart card.”

Then there is the problem of availability of fingerprints. In the case of many people from rural areas and the working class, fingerprints get affected due to the manual nature of their work. This makes it difficult for this target group of UIDAI to conduct transactions properly through Aadhaar Pay. “In Rajasthan, 30 per cent of the households are not even able to procure ration using fingerprints,” says Ramanathan.

The launch of Aadhar Pay at this time becomes more challenging as there has been a decline in digital payments this January. According to RBI data, digital payments, including transactions made by using credit cards, debit cards, electronic fund transfers, digital wallets and mobile banking transactions, were 10.2 per cent lower by volume and 7 per cent lower by value in January 2017 as compared to December 2016. Also, digital transactions fell from 1,027.7 million (worth Rs 105.4 lakh crore) to 922.9 million (worth Rs 98 lakh crore). This could get worse as the RBI raised the cash withdrawal limits from Rs 24,000 to Rs 50,000 from February 20 and aims to remove all limits by mid-March.

Within digital transactions, debit and credit transactions at POS terminals declined 18.6 per cent month-on-month in January, while mobile banking transactions declined by 7.6 per cent, showing that people still prefer to deal in cash. According to NPCI data, however, IMPS transactions rose by 18 per cent in January and UPI-based transactions went up from 2 million transactions (worth Rs 700 crore) in December to 4.2 million transactions (worth Rs 1,666 crore) in January.

Clearly, considering India’s demography and its problems, when it comes to the security of personal and biometric data, the government and the UIDAI have many issues to clear before Aadhaar Pay can achieve any success. Moreover, there are over 100 crore mobile phones in India today, with even the lowest strata of the population having access to one. Yet mobile-based payments and m-wallets are yet to hit that critical mass. To make Aadhaar Pay a bigger success than that could be a gigantic task.

For more details visit https://cis-india.org/internet-governance/news/outlook-arindam-mukherjee-february-20-2017-no-genie-at-your-fingertips