Centre for Internet and Society

Opposition questions govt move to make Aadhaar must

praskrishna — 2017-04-12T14:19:20Z

Congress leader Jairam Ramesh claimed that the Aadhaar system was becoming an instrument of social exclusion rather than one of identity.

The article by Komal Gupta was published in Livemint on April 11, 2017. Pranesh Prakash was quoted.

The Rajya Sabha on Monday witnessed a lively debate on Aadhaar, with the opposition questioning the government’s move to make the 12-digit unique identification number mandatory for a host of welfare benefits.

Congress leader Jairam Ramesh claimed that the Aadhaar system was becoming an instrument of social exclusion rather than one of identity.

“My major concern is implementation, how Aadhaar is being used to exclude people to avail benefits of the schemes which have been designed for them…If you need to apply to avail benefits, it’s as good as mandatory,” said Ramesh.

The former cabinet minister argued that over 25% of the population will stand excluded.

“The Rs50,000 crore savings due to Aadhaar linkage as given by the government is highly questionable,” he said, adding that according to Comptroller and Auditor General (CAG) reports, 92% of the savings on domestic gas subsidies is not on account of Aadhaar implementation or direct benefit transfer. “Instead, it is because of the fall in international oil prices,” Ramesh argued.

Trinamool Congress member Derek O’Brien said that for manual labourers, biometric identification does not always match and that can deprive them of welfare.

He gave the example of Andhra Pradesh, where almost half the 85,000 ration card holders in 2014 were unable to get subsidized foodgrains due to faulty point of sale machines and biometrics not matching.

K.T.S Tulsi, member of Parliament and senior Supreme Court advocate, said, “Not in my whole career have I come across a greater mutilation of a statutory provision than what has taken place in the case of Aadhaar.” He said Section 29 of the Aadhaar Act doesn’t permit data stored with the Unique Identification Authority of India (UIDAI) to be shared with anyone but a provision was later made for voluntary agreement to allow the sharing of data.

IT and law minister Ravi Shankar Prasad said, “No religion, income, medical history, ethnicity or education is asked in Aadhaar. Even email ID and phone number is optional.”

“The right of privacy of individuals must be respected. The privacy of the data cannot be breached by us except in the case of national security,” Prasad added.

He claimed that the government has been blacklisting operators that share data from the Aadhaar system. It has blacklisted 34,000 operators, and has taken action against 1,000 of them.

Prasad also said that UIDAI will be accountable to the Parliament.

Expressing concern on mandating the use of Aadhaar for different services, Pranesh Prakash, Policy director of the Centre for Internet and Society, said, “As an enabler, people would want to have Aadhaar. But when it is made mandatory, it becomes more of a disenabler instead of an enabler.”

“With the move towards a digital economy, setting up of a data protection authority as recommended by the Shah committee is important along with mass surveillance and greater accountability from the government,” he added.

For more details visit https://cis-india.org/internet-governance/news/livemint-april-12-2017-komal-gupta-opposition-questions-govt-move-to-make-aadhaar-must

Privacy in the Age of Big Data

amber — 2017-04-11T14:43:59Z

Personal data is freely accessible, shared and even sold, and those to whom this information belongs have little control over its flow.

The article was published in the Asian Age on April 10, 2017.

In 2011 it was estimated that the quantity of data produced globally surpassed 1.8 zettabyte. By 2013, it had increased to 4 zettabytes. This is a result of digital services which involve constant data trails left behind by human activity. This expansion in the volume, velocity, and variety of data available, together with the development of innovative forms of statistical analytics on the data collected, is generally referred to as “Big Data”. Despite significant (though largely unrealised) promises about Big Data, which range from improved decision-making, increased efficiency and productivity to greater personalisation of services, concerns remain about the impact of such datafication of all human activity on an individual’s privacy. Privacy has evolved into a sweeping concept, including within its scope matters pertaining to control over one’s body, physical space in one’s home, protection from surveillance, and from search and seizure, protection of one’s reputation as well as one’s thoughts. This generalised and vague conception of privacy not only comes with great judicial discretion, it also thwarts a fair understanding of the subject. Robert Post called privacy a concept so complex and “entangled in competing and contradictory dimensions, so engorged with various and distinct meanings”, that he sometimes “despairs whether it can be usefully addressed at all”.

This also leaves the idea of privacy vulnerable to considerable suspicion and ridicule. However, while there is a lack of clarity over the exact contours of what constitutes privacy, there is general agreement over its fundamental importance to our ability to lead whole lives. In order to understand the impact of datafied societies on privacy, it is important to first delve into the manner in which we exercise our privacy. The ideas of privacy and data management that are prevalent can be traced to the Fair Information Practice Principles (FIPP). These principles are the forerunners of most privacy regimes internationally, such as the OECD Privacy Guidelines, APEC Framework, or the nine National Privacy Principles articulated by the Justice A.P. Shah Committee Report. All of these frameworks have rights to notice, consent and correction, and how the data may be used, as their fundamental principles. It makes the data subject to the decision-making agent about where and when her/his personal data may be used, by whom, and in what way. The individual needs to be notified and his consent obtained before his personal data is used. If the scope of usage extends beyond what he has agreed to, his consent will be required for the increased scope.

In theory, this system sounds fair. Privacy is a value tied to the personal liberty and dignity of an individual. It is only appropriate that the individual should be the one holding the reins and taking the large decisions about the use of his personal data. This makes the individual empowered and allows him to weigh his own interests in exercising his consent. The allure of this paradigm is that in one elegant stroke, it seeks to ensure that consent is informed and free and also to implement an acceptable trade-off between privacy and competing concerns. This approach worked well when the number of data collectors were less and the uses of data was narrower and more defined. Today’s infinitely complex and labyrinthine data ecosystem is beyond the comprehension of most ordinary users. Despite a growing willingness to share information online, most people have no understanding of what happens to their data.

The quantity of data being generated is expanding at an exponential rate. From smartphones and televisions, trains and airplanes, sensor-equipped buildings and even the infrastructures of our cities, data now streams constantly from almost every sector and function of daily life, “creating countless new digital puddles, lakes, tributaries and oceans of information”. The inadequacy of the regulatory approaches and the absence of a comprehensive data protection regulation is exacerbated by the emergence of data-driven business models in the private sector and the adoption of data-driven governance approach by the government. The Aadhaar project, with over a billion registrants, is intended to act as a platform for a number of digital services, all of which produce enormous troves of data. The original press release by the Central Government reporting the approval by the Cabinet of Ministers of the Digital India programme, speaks of “cradle to grave” digital identity as one of its vision areas.

While the very idea of the government wanting to track its citizens’ lives from cradle to grave is creepy enough in itself, let us examine for a minute what this form of datafied surveillance will entail. A host of schemes under Digital India shall collect and store information through the life cycle of an individual. The result, as we can see, is building databases on individuals, which when combined, will provide a 360 degree view into the lives of individuals. Alongside the emergence of India Stack, a set of APIs built on top of the Aadhaar, conceptualised by iSPIRT, a consortium of select IT companies from India, to be deployed and managed by several agencies, including the National Payments Corporation of India, promises to provide a platform over which different private players can build their applications.

The sum of these interconnected parts will lead to a complete loss of anonymity, greater surveillance and impact free speech and individual choice. The move towards a cashless economy — with sharp nudges from the government — could lead to lack of financial agencies in case of technological failures as has been the case in experiments with digital payments in Africa. Lack of regulation in emerging data driven sectors such as Fintech can enable predatory practices where right to remotely deny financial services can be granted to private sector companies. An architecture such as IndiaStack enables datafication of financial transactions in a way that enables linked and structured data that allows continued use of the transaction data collected. It is important to recognise that at the stage of giving consent, there are too many unknowns for us to make informed decisions about the future uses of our personal data. Despite blanket approvals allowing any kind of use granted contractually through terms of use and privacy policies, there should be legal obligations overriding this consent for certain kinds of uses that may require renewed consent.

Biometrics-based identification in UK: In 2005, researchers from London School of Economics and Political Science came out with a detailed report on the UK Identity Cards Bill (‘UK Bill’) — the proposed legislation for a national identification system based on biometrics. The project also envisaged a centralised database (like India) that would store personal information along with the entire transaction history of every individual. The report pointed strongly against the centralising storage of information and suggested other alternatives such as a system based on smartcards (where biometrics are stored on the card itself) or offline biometric-reader terminals.

As per the report, the alternatives would also have been cheaper as neither required real-time online connectivity. In India, online authentication is a far greater challenge. According to Network Readiness Index, 2016, India ranks 91, whereas UK is placed eight. Poor Internet connectivity can raise a lot of problems in the future including paralysis of transactions. The UK identification project was subsequently discarded as a result of the privacy and cost considerations raised in this report.

Aadhaar: Privacy concerns

Once the data is collected through National Information Utilities, it will be privatised and controlled by private utilities.
Once an individual’s data is entered in the system, it cannot be deleted. That individual will have no control over it.
Aadhaar Data (Demographic details along with photographs) are shared/transferred with the private entities including telecom companies as per the Aadhaar (Targeted delivery of Financial and other subsidies, benefits and services) Act, 2016 with the consent of Aadhaar number holder to fulfil their e-KYC requirements. The data is shared in encrypted form through secured channel.
Aadhaar Enabled Payment System (AEPS) on which 119 banks are live.
More than 33.87 crore transactions have taken place through AEPS, which was only 46 lakhs in May 2014.
As on 30-9-2016, 78 government schemes were linked to Aadhaar.
The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, provides that no core-biometric information (fingerprints, iris scan) shall be shared with anyone for any reason whatsoever (Sec 29) and that the biometric information shall not be used for any purpose other than generation of Aadhaar and authentication.
Access to the data repository of UIDAI, called the Central Identities Data Repository(CIDR), is provided to third parties or private companies.

Central Monitoring System (CMS) is already live in Delhi, New Delhi and Mumbai. Union minister Ravi Shankar Prasad revealed this in one of his replies in the Lok Sabha last year. CMS has been set up to automate the process of Lawful Interception & Monitoring of telecommunications.

Lawful Intercept and Monitoring (LIM) systems are used by the Indian Government to intercept records of voice, SMSes, GPRS data, details of a subscriber’s application and recharge history and call detail record (CDR) and monitor Internet traffic, emails, web-browsing, Skype and any other Internet activity of Indian users.

For more details visit https://cis-india.org/internet-governance/blog/asian-age-amber-sinha-april-10-2017-privacy-in-the-age-of-big-data

Privacy, what? Bengaluru police leaks 46,000 phone numbers on Twitter

praskrishna — 2017-04-07T02:57:49Z

Bengaluru police made the biggest goof up of all time by releasing private information of people who called 100 to complain since April 2015 and was seemingly unapologetic about the breach of privacy.

The article by Neha Vashishth was published by India Today on April 6, 2017. Pranesh Prakash was quoted.

We all love our privacy, don't we?

We put various locking apps and hide our private pictures on Facebook, Twitter etc and only share what we want the world to see. But sometimes even after our countless efforts, we end up losing our information on the internet. After all, a breach of privacy is the greatest nightmare one can have.

Bengaluru police goofed up too when it came to handling privacy concerns of Bengaluru citizens. The police department posted phone numbers of thousands of citizens on their Twitter handle (@BCPCR) who called 100 and complained against harassment, quarrels, and gambling etc.

The police posted over 46,000 tweets online since April 2015 sharing information of people who called on 100 along with the app known as 'Suraksha' to lodge complaints. The account was made private as soon as the matter escalated.

The police was unapologetic regarding the matter and said that the tweets were auto-generated from their twitter handle @BCPCR.

Pranesh Prakash, Policy Director at the Centre for Internet and Society said the "police officer who ordered to create such an account should be held responsible if any harm comes to a complainant."

This not only created a major breach of privacy of complainants but also risked their lives. This incident only proves that privacy and sensitivity of the matter has vanished in today's time.

For more details visit https://cis-india.org/internet-governance/news/india-today-neha-vashishth-april-6-2017-privacy-what-bengaluru-police-leaks-phone-numbers-on-twitter

India’s National ID Program May Be Turning The Country Into A Surveillance State

praskrishna — 2017-04-07T12:49:30Z

For seven years, India’s government has been scanning the irises and fingerprints of its citizens into a massive database. The once voluntary program was intended to fix the country’s corrupt welfare schemes, but critics worry about its Orwellian overtones.

The blog post by Pranav Dixit was published by BuzzFeedNews on April 4, 2017. Sunil Abraham was quoted.

An abridged version of the blog post containing Sunil Abraham's quotes are reproduced below:

“You can’t change your fingerprints”

Sunil Abraham, the CIS director, calls himself a “technological critic” of the Aadhaar platform. For years, he’s been warning of the security risks associated with a centralized repository of the demographic and biometric details of a billion or so people.

“Aadhaar is a sitting duck,” Abraham told BuzzFeed News. That’s not an unreasonable assessment considering that India’s track record for protecting people’s private data is far from stellar. Earlier this year, for example, a security researcher discovered a website that was leaking the Aadhaar demographic data of more than 500,000 minors. The website was subsequently shut down, but the incident raised questions about Aadhaar’s security protocols — particularly those around data shared with third parties.

Abraham’s concerns are not without global precedent. In 2012, Ecuadorian police jailed blogger Paul Moreno for breaking into the country’s online national identity database and registering himself as Ecuadorian President Rafael Correa. In April 2016, hackers posted a database containing names, national IDs, addresses, and birth dates of more than 50 million Turkish citizens, including Turkish President Recep Tayyip Erdogan; later that month, Mexico’s entire voter database — over 87 million national IDs, addresses, and more — was leaked onto Amazon’s cloud servers by as-yet-untraced sources; and in the Philippines, more than 55 million voters had their private information — including fingerprints — released on the Dark Web.

“When this database is hacked — and it will be — it will be because someone breaches the computer security that protects the computers actually using the data.”

“What is the price that we pay as a nation if our database of over a billion people — complete with all 10 fingerprints and iris scans — leaks?” Abraham asked. The consequences, he said, will be permanent. Unlike a password, which you can reset at any time, your biometrics, if compromised, are the ultimate privacy breach. “You can’t change your fingerprints.”

The UIDAI claims that the Aadhaar database is protected using the “highest available public key cryptography encryption (PKI-2048 and AES-256)” and would take “billions of years” to crack.

“Encryption like this doesn’t typically get broken, it gets circumvented,” security researcher Troy Hunt told BuzzFeed News. “For example, the web application that sits in front of it is compromised and data is retrieved after decryption.” Or alternatively, he said, the encryption key itself is compromised. “Naturally, governments will offer all sorts of assurances on these things, but the simple, immutable fact is that once large volumes are centralized like this, there is a heightened risk of security incidents and of the data consequently being lost or exposed,” he added.

Cryptographer and cybersecurity expert Bruce Schneier echoed Hunt’s assessment. “When this database is hacked — and it will be — it will be because someone breaches the computer security that protects the computers actually using the data,” he said. “They will go around the encryption.”

Nilekani — who did not respond to BuzzFeed News’ requests for comment — recently dismissed concerns around the project’s privacy implications as “hand-waving.” In an interview with the Economic Times, he repeatedly stressed how secure Aadhaar’s “advanced encryption technology” was. “I can categorically say that it’s the most secure system in India and among the most secure systems in the world,” he said.

Abraham is unconvinced by such assurances. He believes Aadhaar fundamentally changes the equation between a citizen and a state. “There’s a big difference between you identifying yourself to the government, and the government identifying who you are,” he said.

Aadhaar’s opponents say the program’s implementation has left India’s poorest people with no choice but to use it. “If you link people’s food subsidies, wages, bank accounts, and other crucial things to Aadhaar, you hit them where it hurts the most,” Ramanathan argued. “You leave them with no choice but to sign up.”

“Can you imagine if the United States passed a law that said that every person who wished to get food stamps would need their fingerprints registered in a government-owned database?” a journalist turned Aadhaar activist who did not wished to be named told BuzzFeed News. “Imagine what a scandal that would be.”

For Nilekani, such criticism is just overstatement and drama. “I think this so-called anti-Aadhaar lobby is really just a small bunch of liberal elites who are in some echo chamber,” he said during a recent interview with Indian business news channel ET Now. “The reality is that a billion people are using Aadhaar. A lot of the accusations are just delusional. Aadhaar is not a system for surveillance. [The critics] live in a bubble and are not connected to reality.”

Abraham laughed off Nilekani’s comments. “The Unique Identification Authority of India will become the monopoly provider of identification and authentication services in India,” he said. “That sounds like a centrally planned communist state to me. I don’t know which left liberal elites he’s talking about.”

For more details visit https://cis-india.org/internet-governance/news/buzzfeednews-pranav-dixit-april-4-2017-indias-national-id-program-may-be-turning-the-country-into-a-surveillance-state

Bengaluru cops' twitter handle in ethical storm

praskrishna — 2017-04-07T02:38:24Z

The city's privacy activists are among the most strident in trying to prevent the Union government from gaining unprecedented access to citizens' personal information through Aadhaar. But in their own backyard, Bengaluru police have been publishing on Twitter the phone numbers of thousands of citizens reporting various crimes such as gambling on the streets, random quarrels and harassment of women.

The article by Umesh Yadav was published in the Times of India on April 6, 2017. Pranesh Prakash was quoted.

The police control room has put out more than 46,000 tweets since April 2015 containing the numbers of complainants calling the emergency number 100. The phone numbers of citizens reaching the control room through Bengaluru police's new emergency mobile application, Suraksha, too are being published through this handle.

Thankfully, the Twitter handle, @BCPCR, had a mere 66 followers as on the evening of April 5, nearly 30 per cent of which were various police stations in the city. On Wednesday evening, the police closed the account for public view.

ET has screenshots of tweets from the account. A senior police officer at Bengaluru police's Command Control was unapologetic for the breach of privacy. The tweets are generated automatically and meant to `show' the number of calls received by the control room and the number of people using the new app, he said.

On the matter of compromising the safety of the complainants, the officer said, "It is obvious that the accused will know who registered the complaint and privacy does not matter here."

Expectedly, privacy and law experts are indignant.

"This is horrible and unpardonable," said Supreme Court advocate KV Dhananjay. "The fact that the police did not consider it necessary to ask for permission before broadcasting someone's identity shows how insensitive the Police Commissioner's office has become to the privacy concern of our society." Pranesh Prakash, Policy Director at the Centre for Internet and Society and who has been at the forefront of the campaign against any potential misuse of Aadhaar, too said the "police officer who ordered to create such an account should be held responsible if any harm comes to a complainant."

Complainants ET spoke with were startled about the abuse of their privacy. Gowda, a complainant, who had informed the police control room about the sale of cigarettes within 100 metres of a school, had specifically requested the police to not disclose his identity.

"(This is why) it is better to keep quiet when you see lawbreakers," he said on hearing that Bengaluru police had published his phone number on Twitter.

"This is injustice and this is the reason why people are scared to inform the police of crimes. If the accused send people to beat me, what should I do?" Dhanusha had called the control room about some teenagers who were teasing girls at a bus stop. The police arrived and took the boys in. She, too, is now worried. "If the accused get my number, they are going to harass me. The police do not have any right to display our phone numbers in public."

For more details visit https://cis-india.org/internet-governance/news/the-times-of-india-april-6-2017-umesh-yadav-bengaluru-cops-twitter-handle-in-ethical-storm

Right to be Forgotten: A Tale of Two Judgements

amber — 2017-04-07T02:27:03Z

In the last few months, there have been contrasting judgments from two Indian high courts, Karnataka and Gujarat, on matters relating to the right to be forgotten. The two high courts heard pleas on issues to do the right of individuals to have either personal information redacted from the text of judgments available online or removal of such judgment from publically available sources.

While one High Court (Karnataka) ordered the removal of personal details from the judgment,^[1] the other (Gujarat) dismissed the plea^[2]. In this post, we try to understand the global jurisprudence on the right to be forgotten, and how the contrasting judgments in India may be located within it.

Background

The ‘right to be forgotten’ has gained prominence since a matter was referred to the Court of Justice of European Union (CJEU) in 2014 by a Spanish court.^[3] In this case, Mario Costeja González had disputed the Google search of his name continuing to show results leading to an auction notice of his reposed home. The fact that Google continued to make available in its search results, an event in his past, which had long been resolved, was claimed by González as a breach of his privacy. He filed a complaint with the Spanish Data Protection Agency (AEPD in its Spanish acronym), to have the online newspaper reports about him as well as related search results appearing on Google deleted or altered. While AEPD did not agree to his demand to have newspaper reports altered, it ordered Google Spain and Google, Inc. to remove the links in question from their search results. The case was brought in appeal before the Spanish High Court, which referred the matter to CJEU. In a judgement having far reaching implications, CJEU held that where the information is ‘inaccurate, inadequate, irrelevant or excessive,’ individuals have the right to ask search engines to remove links with personal information about them. The court also ruled that even if the physical servers of the search engine provider are located outside the jurisdiction of the relevant Member State of EU, these rules would apply if they have branch office or subsidiary in the Member State.

The ‘right to be forgotten’ is a misnomer, and essentially when we speak of it in the context of the proposed laws in EU, we refer to the rights of individuals to seek erasure of certain data that concerns them. The basis of what has now evolved into this right is contained in the 1995 EU Data Protection Directive, with Article 12 of the Directive allowing a person to seek deletion of personal data once it is no longer required.

Critical to our understanding of the rationale for how the ‘right to be forgotten’ is being framed in the EU, is an appreciation of how European laws perceive privacy of individuals. Unlike the United States (US), where privacy may be seen as a corollary of personal liberty protecting against unreasonable state intrusions, European laws view privacy as an aspect of personal dignity, and are more concerned with protection from third parties, particularly the media. The most important way in which this manifests itself is in where the burden to protect privacy rights lie. In Europe, privacy policy often dictates intervention from the state, whereas in the US, in many cases it is up to the individuals to protect their privacy.^[4]

Since the advent of the Internet, both the nature and quantity of information existing about individuals has changed dramatically. This personal information is no longer limited to newspaper reports and official or government records either. Our use of social media, micro-discussions on Twitter, photographs and videos uploaded by us or others tagging us, every page or event we like, favourite or share—all contribute to our digital footprint. Add to this the information created not by us but about us by both public and private bodies storing data about individuals in databases, our digital shadows begin to far exceed the data we create ourselves. It is abundantly clear that we exist in a world of Big Data, which relies on algorithms tracking repeated behaviour by our digital selves. It is in this context that a mechanism which enables the purging of some of this digital shadow makes sense.

Further, it is not only the nature and quantity of information that has changed, but also the means through which this information can be accessed. In the pre-internet era, access to records was often made difficult by procedural hurdles. Permissions or valid justifications were required to access certain kinds of data. Even for the information available in the public domain, often the process of gaining access were far too cumbersome. Now digital information not only continues to exist indefinitely, but can also be easily accessed readily through search engines. It is in this context that in a 2007 paper, Viktor Mayer-Schöenberger pioneered the idea of memory and forgetting for the digital age.^[5] He proposed that all forms of personal data should have an additional meta data of expiration date to switch the default from information existing endlessly to having a temporal limit after which it is deleted. While this may be a radical suggestion, we have since seen proposals to allow individuals some control over information about them.

In 2016, the EU released the final version of the General Data Protection Regulation. The regulation provides for a right to erasure under Article 17, which would enable a data-subject to seek deletion of data.^[6] Notably, except in the heading of the provision, Article 17 makes no reference to the word ‘forgetting.’ Rather the right made available in this regulation is in the form of making possible ‘erasure’ and ‘abstention from further dissemination.’ This is significant because what the proposed regulations provide for is not an overarching framework to enable or allow ‘forgetting’ but a limited right which may be used to delete certain data or search results. Providing a true right to be forgotten would pose issues of interpretation as to what ‘forgetting’ might mean in different contexts and the extent of measures that data controllers would have to employ to ensure it. The proposed regulation attempts to provide a specific remedy which can be exercised in the defined circumstances without having to engage with the question of ‘forgetting’.

The primary arguments made against the ‘right to be forgotten’ have come from its conflict with the right to freedom of speech. Jonathan Zittrain has argued against the rationale that the right to be forgotten merely alters results on search engines without deleting the actual source, thus, not curtailing the freedom of expression.^[7] He has compared this altering of search results to letting a book remain in the library but making the catalogue unavailable. According to Zittrain, a better approach would be to allow data subjects to provide their side of the story and more context to the information about them, rather than allowing any kind of erasure. Unlike in the US, the European approach is to balance free speech against other concerns. So while one of the exceptions in sub-clause (3) of Article 17 provides that information may not be deleted where it is necessary to exercise the right to free speech, free speech does not completely trump privacy as the value that must be protected. On the other hand, US constitutional law would tend to give more credence to the First Amendment rights and allow them to be compromised in very limited circumstances. As per the position of the US Supreme Court in Florida Star v. B.J.F., lawfully obtained information may be restricted from publication only in cases involving a ‘state interest of the highest order’. This position would allow any potential right to be forgotten to be exercised in the most limited of circumstances and privacy and reputational harm would not satisfy the standard. For these reasons the rights to be forgotten as it exists in Article 17 may be unworkable in the US.

Issues in application

Significant technical challenges remain in the effective and consistent application of Article 17 of the EU Directive. One key issue is concerned with how ‘personal data’ is defined and understood, and how its interpretation will impact this right in different contexts. According to Article 17 of the EU directive, the term ‘personal data’ includes any information relating to an individual. Some ambiguity remains about whether information which may not uniquely identify a person, but as a part of small group, could be considered within the scope of personal data. This becomes relevant, for instance, where one seeks the erasure of information which, without referring to an individual, points fingers towards a family. At the same time, often the piece of information sought to be erased by a person may contain personal information about more than one individual. There is no clarity over whether a consensus of all the individuals concerned should be required, and if not, on what parameters should the wishes of one individual prevail over the others. Another important question, which is as yet unanswered, is whether the same standards for removal of content should apply to most individuals and those in public life.

The issue of what is personal data and can therefore be erased gets further complicated in cases of derived data about individuals used in statistics and other forms of aggregated content. While, it would be difficult to argue that the right to be forgotten needs to be extended to such forms of information, not erasing such derived content poses the risk of the primary information being inferred from it. In addition, Article 17(1)(a) provides for deletion in cases where the data is no longer necessary for the purposes for which they were collected or used. The standards for circumstances which satisfy this criteria are, as yet, unclear and may only be fully understood through a consistent application of this law.

Finally, once there are reasonable grounds to seek erasure of information, it is not clear how this erasure will be enforced practically. It may not be prudent to require that all copies of the impugned data are deleted such that they may not be recovered, to the extent technologically possible. A more reasonable solution might be to permit the data to continue to remain available in encrypted forms, much like certain records are sealed and subject to the strictest confidentiality obligations. In most cases, it may be sufficient to ensure that the records of the impugned data is removed from search results and database reports without actually tampering with information as it may exist. These are some of the challenges which the practical application of this right will face, and it is necessary to take them into account in enforcing the proposed regulations.

The two Indian judgments

In the first case, (before the Gujarat High Court), the petitioner entered a plea for “permanent restraint [on] free public exhibition of the judgment and order.” The judgment in question concerned proceeding against the petitioner for a number of offences, including culpable homicide amounting to murder. The petitioner was acquitted, both by the Sessions court and the High Court before which he was pleading. The petitioner’s primary contention was that despite the judgment being classified as ‘unreportable’, it was published by an online repository of judgments and was also indexed by Google search. The decision of the High Court to dismiss the petition, rest of the following factors: a) failure on the part of the petitioner to show any provisions in law which are attracted, or threat to the constitutional right to life and liberty, b) publication on a website does not amount to ‘reporting’, as reporting only refers to that by law reports.

While the second point of reasoning made by the courts is problematic in terms of the function of precedent served by the reported judgments, and the basis for reducing the scope of ‘reporting’ to only law reports, the first point is of direct relevance to our current discussion. The lack of available legal provisions points to the absence of data protection legislation in India. Had there been a privacy legislation which addressed the issues of how personal information may be dealt with, it is possible that it may have had instructive provisions to address situation like these. In the absence of such law, the only recourse that an individual has is to seek constitutional protection under one of the fundamental rights, most notably Article 21, which over the years, has emerged as the infinite repository of unenumerated rights. However, typically rights under Article 21 are of a vertical nature, i.e., available only against the state. Their application in cases where a private party is involved remains questionable, at best.

In contrast, in the second case, the Karnataka High Court ruled in favor of the petitioner. In this case, the petitioner’s daughter instituted both criminal and civil proceedings against a person. However, later they arrived at a compromise and one of the conditions was quashing all the proceedings which had been initiated. The petitioner had raised concerns about the appearance of his daughter’s name in the cause title and was easily searchable. The court, while making vague references to “trend in the Western countries where they follow this as a matter of rule “Right to be forgotten” in sensitive cases involving women in general and highly sensitive cases involving rape or affecting the modesty and reputation of the person concerned, held in the petitioner’s favor, and order that the name be redacted from the cause title and the body of the order before releasing to any service provider. The second judgment is all the more problematic for while it makes a reference to jurisprudence in other countries, yet it does not base it on the fundamental right to privacy, but to the idea of modesty and reputation of women, which has no clear legal basis on either Indian or comparative jurisprudence.

Conclusion

The above two cases demonstrate the problem of lack of a clear legal basis being employed by the judiciary in interpreting the right to be forgotten. Not only were no clear legal provisions in Indian law were taken refuge of while ruling on the existence of this right, the court also do not engage in any analysis of comparative jurisprudence such as the GDPR or the Costeja judgment. Such ad-hoc jurisprudence underlines the need for a data protection legislation, as in its absence, it is likely that divergent views are taken upon this issue, without a clear legal direction. It is likely that most matters concerning the right to erasure concern private parties as data controllers. In such cases, the existing jurisprudence on the right to privacy as interpreted under Article 21 may also be of limited value. Further, as has been pointed out above, the right to be forgotten needs to be a right qualified by conditions very clearly, and its conflict with the right to freedom of expression under Article 19. Therefore, it is imperative that a comprehensive data protection law addresses these issues.

^[1] Sri Vasunathan vs The Registrar, available at http://www.iltb.net/2017/02/karnataka-hc-on-the-right-to-be-forgotten/

^[2] Dharmraj Bhanushankar Dave v. State of Gujarat, available at https://drive.google.com/file/d/0BzXilfcxe7yueXFJWG5mZ1pKaTQ/view.

^[3] Google Spain et al v. Mario Costeja González, available at http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&docid=152065.

^[4] http://www.europarl.europa.eu/RegData/etudes/STUD/2015/536459/IPOL_STU(2015)536459_EN.pdf

^[5] Mayer-Schoenberger, Viktor, Useful Void: The Art of Forgetting in the Age of Ubiquitous Computing (April 2007). KSG Working Paper No. RWP07-022. Available at SSRN: https://ssrn.com/abstract=976541 or http://dx.doi.org/10.2139/ssrn.976541.

^[6] Article 17 (1) states: The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

(d) the personal data have been unlawfully processed;

(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

^[7] Zittrain, Jonathan, “Don’t Force Google to ‘Forget’”, The New York Times, May 14, 2014. Available at https://www.nytimes.com/2014/05/15/opinion/dont-force-google-to-forget.html.

For more details visit https://cis-india.org/internet-governance/blog/right-to-be-forgotten-a-tale-of-two-judgments

Aadhaar marks a fundamental shift in citizen-state relations: From ‘We the People’ to ‘We the Government’

pranesh — 2017-04-04T16:10:06Z

Your fingerprints, iris scans, details of where you shop. Compulsory Aadhaar means all this data is out there. And it’s still not clear who can view or use it.

The article was published in the Hindustan Times on April 3, 2017.

Until recently, people were allowed to opt out of Aadhaar and withdraw consent to have their data stored. This is no longer going to be an option.
(Siddhant Jumde / HT Illustration)

Imagine you’re walking down the street and you point the camera on your phone at a crowd of people in front of you. An app superimposes on each person’s face a partially-redacted name, date of birth, address, whether she’s undergone police verification, and, of course, an obscured Aadhaar number.

OnGrid, a company that bills itself as a “trust platform” and offers “to deliver verifications and background checks”, used that very imagery in an advertisement last month. Its website notes that “As per Government regulations, it is mandatory to take consent of the individual while using OnGrid”, but that is a legal requirement, not a technical one.

Since every instance of use of Aadhaar for authentication or for financial transactions leaves behind logs in the Unique Identification Authority of India’s (UIDAI) databases, the government can potentially have very detailed information about everything from the your medical purchases to your use of video-chatting software. The space for digital identities as divorced from legal identities gets removed. Clearly, Aadhaar has immense potential for profiling and surveillance. Our only defence: law that is weak at best and non-existent at worst.

The Aadhaar Act and Rules don’t limit the information that can be gathered from you by the enrolling agency; it doesn’t limit how Aadhaar can be used by third parties (a process called ‘seeding’) if they haven’t gathered their data from UIDAI; it doesn’t require your consent before third parties use your Aadhaar number to collate records about you (eg, a drug manufacturer buying data from various pharmacies, and creating profiles using Aadhaar).

It even allows your biometrics to be shared if it is “in the interest of national security”. The law offers provisions for UIDAI to file cases (eg, for multiple enrollments), but it doesn’t allow citizens to file a case against private parties or the government for misuse of Aadhaar or identity fraud, or data breach.

It is also clear that the government opposes any privacy-related improvements to the law. After debating the Aadhaar Bill in March 2016, the Rajya Sabha passed an amendment by MP Jairam Ramesh that allowed people to opt out of Aadhaar, and withdraw their consent to UIDAI storing their data, if they had other means of proving their identity (thus allowing Aadhaar to remain an enabler).

But that amendment, as with all amendments passed in the Rajya Sabha, was rejected by the Lok Sabha, allowing the government to make Aadhaar mandatory, and depriving citizens of consent. While the Aadhaar Act requires a person’s consent before collecting or using Aadhaar-provided details, it doesn’t allow for the revocation of that consent.

In other countries, data security laws require that a person be notified if her data has been breached. In response to an RTI application asking whether UIDAI systems had ever been breached, the Authority responded that the information could not be disclosed for reasons of “national security”.

The citizen must be transparent to the state, while the state will become more opaque to the citizen.

How Did Aadhaar Change?

How did Aadhaar become the behemoth it is today, with it being mandatory for hundreds of government programmes, and even software like Skype enabling support for it?

The first detailed look one had at the UID project was through an internal UIDAI document marked ‘Confidential’ that was leaked through WikiLeaks in November 2009. That 41-page dossier is markedly different from the 170-page ‘Technology and Architecture’ document that UIDAI has on its website now, but also similar in some ways.

In neither of those is the need for Aadhaar properly established. Only in November 2012 — after scholars like Reetika Khera pointed out UIDAI’s fundamental misunderstanding of leakages in the welfare delivery system — was the first cost-benefit analysis commissioned, by when UIDAI had already spent ₹28 billion. That same month, Justice KS Puttaswamy, a retired High Court judge, filed a PIL in the Supreme Court challenging Aadhaar’s constitutionality, wherein the government has argued privacy isn’t a fundamental right.

Every time you use Aadhaar, you leave behind logs in the UIDAI databases. This means that the government can potentially have very detailed information about everything from the your medical purchases to your use of video-chatting software.

Even today, whether the ‘deduplication’ process — using biometrics to ensure the same person can’t register twice — works properly is a mystery, since UIDAI hasn’t published data on this since 2012. Instead of welcoming researchers to try to find flaws in the system, UIDAI recently filed an FIR against a journalist doing so.

At least in 2009, UIDAI stated it sought to prevent anyone from “[e]ngaging in or facilitating profiling of any nature for anyone or providing information for profiling of any nature for anyone”, whereas the 2014 document doesn’t. As OnGrid’s services show, the very profiling that the UIDAI said it would prohibit is now seen as a feature that all, including private companies, may exploit.

UID has changed in other ways too. In 2009, it was as a system that never sent out any information other than ‘Yes’ or ‘No’, which it did in response to queries like ‘Is Pranesh Prakash the name attached to this UID number’ or ‘Is April 1, 1990 his date of birth’, or ‘Does this fingerprint match this UID number’.

With the addition of e-KYC (wherein UIDAI provides your demographic details to the requester) and Aadhaar-enabled payments to the plan in 2012, the fundamentals of Aadhaar changed. This has made Aadhaar less secure.

Security Concerns

With Aadhaar Pay, due to be launched on April 14, a merchant will ask you to enter your Aadhaar number into her device, and then for your biometrics — typically a fingerprint, which will serve as your ‘password’, resulting in money transfer from your Aadhaar-linked bank account.

Basic information security theory requires that even if the identifier (username, Aadhaar number etc) is publicly known — millions of people names and Aadhaar numbers have been published on dozens of government portals — the password must be secret. That’s how most logins works, that’s how debit and credit cards work. How are you or UIDAI going to keep your biometrics secret?

In 2015, researchers in Carnegie Mellon captured the iris scans of a driver using car’s side-view mirror from distances of up to 40 feet. In 2013, German hackers fooled Apple iOS’s fingerprint sensors by replicating a fingerprint from a photo taken off a glass held by an individual. They even replicated the German Defence Minister’s fingerprints from photographs she herself had put online. Your biometrics can’t be kept secret.

Typically, even if your username (in this case, Aadhaar number) is publicly known, your password must be secret. That’s how most logins works, that’s how debit and credit cards work. How are you or UIDAI going to keep your biometrics secret?

In the US, in a security breach of 21.5 million government employees’ personnel records in 2015, 5.2 million employees’ fingerprints were copied. If that breach had happened in India, those fingerprints could be used in conjunction with Aadhaar numbers not only for large-scale identity fraud, but also to steal money from people’s bank accounts.

All ‘passwords’ should be replaceable. If your credit card gets stolen, you can block it and get a new card. If your Aadhaar number and fingerprint are leaked, you can’t change it, you can’t block it.

The answer for Aadhaar too is to choose not to use biometrics alone for authentication and authorisation, and to remove the centralised biometrics database. And this requires a fundamental overhaul of the UID project.

Aadhaar marks a fundamental shift in citizen-state relations: from ‘We the People’ to ‘We the Government’. If the rampant misuse of electronic surveillance powers and wilful ignorance of the law by the state is any precedent, the future looks bleak. The only way to protect against us devolving into a total surveillance state is to improve rule of law, to strengthen our democratic institutions, and to fundamentally alter Aadhaar. Sadly, the political currents are not only not favourable, but dragging us in the opposite direction.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-pranesh-prakash-april-3-2017-aadhaar-marks-a-fundamental-shift-in-citizen-state-relations

Get an Aadhaar card if you don't have one

praskrishna — 2017-04-04T15:39:05Z

The Aadhaar number has been made compulsory for filing tax return. With both the government and private parties insisting on it for various activities despite the Supreme Court's assertion that is not mandatory, you need to get one at the earliest.

The article by Priya Nair and Sanjay Kumar Singh was published in the Business Standard on March 27, 2017. Udbhav Tiwari was quoted.

Until now the need for an Aadhaar card arose if someone wanted to avail of the LPG subsidy, or if senior citizens wanted to enjoy a concession on train tickets. This 12-digit number, which is a proof of identity, is largely used by the government to distribute cash benefits and other subsidies under its welfare schemes. Since submitting the Aadhaar card at the time of opening a bank account, investing in a mutual fund, etc is optional (you can submit another proof of identity), many people have still not bothered to get one. That ambivalent attitude will now have to change.

This year onwards all those filing income tax returns will have to furnish their Aadhaar number. There is a field in the income tax return form for Aadhaar number. Don’t forget to fill it this year. If you do not have an Aadhaar number, you will have to submit the enrolment number of your application for Aadhaar. "In case of failure to intimate the Aadhaar number, the PAN allotted to the person shall be deemed invalid and the other provisions of the Income Tax Act shall apply, as if the person has not applied for allotment of PAN," says Amarpal Chadha, tax partner, people advisory services, EY India.

Experts say that this step has been taken to deal with the problem of duplicate permanent account numbers (PAN) and to control black money. Says Kuldip Kumar, partner and leader-personal tax at PwC India: “Many people have more than one PAN, even though there is a penalty under the Income Tax Act for doing so. The government is linking PAN to Aadhaar to deal with this problem. This step will also help control black money. Whether you invest in stocks, shares, or do any other high-value transaction, over a period of time the tax department will be able to see all this information at the click of a button." Other experts also agree that this step will create an audit trail for various transactions. “Linking of Aadhaar and PAN will throw up any discrepancies in reported transactions and provide a ready database to the revenue authorities for necessary action,” says Vikas Vasal, partner, Grant Thornton India.

Interim problems
This measure is expected to create a slew of problems for people. Many individuals may still not have an Aadhaar card. They should apply for one post-haste. Everyone needs to check if their Aadhaar and PAN details match. If there are discrepancies between the two, get either your Aadhaar or PAN details updated so that you do not face problems at the time of filing returns. Details on how to update the Aadhaar and PAN are available on the web sites of UID and the IT department respectively (see box).

Non-Resident Indians (NRI) and foreign nationals may also need to obtain an Aadhaar number now. Many NRIs have an income (before claiming any deduction) that exceeds the basic exemption limit of Rs 2.5 lakh, and hence file a tax return in India. Foreign nationals who have spent time in India and earned an income also need to file a tax return. Indian residents who have been sent by their companies to work abroad will also have to scramble for the card. "March is about to end and tax returns will have to be filed by the end of July. Persons who have to file a tax return but are abroad will face a challenge getting the Aadhaar card made in time since you have to be physically present in India for this purpose,’’ says Kumar. The government may possibly grant some leeway to such people.

Even though the Supreme Court has said that Aadhaar is not mandatory, there are several instances where the authorities are insisting on it. Those applying for domicile proof and those who want to get their property registered are being asked to provide this number. Some telecom providers also insist on it before giving a connection. Schools are asking for it from students. You need it to appear for competitive exams like IIT JEE. Online providers of financial products insist on Aadhaar since it makes KYC easier. With the government moving strongly towards making Aadhaar compulsory, one can't escape complying with this regulation.

Risks of an Aadhaar-centric system
There are several risks associated with Aadhaar, whose basic purpose is authentication and authorisation. The first problem arises from the fact that it is easily accessible to miscreants. Aadhaar numbers of thousands of people have been uploaded on the Internet. "Since the Aadhaar number has to be given at so many places, it can be misused to pull information about people from the centralised database. In the case of credit and debit cards, we are told not to shares these numbers publicly as the number is the first thing required for carrying out a transaction. That is not the case with Aadhaar. UID's position is that you should treat your Aadhaar number carefully. But the fact is that the Aadhaar number is not used carefully either by consumers or businesses. It is a fairly public number. With Aadhaar too much power is being vested in a number that is quite public,’’ says Udbhav Tiwari, policy officer, Centre for Internet and Society, Bengaluru.

Second, Aadhaar has a centralised database, and all centralised databases are vulnerable to hacking. Third, biometrics are not a very secure form of authentication. "Fingerprints are easy to forge. The UID says that the device (used to check the fingerprint) should not remember the biometrics but should only transfer it to UID which will verify the information. But miscreants could use a device that captures your biometrics," says Tiwari.

Other documents used for identification like PAN and passport are not easy to duplicate because of their security features. PAN, for instance, has a hologram. The power of the passport lies not in the passport number but in the document. Without the passport one cannot travel internationally. But in case of Aadhaar one can go on the Internet and print a new Aadhaar card. “If somebody has managed to capture my fingerprint and has my Aadhaar number, he can use it wherever Aadhaar is required,’’ says Tiwari.

For more details visit https://cis-india.org/internet-governance/news/business-standard-march-27-2017-priya-nair-and-sanjay-kumar-singh-get-an-aadhaar-card-if-you-dont-have-one

The Aadhaar of all things

praskrishna — 2017-04-03T15:46:23Z

From a severely critical stand against Aadhaar in 2014, the Modi-led BJP in power has made a sharp U-turn to bulldoze its way into having every Indian scanned, tagged and labelled. A timeline of the country’s chequered date with the unique identification project.

The article by Shriya Mohan was published in the Hindu Businessline on March 31, 2017. Sunil Abraham was quoted.

You’ve probably read the WhatsApp joke about a post-Aadhaar scenario in 2020 India. A man orders pizza over phone. He is asked for his Aadhaar number first. He then orders a family-size seafood pizza, only to be reminded by the attendant about his high blood pressure and cholesterol levels (thanks to his Aadhaar history visible to everybody “on the system”) and is advised to order the low-fat Hokkien Mee pizza instead, based on his recent search history on Hokkien cuisine. As if this isn’t creepy enough, the pizza guy refuses a card payment, citing the man’s maxed-out credit cards, advises against ATM withdrawal owing to his massive overdraft and even decides to hold off the free cola offer given his dire health situation. When the man turns livid, he is told to mind his language, given that in 2007 he was already imprisoned for verbally abusing a policeman!

2020 is two and a half years away, and the WhatsApp scenario appears less incredulous by the day.

By the government’s latest estimate, 112,01,12,468 Aadhaar cards have been issued since January 2009, when the Unique Identification Authority of India (UIDAI) was set up under the Planning Commission. So if you are an adult Indian resident without an Aadhaar card, you are in a two per cent minority (98 per cent adults are covered).

Last week, Finance Minister Arun Jaitley said the 12-digit number would be the single monolith identity for all Indians in the coming years, replacing every other identity card. The government is serious because each week a new scheme is added to the three dozen schemes in which Aadhaar has been made mandatory. All the 84 schemes under the direct subsidy benefit transfer programme are expected to follow suit.

Here are just a few instances in which you should be ready to whip out your Aadhaar card — a free midday meal at a government school, access to Sarv Shiksha Abhiyan, LPG subsidy and foodgrains under the public distribution system, six scholarship schemes for students with disabilities, getting your EPF pensions, booking a train ticket online, getting a backward caste quota or benefit, and, according to the most recent directive in the Finance Bill, filing your tax returns.

Why did a dispensation so critical of Aadhaar in 2014 make a sharp U-turn to bulldoze its way into having every single Indian citizen scanned, tagged and labelled?

The earliest felt need for an identification project can be traced to the Kargil Review Committee, instituted by the Vajpayee Government in 1999, in the wake of the Indo-Pak war. The Krishnaswamy Subrahmanyam-led panel had recommended a citizenship database for the identification of legitimate Indian citizens living in border areas.

As outlined in a Scroll article, this quickly expanded to include all Indians under the Multipurpose National Identity Card project, which was pilot tested in a few villages. The Citizenship Act was also amended to give a legislative backing to the scheme, which built on the Bharatiya Janata Party’s general stance against illegal immigrants.

The search for identity

The Citizenship Act was amended in 2004 by the incumbent Congress government to make way for the National Population Register (NPR), a database of the identities of all Indian residents, maintained by the Registrar General and Census Commissioner of India.

Eventually, in 2009, Aadhaar, or UIDAI, surfaced as a 12-digit identification number that served as proof of identity and address — meaning, it applies to all residents whether they are citizens or not, unlike with the NPR. Aadhaar, which means ‘basis’ in Hindi, is intended to be an all-encompassing substratum of identities that can provide “instant access to services like banking, mobile phone connections and other government and non-government services”. The United Progressive Alliance government managed to link it to its Direct Benefit Transfer (DBT) system for subsidies provided to targeted groups.

As the main Opposition party, the BJP had felt that the Aadhaar number ought to have been given only to Indian citizens, and not all residents, which, in its view, would include millions of illegal immigrants.

Nandan Nilekani, the former CEO of IT giant Infosys, was appointed UIDAI chairman in July 2009. The first Aadhaar number was issued in September 2010, and then the pace accelerated: 100 million by November 2011, 200 million by February 2012 and 500 million by end of 2013. “We felt speed was strategic. Doing and scaling things quickly was critical. If you move very quickly it doesn’t give opposition the time to consolidate,” Nilekani told Forbes India in a 2013 interview.

Here’s the part most of us forget: The largest opposition that Nilekani was referring to at that time was the BJP.

“The people who thought of themselves as having given birth to IT in this country refused to listen to a common man like me. Even the SC has demanded answers,” Narendra Modi, then Gujarat chief minister, had said and alleged that the Aadhaar programme was a bundle of lies to loot the country’s treasury.

As the BJP’s prime ministerial candidate for the 2014 Lok Sabha elections, days ahead of delivering the party’s biggest-ever victory, he had tweeted: “On Aadhaar, neither the Team that I met nor PM could answer my Qs on security threat it can pose. There is no vision, only political gimmick.” Recently, when Aadhaar enrolments had crossed the billion mark, this tweet was dug out prominently.

The U-turn

So, what changed? How did the Aadhaar’s primary opposition become it’s key crusader?

There were two meetings that supposedly changed the destiny of the Aadhaar project. In the first week of June 2014, as Nilekani was vacating his government-allotted Lutyen’s bungalow as UIDAI chief, he met Modi and Jaitley and persuaded the new regime to persist with Aadhaar. The more important meeting was with Vijay Madan, the UIDAI director general and mission director. According to a Governance Now article, when the UID team spoke of the potential savings from plugging subsidy leakages, and weeding out “ghost beneficiaries”, Modi asked them to give a precise estimate. The figure was “up to ₹50,000 crore a year” or a good 9.4 per cent of India’s ₹5,31,177-crore fiscal deficit.

Modi in his keenness to showcase the arrival of “acche din” immediately sought a 100-crore enrolment target at the ‘earliest’, putting paid to speculations that the new government would shelve the UIDAI project. A funding of ₹2,039.64 crore was formalised in the 2014-2015 Budget presented a week later, to create the infrastructure to enrol 30 crore people to add to the 70 crore already enrolled. The UIDAI targeted the 1-billion mark by the end of that fiscal.

Money bill to beat legal hurdles

It was in November 2012 that the SC admitted a PIL filed by retired Karnataka High Court judge KS Puttaswamy and advocate Parvesh Khanna, questioning the government’s decision to issue Aadhaar even as the National Identification Authority of India Bill 2010 was pending before the Rajya Sabha since December 3, 2010. They argued that there was no legislative backing for obtaining personal information. Also, the proposed law was rejected by the Parliamentary Standing Committee on Finance.

The PIL argued that linking the Aadhaar number with food security, LPG subsidy, the Employees’ Provident Fund and other direct benefit transfers made the enrolment mandatory, thereby falsifying the government’s claim that it was voluntary. Several other PILs too voiced similar privacy concerns.

Currently, there are two legal strictures governing the validity of Aadhaar: the apex court order of October 15, 2015, limiting the card’s voluntary use to six schemes (PDS, MGNREGA, LPG, NEPS and social assistance programmes) and prohibiting the government from making it mandatory for receiving any benefits or services; and the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, which is under challenge today. Both strictures have distinct operational status, but petitioners argue that recent government directives making Aadhaar mandatory are leading them to wonder whether the SC’s interim order is overshadowed by the Aadhaar Act or if the government is defying the court.

On March 3, 2016, in a surprise move, to put all dissent to rest, the Aadhaar Act was introduced as a Money Bill in Parliament to give it legislative backing. Things moved pretty fast thereon. On March 11, the Aadhaar Act 2016 was passed in the Lok Sabha. On March 26, the Act was notified. Accusing the BJP-led NDA government of showing “utter contempt” for the Rajya Sabha by taking the Money Bill route, senior Congress leader Jairam Ramesh challenged it in the Supreme Court in April. He likened the use of the Money Bill, which was passed overruling amendments moved in the Rajya Sabha, to “knocking a nail in the coffin of the Upper House”.

The government’s move took many, including Aadhaar advocates, by surprise. “We need to separate Aadhaar as identity from its specific functionality for which it’s used,” says Praveen Chakravarty, a senior fellow at the IDFC institute and a former member of Nilekani’s core team. He believes that just as a voter ID alone isn’t enough to vote, seeing the ownership of an Aadhaar card as key for any transaction is “fear-mongering”. Its use will still involve a process of checks and balances.

But can’t thumb prints be replicated with Fevicol?

“Sure, there could be failures, as there are with any system. But this is a far more foolproof method than any we’ve had before. Internationally also, biometric is to authenticate a higher level of security.”

The argument for privacy

“Aadhaar has the potential to improve welfare service delivery. But it has to be achieved in an inclusive manner befitting a truly liberal society and not through coercion,” says Chakravarty.

His only misgiving is with the use of the Money Bill to introduce the Aadhaar, without any right to privacy. “It should have gone through the process of debate in Parliament. Then it wouldn’t have been passed without a strong right to privacy safeguard,” he says, pointing that even a junior UIDAI officer can access the data of anybody he/she chooses.

“Aadhaar inverts the idea of transparency. It makes people transparent but the State opaque,” says legal expert Usha Ramanathan, a legal expert and anti-Aadhaar crusader.

The use of Aadhar as verification at every instance can help piece together very detailed information about citizens. These include banking transactions, online purchases, travel itineraries, mobile phone usage, location history and practically anything that can be electronically recorded and verified with an Aadhaar.

In February this year, the UIDAI filed a police case against Axis Bank and others for alleged unauthorised authentication and impersonation attempts by illegally storing Aadhaar biometrics.

The latest outcry over breached privacy involved a screenshot of cricketer Mahendra Singh Dhoni’s personal details that went viral on Twitter. The UIDAI blacklisted the agency that revealed Dhoni’s Aadhaar details after his wife complained to the IT Minister. A recent Scroll report shows the UIDAI received 1,390 similar complaints but took no action.

There are legitimate fears such an information database might eventually be misused, for instance in racial profiling or revealing voting preferences.

In January this year, Hyderabad-based ECIL developed a biometric-enabled mobile terminal for instant authentication of a voter “to prevent rigging of votes”. Till August 2015, the Election Commission was working on seeding Aadhaar data with that of voter ID card, in an attempt to weed out fake voters. However, the poll panel stopped this exercise after the SC ruled that Aadhaar be made compulsory only for PDS and LPG distribution.

Nilekani, in an interview to BLink, insisted that the Aadhaar has more privacy regulations than any other service in the world. He also pointed out that all election commission data is already online, and anyone can look up any voter’s name, date of birth, gender and address.

Additionally, social media profiles too are shared publicly of our own volition.

Concurring with this view, Chakravarty says, “It is surprising that we’re perfectly okay with giving all our life information to a 32-year-old named Mark Zuckerberg. However, this is voluntary. Whether we fully know consequences or not is another matter altogether.”

With the Finance Bill requiring all PAN cards to be linked to Aadhaar, there is added concern over privacy. Sunil Abraham, founder of the Centre for Internet and Society, says Aadhaar runs the risk of being used fraudulently. “If I want to get you in trouble, I can make a large purchase of gold against your Aadhaar number, which is linked to your PAN,” he explains.

He advocates for a system where different government departments don’t store Aadhaar numbers in their databases but instead use a token issued by UIADI kiosks. This would prevent proliferation of the number.

Technical glitches

In February this year, Modi claimed in the Lok Sabha that plugging leakages through Aadhaar had saved the government ₹14,000 crore. And that nearly four crore fake ration cards have been seized till date.

One method of establishing a fake ration card is if the owner has not availed himself of his ration. Ever since Aadhaar’s biometric identification has been linked to point-of-sale (POS) machines at ration shops, residents have had to queue up with a prayer on their lips. A lot could go wrong — the biometric might not recognise them or, worse, there could be a network failure, forcing everyone to return home empty-handed. In both instances, while ration shop owners should ideally mark such transactions under ‘Transactions with “N” response from Aadhaar’, they invariably mark them under “Household yet to take ration”, implying that the beneficiary has chosen not to take home her share.

The February 2017 data for 22 ration shops across Delhi, accessed on the Department of Food & Supplies website, shows that none have a single beneficiary marked under “N”. At a Delhi Cantonment outlet, of the 1,038 registered beneficiaries only 168 have been marked “Y”, or ‘Yes’, showing they have taken their rations. Another 871 have been marked “Household yet to take ration” and none have been marked ‘N’ to indicate glitches in the Aadhaar authentication.

As Amrita Johri of citizens’ action group Satark Nagrik Sangathan explains, “Aadhaar relies on internet and electricity. This might seem like a problem only of rural areas. But we don’t have to go far. In South Delhi’s East Mehraam Nagar, there is a ration shop with no mobile signal and no network. Officials said we have to show that Aadhaar is a success, so the shop’s POS machine was finally hung on a jamun tree to get it to work.”

She questions the government’s reluctance to acknowledge the many instances of failure in the project.

Frighteningly, three consecutive failed attempts could lead to the card being placed in an abeyance list and possibly invalidated.

Top performers and laggards

Delhi is rated one of the better performing States/union territories, while Rajasthan has one of the worst records with the maximum number of biometric and network failures.

According to the government’s 2017 monthly estimates, 27 per cent of the residents whose Aadhaar cards have been seeded to the PDS were denied rations owing to biometric or network failure. This figure would be higher if the unseeded cards are also taken into account.

Nikhil Dey, founder of Rajasthan’s Mazdoor Kisan Shakti Sangathan (MKSS) says his organisation is fighting with its back against a wall.

“Nearly 73 lakh households get their monthly rations in this State, where a little over a crore households are eligible to receive them. We’re not even talking about exclusions here,” says Dey. Besides network failure, there are many instances of the old and sick who are unable to visit the shop to physically verify themselves.

“Back-up options such as OTP (one-time password) or facial recognition only work in theory,” says Dey. He alleges that shop owners often fudge the OTP system by punching in their own numbers and stealing the quotas of genuine beneficiaries.

He too believes that several names have been struck off as dead to project that the Aadhaar has weeded out a high number of fake social security pension ers.

Nilekani applauds Andhra Pradesh for its progress in the Aadhaar project by investing in infrastructure to eliminate technical glitches. J Satyanarayana, the UIDAI’s part-time chairperson, told BLink in an email interview that Aadhaar has led to transparency and efficiency in nearly all government schemes in AP.

During March 2017, 42.29 lakh (93.02 per cent) pensioners received their payment through Aadhaar-based biometric authentication, he says, adding that real-time monitoring systems are in place.

“The entire PDS (rations) is linked to Aadhaar,” he says. As many as 1.21 crore (87.39 per cent) card holders collected their ration this month, and 95.94 lakh received wages (totalling ₹5,283 crore under MNREGA through Aadhaar-enabled systems, he informs.

Neighbouring Telangana too is known for its 99 per cent Aadhaar enrollment, leading to an impressive 80 per cent of its population accessing the PDS.

BP Acharya, special chief secretary in Telangana’s planning department says, “Aadhaar’s use can perhaps be most seen in Telangana’s speedy clearances, investment promotion, creating licences and clearances for shops and establishments.”

Telangana took the Aadhaar database project one step further through its Citizen 360 programme. In August 2014, months after the State was newly formed, it conducted one of the largest household surveys in a single day, covering one crore households. This data was integrated with the Aadhaar database and now links different benefits on the same platform. Now the Aadhaar identity is linked to other details such as the holder’s driving licence and even crime record.

The UIDAI holds out AP and Telangana as shining examples of Aadhaar’s efficiency when backed by the right network and infrastructure. But for the lakhs of biometric factory rejects who are denied their rights, Aadhaar can only mean a mass experiment gone horribly wrong.

Aadhaar Timeline

2006

The ministry of communications and information technology approves the ‘Unique ID for Below Poverty Line (BPL) families’ project under the chairmanship of Arvind Virmani, then principal advisor, Planning Commission

2008

Empowered group of ministers formed by former Prime Minister Manmohan Singh decides to collate two schemes — the National Population Register under the Citizenship Act, 1955 and the UID project — to conceive Aadhaar.

2009

Planning Commission issues a notification to constitute the Unique Identification Authority of India (UIDAI).

Government appoints Infosys co-founder Nandan Nilekani as the first chairman of UIDAI, with the rank and status of a cabinet minister.

2012

Former Karnataka high court judge justice K Puttaswamy files a public interest litigation before the Supreme Court (SC) declaring that Aadhaar violates an individual’s right to privacy and that the scheme lacks legislative backing.

2014

In an interim order, the SC restrains the UIDAI from transferring biometric information with an Aadhaar number to any other agency without the individual’s consent in writing.

2015

Three-judge bench of the apex court rules the unique identity number is not mandatory to avail of benefits from government programmes, restricting the use of Aadhaar to beneficiaries of the public distribution system and subsidies on cooking gas and kerosene, and refers the question on privacy to a larger constitution bench.

Centre moves SC seeking a review and modification of the August 11 interim order. A five-judge constitution bench modifies the same and extends the use of Aadhaar to Mahatma Gandhi National Rural Employment Guarantee Scheme, Jan Dhan Yojana, pensions and the Employees’ Provident Fund scheme.

2016

Finance minister Arun Jaitley announces in the budget speech that the government will offer statutory backing for Aadhaar. The Lok Sabha passes the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 as a Money Bill, rejecting Rajya Sabha recommendations.

2017

Aadhaar is made mandatory for three dozen schemes with 84 more expected under direct benefit transfers, including midday meal scheme and universal education.

SC again rules that Aadhaar cannot be made mandatory for welfare schemes.

For more details visit https://cis-india.org/internet-governance/news/hindu-businessline-shriya-mohan-the-aadhaar-of-all-things

Analysis of Key Provisions of the Aadhaar Act Regulations

amber — 2017-04-03T14:05:01Z

In exercise of their powers under of the powers conferred by Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016, (Aadhaar Act) the UIDAI has come out with a set of five regulations in late 2016 last year. In this policy brief, we look at the five regulations, their key provisions and highlight point out the unresolved, issues, unaddressed, and created issues as result of these regulations.

This blog post was edited by Elonnai Hickok

Introduction

At the outset it is important to note that a concerning feature of these regulations is that they intend to govern the processes of a body which has been in existence for over six years, and has engaged in all the activities sought to be governed by these policies at a massive scale, considering the claims of over one billion Aadhaar number holders. However, the regulation do not acknowledge, let alone address past processes, practices, enrollments, authentications, use of technology etc. this fact, and there are no provisions that effectively address the past operations of the UIDAI. Below is an analysis of the five regulations issued thus far by the UIDAI.

Unique Identification Authority of India (Transactions of Business at Meetings of the Authority) Regulations^{^[1]}

These regulations framed under clause (h) of sub-section (2) of section 54 read with sub-section (1) of section 19 of the Aadhaar Act, deal with the meetings of the UIDAI, the process following up to each meeting, and the manner in which all meetings are to be conducted.

Provision: Sub-Regulation 3.

Meetings of the Authority– (1) There shall be no less than three meetings of the Authority in a financial year on such dates and at such places as the Chairperson may direct and the interval between any two meetings shall not in any case, be longer than five months

Observations:

The number of times that UIDAI would meet in a year is far too less, taking in account the significance of the responsibilities of UIDAI as the sole body for policy making for all issues related to Aadhaar. In contrast, the Telecom Regulatory Authority of India is required to meet at least once a month. Other bodies such as SEBI and IRDAI are also required to meet at least four times^{^[2]} and six times^{^[3]} in a year respectively.

Provision: Sub-Regulation 8 (5)

Decisions taken at every meeting of the Authority shall be published on the website of Authority unless the Chairperson determines otherwise on grounds of ensuring confidentiality.

Observations:

The Chairperson has the power to determine withholding publication of the decisions of the meeting on the broad grounds of ‘confidentiality’. Given the fact that the decisions taken by UIDAI as a public body can have very real implications for the rights of residents, the ground of confidentiality is not sufficient to warrant withholding publication. It is curious that instead of referring to the clearly defined exceptions laid down in other similar provisions such as the exceptions in Section 8 of the Right to Information Act, 2005, the rules merely refer to vague and undefined criteria of ‘confidentiality’.

Provision: Sub-Regulation 14 (4)

Members of the Authority and invitees shall sign an initial Declaration at the first meeting of the Authority for maintaining the confidentiality of the business transacted at meetings of the Authority in Schedule II.

Observations:

The above provision, combined with the fact that there is no provision regarding publication of the minutes of the meetings of UIDAI raise serious questions about the transparency of its functioning.

Unique Identification Authority of India (Enrolment and Update) Regulations^{^[4]}

These regulations, framed under sub-section (1), and sub-clauses (a), (b), (d,) (e), (j), (k), (l), (n), (r), (s), and (v) of sub-section (2), of Section 54 of the Aadhaar Act deals with the enrolment process, the generation of an Aadhaar number, updation of information and governs the conduct of enrolment agencies and associated third parties.

Provisions:

Sub-Regulation 8 (2), (3) and (4)

The standard enrolment/update software shall have the security features as may be specified by the Authority for this purpose.

All equipment used in enrolment, such as computers, printers, biometric devices and other accessories shall be as per the specifications issued by the Authority for this purpose.

The biometric devices used for enrolment shall meet the specifications, and shall be certified as per the procedure, as may be specified by the Authority for this purpose.

Sub-Regulation 3 (2)

The standards for collecting the biometric information shall be as specified by the Authority for this purpose.

Sub-Regulation 4 (5)

The standards of the above demographic information shall be as may be specified by the Authority for this purpose.

Sub-Regulation 6 (2)

For residents who are unable to provide any biometric information contemplated by these regulations, the Authority shall provide for handling of such exceptions in the enrolment and update software, and such enrolment shall be carried out as per the procedure as may be specified by the Authority for this purpose.

Sub-Regulation 14 (2)

In case of rejection due to duplicate enrolment, resident may be informed about the enrolment against which his Aadhaar number has been generated in the manner as may be specified by the Authority.

Observations:

Though in February 2017, the UIDAI published technical specifications for registered devices^{^[5]}, the regulations leave unaddressed issues such as lack of appropriately defined security safeguards in the Aadhaar. There is a general trend of continued deferrals in the regulations by stating that matters would be specified later on important aspects such as rejection of applications, uploading of the enrolment packet to the CIDR, the procedure for enrolling residents with biometric exceptions, the procedure for informing residents about acceptance/rejection of enrolment application, specifying the convenience fee for updation of residents’ information, the procedure for authenticating individuals across services etc.c. There is a clear failure to exercise the mandate delegated to UIDAI, leaving key matters to determined at a future unspecified date. The delay and ambiguity around when regulations will be defined is all the more problematic in light of the fact that the project has been implemented since 2010 and the Aadhaar number is now mandatory for availing a number of services.

Further it is important to note that a number of policies put out by the UIDAI predate these regulations, on which the regulations are completely silent, thus neither endorsing previous policies nor suggesting that they may be revisited. Further, the regulations choose to not engage with the question of operation of the Aadhaar project, enrolment and storage of data etc prior to the notification of these regulations, or the policies which these regulations may regularise. For instance, the regulations do not specify any measures to deal with issues arising out of enrolment devices used prior to the development of the February 2017 specifications.

Provision: Sub-Regulation 32

The Authority shall set up a contact centre to act as a central point of contact for resolution of queries and grievances of residents, accessible to residents through toll free number(s) and/ or e-mail, as may be specified by the Authority for this purpose.

(2) The contact centre shall:

Provide a mechanism to log queries or grievances and provide residents with a unique reference number for further tracking till closure of the matter;
Provide regional language support to the extent possible;
Ensure safety of any information received from residents in relation to their identity information;
Comply with the procedures and processes as may be specified by the Authority for this purpose.

(3) Residents may also raise grievances by visiting the regional offices of the Authority or through any other officers or channels as may be specified by the Authority.

Observations:

While the setting up of a grievance redressal mechanism under the regulations is a welcome move, there is little clarity about the procedure to be followed, nor is a timeline for it specified. The chapter on grievance redressal is in fact one of the shortest chapters in the regulations. The only provision in this chapter deals with the setting up of a contact centre, a curious choice of term for what is supposed to be the primary quasi judicial grievance redressal body for the Aadhaar project. In line with the indifferent and insouciant terminology of ‘contact centre’, the chapter is restricted to the matters of the logging of queries and grievances by the contact centre, and does not address the matter of procedure or timelines, and even the substantive provisions about the nature of redress available. Furthermore, the obligation on the contact centre to protect information received is limited to ‘ensuring safety’ an ambiguous standard that does not speak to any other standards in Indian law.

Aadhaar (Authentication) Regulations, 2016^{^[6]}

These regulations, framed under sub-section (1), and sub-clauses (f) and (w) of sub-section (2) of Section 54 of the Aadhaar Act deals with the authentication framework for Aadhaar numbers, the governance of authentication agencies and the procedure for collection, storage of authentication data and records.

Provisions:

Sub-Regulation 5 (1)

At the time of authentication, a requesting entity shall inform the Aadhaar number holder of the following details:—

(a) the nature of information that will be shared by the Authority upon authentication;

(b) the uses to which the information received during authentication may be put; and

Sub-Regulation 6 (2)

A requesting entity shall obtain the consent referred to in sub-regulation (1) above in physical or preferably in electronic form and maintain logs or records of the consent obtained in the manner and form as may be specified by the Authority for this purpose.

Observations:

Sub-regulation 5 mentions that at the time of authentication, requesting entities shall inform the Aadhaar number holder of alternatives to submission of identity information for the purpose of authentication. Similarly, sub-regulation 6 mentions that requesting entity shall obtain the consent of the Aadhaar number holder for the authentication. However, in neither of the above circumstances do the regulations specify the clearly defined options that must be made available to the Aadhaar number holder in case they do not wish submit identity information, nor do the regulations specify the procedure to be followed in case the Aadhaar number holder does not provide consent.

Most significantly, this provision does little by way of allaying the fears raised by the language in Section 8 (4) of the Aadhaar Act which states that UIDAI “shall respond to an authentication query with a positive, negative or any other appropriate response sharing such identity information.” This section gives a very wide discretion to UIDAI to share personal identity information with third parties, and the regulations do not temper or qualify this power in any way.

Sub-Regulation 11 (1) and (4)

The Authority may enable an Aadhaar number holder to permanently lock his biometrics and temporarily unlock it when needed for biometric authentication.

The Authority may make provisions for Aadhaar number holders to remove such permanent locks at any point in a secure manner.

Observations:

A welcome provision in the regulation is that of biometric locking which allows Aadhaar number holders to permanently lock his biometrics and temporarily unlock it only when needed for biometric authentication. However, in the same breath, the regulation also provides for the UIDAI to make provisions to remove such locking without any specified grounds for doing so.

Provision: Sub-Regulation 18 (2), (3) and (4)

The logs of authentication transactions shall be maintained by the requesting entity for a period of 2 (two) years, during which period an Aadhaar number holder shall have the right to access such logs, in accordance with the procedure as may be specified.

Upon expiry of the period specified in sub-regulation (2), the logs shall be archived for a period of five years or the number of years as required by the laws or regulations governing the entity, whichever is later, and upon expiry of the said period, the logs shall be deleted except those records required to be retained by a court or required to be retained for any pending disputes.

The requesting entity shall not share the authentication logs with any person other than the concerned Aadhaar number holder upon his request or for grievance redressal and resolution of disputes or with the Authority for audit purposes. The authentication logs shall not be used for any purpose other than stated in this sub-regulation.

Observations:

While it is specified that the authentication logs collected by the requesting entities shall not be shared with any person other than the concerned Aadhaar number holder upon their request or for grievance redressal and resolution of disputes or with the Authority for audit purposes, and that the authentication logs may not be used for any other purpose, the maintenance of the logs for a period of seven years seems excessive. Similarly, the UIDAI is also supposed to store Authentication transaction data for over five years. This is in violation of the widely recognized data minimisation principles which seeks that data collectors and data processors delete personal data records when the purpose for which it has been collected if fulfilled. While retention of data for audit and dispute-resolution purpose is legitimate, the lack of specification of security standards and the overall lack of transparency and inadequate grievance redressal mechanism greatly exacerbate the risks associated with data retention.

Aadhaar (Sharing of Information) Regulations, 2016 and Aadhaar (Data security) Regulations, 2016^{^[7]}

Framed under the powers conferred by sub-section (1), and sub-clause (o) of sub-section (2), of Section 54 read with sub-clause (k) of sub-section (2) of Section 23, and sub-sections

(2) and (4) of Section 29, of the Aadhaar Act, the Sharing of Information regulations look at the restrictions on sharing of identity information collected by the UIDAI and requesting entities. The Data Security regulation, framed under powers conferred by clause (p) of subsection (2) of section 54 of the Aadhaar Act, looks at security obligations of all service providers engaged by the UIDAI.

Provision: Sub-Regulation 6 (1)

All agencies, consultants, advisors and other service providers engaged by the Authority, and ecosystem partners such as registrars, requesting entities, Authentication User Agencies and Authentication Service Agencies shall get their operations audited by an information systems auditor certified by a recognised body under the Information Technology Act, 2000 and furnish certified audit reports to the Authority, upon request or at time periods specified by the Authority.

Observations:

The regulation states that audits shall be conducted by an information systems auditor certified by a recognised body under the Information Technology Act, 2000. However, there is no such certifying body under the Information Technology Act. This suggests a lack of diligence in framing the rules, and will inevitably to lead to inordinate delays, or alternately, a lack of a clear procedure in the appointment of an auditor. Further, instead of prescribing a regular and proactive process of audits, the regulation only limits audits to when requested or as deemed appropriate by UIDAI. This is another, in line of many provisions, whose implication is power being concentrated in the hands of UIDAI, with little scope for accountability and transparency.

Conclusion

In conclusion, it must be stated that the regulations promulgated by the UIDAI leave a lot to be desired. Some of the most important issues raised against the Aadhaar Act, which were delegated to the UIDAI’s rule making powers have not been addressed at all. Some of the most important issues such as data security policies, right to access records of Aadhaar number holders, procedure to be followed by the grievance redressal bodies, uploading of the enrolment packet to the CIDR, procedure for enrolling residents with biometric exceptions, procedure for informing residents about acceptance/rejection of enrolment application have left unaddressed and ‘may be specified’ at a later data. These failures leave a gaping hole especially in light of the absence of a comprehensive data protection legislation in India, as well the speed and haste with the enrolment and seeding has been done by the UIDAI, and the number of services, both private and public, which are using or planning to use the Aadhaar number and the authentication process as a primary identifier for residents.

^{^[1]} Available at https://uidai.gov.in/legal-framework/acts/regulations.html

^{^[2]} https://www.irda.gov.in/ADMINCMS/cms/frmGeneral_Layout.aspx?page=PageNo62&flag=1

^{^[3]} http://www.sebi.gov.in/acts/boardregu.html

^{^[4]} Available at https://uidai.gov.in/legal-framework/acts/regulations.html

^{^[5]} Available at: https://uidai.gov.in/images/resource/aadhaar_registered_devices_2_0_09112016.pdf

^{^[6]} Available at https://uidai.gov.in/legal-framework/acts/regulations.html

^{^[7]} Available at https://uidai.gov.in/legal-framework/acts/regulations.html

For more details visit https://cis-india.org/internet-governance/blog/analysis-of-key-provisions-of-aadhaar-act-regulations

It’s the technology, stupid

sunil — 2017-04-07T12:53:21Z

Eleven reasons why the Aadhaar is not just non-smart but also insecure.

The article was published in Hindu Businessline on March 31, 2017.

Aadhaar is insecure because it is based on biometrics. Biometrics is surveillance technology, a necessity for any State. However, surveillance is much like salt in cooking: essential in tiny quantities, but counterproductive even if slightly in excess. Biometrics should be used for targeted surveillance, but this technology should not be used in e-governance for the following reasons:

One, biometrics is becoming a remote technology. High-resolution cameras allow malicious actors to steal fingerprints and iris images from unsuspecting people. In a couple of years, governments will be able to identify citizens more accurately in a crowd with iris recognition than the current generation of facial recognition technology.

Two, biometrics is covert technology. Thanks to sophisticated remote sensors, biometrics can be harvested without the knowledge of the citizen. This increases effectiveness from a surveillance perspective, but diminishes it from an e-governance perspective.

Three, biometrics is non-consensual technology. There is a big difference between the State identifying citizens and citizens identifying themselves to the state. With biometrics, the State can identify citizens without seeking their consent. With a smart card, the citizen has to allow the State to identify them. Once you discard your smart card the State cannot easily identify you, but you cannot discard your biometrics.

Four, biometrics is very similar to symmetric cryptography. Modern cryptography is asymmetric. Where there is both a public and a private key, the user always has the private key, which is never in transit and, therefore, intermediaries cannot intercept it. Biometrics, on the other hand, needs to be secured during transit. The UIDAI’s (Unique Identification Authority of India overseeing the rollout of Aadhaar) current fix for its erroneous choice of technology is the use of “registered devices”; but, unfortunately, the encryption is only at the software layer and cannot prevent hardware interception.

Five, biometrics requires a centralised network; in contrast, cryptography for smart cards does not require a centralised store for all private keys. All centralised stores are honey pots — targeted by criminals, foreign States and terrorists.

Six, biometrics is irrevocable. Once compromised, it cannot be secured again. Smart cards are based on asymmetric cryptography, which even the UIDAI uses to secure its servers from attacks. If cryptography is good for the State, then surely it is good for the citizen too.

Seven, biometrics is based on probability. Cryptography in smart cards, on the other hand, allows for exact matching. Every biometric device comes with ratios for false positives and false negatives. These ratios are determined in near-perfect lab conditions. Going by press reports and even UIDAI’s claims, the field reality is unsurprisingly different from the lab. Imagine going to an ATM and not being sure if your debit card will match your bank’s records.

Eight, biometric technology is proprietary and opaque. You cannot independently audit the proprietary technology used by the UIDAI for effectiveness and security. On the other hand, open smart card standards like SCOSTA (Smart Card Operating System for Transport Applications) are based on globally accepted cryptographic standards and allow researchers, scientists and mathematicians to independently confirm the claims of the government.

Nine, biometrics is cheap and easy to defeat. Any Indian citizen, even children, can make gummy fingers at home using Fevicol and wax. You can buy fingerprint lifting kits from a toystore. To clone a smart card, on the other hand, you need a skimmer, a printer and knowledge of cryptography.

Ten, biometrics undermines human dignity. In many media photographs — even on the @UIDAI’s Twitter stream — you can see the biometric device operator pressing the applicant’s fingers, especially in the case of underprivileged citizens, against the reader. Imagine service providers — say, a shopkeeper or a restaurant waiter — having to touch you every time you want to pay. Smart cards offer a more dignified user experience.

Eleven, biometrics enables the shirking of responsibility, while cryptography requires a chain of trust.

Each legitimate transaction has repudiable signatures of all parties responsible. With biometrics, the buck will be passed to an inscrutable black box every time things go wrong. The citizens or courts will have nobody to hold to account.

The precursor to Aadhaar was called MNIC (Multipurpose National Identification Card). Initiated by the NDA government headed by Atal Bihari Vajpayee, it was based on the open SCOSTA standard. This was the correct technological choice.

Unfortunately, the promoters of Aadhaar chose biometrics in their belief that newer, costlier and complex technology is superior to an older, cheaper and simpler alternative.

This erroneous technological choice is not a glitch or teething problem that can be dealt with legislative fixes such as an improved Aadhaar Act or an omnibus Privacy Act. It can only be fixed by destroying the centralised biometric database, like the UK did, and shifting to smart cards.

In other words, you cannot fix using the law what you have broken using technology.

For more details visit https://cis-india.org/internet-governance/blog/the-hindu-businessline-march-31-2017-sunil-abraham-its-the-technology-stupid

How Aadhaar compromises privacy? And how to fix it?

sunil — 2017-04-01T07:00:06Z

Aadhaar is mass surveillance technology. Unlike targeted surveillance which is a good thing, and essential for national security and public order – mass surveillance undermines security. And while biometrics is appropriate for targeted surveillance by the state – it is wholly inappropriate for everyday transactions between the state and law abiding citizens.

The op-ed was published in the Hindu on March 31, 2017.

When assessing a technology, don't ask - “what use is it being put to today?”. Instead, ask “what use can it be put to tomorrow and by whom?”. The original noble intentions of the Aadhaar project will not constrain those in the future that want to take full advantage of its technological possibilities. However, rather than frame the surveillance potential of Aadhaar in a negative tone as three problem statements - I will propose three modifications to the project that will reduce but not eliminate its surveillance potential.

Shift from biometrics to smart cards: In January 2011, the Centre for Internet and Society had written to the parliamentary finance committee that was reviewing what was then called the “National Identification Authority of India Bill 2010”. We provided nine reasons for the government to stop using biometrics and instead use an open smart card standard. Biometrics allows for identification of citizens even when they don't want to be identified. Even unconscious and dead citizens can be identified using biometrics. Smart cards, on the other hand, require pins and thus citizens' conscious cooperation during the identification process. Once you flush your smart cards down the toilet nobody can use them to identify you. Consent is baked into the design of the technology. If the UIDAI adopts smart cards, we can destroy the centralized database of biometrics just like the UK government did in 2010 under Theresa May's tenure as Home Secretary. This would completely eliminate the risk of foreign governments, criminals and terrorists using the biometric database to remotely, covertly and non-consensually identify Indians.

Destroy the authentication transaction database: The Aadhaar Authentication Regulations 2016 specifies that transaction data will be archived for five years after the date of the transaction. Even though the UIDAI claims that this is a zero knowledge database from the perspective of “reasons for authentication”, any big data expert will tell you that it is trivial to guess what is going on using the unique identifiers for the registered devices and time stamps that are used for authentication. That is how they put Rajat Gupta and Raj Rajratnam in prison. There was nothing in the payload ie. voice recordings of the tapped telephone conversations – the conviction was based on meta-data. Smart cards based on open standards allow for decentralized authentication by multiple entities and therefore eliminate the need for a centralized transaction database.

Prohibit the use of Aadhaar number in other databases: We must, as a nation, get over our obsession with Know Your Customer [KYC] requirements. For example, for SIM cards there is no KYC requirement is most developed countries. Our insistence on KYC has only resulted in retardation of Internet adoption, a black market for ID documents and unnecessary wastage of resources by telecom companies. It has not prevented criminals and terrorists from using phones. Where we must absolutely have KYC for the purposes of security, elimination of ghosts and regulatory compliance – we must use a token issued by UIDAI instead of the Aadhaar number itself. This would make it harder for unauthorized parties to combine databases while at the same time, enabling law enforcement agencies to combine databases using the appropriate authorizations and infrastructure like NATGRID. The NATGRID, unlike Aadhaar, is not a centralized database. It is a standard and platform for the express assembly of sub-sets of up to 20 databases which is then accessed by up to 12 law enforcement and intelligence agencies.

To conclude, even as a surveillance project – Aadhaar is very poorly designed. The technology needs fixing today, the law can wait for tomorrow.

For more details visit https://cis-india.org/internet-governance/blog/hindu-op-ed-sunil-abraham-march-31-2017-how-aadhaar-compromises-privacy-and-how-to-fix-it

क्‍या आधार पर जल्दबाज़ी में है सरकार?

praskrishna — 2017-03-29T03:52:08Z

Amber Sinha took part in a discussion on Aadhaar aired by NDTV on March 27, 2017.

एक जुलाई 2017 से आयकर रिटर्न भरने और पैन नंबर के लिए आधार नंबर देना अनिवार्य हो जाएगा. बिना आधार के अब आयकर रिटर्न नहीं भरा जा सकेगा. जिस किसी के पास पैन कार्ड है उसे एक जुलाई तक आधार नंबर देना होगा. अगर ऐसा नहीं करेंगे तो पैन कार्ड अवैध हो जाएगा. माना जाएगा कि आपके पास पैन कार्ड या पैन नंबर नहीं है. आयकर फार्म और पैन नंबर में आधार को अनिवार्य किये जाने से कई सवाल फिर से उठे हैं. 2009 से लेकर 2017 के बीच आधार के इस्तमाल को लेकर, इसके लीक होने से लेकर अनिवार्य किये जाने के ख़तरे को लेकर कई बहसें सुनी, पचासों लेख पढ़े. दूसरी तरफ हमने समाज में देखा कि आधार को लेकर ग़ज़ब का उत्साह है.

Watch the Video on NDTV

For more details visit https://cis-india.org/internet-governance/news/ndtv-march-27-2017-discussion-on-aadhaar

IDRC - Open Development Book - Authors' Workshop

praskrishna — 2017-03-29T03:47:14Z

Sumandro Chattapadhyay participated in the authors' workshop organized by the International Development Research Centre (IDRC) and the Centre for Innovation in Learning and Teaching at the University of Cape Town in South Africa on March 11 and 12, 2017.

The workshop gathered the contributers to an upcoming book by IDRC on open development. This volume will continue, extend, and reflect back on the previously published "Open Development: Networked Innovations in International Development" (Edited by Matthew L. Smith and Katherine M. A. Reilly). Elonnai Hickok, Gus Hosein from Privacy International and Sumandro Chattapadhyay are writing a chapter for this book that is tentative titled as "Six Principles for Openness and Privacy in the Time of Data Revolution".

This chapter will bring together personal and institutional experiences from policy advocacy and grounded practice in open data and privacy across the “South” and the “West” to discuss a potential framing of these two concerns as not opposing but complimentary rights. We locate this discussion of openness and privacy within the context of the ongoing “data revolution”, and propose six principles towards engaging with present and future challenges in generation and management of, innovation with, and reliance on data as an economic and social resource.

For more details visit https://cis-india.org/openness/news/idrc-open-development-book-authors-workshop

India’s biometric ID scans make sci-fi a reality

praskrishna — 2017-03-28T02:45:28Z

I have been thinking about my fingerprints and the secrets that may lie within my eyes — and whether I want to share them with the Indian government. I may not however have a choice.

The article by Amy Kazmin was published in the Financial Times on March 27, 2017. Sunil Abraham was quoted.

India has the world’s largest domestic biometric identification system, known as Aadhaar. Since 2010, the government has collected fingerprints and iris scans from more than 1bn residents, and each has been assigned a 12-digit identification number.

The scheme is championed by Nandan Nilekani, the billionaire co-founder of IT company Infosys. It was initially conceived to ensure poor Indians received subsidised food entitlements and other welfare benefits that were previously siphoned off by unscrupulous intermediaries. It was also seen as offering poor Indians, many of whom lack birth certificates, with a portable ID that can be used anywhere in the country.

Until now, obtaining an Aadhaar number was voluntary, though most Indians enrolled without hesitation as they see its potential benefits. But New Delhi is now enlisting Aadhaar, which means “foundation” or “base” in Hindi, in more than just welfare schemes. This would mean sharing one’s biometric details isn’t really optional any more despite a Supreme Court ruling that it should be “purely voluntary”.

Last week, the government issued a rule requiring an Aadhaar number for filing tax returns, ostensibly to improve tax compliance. It has also decided that all cell phone numbers must be linked to an Aadhaar number by 2018. Even Indian Railways has plans to demand Aadhaar from those booking train tickets online.

What was once touted as an initiative to improve delivery of welfare suddenly now seems like the foundation of a surveillance state — and I admit the prospect of putting my own biometrics in the database leaves me uneasy.

As a US citizen, I’ve never had to give my biometric data to my government. Domestically, fingerprints are only taken from criminal suspects, or applicants for government jobs, though I know foreign citizens are fingerprinted on arrival.

To me, the idea of sharing eye scans evokes the dystopian Hollywood film, Minority Report, which depicts a near future in which optical-recognition cameras allow the authorities to identify anyone in any public place. The hero on the run, played by Tom Cruise, has an illegal eye transplant to avoid detection.

In recent days, many Indian academics and activists have raised concerns about Aadhaar data security, the lack of privacy rules and the absence of any accountability structure if data are misused.

"Biometrics is being weaponised," says Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society. "What you need to be worried about is that someone will clean out your bank account or frame you in a crime," he says.

Pratap Bhanu Mehta, director of the Centre for Policy Research, has written of the “conversion of Aadhaar from a tool of citizen empowerment to a tool of state surveillance and citizen vulnerability”.

I call Mr Nilekani, of whose honourable intentions I have no doubt. After leaving Infosys in 2009, he spent five years in government, working to get Aadhaar off the ground. He says he is “extremely offended” when his project is accused of being part of a surveillance society, a narrative he says is “completely misrepresenting” the project. “I can steal your fingerprint off your glass. I don’t need this fancy technology,” he says. “Surveillance is far better done by following my phone, or when I use a map to order a taxi: the map knows where I am. Our internet companies know where you are.”

But in a society known for ingenious means of bypassing rules, such as having multiple taxpayer ID cards to aid evasion, Mr Nilekani says biometric authentication of individuals can bring discipline and reduce cheating. “It’s like you are creating a rule-based society,” he says, “it’s the transition that is going on right now.” I hang up, hardly reassured. To me, it seems clear that in India, as in so many places these days, Big Brother is increasingly watching.

For more details visit https://cis-india.org/internet-governance/news/financial-times-march-27-2017-amy-kazmin-indias-biometric-id-scans-make-sci-fi-a-reality

Centre for Internet and Society

Opposition questions govt move to make Aadhaar must

Privacy in the Age of Big Data

Aadhaar: Privacy concerns

Privacy, what? Bengaluru police leaks 46,000 phone numbers on Twitter

India’s National ID Program May Be Turning The Country Into A Surveillance State

“You can’t change your fingerprints”

Bengaluru cops' twitter handle in ethical storm

Right to be Forgotten: A Tale of Two Judgements

Background

Issues in application

The two Indian judgments

Conclusion

Aadhaar marks a fundamental shift in citizen-state relations: From ‘We the People’ to ‘We the Government’

How Did Aadhaar Change?

Security Concerns

Get an Aadhaar card if you don't have one

The Aadhaar of all things

Analysis of Key Provisions of the Aadhaar Act Regulations

Introduction

Unique Identification Authority of India (Transactions of Business at Meetings of the Authority) Regulations[1]

Provision: Sub-Regulation 3.

Observations:

Provision: Sub-Regulation 8 (5)

Observations:

Provision: Sub-Regulation 14 (4)

Observations:

Unique Identification Authority of India (Enrolment and Update) Regulations[4]

Provisions:

Observations:

Provision: Sub-Regulation 32

Observations:

Aadhaar (Authentication) Regulations, 2016[6]

Provisions:

Observations:

Sub-Regulation 11 (1) and (4)

Observations:

Provision: Sub-Regulation 18 (2), (3) and (4)

Observations:

Aadhaar (Sharing of Information) Regulations, 2016 and Aadhaar (Data security) Regulations, 2016[7]

Provision: Sub-Regulation 6 (1)

Observations:

Conclusion

It’s the technology, stupid

How Aadhaar compromises privacy? And how to fix it?

क्‍या आधार पर जल्दबाज़ी में है सरकार?

IDRC - Open Development Book - Authors' Workshop

India’s biometric ID scans make sci-fi a reality

Unique Identification Authority of India (Transactions of Business at Meetings of the Authority) Regulations^{^[1]}

Unique Identification Authority of India (Enrolment and Update) Regulations^{^[4]}

Aadhaar (Authentication) Regulations, 2016^{^[6]}

Aadhaar (Sharing of Information) Regulations, 2016 and Aadhaar (Data security) Regulations, 2016^{^[7]}