Centre for Internet and Society

Token security or tokenized security?

Admin — 2018-01-17T00:17:41Z

Implementing a system of tokenization for Aadhaar verification will address the security loopholes highlighted in recent reports.

The article by Manasa Venkataraman and Ajay Patri was published in Livemint on January 9, 2018.

Those who were reassured that the Aadhaar architecture is safe and secure have faced a few rude shocks lately. First, there was the recent report in The Tribune on how one of its reporters was easily able to log in to the Aadhaar website and access any enrolled Indian’s personal information, all for a grand fee of Rs500. While the veracity of this report is still being contested by the Unique Identification Authority of India (UIDAI), it has stirred panic over the security of personal data entrusted to the government. This came close on the heels of reports last month that a telecom company was utilizing the eKYC (know your customer) data of its mobile subscribers to open payment bank accounts without their consent.

These two instances highlight scenarios where data from the Aadhaar database is vulnerable. In the first, the weaknesses in security measures and processes around the database leave information susceptible to an attack. In the second, providing third-party entities loosely regulated access to an individual’s data leaves scope for abuse.

There is a need to protect the data belonging to individuals in these situations, providing the government with two possible policy options: it can choose to either overhaul the Aadhaar architecture completely, or it can build in additional security measures to ensure that individual data is not compromised.

Uninventing Aadhaar is not a practical proposal. It would have to include repealing the statute on Aadhaar, disbanding the database already created, and figuring out alternative means of delivering the services that are now dependent on Aadhaar. A more sustainable way forward is to better secure Aadhaar. This will involve not only the secure collection and storage of personal data, but also a safe regulation of the manner in which third parties use it for authentication.

One way to protect Aadhaar-related communications is to channel them through a secure conduit. This can be achieved through a system of temporary tokens for Aadhaar-based verifications. Sunil Abraham from the Centre for Internet and Society (CIS) has recommended a system of using dummy or virtual Aadhaar numbers along with a smart card to protect information belonging to individuals.

Tokenization is the process of masking sensitive personal data with another innocuous dataset, allowing it to be shared with third parties without the risk of the personal data being exposed. So, every time a service provider asks for identification, the individual can provide a one-time-ID number generated by an Aadhaar app or on UIDAI’s website. The service provider can authenticate the one-time-ID number with the Aadhaar database, without needing to know or store the Aadhaar number. The algorithm used to generate the one-time-ID number must be constructed using hard-to-replicate information and kept a well-guarded secret. No two service providers will have the same one-time ID, making it harder for personal profiles to be constructed by mining data from multiple service providers, thus enabling a higher level of privacy protection.

Allowing such a system of tokenization for every eKYC can create a welcome layer of ambiguity around individuals’ personal data and preserve the individuals’ Aadhaar-related information with the government. This system also breaks the link between the Aadhaar database and any third party having access to an individual’s Aadhaar number. If this link is not broken, then any entity—government or private—would have access to potentially millions of Aadhaar card numbers, opening endless possibilities for data abuse.

The tokenization process allows the authority to arrest any attempts at data abuse. In fact, to make this system of tokens or one-time-ID numbers effective, the law must build in measures to penalize any attempt to recreate an individual’s Aadhaar number from the unique token number. In other words, the service provider is given a token number for authentication, but prohibited from obtaining the Aadhaar number it corresponds to.

Tokenization is an improvement over the status quo, but only in one aspect—making Aadhaar secure. It is imperative that the government pays equal attention to the manner in which all data is collected, stored and disposed of by the authority. There are two facets to be explored here: first, ensuring secure storage of the vast information database, and second, plugging security loopholes that happen at collection by limiting access to the database.

The adoption of appropriate technical safeguards is indispensable to thwart external threats to the Aadhaar database, such as ransomware attacks. Having appropriate security, and having periodic audits to test the adequacy of such security, is indispensable.

Equally, limiting access to the database is crucial for preventing leaks, such as the ones reported in The Tribune. It is important that only a select few individuals have access to the database and that these personnel are properly vetted before being vested with such responsibility.

These various facets of the Aadhaar ecosystem are likely to be further examined in the public in the weeks to come as the Supreme Court gears up to hear the petitions on Aadhaar. Regardless of the verdict, there is an urgent need to improve the safety of the Aadhaar ecosystem and the use of tokenization goes some way towards achieving this objective.

Manasa Venkataraman and Ajay Patri are researchers at the Takshashila Institution, an independent, non-partisan think tank and school of public policy.

For more details visit https://cis-india.org/internet-governance/news/livemint-january-9-2018-manasa-venkataraman-ajay-patri-token-security-or-tokenized-security

Aadhaar-privacy debate: How the 12-digit number went from personal identifier to all pervasive transaction tool

Admin — 2018-01-18T15:01:48Z

Depending on who you ask, the Aadhaar is either a convenience or a curse.

The article was published by First Post on January 18, 2018.

The ongoing hearing in the Supreme Court is testing the constitutional validity of a scheme that has been around in one shape or another since 2003, ever since the need for an identification project was first felt.

By the government's own estimates, the Aadhaar initiative has covered 98 percent of the adult population in India and, as of 7 September, the Unique Identification Authority of India (UIDAI) has generated cards for 105.11 crore people. So, if you are an Indian adult, chances are that you possess an Aadhaar card by now.

The Aadhaar database is one of the largest government databases on the planet, where a 12 digit unique-identity number has been assigned to the majority of the Indian citizens. This database contains both the demographic as well as biometric data of the citizens.

What started as a unique identification number to streamline the distribution of welfare to the needy has now turned into an all-pervasive tool that can arm the government with sensitive data of all Indians. At the heart of this issue is the sheer quantity of data being amassed as part of the scheme and the many privacy and security concerns generated as a result of it.

The Aadhaar of today, in addition to basic personal information, includes biometric data like your fingerprints, your iris scan and now even your facial scans (albeit introduced as a safety feature). This is designed to address the issue of failed biometric authentication, as an alternative for people having difficulty authenticating, due to factors like worn out fingerprints, or changing biometric data due to old age, hard work conditions, accidents and the like.

But what it fails to address is the growing unease among citizens about the scale of the project, its intent, and the actual legality of enabling such an architecture, which could threaten the citizens with the possibility of State surveillance.

The sheer amount of private and confidential data amassed in one singular database has given rise to concerns over data security and its privacy.

However, worst fears about Aadhaar have come true after the developments that have happened over the past few weeks. A recent investigation by The Tribune revealed that the details of any of the billion Aadhaar numbers issued in India were accessible for as little as Rs 500.

Since then, the UIDAI and every other government machinery have been in top gear, trying to allay the fears around Aadhaar. It even introduced a flurry of steps to make sure that the database is safe and secure, and that the data is protected. But not everyone is convinced. Critics say, biometrics only make the citizen transparent to the State and that it does not make the State transparent to citizens.

"We warned the government six years ago, but they ignored us," Sunil Abraham, executive director of Bengaluru-based research organisation, Centre for Internet and Society, was quoted by The Hindu Business Line as saying.

According to him, the legislation implementing Aadhaar has almost no data protection guarantees for citizens. He also believes that by opting for biometrics instead of smart cards the government is using surveillance technology instead of e-governance technology.

On the other hand, finance minister Arun Jaitley said recently that an Aadhaar card could become the sole identifier for a person in future. "A stage may come that the unique identity will become the only card," Jaitley said. "There are many countries where such a situation exists. There is a social security number in America and in India it (Aadhaar) could be the counterpart."

Since its inception, the Aadhaar was always pitched as a scheme integral to the modernisation of social welfare in India.

But, according to a Scroll report, state governments are struggling to use Aadhaar-based fingerprint authentication in ration shops. Whereas, at the same time, a rising number of companies are integrating Aadhaar into their databases for private services that have nothing to do with the welfare delivery system.

So, why is the scheme failing at the very job it was created for, while proving useful to private endeavours elsewhere? Why did the BJP, a dispensation critical of Aadhaar in 2014, make a complete u-turn and become a champion for a cause backed by the UPA in its time? Are the security, privacy concerns a small price to pay for better delivery of welfare schemes or is it an instrument of surveillance and a potential goldmine for hackers?

The debate around Aadhaar and the explanations for its need and/or threats are biased, incomplete and solely depend on who you ask. Therefore, it might do well to trace the roots of the Aadhaar mission and retrace its critical moments.

Origins of Aadhaar

According to the Scroll report, India first fiddled with the idea to assign numbers to people in 2003, in the aftermath of the Kargil war.

With rising security concerns, the then BJP government under Atal Bihari Vajpayee wanted every Indian citizen to be accounted for. This desire eventually took the shape of the National Population Register, that aimed to identify citizens amongst the country's residents.

The Citizenship Act was amended in 2004 by the incumbent Congress government to make way for the National Population Register (NPR).

The second and major push for an identity project was introduced subsequently by the UPA-1 government in late 2008. With welfare spending on the rise, adds the report, bureaucrats in the erstwhile Planning Commission were worried about leakages.

Thus, the idea of constituting an authority that would aggregate all databases of social welfare programmes to create a mother database emerged.

Such a database would "weed out ghosts and duplicates so that a person who gets the LPG subsidy doesn’t also get the kerosene subsidy," Scroll quoted a former UIDAI official as saying, on conditions of anonymity.

Eventually, in 2009, Aadhaar, or UIDAI, surfaced as a 12-digit identification number that served as proof of identity and address — meaning, it applies to all residents whether they are citizens or not, unlike with the NPR. Biometric data was not in the picture at this time.

And then, in 2016, the Centre notified the new Aadhaar Act, which gives the unique identity number assigned to each Indian citizen statutory backing. The idea of this Act was to empower Aadhaar with legal backing for the purpose of transferring subsidies and government benefits to beneficiaries through designated bank accounts.

The government said in a notification that the Aadhaar (Targeted Delivery of Financial and other Subsidies, benefits and services) Act, 2016 will provide “efficient, transparent, and targeted delivery of subsidies, benefits and services, the expenditure for which is incurred from the Consolidated Fund of India, to individuals residing in India through assigning of unique identity numbers to such individuals."

Another interesting aspect of the Aadhaar debate is the politics of it all. The Opposition, BJP back then and UPA now, has shaped much of the debate against the use of Aadhaar. But one thing that stands out in this melee is that many in the current dispensation, who are currently the biggest proponents of the scheme, had once opposed it vehemently.

"The people who thought of themselves as having given birth to IT in this country refused to listen to a common man like me. Even the SC has demanded answers,” Narendra Modi had famously said when he was the Gujarat chief minister. He had alleged that the Aadhaar programme was a bundle of lies to loot the country’s treasury.

In 2014, Modi had tweeted: "On Aadhaar, neither the team that I met nor PM could answer my Qs on security threat it can pose. There is no vision, only political gimmick."

So, how was it that one of Aadhaar's most vehement opponents became its biggest proponent?

According to a report in The Hindu Business Line, the destiny of the Aadhaar scheme was shaped by two meetings – between Nilekani and Modi with Jaitley, and the second with Vijay Madan, the UIDAI director general and mission director.

Through the course of these meetings, the potential savings from plugging subsidy leakageswas put across to Modi, a figure of "up to ₹50,000 crore a year".

Modi in his keenness to showcase the arrival of "acche din", the report adds, immediately sought a 100-crore enrolment target at the ‘earliest’, putting paid to speculations that the new government would shelve the UIDAI project.

Thus, the current Aadhaar project was born.

Inclusion of biometric data

Although an extension of UPA's idea, the new Aadhaar act had some crucial differences:

- As per the new Act, "any person who has resided in India for 182 days (in the one year preceding the application for Aadhaar)". The UPA's Bill said any person residing in India.

- Further, the new Act says that the number can be used to verify the identity of any person, for any purpose, by any public or private entity. In the UPA's Bill, no such provision was there.

- The new Act stipulated all these identity facets to be maintained: photograph, biometric information (iris scan and fingerprint), demographic information (name, date of birth, address but excludes race, religion, caste, etc.), and Aadhaar number. The authority may specify any other biological and demographic information to be collected.

Data security debate

Over the last one year, there have been multiple instances of Aadhaar data leaking online through government websites or its mobile app. The most recent case was when an RTI query pushed UIDAI to reveal that about 210 government websites made the Aadhaar details of people with Aadhaar, public on the internet.

Centre for Internet and Society (CIS) also pointed out that about 130 million Aadhar numbers along with other sensitive data were available on the internet.

The recent Tribune report has only highlighted the deeper, infrastructural fallibility of singular mega-database of sensitive data.

As per this Firstpost piece, the UIDAI's response to such an obvious data breach and violation of privacy is extremely worrying. It is yet another reiteration of the privacy concerns with Aadhaar, and the constant denial of privacy concerns by the UIDAI instead of sitting up and addressing the problem at hand.

The large-scale collection of data and the binding of said data with almost all services raises a pertinent question: Is the government capable of safeguarding the massive amounts of data collected as part of the Aadhaar project? The answer, again, depends on who you ask.

Concerns over privacy

Apart from the security concerns, Aadhaar has brought up a question of the citizen's privacy, given that access to such sensitive data empowers the government to keep a close scrutiny of a person's financial, personal information.

The Supreme Court had held recently that privacy is a fundamental right under the Constitution with reasonable restrictions. This decision is bound to impact the Aadhaar project in one way or another, as collectively biometric data of citizens can be construed as a violation of said right.

The Supreme Court started hearing the crucial cases related to the constitutional validity of Aadhaar on Wednesday. A five-judge bench heard the arguments of the petitioner, maintaining that the government's mandatory biometric identification project is, in essence, seeking to change a people's Constitution into State's Constitution.

The petitioners made submissions ranging from the Standing Committee's observations, to the precedents as adopted by other nations to pointing out basic moral and administrative defects in amassing biometric data of citizens on such a large scale, perhaps trying to patiently drive the point that the Aadhaar project can never be safely assumed to be leakproof, hence safe, ergo, legal.

The petitioner also argued that Aadhaar could lead to millions of people being denied access to essential services and benefits in violation of their human rights, as he pointed out that biometric details of almost 6.2 crore people have been rejected, mainly due to calloused hands and fingertips, wherein biometric data could not be recorded.

"These are not dishonest people or ghosts," he said. Even the Standing Committee report on Aadhaar points out: "..it has been proven again and again that in the Indian environment, the failure to enrol with fingerprints is as high as 15 percent due to the prevalence of a huge population dependent on manual labour. These are essentially the poor and marginalised sections of the society. So, while the poor do indeed need identity proofs, Aadhaar is not the right way to do that"

In December 2017, the court had extended the deadline for mandatory linking of Aadhaar with various services and welfare schemes till 31 March, 2018. It had also modified its earlier order with regard to linking Aadhaar with mobile services and said the deadline of 6 February, 2018 for this purpose also stood extended till 31 March.

Right to Privacy and its effect on Aadhaar

In August 2017, the Supreme Court in a unanimous 9:0 judgment had declared the Right to Privacy to be a Fundamental Right. It was hailed as a big victory for pro-privacy advocates who could now point to the Constitutional Bench judgment should the right ever be questioned.

However, the judgment only established the theoretical Right to Privacy. It removed the earlier hurdles of the cases of MP Sharma and Kharak Singh which had held Right to Privacy not to be a Fundamental Right. However, the actual freedoms protected by the Right had to be enshrined into in separate judgments.

As far Aadhaar is concerned, the judgment did not invalidate it in any way. However, it did give a boost to anti-Aadhaar arguments which rely on privacy as now the government can no longer say that there is no Right to Privacy.

With 1.08 billion citizens already enrolled, the ‘mandatory vs. voluntary’ debate on Aadhaar is now mostly a thing of the past. What remains to be seen now is how the Supreme Court will rule on the constitutional validity of the Aadhaar and if the government will be willing to reform/modify the current scheme to allay fears over data security and privacy in order to retailer the project to meet its original goal, the timely and secure delivery of welfare to those who need it.

With inputs from agencies

For more details visit https://cis-india.org/internet-governance/news/first-post-january-18-2018-aadhaar-privacy-debate-how-the-12-digit-number-went-from-personal-identifier-to-all-pervasive-transaction-tool

Aadhaar's new security measures are good, it is still work in progress

Admin — 2018-01-26T01:52:51Z

Here's a rundown of the three new features that the UIDAI will introduce to make Aadhaar seemingly more secure.

The article by Alnoor Peermohamed was published in Business Standard on January 25, 2018.

While public pressure over the security of Aadhaar might have forced the Unique Identification Authority of India (UIDAI) to introduce new features such as face authentication, virtual ID and limited KYC, experts who have worked on the system say such updates are incremental and need to keep happening.

Be it Google, Facebook or Aadhaar, a digital system serving billions of people needs to remain secure for which it continually has to evolve, sometimes adapting to issues that are found. The three new features will certainly help improve security, but many questions still remain over how the UIDAI will tackle the recently highlighted issue of rogue Aadhaar agents.

An article in the Tribune newspaper which claimed that Aadhaar information of individuals was on sale for as little as Rs 500, sparked off the biggest security scare against the digital identity keeper in a while. Even though the UIDAI asserted that its systems had not been breached, proof that Aadhaar details of an individual could be bought had been delivered. The agency has also not inspired confidence among public and security researchers with the way it has responded to Aadhaar data that has been put in public domain in violation of privacy of individuals.

"As an economy and an ecosystem, we have to understand that there is no such thing as a 100 percent secure system. When it was on paper it was not secure and now that it is digital, it is not a 100 percent secure. Security gaps may exist, but those should not cause large-scale theft of people's identity or cause significant damage. It's an arms race and this means that Aadhaar has to improve constantly," says Lalitesh Katragadda, former head of Google's product centre in India who has helped build Aadhaar.

Here's a rundown of the three new features that the UIDAI will introduce to make Aadhaar seemingly more secure:

Face Auth

Face Authentication or 'Face Auth' is an additional biometric that the UIDAI will roll out in order to cut down on the number of failed attempts which is increasingly being highlighted as an issue. By matching a user's face, captured through a camera at the time of authentication to the image of their face which was taken at the time of Aadhaar enrolment, the identity of an individual can be more accurately verified.

Facial recognition in the consumer landscape has once again been popularised by Apple's latest iPhone X device that uses an array of sensors and infrared light to map a person's face in three dimensions. The company claims this is more accurate than its previous fingerprint-based TouchID technology, but this isn't the case with UIDAI's facial recognition technology.

The UIDAI will utilise webcams and low-end hardware to enable Face Auth and therefore the conscious decision to use a person's face in conjunction to another layer of authentication - fingerprint, iris scan or a one-time password sent to the user's registered mobile device was taken.

How exactly applications built on Aadhaar will utilise this new Face Auth feature is not known yet, and neither are the technical specifications. Srikanth Nadhamuni, the former Chief Technology Officer of Aadhaar, envisions a scenario where a farmer using Aadhaar to get his PDS witnesses a failure to authenticate using his fingerprint, prompting the application to capture his photo and check whether it matches with the existing photo on the UIDAI's database.

Activists, however, point out that it's far easier to fake facial recognition software, which in some cases get fooled into giving out positives by simply holding photos of the user in front of a camera. "At the end of the day your face is again biometric, and that comes with the same host of issues that are plaguing the other biometrics that has so far been used," says Sunil Abraham, Executive at Bengaluru-based think tank Centre for Internet and Society (CIS).

Virtual ID

As its name suggests, Virtual ID gives users a stand-in for their 12-digit Aadhaar number if they're worried that it will be stolen, leaked online or misused in any way. Any Aadhaar user will be able to log into an online portal, visit an Aadhaar enrollment centre or use the mAadhaar app to generate a 16-digit Virtual ID.

By virtue, the UIDAI has built the Virtual ID to be temporary and a user can ask for any number of Virtual IDs - when a new one is generated, the old one is destroyed and can even be assigned to another user. The key here is that only the UIDAI will be able to make the link to a Virtual ID and Aadhaar number and no-one else.

After years of arguing that leaking of the Aadhaar number itself wasn't an issue, the UIDAI is finally giving users a tool that allows them to keep their Aadhaar number private. While Abraham agrees that the feature will make Aadhaar safer, he says its effectiveness will only be valid if a user opts in as it has not been made a feature by design.

Nadhamuni argues on the contrary, that making Virtual ID a mandatory process would hurt more people than it helps. "A lot of people in rural India are using their Aadhaar for authentication of PDS and MNREGA and so on and it's working for them.

You don't want to confuse all of them and ask them to create yet another number. You'd have to make a farmer understand the concept of Virtual ID when he's completely happy with the way things are today," he says.

Limited KYC

The process of KYC (Know Your Customer) through Aadhaar has all along given public bodies and private companies access to a user's details such as name, age, sex, address and photograph. With limited KYC, the UIDAI will categorise a body seeking aadhaar details into two buckets, ones that get the full information and ones with whom only partial information is shared.

Realising that not all bodies or companies need all the Aadhaar details, is the biggest change that Limited KYC will bring in. The idea is that the fewer places a person's Aadhaar details are stored, the fewer chances of it leaking. Moreover, by giving only critical services full Aadhaar details the UIDAI is hoping it will eliminate its problem of having to share details with less secure systems.

Limited KYC will also bring in a tokenized system for agencies to ensure uniqueness while not storing a user's Aadhaar number on their databases. A 72 digit alphanumeric UID Token will be generated at the time of authentication which only UIDAI will be able to map back to a particular Aadhaar number. However, there isn't clarity on who will be exempt from this as there is word that banks and tax authorities will be allowed to store user Aadhaar numbers.

The UID Tokens will also be backdated, meaning all previous KYC attempts a user had made with a particular body or company will also be migrated to the new system, ensuring that if two databases leak, the perpetrators are not able to easily use Aadhaar numbers to match users and improve the quality of the data they've stolen. Some details on this are still missing though.

Security: Work in Progress

Experts who worked on building Aadhaar say that such features were discussed during the very inception of the national biometric database, but were not rolled out until now to avoid complexity. Katragadda, who has worked on building many large APIs at Google agrees that all large systems avoid complexity during the kickoff and add them based on needs of users later.

Like him, both Nadhamuni and even Abraham agree that the new features will make Aadhaar more secure, while the latter had his reservations on how secure it would be which only the fine print would reveal. The experts also agree that the public discourse which Aadhaar security has taken is a good thing, since the digital security of over a billion people is now public discussion.

"Security breaches are like earthquakes. It's better to have many tiny tremors than be oblivious to gaps in our system and lose everything with that one massive earthquake. So it's better to have our ears close to the ground, have ethical hacking competitions where we ask people to hack the Aadhaar system, find gaps in security. The best APIs in the world do this," says Katragadda.

He adds that India should not be scared to build large digital systems for public good in the fear that there will be security breaches. Even the paper based system before Aadhaar had several security lapses, but were not visible. "Otherwise we need to have this holy grail of a system which is perfectly automated and we're at least 20 years away from full robotics," he adds.

For more details visit https://cis-india.org/internet-governance/news/business-standard-january-25-2018-alnoor-peermohamed-aadhaars-new-security-measures-are-good-it-is-still-work-in-progress

After Supreme Court Setback, Fintech Firms Await Clarity On Aadhaar

Admin — 2018-10-01T23:39:42Z

The 12-digit Aadhaar number is now out of bounds for fintech companies in India.

The article by Nishant Sharma was published in Bloomberg Quint on September 27, 2018. Pranesh Prakash was quoted.

Video

With the Supreme Court on Wednesday terming Aadhaar authentication by private companies as “unconstitutional”, companies such as online wallets and e-tailers, among others, will now have to make changes to how they onboard and verify customers, in addition to how they transact.

In a 567-page majority judgment authored by Justice Sikri and concurred upon by two other judges—Chief Justice Dipak Misra and Justice AM Khanwilkar—it said that Section 57 of the Aadhaar Act, which allows private companies to use Aadhaar for authentication services based on a contract between the corporate and an individual, would enable commercial exploitation of private data and hence is unconstitutional.

“What it essentially means is that the private bodies, such as lending platforms, wallets, or any private entity, cannot use Aadhaar for authentication,” said Anirudh Rastogi founder at Ikigai Law (formerly TRA), a law firm that specialises in representing businesses on data privacy.

The decision is set to impact private companies right from Flipkart-owned PhonePe, Paytm, Reliance Jio and Amazon, among others, which rely on Aadhaar for e-verification. Amazon recently launched cardless equated monthly installments on Amazon Pay through the digital finance platform Capital Float and asked customers to provide Aadhaar numbers or virtual ID and PAN details on the Amazon app for verification.

'Aadhaar Is Just Another ID'

Pranesh Prakash, fellow, Centre for Internet and Society, said that with this judgment Aadhaar is no longer an identity infrastructure as its creators have dreamt of. “It is now just another ID.”

For those opposed to Aadhaar, on privacy and security grounds, this may be a part victory. But for the Fintech industry it stymies the use of quick Aadhaar-based e-KYC (know your customer norms) to onboard customers. “The fintech industry thrives on the instant paperless mantra, and this move will curb its rapid growth, ” Amrish Rau, co-founder of PayU, said in a text message.

The verdict is also set to push up costs for the industry. Rau said: “Conducting physical KYC would be a costly affair, with every physical KYC costing about Rs 100 per person.”

Companies like PhonePe await more clarity. “We are waiting to hear from bodies like the Reserve Bank of India, UIDAI on what KYC that will be required for wallets moving ahead," Sameer Nigam, cofounder of PhonePe, said. "Whether we go to no KYC, lower limit environment or go to the physical KYC environment."

The judgment also stated that the identification number will not be mandatory for opening bank accounts, mobile-phone connections or for admissions into educational institutions. However, Aadhaar will continue to be mandatory for the distribution of state-sponsored welfare schemes including direct benefit transfers and the public distribution system. Taxpayers will have to link their Permanent Account Numbers to the biometric database.

Aadhaar-Based KYC: Allowed With Consent?

The Supreme Court has concluded that the part of section 57 which enables body corporate and individuals also to seek authentication, that too on the basis of a contract between the individual and such body corporate or person, would impinge upon the right to privacy of such individuals.

Prasanna S, a Supreme Court advocate and lawyer for one of the petitioners in the Aadhaar matter interpreted it to mean that even if a customer voluntarily wants to use Aadhaar for e-KYC, businesses cannot accept it.

They have struck down the part of Section 57 that allows use of Aadhaar based on a contract. A contract, by nature is voluntary, But since the court has struck down this part, even voluntary use won’t be permitted.

Prasanna S, Advocate, Supreme Court

Jaitley Hints At Legal Backing

Meanwhile, Finance Minister Arun Jaitley on Wednesday hinted that the Centre is likely to examine whether separate legal backing is needed for Section 57 of the Aadhaar Act, the newswire PTI reported. “So, let us first read the judgement. There are two-three prohibited areas. Are they because they are totally prohibited or are they because they need legal backing,” Jaitley was quoted as saying.

Rastogi of Ikigai Law said that the court has left open for the government to promulgate a law to enable private parties to use Aadhaar that can withstand judicial scrutiny.

Rahul Matthan, a technology partner at law firm Trilegal differed with this view. He said that since the apex court has ruled that private entities cannot access the Aadhaar infrastructure, it means that even if the government brings a specific law to allow for that, it would be unconstitutional.

Prasanna agreed with this interpretation.

The court has hinted that commercial exploitation of personal information will fail the proportionality test laid down by it in the Right to Privacy judgment. This is one of the grounds for them to conclude that Section 57 is unconstitutional. So even a law is introduced, private access will be impermissible.

Prasanna S, Advocate, Supreme Court

Are Aadhaar-Based KYCs Tainted?

Since the use of Aadhaar by private entities has been struck down, does it mean entities who have used it for KYC so far have to re-do that exercise? And data that was collected as part of Aadhaar-based KYC- does that need to be deleted?

The majority order hasn’t specifically addressed these questions, Matthan pointed out. But went on to explain that his reading of the judgment is that the court wants things to remain as they are.

The Supreme Court has said that collection of data before the Aadhaar Act was introduced is valid. If you follow that sentiment, may be we can argue that there’s no requirement to delete the data.

Rahul Matthan, Partner, Trilegal

Whatever has been done without the authority of law has to go, Prasanna said. But this outcome may not be practical and another hearing before the Supreme Court may be required to clear these questions, he added.

Private entities such as the online cab aggregator Ola have already removed eKYC from its e-wallet when BloombergQuint last checked. Others may follow suit.

For more details visit https://cis-india.org/internet-governance/news/bloomberg-quint-nishant-sharma-september-27-2018-after-sc-setback-fintech-firms-await-clarity-on-aadhaar

Clarification on the Information Security Practices of Aadhaar Report

Amber Sinha and Srinivas Kodali — 2018-11-05T12:08:06Z

We are issuing a second clarificatory statement on our report titled “Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar numbers with sensitive personal financial information” published on May 1, 2017.

The report concerned can be accessed here, and the first clarificatory statement (dated May 16, 2017) can be accessed here.

This clarificatory statement is being issued in response to reports that misrepresent our research. In light of repeated questions we have received, which seem to emanate from a misunderstanding of our report, we would like to make the following clarifications.

Our research involved documentation and taking illustrative screenshots (included in our report) of public webpages on the four government websites listed in our report. These screenshots were taken to demonstrate that the vulnerability existed.
The figure of 130-135 million Aadhaar Numbers quoted in our Report are, as clearly stated, derived directly by adding the aggregate numbers (of beneficiaries/individuals whose data were listed in the three government websites concerned) and published by the portals themselves in the MIS reports publicly available on the portals. The numbers are as follows:
- 10,97,60,343 from NREGA,
- 63,95,317 from NSAP, and
- 2,05,60,896 from Chandranna Bima (screenshots included in the report).
We did not arrive at this number by downloading data ourselves but by adding the figures on the government websites. To our knowledge, no harm, financial or otherwise has been caused to anyone due to the public availability. Further, it must be noted that we published the report only after ascertaining that the websites in questions had masked or removed the data. Therefore our report only points to the possibility that there could be harm caused by malicious actors before the data was taken down. However, we are not aware of any such cases of exploitation, nor do we suggest so anywhere in our report.

We sincerely hope that this clarification helps with a clearer comprehension of the argument and implications of the said report. We urge those who are using our report in their research to reach out to us to prevent the future misinterpretation of the report.

— Amber Sinha and Srinivas Kodali

For more details visit https://cis-india.org/internet-governance/blog/clarification-on-the-information-security-practices-of-aadhaar-report

Registering for Aadhaar in 2019

sunil — 2019-01-03T14:59:04Z

It is a lot less scary registering for Aadhaar in 2019 than it was in 2010, given how the authentication modalities have since evolved.

The article was published in Business Standard on January 2, 2019.

Last November, a global committee of lawmakers from nine countries the UK, Canada, Ireland, Brazil, Argentina, Singapore, Belgium, France and Latvia summoned Mark Zuckerberg to what they called an “international grand committee” in London. Mr. Zuckerberg was too spooked to show up, but Ashkan Soltani, former CTO of the FTC was among those who testified against Facebook. He said “in the US, a lot of the reticence to pass strong policy has been about killing the golden goose” referring to the innovative technology sector. Mr. Soltani went on to argue that “smart legislation will incentivise innovation”. This could be done either intentionally or unintentionally by governments. For example, a poorly thought through blocking of pornography can result in innovative censorship circumvention technologies. On other occasions, this can happen intentionally. I hope to use my inaugural column in these pages to provide an Indian example of such intentional regulatory innovation.

Eight years ago, almost to this date, my colleague Elonnai Hickok wrote an open letter to the Parliamentary Finance Committee on what was then called the UID or Unique Identity. She compared Aadhaar to the digital identity project started by the National Democratic Alliance (NDA) government in 2001. Like the Vajpayee administration which was working in response to the Kargil War, she advocated a decentralised authentication architecture using smart cards based on public key cryptography. Last year, even before the five-judge constitutional bench struck down Section 57 of the Aadhaar Act, the UIDAI preemptively responded to this regulatory development by launching offline Aadhaar cards. This was to be expected especially since from the A.P. Shah Committee report, the Puttaswamy Judgment, the B.N. Srikrishna Committee consultation paper, report and bill, the principle of “privacy by design” was emerging as a key Indian regulatory principle in the domain of data protection.

The introduction of the offline Aadhaar mechanism eliminates the need for biometrics during authentication. I have previously provided 11 reasons why biometrics is inappropriate technology for e-governance applications by democratic governments, and this comes as a massive relief for both human rights activists and security researchers. Second, it decentralises authentication, meaning that there is a no longer a central database that holds a 360-degree view of all incidents of identification and authentication. Third, it dramatically reduces the attack surface for Aadhaar numbers, since only the last four digits remain unmasked on the card. Each data controller using Aadhaar will have to generate his/her own series of unique identifiers to distinguish between residents. If those databases leak or get breached, it won’t tarnish the credibility of Aadhaar or the UIDAI to the same degree. Fourth, it increases the probability of attribution in case a data breach were to occur; if the breached or leaked data contains identifiers issued by a particular data controller, it would become easier to hold them accountable and liable for the associated harms. Fifth, unlike the previous iteration of the Aadhaar “card”, on which the QR code was easy to forge and alter, this mechanism provides for integrity and tamper detection because the demographic information contained within the QR code is digitally signed by the UIDAI. Finally, it retains the earlier benefit of being very cheap to issue, unlike smart cards.

Thanks to the UIDAI, the private sector is also being forced to implement privacy by design. Previously, since everyone was responsible for protecting Aadhaar numbers, nobody was. Data controllers would gladly share the Aadhaar number with their contractors, that is, data processors, since nobody could be held responsible. Now, since their own unique identifiers could be used to trace liability back to them, data controllers will start using tokenisation when they outsource any work that involves processing of the collected data. Skin in the game immediately breeds more responsible behaviour in the ecosystem.

The fintech sector has been rightfully complaining about regulatory and technological uncertainty from last year’s developments. This should be addressed by developing open standards and free software to allow for rapid yet secure implementation of these changes. The QR code standard itself should be an open standard developed by the UIDAI using some of the best practices common to international standard setting organisations like the World Wide Web Consortium, Internet Engineers Task Force and the Institute of Electrical and Electronics Engineers. While the UIDAI might still choose to take the final decision when it comes to various technological choices, it should allow stakeholders to make contributions through comments, mailing lists, wikis and face-to-face meetings. Once a standard has been approved, a reference implementation must be developed by the UIDAI under liberal licences, like the BSD licence that allows for both free software and proprietary software derivative works. For example, a software that can read the QR code as well as send and receive the OTP to authenticate the resident. This would ensure that smaller fintech companies with limited resources can develop secure systems.

Since Justice Dhananjaya Y. Chandrachud’s excellent dissent had no other takers on the bench, holdouts like me must finally register for an Aadhaar number since we cannot delay filing taxes any further. While I would still have preferred a physical digital artefact like a smart card (built on an open standard), I must say it is a lot less scary registering for Aadhaar in 2019 than it was in 2010, given how the authentication modalities have since evolved.

For more details visit https://cis-india.org/internet-governance/blog/business-standard-january-2-2019-registering-for-aadhaar-in-2019

Atmanirbhar Bharat Meets Digital India: An Evaluation of COVID-19 Relief for Migrants

ankan — 2021-06-03T12:53:57Z

With the onset of the national lockdown on 24th March 2020 in response to the outbreak of COVID-19, the fate of millions of migrant workers was left uncertain. In addition, lack of enumeration and registration of migrant workers became a major obstacle for all State Governments and the Central Government to channelize relief and welfare measures.

A majority of workers were dependent on relief provided by NGOs, Civil Society Organizations and individuals or credit via kinship networks. With mounting domestic and international pressures, various relief and welfare schemes were rolled out but they were too little, too late and more often than not characterised by poor implementation.

The aim of this report is to qualitatively assess health conditions of migrant workers and access to welfare during the first COVID-19 lockdown. The primary focus is on the host states of Tamil Nadu, Maharashtra and Haryana. 20 in-depth interviews were conducted remotely with migrant workers working in various sectors. Their access to welfare schemes of the Central Government as well as of their host states was ascertained. Emphasis was also laid on their access to healthcare facilities in relation to COVID-19 and non-COVID-19 ailments.

The findings of the report showcase a dismal state of affairs. No one in our sample group received any kind of dry ration or cooked food in a sustained manner and, in the rare occasions when they did, it was woefully inadequate. Of the three states considered, we found that relief distribution was the best in Tamil Nadu followed by Maharashtra and then Haryana. Even the Direct Cash Transfer Scheme of the Central Government under ‘Atmanirbhar Bharat’ did not reach the migrant workers. Moreover, the migrant workers were apprehensive to report any COVID-19 related symptom due to the draconian treatment that followed therein and the crumbling healthcare sector made it impossible to avail facilities in non-COVID-19 related issues. Lastly, a case has been made for the creation of bottom-level infrastructures to further dialogue between various stakeholders, including associations of migrant workers, for the implementation of schemes and policies which can consolidate migrant workers as a relevant political subject. As migrant workers reel from the impact of the second wave, pushing for on-ground infrastructure and supporting community-based organisations becomes even more urgent.

Click here to read the report authored by Ankan Barman and edited by Ayush Rathi. [PDF, 882 kb]

For more details visit https://cis-india.org/raw/migrant-workers-solidarity-network-and-cis-ankan-barman-atmanirbhar-bharat-meets-digital-india-an-evaluation-of-covid-19-relief-for-migrants

Live Chat: Aadhaar: An identity crisis?

praskrishna — 2015-04-03T06:54:25Z

The Aadhaar card is not compulsory for citizens and "no person should be denied any benefits or ‘suffer’ for not having the Aadhaar cards issued by Unique Identification Authority of India," the Supreme Court ruled on Monday.

The live chat was published in the Hindu on March 17, 2015. Sunil Abraham took part in the discussions.

Four years after Aadhaar was launched – and touted as a panacea to access social services and subsidies – its users continue to be dogged by an array of problems ranging from technical glitches to procedural delays. And those who do not have an Aadhaar card find themselves quizzed by government authorities.

The Hindu’s Tamil Nadu edition today highlighted the challenges ordinary citizens - both those who have cards and those who do not – face, be it from non-availability of application forms or glitches in the biometrics process.

We will be hosting a live chat on Aadhaar at 5 pm today. You can pose questions and share your views with Sunil Abraham, Executive Director of Bangalore-based research organisation, Centre for Internet and Society; K. Gopinath, Professor at the Computer Science and Automation Department at the Indian Institute of Science (IISc) and The Hindu’s K. Venkatraman.

Comment From Anon

What could have happened such that the current government, who were once in the opposition, were members of the parliamentary committee that strongly opposed UIDAI, now suddenly wants to use it everywhere? What could have transpired such that the PM got so convinced that it would help its citizens more than it could potentially harm?

Sunil Abraham: Usually the party that is in power is pro-surveillance and anti-censorship and the opposition is pro-privacy and pro-free speech. After the elections - if the parties swap positions as a result of the mandate - then they usually also swap positions on surveillance and censorship. This phenomenon is not specific to India.

K. Gopinath: The leakage in the current models is very high. Hence, the attraction.

The issue earlier was whether there was some costs to the use of sw (esp. proprietary) from outside the country. Probably, these have been addressed.

Comment From Saurabh

Aadhaar was supposed to be a good 2 factor authentication mechanism, what happens to it now ?

Sunil Abraham: Aadhaar architecture was designed to allow for multiple authentication factors. Unfortunately biometrics is a poor authentication factor since it cannot be revoked. Any two-factor authentication scheme where one factor is biometrics is in reality only a one-factor scheme. Pin code as with credit cards and debit cards would have been much more secure for authentication.

K Venkataramanan: It will continue to be relevant, but is unlikely to be mandatory for quite some time.

K. Gopinath: Real-time 2-factor auth (biometrics, signatures) are not easy, esp over Internet, and would require a much longer rollout

Comment From Saurabh

I did not get Aadhar for myself or my family. Does this mean, I will not have to as yet.

Sunil Abraham: As per the UIDAI - Aadhaar is not mandatory. Also according to the latest remarks from the Supreme Court - Aadhaar should not be made mandatory without enabling law. But many state and central government agencies have ignored the comments made by the SC and have made Aadhaar mandatory for various programmes and schemes.

The Hindu: Is Aadhaar virtually redundant now following the SC order? Nothing more than an expensive experiment?

K. Gopinath: I think it will be used as an addl auth mechanism (just like elec./ph. receipts). May be once the technology is demo'ed properly (it has not been done seriously anywhere else), it will be taken up again.

Comment From Abubacker

I am an NRI and need to have Aadhaar Card? How to obtain Appointmet - I am from Tuticorin, Tamil Nadu

K Venkataramanan: Your family member or representative living in Tuticorin may apply for Aadhaar through the local body. It may be possible to get a date for recording biometrics. However, you have to come down here for recording biometric details.

Comment From Kishore J

Why is Govt. not able to legalize the Aadhar, I'm assuming the only reason Supreme court keeps blocking it is because its not a law passed by Parliament ?

K. Gopinath: SC goes by the constitution. If there is some concern someone is being "excluded", they will block it.

Sunil Abraham: The NIA bill was proposed in parliament and then referred to a Standing Committee. Our summary and detailed feedback to the Bill is available here: http://cis-india.org/intern... The Standing Committee harshly criticized the Bill. See: http://164.100.47.134/lsscommittee/Finance/42%20Report.pdf After which the Bill has not been reworked by the UIDAI or the Planning Commission /Niti Aayog for re-presentation to the Parliament.

Sunil Abraham: No - it is not just an expensive experiment. It is much more dangerous - it is what security experts call a Honey Pot. A centralized repository of biometrics harvested from residents of India. These biometrics can be used to authenticate transactions in the UIDAI database and other services. If there is a breach - then this huge collection of authentication factors will end us in the hands of criminal elements or some foreign state.

Comment From vaz

Aadhar is a joke, i have so many IDs and i cannot get any benefits out of it, it is simply wasting time, if Govt really want mandate make it easy for people, i pay taxes and Govt should treat me like one , i can not waste my time standing in queues to get that card, get me time slot and don't waste my time.

Sunil Abraham: This is because the process of registration has been outsourced to private agencies. These private agencies have futher outsourced to others and so on and so forth. Consequently, there is very poor management and quality control by these agencies. If indeed corruption was a priority - we should have tackled high-ticket corruption first. We could have had biometric registration just for only the politicians and bureaucrats. We could use biometric authentication with them to create a non-repudiable audit trail of subsidies flowing from the Centre to the Panchayat. Unfortunately, we tried to register everybody simultaneously and that has resulted in poor quality of biometrics and demographic data. We have visited some of the registration centre and have seen the reality on the ground.

Comment From Guest

I have been threatened by Gas Agency people if i don't link Aadhar to Bank Account, won't be given a refilling cylinder.Is this a right one?

K Venkataramanan: There is an option for getting DBT even without Aadhaar. The bank account and the gas agency consumer account can be linked without Aadhar. Please check www.mylpg.in for knowing how to apply for DBT registration without Aadhaar

The Hindu: Your views Prof Gopinath? Do you see it as a biometrics Honey Pot too?

K. Gopinath: From a security pov, it is certainly risky. It needs really robust technologies before one can think of rolling out. For example, we have "denial of service" attacks. ie, a service can be shut out by random bombardment of msgs. Most curr large scale systems are designed to handle it but some cannot handle it if large numbers collude. This only prevents access to service but other attacks can exfiltrate (take out) data, modify data, etc.

The Hindu: And Mr. Venkataramanan, your thoughts?

Comment From kuldeep singh chauhan

We need a strong law for data security. Aadhar is collecting data but there is no provision except some provisions of IT Act and IPC for data security.

K. Gopinath: Yes, the legislation is weak or unnecessarily vague (eg. the IT2000 act) or too broad in scope. I think what we need is a citizen's charter for data access, security and privacy. Also, what needs to be done when systems do not work!

Sunil Abraham: There are two interpretations of Sec. 43A of the IT Act. Acccording to most experts it only applies to Body Corporates in other words it does not apply to the Government when it plays the role of a data controller. According to an order issued by the IT Secy of Maharastra [the court of first instance for 43A of ITA] -this section will also apply to the Government. But beyond that order we have no clarity on this question.

Comment From Pavan

With no privacy laws, isn't it a bad idea to store citizen's data in a database? We all know how inept our government is in ensuring any security/privacy.

Sunil Abraham: With or without laws. Centralized approaches to identity/authentication management are much more fragile and vulnerable compared to decentralized options. The Internet is secured by digital signatures - there is no centralized repository of all these signatures. Therefore there is no centralized point of failure for the Internet. If the Aadhaar project was based on Smart Cards instead of Biometrics - then just like the Internet it would be robust without a central point of failure. http://cis-india.org/intern...

K. Gopinath: Storing all info in a single place is a big security risk. It needs very robust technologies (such as replication and "secret sharing protocols") that work inspite of failures. These have been done here and there but doing it on a large scale requires care.

Comment From Kunal Soni

SC Adhar card recommendations, ok Got it! But what about the banks for example SBI who ask for adhar cards stating its the bank's rule? Who's going to answer the question as they would never listen to common man and they never did.

Comment From Sandeep

Hi,May be it is a strong message, but what exactly is the need to make/introduce the Adhaar card, which is not recognizable worldwide? Why dont we make our passport smart enough and reduce it to a chip as in Europe. This will also enable everyone to get enrolled in our administrative system. Basically, we are only repeating the entire process with no international recognition.

Comment From Krishna Rao

Need to make it mandatory in the lines of SSN in US. Else it would be very difficult to manage and ensure the subsidies and benefits reach the really deserved section.

Comment From Ramesh

It is a great concept it all information like property purchases, tax returns, ration card, pf, esi, bank accounts , rail, air tickets are all linked. will reduce corrupt practice considerably. It should be the main identity of an Indian

Comment From arun

@Sunil what are the privacy safeguards that are in place currently regarding protection of information collected by the government and private agencies designated for this?

Sunil Abraham: Do you mean legal or technical?

K Venkataramanan: @The Hindu: Yes, there are serious privacy issues involved in a centralised database. However, their is a counter-view that this is no different from any other data base available in the hands of the government such as the one relating to PAN. The main concern of those worried about the privacy problem in Aadhaar is that data collection is done by private agencies, and details such as biometric data could be misused

The Hindu: Sunil, a question for you from arun

Comment From Pawan

Govt should give it legal recognition and give legal guarantee about the usage and storage of the data... After that there would be no concern related to identity security or enforcing it on the people.. People would trust it and come forward to register for it.

Sunil Abraham: Legal recognition and guarantees are not sufficient. You cannot use the law to fix poor technology design. The security of the Internet is not a function of good law. It is a function of good technological design.

Comment From Pappan

the so called Europe, US an other developed countries already have Social security numbers, why cant we just look at it like that?

Sunil Abraham: Social Security Number are an additional identifier. The database just contains a collection of identifiers. If that database is compromised the information cannot be used to authenticate transactions. This is very unlike the UIDAI centralized database which is a collection of authentication factors. Think of it as a database filled with the passwords of all Indian residents.

K Venkataramanan: @Kunal Soni - SBI can't insist on it as of now. The person who issued any circular to that effect may be hauled up in court

Comment From Guest

I have two questions. First, why is the honourable supreme court strking down aadhar, on what grounds? Second, how can the government come around those objections and allay the courts fears/objections? The informed panelists may please give their opinions too. Thank you

Sunil Abraham: There are 3 sets of petitioners who are being heard by the SC in the combined case. Some of them associated with the right are arguing that the UID is a threat to national security as it legitimizes illegal immigrants. Those associated with the left are arguing that it is a violation of the right to privacy. Still other who are ex-officers from the armed forces are arguing that the project is mired in corrupt practices.

K Venkataramanan: The Court has not struck down Aadhaar. It has only passed interim orders protecting the access to services of those who have not yet had them.

Comment From Aashish Gupta

Aadhaar was supposed to usher in portability of benefits. That is, you could migrate to a different state and still get the benefit you deserved.

Sunil Abraham: The Aadhaar database only contains information that identifies you and also allow you to authenticate against that database. It does not indicate eligibility for various schemes/subsidies. The migration across State level eligibility lists has to be done by the State. It is not a functionality provided by the UIDAI.

Comment From Ramesh

Supreme Court should have suggested a better option instead of coming down heavily on the Aadhar Card. The card will straight eliminate multiple rations cards and voter ids.

Sunil Abraham: The previous technology adopted by the NDA government - smart cards or SCOSTA [for the MNIC]. This technology option is free from many of the flaws of UIDAI's current design.

Comment From Mrigesh

Why is Aadhaar needed? I am for a middle class or for the elite class?

Comment From Geetha

Has the government (or concerned agencies/departments) formulated any policy on using the Aadhar information collected? For instance, what agency can use the information, under what conditions, with whose approval, for what limited purposes? Is this policy publicly available?

Sunil Abraham: No. Anyone who is approved by the UIDAI as a legitimate can use the KYC API. Absolutely anyone can use the Authentication API. There is no policy on what data collection/retention practices must be adhered to by the users of both these APIs.

Comment From Arun Jayapal

Has the government ever considered/analyzed a way to link the existing resources (such as ration card, DL, passport, voter id, etc.,) and not have come up with a completely new system (aadhaar). Is this not an absolute waste of time and resources?

Sunil Abraham: Yes, you are absolutely right. The government should have used biometrics as a means to dedup an existing high value database like the Electoral Rolls or more importantly the PAN Card database. That would have been better RoI for our anti-corruption Rupee.

K Venkataramanan: @Ramesh The Court has come down heavily on only officials who insist on Aadhar for delivery of services when there are clear orders that it should not be mandatory

Comment From George J

I'm an NRI. I presently work and live in a country where the first order of business on landing/Birth is to register one self and get a unique ID number and ID. This the case for expats as well as residents be they foreigners or Citizens. The registration process includes collection of Biometric data. This single No and Id is used for everything from Bank Accounts to School Admissions. It is good that India is doing something similar. It is high time people with multiple ration cards, Passports and the like are weeded out and provided a single verifiable identity. Data Security is of essence and necessary safeguards are available.

Sunil Abraham: Could you name the country? And can you use biometrics your country to authenticate transactions in a centralized database for all sorts of transactions? If yes, then the technology design in your country is as poor as in ours and it is only a question of time when the centralized database leaks.

Comment From Aashish Gupta

Apart from the Honey Pot, Aadhaar does not serve its primary purpose: tackling corruption. Most pilots of Aadhaar have crash landed, and as a result, state governments have created their own simpler systems to tackle corruption.

Sunil Abraham: See: http://www.thehindu.com/opi... If the authentication match is not working [1:1 match]. Then basically the dedup will not work [1:n] match. That is why they are doing demographic dedup before biometric dedup - because they know that the biometric dedup is fallible.

Comment From Balu

A citizenship card , backed with a strond database is a must for every citixen . Some serious thoughts should be done in this matter at the earliest , instead of wasting time and money on different schemes .

Sunil Abraham: We should use decentralized Internet scale technologies based on open standards that are already proven. If we had used smart cards based on SCOSTA or EMV standard we would be in a much better place.

Comment From PRASHANTH

Comment From vikash

supreme court should not have to push such legal hurdles given that the 750 million card has already been generated.A lot of money has been investad in the project

Comment From Saket

Aaadhar card is full of errors. At the place where I got registered person was issuing it in a hurry which creates lots of typing errors in DOB and Place.

Comment From Aashish Gupta

The supreme court has not struck down aadhaar, it has said that aadhaar cannot be mandatory. This is to make sure that people who do not have an aadhaar card do not miss out on their entitlements.

Comment From Ramesh

Aadhaar should be made mandatory with necessary safeguards. Unless there is an ultimatum and time frame to get the card it will never be implemented. Even now many do not know where to get it done.

Comment From Aadharam

Could you clarify whether this is an interim order or a final order on Aadhar? Is there scope for a retraction/shift on the Supreme Court's part?

Comment From Onkar Tiwari

Why supreme court doesnt understand Adhar is necessary? it can curb corruption. it wll reduce corruption specially in manrega where people enters fake details and grab the money.

K Venkataramanan: It is only an interim order. The Court will, hopefully, resolve the questions raised by the petitioners about privacy and data security issues

Comment From George J

I have taken Aadhar Card. The procedure asks the applicant themselves to verify the data entered for typing mistakes etc. before being uploaded, in fact where I registered they had asked for a sign off on the final data on a printout. So how errors can creep in is beyond me. However the photography equipment and skill of the data entry operator leave much to be desired as the mug shot is not very kind to me!

Comment From Guest

There should be a guide line which need to be followed as it is in the hands of private partners who are also ask for bribe from the poor people for the aadhar and they have no other option to pay for it as they thought that this only can help them to get the govt. facilities and subsidies.

K Venkataramanan: @Onkar Tiwari, It is up to the government to convince the court that Aadhaar will help curb corruption, and how. The Court is unlikely to stop the use of technology to improve delivery of services and curb corruption.

Comment From v subrahmanian

help line over phone and the email correspondence is total waste.. they themselves are helpless. Any query has never been replied to the caller's satisfaction. Getting them on line itself is a challenge. It's so complex. Of course, every eligible citizen of this complex country must have the identity card. Why not if it is done through employer in case of organized salaried employees?

Comment From Ramakrishna Rao

Hi !! I request the panelists to kindly sum up in few 4 or 5 points the reasons/grounds on which the parliamentary committee has rejected the aadhar

Comment From Guest

The agencies who are collecting data for Aadhar Card are not doing good. The aadhar card is full with many kind of errors including Name and DOB.. Even a person is able to register twice under this scheme.

The Hindu: Mr. Venkataramanan would you like to respond to Ramakrishna Rao?

Comment From Guest

@K Gopinath - how robust is the de-duplication UID claims to have. And in real time transactions, is it possible to authenticate n request without 'false positives' or 'negatives'?

K. Gopinath: Dedup claims assume “good” conditions. For example, a farmhand may have rough skin, etc that may make the fingerprints problematic. 1% errors have been reported in the past. Real time txns: I think the current Aadhar is not geared for it. The connectivity is not there. Also, with fingerprint technologies, the ability to check large number of fingerprints for a match is not good enough. It has never been scaled to the extent that is being planned.

Comment From Sandeep

Still not sure if Aadhaar then other ID cards not needed ? Or Still all along with Aadhaar ? then what is meaning of Aadhaar ? Only for LPG connection? Why not govt making Aadhaar is mandatory in all other fields as well , As Govt spent huge money for Aadhaar

Comment From Guest

@ Sunil - How plausible is the idea that govt can use UID data to profile public?

Comment From Sushubh

I for one is very happy that at least the Supreme Court is not falling for this privacy infringing scam. People defending this card here on this platform needs to read more about it.

Comment From Guest

Govt. created panic among public regarding adhaar. Public is highly annoyed with the way the government is handling this adhaar project. Only court reprimands,govt. backtracks as far as the adhaar is concerned. It is high time for govt. to have serious insight into this.

K Venkataramanan: The parliamentary committee on Finance had objected to the UID being extended to non-citizens on the ground that it may end up in illegal immigrants getting Aadhaar numbers.

It had also questioned the rollout ofthe scheme before legislation was passed. It had objected to its implementation without regard to its consequences.

Comment From Srinivasa

I believe Nandan Nilkeni had mentioned certain very good examples of the system flagging duplicates. So I assume the system is robust. We need to make it mandatory for all services delivery and have suitable policy and technology to protect data.

Sunil Abraham: I don't think we can go by the assurance of someone no longer associated with the project. It is not persons that keep us safe it is proper technology and law.

The Hindu: Welcome back Sunil! Lots of questions await you

K Venkataramanan: The committee had said UIDAI had no conceptual clarity, no proper assessment of the costs involved, and that it could end up in the hands of private agencies, that the technology was untested and the UID may not meet the objectives for which it was conceived

Sunil Abraham: Sorry I was logged out.

Comment From Guest

There was a recent news in The Hindu about linking of Adhar cards to election voter ID cards in Andhra Pradesh. Do you think that adopting such moves by every state result in mandating the procedure eventually?

Comment From Guest

First Passport then PAN , voter id and now adahar, in any country there is only passport and SSN, why india needs so many identity cards

K. Gopinath: The PAN database has been problematic just as the voter id. Hence, every technology cycle, a new system is usually attempted that attempts to be "better" than the before. However, this requires care which is not in good supply in the govt where the "lowest" bidder wins or outsourcing happens.

The Hindu: We have Prof Gopinatha back too. Sorry about that technical glitch.

Comment From Deepak Vasudevan

Why are different apex agencies managing Aadhar like UIDAI, Census and NPR? There should be one root (apex) body and others should report onto it.

Sunil Abraham: Yes. The division of work between UIDAI and NPR is not very clear and has added to the confusion.

K Venkataramanan: The parliamentary standing committee, too pointed out the overlap of functions involving UIDAI and NPR

The Hindu: There was this question for you earlier on the thread @K Gopinath - how robust is the de-duplication UID claims to have. And in real time transactions, is it possible to authenticate n request without 'false positives' or 'negatives'?

Comment From Guest

When Union Of India aimed to greater transparency... these are the road blocks they get... If Aadhar is not mandatory... then make Voter ID, PAN Card, Ration card also not mandatory in their respective Govt Businesses ... make self declaration as mandatory .. lets go to the stone age in this Information age. Instead SC should direct the center to come up with procedure to accommodate legitimate citizens of India into the scheme in a time bound manner and frame policies to avoid misuse of the personal data. are we looking the current world Information age thru the same old glasses... it is time to adopt the change...

Sunil Abraham: Indeed we need more transparency. But privacy protections must be inversely proportionate to power and as Julian Assange says transparency requirements should be directly proportionate to power See: http://openup2014.org/priva...

K Venkataramanan: Linking Aadhaar and voter ID cards is also being tried out in other states It is only one more means of eliminating fake voters or duplicates, but is unlikely tobe a ground to make Aadhaar mandatory

Comment From Ganesh

@Mr.Sunil, The current technology adopted for UIDAI is not good compared to last regime?

Sunil Abraham: Please see my our open letter on this question http://cis-india.org/intern...

Comment From Madhavan R

Just because UPA government bring this, its not good for NDA to object it.. STOP wasting our money.. Just try to make best out of it..

Sunil Abraham: Pouring more money into a failed project will not save it. It has serious technological flaw and without addressing it we are just making a bad situation worse.

Comment From George J

Currently all embassy's are collecting biometric data when you apply for a visa. Most of this collection is done by private parties on behalf of the respective governments. So if an Indian has travelled abroad the chances of his Biometric data being available to foreign govts is 99%. So what is the big scare about this? The need that it should be secure and should not be misused is sacrosanct. with the kind of revelations that have been made about mass eavesdropping I think people should get used to living in glass houses!

Comment From Pappan

@Sunil, please clarify about your comment on technology inadequecy

Comment From Yuvaraj

I strongly support Adhaar card implemenataion. intially they may face challeneges but for the long run its very effective mechanism to monitor every thing

Sunil Abraham: Monitoring everything means you monitor nothing. The bigger the haystack the harder it is to find the needle. Good surveillance practices means targetting survelliance not en masse data collection.

Comment From Guest

It is heard that privacy of citizens is at stake with adhaar card. can panelists respond to this?

Sunil Abraham: I have dealt with your question here: http://www.business-standar...

Comment From Srinivasa

That comparison of the two standards (SCOSTA and Aadhar) made interesting reading. Why not a system where you collect biometrics and iris and then issue a SCOSTA card? the biometrics and iris can be used to remove duplicates and maintain a clean registry by failing the duplicate SCOSTA cards. And all further transactions will only need a card based access.

Comment From Loganathan

This is one the worst move by any government in the center to remember. With no motive for the card, they introduced just to add to the loss in exchequer and there is no benefit out of it. Many have wrong data entered against their name and totally the waste one of all

Comment From Sabari Arasu

I am aware of someone who is not Indian citizen got Aadhar card for himself and his family. This scares me a lot as anyone(read Bangaladheshis, Sri Lankans, Pakintanis, etc..) can get Aadhar card. Is there a measure taken by Government to identify these issues?

Sunil Abraham: This is possible because the technology [biometrics] cannot verify citizenship. Even worse biometrics can be imported from foreign countries and can be used to create resident ghosts. This is because the technology cannot even verify if the person in India. We will need surveillance cameras at every point of registration to take care of this possible fraud.

Comment From Chandra Sekhar

Aadhaar card was a huge opportunity for the government to improve the efficiency of governance.It was a challenging task and required great amount accuracy.The way this project was executed is a question mark on efficiency of governance.

The Hindu: Sunil, Venkatramanan, Gopinath - would you agree that Aadhaar was an opportunity to improve governance? @chandra sekhar

Comment From Guest

Freebee lovers/netas will always oppose when you want to implement some thing which might deny them the benefit.

Sunil Abraham: Any evidence to backup this statement?

Comment From Guest

if the ASDHAAR is nt necessary as per SC then why everywhere it is being preferred identity such as Subsidy, Passport etc.

Sunil Abraham: Preference is not the same as a mandatory requirement.

For more details visit https://cis-india.org/internet-governance/news/the-hindu-march-17-2015-aadhaar-an-identity-crisis

Mandatory Aadhaar card for govt scholarships violates SC order

praskrishna — 2016-07-30T15:55:38Z

There seems to be no end to the government’s legal troubles.

The article by Neelam Pandey and Aloke Tikku was published in the Hindustan Times on July 15, 2016. Sunil Abraham was quoted.

The human resource development (HRD) ministry has made Aadhaar mandatory for government scholarship and fellowship from this academic year, a move that violates the Supreme Court’s order.

Under this decision, the government will transfer the funds to the students’ bank accounts only after they submit their Aadhaar number.

The court had last August barred the government from using Aadhaar for any purpose other than distributing food grain and cooking fuel such as kerosene and LPG. The SC had gone further to rule that production of Aadhaar would not be condition for obtaining any benefits due to a citizen.

It was this SC order that prompted the government to push the Aadhaar law through Parliament to ensure that the court’s restriction did not come in the way of expanding the direct benefit transfer project.

The law – that was passed by Parliament – gave the government powers to make Aadhaar mandatory for receiving any benefit, facility or service that involved any expenditure from the public exchequer.

But most provisions of the Aadhaar law have not come into force yet.

This week, it notified provisions that enabled it to appoint the chairperson of the Unique Identification Authority of India (UIDAI) that issues the 12-digit unique number and set up offices in cities outside Delhi.

“This appears to be contempt of court,” said Sunil Abraham, head of the Bengaluru-headquartered advocacy group, Centre for Internet and Society.

Thomas Mathew, one of the petitioners in the case pending before the Supreme Court, agreed. “I am going to move a contempt petition against the HRD ministry and UGC,” Mathew said, pointing that oil companies were also forcing people to get Aadhaar.

The UGC directive to central universities sets July-end as the deadline for scholars at central universities to get their Aadhaar number. Many scholars who did not have an Aadhaar number said the fellowship were an important source of income for them to get by.

For more details visit https://cis-india.org/internet-governance/news/hindustan-times-neelam-pandey-aloke-tikku-july-15-2016-mandatory-aadhaar-card-for-govt-scholarships-violates-sc-order

Why experts are worried about Aadhaar-based authentication

praskrishna — 2016-08-07T02:16:29Z

As private companies are increasingly using Aadhaar data, is the privacy and security of personal data really at risk? What do those defending Aadhaar have to say?

The post was published in Citizen Matters on August 2, 2016. Amber Sinha was quoted.

The Unique Identification numbers of Aadhaar card holders are being extensively used by government and private agencies for authentication purposes, as we have already seen in an earlier article.

There are 246 registered Authentication User Agencies in India, both government and private, which are helping organisations and individuals in executing the authentication process. In simple terms, they help the organisation that has placed the authentication request, to confirm the identity of a person during hiring, lending loans or while implementing welfare schemes.

But all does not seem well with the Aadhaar authentication process. Concerns have been raised about the privacy and security aspects and, loopholes in the law.

The amended Aadhaar Bill (now, Aadhaar Act) has a clause that allows the UIDAI to respond to any authentication query “with a positive, negative or any other appropriate response.” This move has drawn a lot of criticism from the activist fraternity. They have questioned the government on framing an Act that places the security and privacy of individual citizens at risk.

Even before the Bill was passed, legal scholar Usha Ramanathan had, in an article published in Scroll.in, expressed concern over private agencies using the Aadhaar database for authenticating the identity of an individual.

“Very little was heard about the interest private companies would have in this information data base. It is not until the 2016 Bill was introduced in Lok Sabha that we were told, expressly, that just about any person or company may draw on the Aadhaar system for its purposes. There are no qualifications or limits on who may use it and why. It depends on the willingness of the Unique Identification Authority of India, which is undertaking the project, to let them become a part of the Aadhaar system,” she wrote.

What’s crucial in the entire process is how the government is allowing private players to use Aadhaar-based information, putting the privacy of Aadhaar-holders at stake. The government is technically allowed to share the Aadhaar information with other agencies, only if the holder has given consent to sharing his information, during enrollment.

The guidelines for recording Aadhaar demographic data states: “Ask resident’s consent to whether it is alright with the resident if the information captured is shared with other organisations for the purpose of welfare services including financial services. Select appropriate circle to capture residents response as - Yes/No.”

In 2011, Citizen Matters had published a report on how people wanting to register for Aadhaar were not asked if they would agree to share their personal information. Citizens seemingly were unaware of the provision for sharing information with a third party and data operators had reportedly not asked them for their consent before marking ‘yes’ for the consent option.

There remains a regulatory vacuum

In less than four months of the enactment of the Aadhaar Act, the number of private agencies using Aadhaar database for identity authentication too has grown long. Amber Sinha, Programme Officer at the Center for Internet and Society expresses concern over the privacy implications that a project of this magnitude would lead to.

“The original idea of Aadhaar was to use it for providing services under welfare schemes. But the Aadhaar Act lets private agencies avail the Aadhaar authentication service. The scope of the Act itself doesn’t envisage sharing the data with private parties, but if any third party wants to authenticate the identity of an individual, they can use the UIDAI repository for the purpose,” he points out.

In the process, Amber says, the CIDR has to send a reply in ‘yes’ or ‘no’ format, for any request seeking to confirm the identity of an individual. The new legislation gives scope for the authorities to respond to a query with a positive, negative or any other appropriate response.

“The Aadhaar enrollment information includes demographic and biometric details. So at this stage, we do not know what that “other appropriate response” stands for. Further, while there are requirements to take the data subject’s consent under the Act, there is lack of clarity on the oversight mechanisms and control mechanisms in place when a private party collects information for authentication. The UIDAI is yet to frame the rules and the rules will probably determine this. Until the rules are framed, some of the issues will exist in regulatory vacuum,” Amber observes.

Under the current circumstances, Amber says, the responsible thing to do for UIDAI is not to make such services available until the rules are framed.

But why has the Authority then started the authentication process even before the rules have been framed? Assistant Director General of the Authentication and Application Division of UIDAI, Ajai Chandra says the rules when framed will have retrospective effect, from the date the Act was enacted.

Activists have also questioned the UIDAI for allowing private agencies to use and authenticate Aadhaar data, when the Supreme Court has restricted the use of Aadhaar. In its last order dated 15 October 2015, the Apex Court allowed the government to use Aadhaar in implementing selective welfare schemes such as PDS, LPG distribution, MGNREGS, pension schemes, PMJDY and EPFO. It makes no mention about the UIDAI using the Aadhaar data repository to provide services to private agencies.

“When the Supreme Court has restricted the use of Aadhaar number to a few specific government programmes only, how can UIDAI allow the data to be used for any other programmes, let alone by private agencies?” Amber asks.

In a very brief conversation, Reena Saha, Additional DG, UIDAI told Citizen Matters that UIDAI was acting as per the Supreme Court’s order dated October 15th. “We aren’t sharing the data with private agencies,” she said.

‘Authentication happening only with consent’

Srikanth Nadhamuni, CEO of Khosla Labs - a registered Authentication User Agency, who was also the Head of Technologies at UIDAI, rejects the accusations on the security aspect, saying that the authentication system is completely secure and foolproof.

“We have made a secure system so that there is no man in the middle taking the biometric information. The biometric information shared on the application is encrypted and neither the AUA nor the Authentication Service Agency (an intermediary between the AUA and the CIDR) can open it. Both the AUA and ASA will sign on the packet and forward it to the data repository as it is. There is no way that we can figure out what is inside the packet. Once the request reaches the data repository, they will unlock the signatures, run the authentication and reply in ‘yes’ or ‘no’ or with an error code,” Srikanth explains.

ADG Chandra says that at present the CIDR is replying to authentication requests in an “yes/no” format. “We aren’t sharing the data with any agencies. Upon receiving the request for authentication, be it demographic, biometric or one time pin (OTP), a notification is sent to the registered mobile / email address of the Aadhaar holder,” he says. So if the Aadhaar holder has changed the address, phone number, email ID etc after Aadhaar enrollment, he/she should update the data with UIDAI by placing a request online or through post. This will avoid any confusion that may occur during the authentication.

Ajai Chandra further clarifies, “the private agencies seeking authentication (the Authentication User Agency) are not given direct access to the database. On receiving the request, the intermediary Authentication Service Agencies first examine the format of the authentication request. The request is forwarded to the CIDR only if it complies with the format.”

Apart from authentication, the eKYC (Know Your Customer) option also allows companies to retrieve eKYC data of the Aadhaar holder. This data includes photo, name, address, gender and date of birth (excludes mobile number and email ID). But in this case too, “eKYC data can be retrieved only with the consent of the Aadhaar card holder, the person has to be adequately informed about the retrieval and the data cannot be shared with a third party,” says Chandra.

Though Aadhaar Act allows the UIDAI to perform authentication of Aadhaar number, subject to the requesting entity paying the fee, UIDAI at present is providing the service free of cost. “We will provide free service till December 2016 and may levy the fee thereafter,” the ADG says.

For more details visit https://cis-india.org/internet-governance/news/bangalore-citizen-matters-august-2-2016-akshatha-why-experts-are-worried-about-aadhaar-based-authentication

New Approaches to Information Privacy – Revisiting the Purpose Limitation Principle

amber — 2016-11-09T13:54:28Z

Article on Aadhaar throwing light on privacy and data protection.

This was published in Digital Policy Portal on July 13, 2016.

Introduction

Last year, Mukul Rohatgi, the Attorney General of India, called into question existing jurisprudence of the last 50 years on the constitutional validity of the right to privacy.¹ Mohatgi was rebutting the arguments on privacy made against Aadhaar, the unique identity project initiated and implemented in the country without any legislative mandate.² The question of the right to privacy becomes all the more relevant in the context of events over the last few years—among them, the significant rise in data collection by the state through various e-governance schemes,³ systematic access to personal data by various wings of the state through a host of surveillance and law enforcement initiatives launched in the last decade,⁴ the multifold increase in the number of Indians online, and the ubiquitous collection of personal data by private parties.⁵

These developments have led to a call for a comprehensive privacy legislation in India and the adoption of the National Privacy Principles as laid down by the Expert Committee led by Justice AP Shah.⁶ There are privacy-protection legislation currently in place such as the Information Technology Act, 2000 (IT Act), which was enacted to govern digital content and communication and provide legal recognition to electronic transactions. This legislation has provisions that can safeguard—and dilute—online privacy. At the heart of the data protection provisions in the IT Act lies section 43A and the rules framed under it, i.e., Reasonable security practices and procedures and sensitive personal data information.⁷Section 43A mandates that body corporates who receive, possess, store, deal, or handle any personal data to implement and maintain ‘reasonable security practices’, failing which, they are held liable to compensate those affected. Rules drafted under this provision also mandated a number of data protection obligations on corporations such the need to seek consent before collection, specifying the purposes of data collection, and restricting the use of data to such purposes only. There have been questions raised about the validity of the Section 43A Rules as they seek to do much more than mandate in the parent provisions, Section 43A— requiring entities to maintain reasonable security practices.

Privacy as control?

Even setting aside the issue of legal validity, the kind of data protection framework envisioned by Section 43A rules is proving to be outdated in the context of how data is now being collected and processed. The focus of Section 43 A Rules—as well as that of draft privacy legislations in India⁸—is based on the idea of individual control. Most apt is Alan Westin’s definition of privacy: “the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to other.”⁹ Westin and his followers rely on the normative idea of “informational self- determination”, the notion of a pure, disembodied, and atomistic self, capable of making rational and isolated choices in order to assert complete control over personal information. More and more this has proved to be a fiction especially in a networked society.

Much before the need for governance of information technologies had reached a critical mass in India, Western countries were already dealing with the implications of the use of these technologies on personal data. In 1973, the US Department of Health, Education and Welfare appointed a committee to address this issue, leading to a report called ‘Records, Computers and Rights of Citizens.’¹⁰ The Committee’s mandate was to “explore the impact of computers on record keeping about individuals and, in addition, to inquire into, and make recommendations regarding, the use of the Social Security number.” The Report articulated five principles which were to be the basis of fair information practices: transparency; use limitation; access and correction; data quality; and security. Building upon these principles, the Committee of Ministers of the Organization for Economic Cooperation and Development (OECD) arrived at the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in 1980.¹¹ These principles— Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation and Accountability—are what inform most data protection regulations today including the APEC Framework, the EU Data Protection Directive, and the Section 43A Rules and Justice AP Shah Principles in India.

Fred Cate describes the import of these privacy regimes as such:

“All of these data protection instruments reflect the same approach: tell individuals what data you wish to collect or use, give them a choice, grant them access, secure those data with appropriate technologies and procedures, and be subject to third-party enforcement if you fail to comply with these requirements or individuals’ expressed preferences”¹²

This is in line with Alan Westin’s idea of privacy exercised through individual control. Therefore the focus of these principles is on empowering the individuals to exercise choice, but not on protecting individuals from harmful or unnecessary practices of data collection and processing. The author of this article has earlier written¹³ about the sheer inefficacy of this framework which places the responsibility on individuals. Other scholars like Daniel Solove,¹⁴ Jonathan Obar¹⁵ and Fred Cate¹⁶ have also written about the failure of traditional data protection practices of notice and consent. While these essays dealt with the privacy principles of choice and informed consent, this paper will focus on the principles of purpose limitation.

Purpose Limitation and Impact of Big Data

The principles of purpose limitation or purpose specification seeks to ensure the following four objectives:

Personal information collected and processed should be adequate and relevant to the purposes for which they are processed.
The entities collect, process, disclose, make available, or otherwise use personal information only for the stated purposes.
In case of change in purpose, the data’s subject needs to be informed and their consent has to be obtained.
After personal information has been used in accordance with the identified purpose, it has to be destroyed as per the identified procedures.

The purpose limitation along with the data minimisation principle—which requires that no more data may be processed than is necessary for the stated purpose—aim to limit the use of data to what is agreed to by the data subject. These principles are in direct conflict with new technology which relies on ubiquitous collection and indiscriminate uses of data. The main import of Big Data technologies on the inherent value in data which can be harvested not by the primary purposes of data collection but through various secondary purposes which involve processing of the data repeatedly.¹⁷Further, instead to destroying the data when its purpose has been achieved, the intent is to retain as much data as possible for secondary uses. Importantly, as these secondary uses are of an inherently unanticipated nature, it becomes impossible to account for it at the stage of collection and providing the choice to the data subject.

Followers of the discourse on Big Data would be well aware of its potential impacts on privacy. De-identification techniques to protect the identities of individuals in dataset face a threat from an increase in the amount of data available either publicly or otherwise to a party seeking to reverse-engineer an anonymised dataset to re-identify individuals. ¹⁸ Further, Big Data analytics promise to find patterns and connections that can contribute to the knowledge available to the public to make decisions. What is also likely is that it will lead to revealing insights about people that they would have preferred to keep private.¹⁹In turn, as people become more aware of being constantly profiled by their actions, they will self-regulate and ‘discipline’ their behaviour. This can lead to a chilling effect.²⁰ Meanwhile, Big Data is also fuelling an industry that incentivises businesses to collect more data, as it has a high and growing monetary value. However, Big Data also promises a completely new kind of knowledge that can prove to be revolutionary in fields as diverse as medicine, disaster-management, governance, agriculture, transport, service delivery, and decision-making.²¹ As long as there is a sufficiently large and diverse amount of data, there could be invaluable insights locked in it, accessing which can provide solutions to a number of problems. In light of this, it is important to consider what kind of regulatory framework is most suitable which could facilitate some of the promised benefits of Big Data and at the same time mitigate its potential harm. This, coupled with the fact that the existing data protection principles have, by most accounts, run their course, makes the examination of alternative frameworks even more important. This article will examine some alternate proposals made to the existing framework of purpose limitation below.

Harms-based approach

Some scholars like Fred Cate²² and Daniel Solove²³ have argued that there is a need for the primary focus of data protection law to move from control at the stage of data collection to actual use cases. In his article on the failure of Fair Information Practice Principles,²⁴Cate puts forth a proposal for ‘Consumer Privacy Protection Principles.’ Cate envisions a more interventionist role of the data protection authorities by regulating information flows when required, in order to protect individuals from risky or harmful uses of information. Cate’s attempt is to extend the principles of consumer protection law of prevention and remedy of harms.

In a re-examination of the OECD Privacy Principles, Cate and Viktor Mayer Schöemberger attempt to discard the use of personal data to only purposes specified. They felt that restricting the use of personal to only specified purposes could significantly threaten various research and beneficial uses of Big Data. Instead of articulating a positive obligations of what personal data collected could be used for, they attempt to arrive at a negative obligation of use-cases prevented by law. Their working definition of the Use specification principle broaden the scope of use cases by only preventing use of data “if the use is fraudulent, unlawful, deceptive or discriminatory; society has deemed the use inappropriate through a standard of unfairness; the use is likely to cause unjustified harm to the individual; or the use is over the well-founded objection of the individual, unless necessary to serve an over-riding public interest, or unless required by law.”²⁵

While most standards in the above definition have established understanding in jurisprudence, the concept of unjustifiable harm is what we are interested in. Any theory of harms-based approach goes back to John Stuart Mill’s dictum that the only justifiable purpose to exert power over the will of an individual is to prevent harm to others. Therefore, any regulation that seeks to control or prevent autonomy of individuals (in this case, the ability of individuals to allow data collectors to use their personal data, and the ability of data collectors to do so, without any limitation) must clearly demonstrate the harm to the individuals in question.

Fred Cate articulates the following steps to identify tangible harm and respond to its presence:²⁶

Focus on Use — Actual use of the data should be considered, not mere possession. The assumption is that the collection, possession, or transfer of information do not significantly harm people, rather it is the use of information following such collection, possession, or transfer.
Proportionality — Any regulatory measure must be proportional to the likelihood and severity of the harm identified.
Per se Harmful Uses — Uses which are always harmful must be prohibited by law
Per se not Harmful Uses — If uses can be considered inherently not harmful, they should not be regulated.
Sensitive Uses — In case where the uses are not per se harmful or not harmful, individual consent must be sought for using that data for those purposes.

The proposal by Cate argues for what is called a ‘use based system’, which is extremely popular with American scholars. Under this system, data collection itself is not subject to restrictions; rather, only the use of data is regulated. This argument has great appeal for both businesses who can reduce their overheads significantly if consent obligations are done away with as long as they use the data in ways which are not harmful, as well as critics of the current data protection framework which relies on informed consent. Lokke Moerel explains the philosophy of ‘harms based approach’ or ‘use based system’ in United States by juxtaposing it against the ‘rights based approach’ in Europe.²⁷ In Europe, rights of individuals with regard to processing of their personal data is a fundamental human right and therefore, a precautionary principle is followed with much greater top-down control upon data collection. However, in the United States, there is a far greater reliance on market mechanisms and self-regulating organisations to check inappropriate processing activities, and government intervention is limited to cases where a clear harm is demonstrable.²⁸

Continuing research by the Centre for Information Policy Leadership under its Privacy Risk Framework Project looks at a system of articulating what harms and risks arising from use of collected data. They have arrived a matrix of threats and harms. Threats are categorised as —a) inappropriate use of personal information and b) personal information in the wrong hands. More importantly for our purposes, harms are divided into: a) tangible harms which are physical or economic in nature (bodily harm, loss of liberty, damage to earning power and economic interests); b) intangible harms which can be demonstrated (chilling effects, reputational harm, detriment from surveillance, discrimination and intrusion into private life); and c) societal harm (damage to democratic institutions and loss of social trust).²⁹For any harms-based system, a matrix like above needs to emerge clearly so that regulation can focus on mitigating practices leading to the harms.

Legitimate interests

Lokke Moerel and Corien Prins, in their article “Privacy for Homo Digitalis – Proposal for a new regulatory framework for data protection in the light of Big Data and Internet of Things”³⁰ use the ideal of responsive regulation which considers empirically observable practices and institutions while determining the regulation and enforcement required. They state that current data protection frameworks—which rely on mandating some principles of how data has to be processed—is exercised through merely procedural notification and consent requirements. Further, Moerel and Prins feel that data protection law cannot only involve a consideration of individual interest but also needs to take into account collective interest. Therefore, the test must be a broader assessment than merely the purpose limitation articulating the interests of the parties directly involved, but whether a legitimate interest is achieved.

Legitimate interest has been put forth as an alternative to the purpose limitation. Legitimate is not a new concept and has been a part of the EU Data Protection Directive and also finds a place in the new General Data Protection Regulation. Article 7 (f) of the EU Directive³¹ provided for legitimate interest balanced against the interests or fundamental rights and freedoms of the data subject as the last justifiable reason for use of data. Due to confusion in its interpretation, the Article 29 Working Party, in 2014,³²looked into the role of legitimate interest and arrived at the following factors to determine the presence of a legitimate interest— a) the status of the individual (employee, consumer, patient) and the controller (employer, company in a dominant position, healthcare service); b) the circumstances surrounding the data processing (contract relationship of data subject and processor); c) the legitimate expectations of the individual.

Federico Ferretti has criticised the legitimate interest principle as vague and ambiguous. The balancing of legitimate interest in using the data against fundamental rights and freedoms of the data subject gives the data controllers some degree of flexibility in determining whether data may be processed; however, this also reduces the legal certainty that data subject have of their data not being used for purposes they have not agreed to.³³However, it is this paper’s contention that it is not the intent of the legitimate interest criteria but the lack of consensus on its application which creates an ambiguity. Moerel and Prins articulate a test for using legitimate interest which is cognizant of the need to use data for the purpose of Big Data processing, as well as ensuring that the rights of data subjects are not harmed.

As demonstrated earlier, the processing of data and its underlying purposes have become exceedingly complex and the conventional tool to describe these processes ‘privacy notices’ are too lengthy, too complex and too profuse in numbers to have any meaningful impact.³⁴The idea of information self-determination, as contemplated by Westin in American jurisprudence, is not achieved under the current framework. Moerel and Prins recommend five factors³⁵ as relevant in determining the legitimate interest. Of the five, the following three are relevant to the present discussion:

Collective Interest — A cost-benefit analysis should be conducted, which examines the implications for privacy for the data subjects as well as the society, as a whole.
The nature of the data — Rather than having specific categories of data, the nature of data needs to be assessed contextually to determine legitimate interest.
Contractual relationship and consent not independent grounds — This test has two parts. First, in case of contractual relationship between data subject and data controller: the more specific the contractual relationship, the more restrictions apply to the use of the data. Second, consent does not function as a separate principle which, once satisfied, need not be revisited. The nature of the consent (opportunities made available to data subject, opt in/opt out, and others) will continue to play a role in determining legitimate interest.

Conclusion

Replacing the purpose limitation principles with a use-based system as articulated above poses the danger of allowing governments and the private sector to carry out indiscriminate data collection under the blanket guise that any and all data may be of some use in the future. The harms-based approach has many merits and there is a stark need for more use of risk assessments techniques and privacy impact assessments in data governance. However, it is important that it merely adds to the existing controls imposed at data collection, and not replace them in their entirety. On the other hand, the legitimate interests principle, especially as put forth by Moerel and Prins, is more cognizant of the different factors at play — the inefficacy of existing purpose limitation principles, the need for businesses to use data for purposes unidentified at the stage of collection, and the need to ensure that it is not misused for indiscriminate collection and purposes. However, it also poses a much heavier burden on data controllers to take into account various factors before determining legitimate interest. If legitimate interest has to emerge as a realistic alternative to purpose limitation, there needs to be greater clarity on how data controllers must apply this principle.

Endnotes

Prachi Shrivastava, “Privacy not a fundamental right, argues Mukul Rohatgi for Govt as Govt affidavit says otherwise,” Legally India, Jyly 23, 2015, http://www.legallyindia.com/Constitutional-law/privacy-not-a-fundamental-right-argues-mukul-rohatgi-for-govt-as-govt-affidavit-says-otherwise.
Rebecca Bowe, “Growing Mistrust of India’s Biometric ID Scheme,” Electronic Frontier Foundation, May 4, 2012, https://www.eff.org/deeplinks/2012/05/growing-mistrust-india-biometric-id-scheme.
Lisa Hayes, “Digital India’s Impact on Privacy: Aadhaar numbers, biometrics, and more,” Centre for Democracy and Technology, January 20, 2015, https://cdt.org/blog/digital-indias-impact-on-privacy-aadhaar-numbers-biometrics-and-more/.
“India’s Surveillance State,” Software Freedom Law Centre, http://sflc.in/indias-surveillance-state-our-report-on-communications-surveillance-in-india/.
“Internet Privacy in India,” Centre for Internet and Society, http://cis-india.org/telecom/knowledge-repository-on-internet-access/internet-privacy-in-india.
Vivek Pai, “Indian Government says it is still drafting privacy law, but doesn’t give timelines,” Medianama, May 4, 2016, http://www.medianama.com/2016/05/223-government-privacy-draft-policy/.
Information Technology (Intermediaries Guidelines) Rules, 2011,
http://deity.gov.in/sites/upload_files/dit/files/GSR314E_10511%281%29.pdf.
Discussion Points for the Meeting to be taken by Home Secretary at 2:30 pm on 7-10-11 to discuss the drat Privacy Bill, http://cis-india.org/internet-governance/draft-bill-on-right-to-privacy.
Alan Westin, Privacy and Freedom (New York: Atheneum, 2015).
US Secretary’s Advisory Committee on Automated Personal Data Systems, Records, Computers and the Rights of Citizens, http://www.justice.gov/opcl/docs/rec-com-rights.pdf.
OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm
Fred Cate, “The Failure of Information Practice Principles,” in Consumer Protection in the Age of the Information Economy, ed. Jane K. Winn (Burlington: Aldershot, Hants, England, 2006) http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1156972.
Amber Sinha and Scott Mason, “A Critique of Consent in Informational Privacy,” Centre for Internet and Society, January 11, 2016, http://cis-india.org/internet-governance/blog/a-critique-of-consent-in-information-privacy.
Daniel Solove, “Privacy self-management and consent dilemma,” Harvard Law Review 126, (2013): 1880.
Jonathan Obar, “Big Data and the Phantom Public: Walter Lippmann and the fallacy of data privacy self management,” Big Data and Society 2(2), (2015), doi: 10.1177/2053951715608876.
Supra Note 12.
Supra Note 14.
Paul Ohm, “Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization” available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1450006; Arvind Narayanan and Vitaly Shmatikov, “Robust De-anonymization of Large Sparse Datasets” available at https://www.cs.utexas.edu/~shmat/shmat_oak08netflix.pdf.
D. Hirsch, “That’s Unfair! Or is it? Big Data, Discrimination and the FTC’s Unfairness Authority,” Kentucky Law Journal, Vol. 103, available at: http://www.kentuckylawjournal.org/wp-content/uploads/2015/02/103KyLJ345.pdf
A Marthews and C Tucker, “Government Surveillance and Internet Search Behavior”, available at http://ssrn.com/abstract=2412564; Danah Boyd and Kate Crawford, “Critical Questions for Big Data: Provocations for a cultural, technological, and scholarly phenomenon”, Information, Communication & Society, Vol. 15, Issue 5, (2012).
Scott Mason, “Benefits and Harms of Big Data”, Centre for Internet and Society, available at http://cis-india.org/internet-governance/blog/benefits-and-harms-of-big-data#_ftn37.
Cate, “The Failure of Information Practice Principles.”
Solove, “Privacy self-management and consent dilemma,” 1882.
Cate, “The Failure of Information Practice Principles.”
Fred Cate and Viktor Schoenberger, “Notice and Consent in a world of Big Data,” International Data Privacy Law 3(2), (2013): 69.
Solove, “Privacy self-management and consent dilemma,” 1883.
Lokke Moerel, “Netherlands: Big Data Protection: How To Make The Draft EU Regulation On Data Protection Future Proof”, Mondaq, March 11. 2014, http://www.mondaq.com/x/298416/data+protection/Big+Data+Protection+How+To+Make+The+Dra%20ft+EU+Regulation+On+Data+Protection+Future+Proof%20al%20Lecture.
Moerel, “Netherlands: Big Data Protection.”
Centre for Information Policy Leadership, “A Risk-based Approach to Privacy: Improving Effectiveness in Practice,” Hunton and Williams LLP, June 19, 2014, https://www.informationpolicycentre.com/uploads/5/7/1/0/57104281/white_paper_1-a_risk_based_approach_to_privacy_improving_effectiveness_in_practice.pdf.
Lokke Moerel and Corien Prins, “Privacy for Homo Digitalis: Proposal for a new regulatory framework for data protection in the light of Big Data and Internet of Things”, Social Science Research Network, May 25, 2016, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2784123.
EU Directive 95/46/EC – The Data Protection Directive, https://www.dataprotection.ie/docs/EU-Directive-95-46-EC-Chapter-2/93.htm.
Article 29 Data Protection Working Party, “Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC,” http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf.
Frederico Ferretti, “Data protection and the legitimate interest of data controllers: Much ado about nothing or the winter of rights?,” Common Market Law Review 51(2014): 1-26. http://bura.brunel.ac.uk/bitstream/2438/9724/1/Fulltext.pdf.
Sinha and Mason, “A Critique of Consent in Informational Privacy.”
Moerel and Prins, “Privacy for Homo Digitalis.”

For more details visit https://cis-india.org/internet-governance/blog/digital-policy-portal-july-13-2016-new-approaches-to-information-privacy-revisiting-the-purpose-limitation-principle

Aadhaar-enabled smartphones will ease money transfer

praskrishna — 2016-08-10T13:33:54Z

With its plans to make smartphones Aadhaar-enabled, the government hopes to provide users a means to do self-authentication and let businesses and banks verify the identity of their clients through their smartphones, a move that could potentially lead the way to a cashless society.

The article by Neha Alawadhi and Gulveen Aulakh was published in the Economic Times on August 10, 2016. Sunil Abraham was quoted.

"Iris and fingerprint sensors are now becoming a standard feature in smartphones anyway, and this requirement will only take a minor tweak to the operating system. Once enabled, people will be able to use phones to do self-authentication and KYC (know your customer)," Nandan Nikelani, former chairman of the Unique Identification Authority of India, told ET, welcoming the government's plan to make smartphones Aadhaar-enabled.

ET was the first to report that on July 27 a meeting between UIDAI, which administers Aadhaar, and senior executives of smartphone-makers discussed ways to allow smartphone handsets let citizens authenticate their fingerprints and iris on the phone to get services. The most immediate use for the Aadhaar-enabled smartphones is the Unified Payment Interface (UPI), the new payment system that allows money transfer between any two parties using mobile phones and a virtual payment address.

"The two-factor authentication in UPI is now being done with mobile phone as one factor, and MPIN as the second factor. But once you have Aadhaar authentication on the phone, then the second factor can be biometric authentication through Aadhaar," said Nilekani. Over time, the idea is to open Aadhaar authentication to third party apps, said another person familiar with the ongoing discussions, who did not wish to be named.

In effect, biometric and iris scan authentication could become one of the permissions a user grants to different third party apps, such as access to camera, contacts, phone book and so on. Handset makers have raised concerns about some security issues on using iris scan for Aadhar authentication. Also, companies such as Apple that have very closed ecosystems, would not be easy to get on board, several people told ET.

"The primary challenge lies in safe storing of the iris scan between the time it is captured by the camera and then sent to UIDAI server seeking authentication," said an industry insider, who is aware of the discussions, requesting anonymity. The proposal for smartphone makers includes a "hardware secure zone" where biometric data will be encrypted and sent out. It will not leave the electronic secure zone without encryption, and every phone doing Aadhaar authentication will be registered in the UID system.

"Unfortunately, from the biometric sensor the data goes to the hardware secure zone via the operating system. Therefore, the biometric data can be intercepted by the operating system before it is sent to the hardware secure zone," said Sunil Abraham, executive director at Bengaluru-based research organisation, the Centre for Internet and Society.

"The reluctance to make changes at the vendor level are mainly coming from a desire for control of biometric data for strategic and commercial purposes. Privacy and security are bogus reasons," Nilekani said, adding that both ends - the handset and the Aadhaar database -- will use the highest level of encryption.

Samsung India, which in May launched the Galaxy Tab Iris, a device that uses Aadhaar authentication, said it has taken care that its user's biometric data does not fall into the wrong hands. "We ensure that biometric data is encrypted as per UIDAI specifications in device itself for Galaxy Tab Iris," Sukesh Jain, vice president, Samsung India Electronics, told ET in an email response.

For more details visit https://cis-india.org/internet-governance/news/economic-times-august-10-2016-neha-alawadhi-gulveen-aulakh-aadhaar-enabled-smartphones-will-ease-money-transfer

And now, Aadhaar-enabled smartphones for easy verification and money transfer

praskrishna — 2016-08-12T02:50:58Z

As reported earlier, the Indian government has planned to make Aadhaar-enabled smartphones , with which users would be able to self-authenticate and let businesses and banks verify the identity of their clients. This would also help in the government's aim of a cashless society.

The article was published in Business Insider on August 10, 2016. Sunil Abraham was quoted.

While applauding this plan Nandan Nikelani, former chairman of UIDAI told ET that, "Iris and fingerprint sensors are now becoming a standard feature in smartphones anyway, and this requirement will only take a minor tweak to the operating system. Once enabled, people will be able to use phones to do self-authentication and KYC (know your customer)."

In July, senior executives of UIDAI and smartphone companies met to discuss ways to allow smartphones let citizens authenticate their fingerprints and iris on the phone, so that they could avail government services from the comfort of their homes.

The most immediate use for these smartphones would be the Unified Payment Interface (UPI), a new payment system which would allow money transfer between any two parties by simply using their mobile phones and a virtual payment address.

"The two-factor authentication in UPI is now being done with mobile phone as one factor, and MPIN as the second factor. But once you have Aadhaar authentication on the phone, then the second factor can be biometric authentication through Aadhaar," said Nilekani.

With time, Aadhaar authentication will also be made open to third party apps, said another person familiar with the ongoing discussions on the condition of anonymity.

This would let users allow apps to access their biometric and iris scans, just like they grant access to other features like camera, contacts, SMS etc. However, from their end, handset makers have raised security concerns about using iris scan for Aadhar authentication.

"The primary challenge lies in safe storing of the iris scan between the time it is captured by the camera and then sent to UIDAI server seeking authentication," said an industry insider.

For this, the he proposal includes a "hardware secure zone" which would encrypt biometric data before sending it out. However, even this isn't a foolproof idea.

"Unfortunately, from the biometric sensor the data goes to the hardware secure zone via the operating system. Therefore, the biometric data can be intercepted by the operating system before it is sent to the hardware secure zone," said Sunil Abraham, executive director at Bengaluru-based research organisation, the Centre for Internet and Society.

To this, Nilekani said, "the reluctance to make changes at the vendor level is mainly coming from a desire for control of biometric data for strategic and commercial purposes. Privacy and security are bogus reasons." He added that both ends, the handset and the Aadhaar database, will be using the highest level of encryption.

For more details visit https://cis-india.org/internet-governance/news/business-insider-august-10-2016-and-now-aadhaar-enabled-smartphones-for-easy-verification-and-money-transfer

UIDAI and Welfare Services: Exclusion and Countermeasures (Bangalore, August 27)

sumandro — 2016-08-22T13:25:03Z

The Centre for Internet and Society (CIS) invites you to a one day workshop, on Saturday, August 27, 2016, to discuss, raise awareness of, and devise countermeasures to exclusion due to implementation of UID-based verification for and distribution of welfare services. We look forward to making this a forum for knowledge exchange and a learning opportunity for our friends and colleagues.

Invitation

Download (PDF)

Venue

Institution of Agricultural Technologists, No. 15, Queen’s Road, Bangalore, 560 052.

Location on Google Map: https://www.google.com/maps/place/Institution+of+Agricultural+Technologists/.

Agenda

10:00-10:30 Tea and Coffee

10:30-11:00 Introductions and Updates from Delhi Workshop

11:00-12:45 Reconfiguration of Welfare Governance by UIDAI

12:45-14:00 Lunch

14:00-15:00 Updates on Ongoing Cases against UIDAI

15:00-15:15 Tea and Coffee

15:15-16:45 Open Discussion on Countering Welfare Exclusion

16:45-17:00 Tea and Coffee

For more details visit https://cis-india.org/internet-governance/events/uidai-and-welfare-services-exclusion-and-countermeasures-aug-27

Extending Aadhaar to more areas is a hare-brained idea, it should be dropped

praskrishna — 2016-08-24T03:05:01Z

News reports that the mandatory use of Aadhaar could be extended to a host of new areas are extremely disturbing. According to these reports, the Unique Identification Authority of India (UIDAI) has identified 20 new areas for which Aadhaar can be made mandatory. This includes registration of companies and NGOs, insurance, competitive examinations and property and vehicle registration.

The article by Seetha was published in First Post on August 23, 2016. CIS article by Pranesh Prakash and Amber Sinha was quoted.

If this happens, then it confirms the worst suspicions of all those who are opposed to Aadhaar – and this spans ideological divides – that it can be used to seriously compromise individual privacy.

A villager scanning fingerprint for Aadhaar. Reuters file photo

The defenders of Aadhaar – mainly the previous and current governments, the UIDAI and Nandan Nilekani, the father of the Aadhaar – have always argued that these concerns are exaggerated. They have pointed out that Aadhaar does not take any details that are not already in the public domain – name, date of birth and permanent address – and that the biometric data is not shared with any of the authorities that seek verification by Aadhaar. That data remains with the UIDAI and it only confirms that a person with a particular Aadhaar number is who he claims he is.

But Aadhaar’s opponents have argued that the extensive use of Aadhaar allows disparate bits of information to be linked and this could become a genuine concern if this hare-brained idea gets official approval.

Now, there is certainly no doubt that Aadhaar is, in the absence of anything better, the best technological tool for establishing identity. It is not entirely fool-proof – there are issues relating to the fingerprints of manual labourers and iris scan of aged people or those with cataract – a solution needs to be found for this. According to this report by the Centre for Internet and Society, there was fingerprint authentication failure in 290 of 790 ration card holders in Andhra Pradesh who did not lift rations, and there was an ID mismatch in 93 instances. These problems notwithstanding, there is no denying that Aadhaar has helped in significantly containing (perhaps not entirely eliminating) the problem of identity theft for diversion of government doles and other benefits.

So making Aadhaar compulsory for such cases is perfectly justifiable. Indeed, the Act giving legal status to Aadhaar is called Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016.

Mandatory quoting of Aadhaar can even be justified in the cases where duplication or falsification of identity can be used by criminals or those who fall foul of the law. Passports, for example, can be brought under the ambit of Aadhaar. Or even driving licences. A person whose licence has been suspended for repeated traffic violations should not be allowed to get another one under the same name or an assumed name.

But why should it be mandatory for bank accounts, if an individual is not interested in getting government doles? The quoting of Aadhaar for property transactions also does not make sense. If the idea is to prevent fraudulent transactions, it will not be foolproof. A person intending to sell an already sold property or one he does not own can do so even with an Aadhaar number, since people are allowed to own more than one piece of property. What will prevent this from happening is compulsory registration and digitisation of records as well as mandatory property titling; there has been little progress on both.

When filing of income tax returns is not possible without a PAN, there is little rationale for making Aadhaar mandatory for filing returns and even for PAN. It is not clear how quoting of Aadhaar is going to help in ensuring that fly-by-night companies and NGOs do not get established.

The insistence of Aadhaar on purchase of vehicles, landline and mobile phone connections and demat accounts is seriously violative of individual privacy and has enormous potential for misuse. The Act does give the government unbridled power to access data in the name of national security. This itself is worrying, since it can allow security agencies to go an random fishing expeditions to access personal financial transactions. Making it mandatory for even buying cars and phone connections (even though it is not illegal to own more than one vehicle or telephone connection) makes it even riskier – private agencies get access to one’s Aadhaar number. Forget security agencies, even unscrupulous private persons can track an individual’s personal activities, especially financial transactions.

As it is, investigating agencies want to tap Aadhaar and biometric data at the drop of a hat. The UIDAI had to approach the Supreme Court in 2014 against a Goa High Court order ordering it to share biometric details of everyone enrolled in the state for solving a gang rape case. Even after the Supreme Court ruled in favour of UIDAI, a Kerala special investigation team wanted it to share biometric details to solve another rape case. If Aadhaar now becomes mandatory for a host of financial and other transactions, the points of potential privacy breaches only increase.

The move to extend the mandatory use of Aadhaar has to be stopped in its tracks. The mandatory use should be limited to delivery of government welfare benefits and doles (after ensuring that glitches are eliminated) and security-related services like passports. For everything else, it should be purely voluntary. There can be no compromise on this.

For more details visit https://cis-india.org/internet-governance/news/first-post-august-23-2016-seetha-extending-aadhaar-to-more-areas-is-a-hare-brained-idea-it-should-be-dropped