The Centre for Internet and Society
https://cis-india.org
These are the search results for the query, showing results 11 to 25.
The Last Chance for a Welfare State Doesn’t Rest in the Aadhaar System
https://cis-india.org/internet-governance/blog/the-last-chance-for-a-welfare-state-doesnt-rest-in-the-aadhaar-system
<b>Boosting welfare is the message, which is how Aadhaar is being presented in India. The Aadhaar system as a medium, however, is one that enables tracking, surveillance, and data monetisation. This piece by Sumandro Chattapadhyay was published in The Wire on April 19, 2016.</b>
<p> </p>
<p><em>Originally published in and cross-posted from <a href="http://thewire.in/2016/04/19/the-last-chance-for-a-welfare-state-doesnt-rest-in-the-aadhaar-system-30256/">The Wire</a>.</em></p>
<hr />
<p>Once upon a time, a king desired that his parrot should be taught all the ancient knowledge of the kingdom. The priests started feeding the pages of the great books to the parrot with much enthusiasm. One day, the king asked the priests if the parrot’s education has completed. The priests poked the belly of the parrot but it made no sound. Only the rustle of undigested pages inside the belly could be heard. The priests declared that the parrot is indeed a learned one now.</p>
<p>The fate of the welfare system in our country is quite similar to this parrot from Tagore’s parable. It has been forcefully fed identification cards and other official documents (often four copies of the same) for years, and always with the same justification of making it more effective and fixing the leaks. These identification regimes are in effect killing off the welfare system. And some may say that that has been the actual plan in any case.</p>
<p>The Aadhaar number has been recently offered as <a href="http://indianexpress.com/article/opinion/columns/aadhaar-project-uidai-last-chance-for-a-welfare-state/">the ‘last chance’ for the ailing welfare system</a> – a last identification regime that it needs to gulp down to survive. This argument wilfully overlooks the acute problems with the Aadhaar project.</p>
<p>Firstly, the ‘last chance’ for a welfare state in India is not provided by implementing a new and improved identification regime (Aadhaar numbers or otherwise), but by enabling citizens to effectively track, monitor, and ensure delivery of welfare, services, and benefits. This ‘opening up’ of the welfare bureaucracy has been most effectively initiated by the Right to Information Act. Instead of a centralised biometrics-linked identity verification platform, which gives the privilege of tracking and monitoring welfare flows only to a few expert groups, an effective welfare state requires the devolution of such privilege and responsibility.</p>
<p>We should harness the tracking capabilities of electronic financial systems to disclose how money belonging to the Consolidated Fund of India travel around state agencies and departmental levels. Instead, the Aadhaar system effectively stacks up a range of entry barriers to accessing welfare – from malfunctioning biometric scanners, to connectivity problems, to the burden of keeping one’s fingerprint digitally legible under all labouring and algorithmic circumstances.</p>
<p>Secondly, authentication of welfare recipients by Aadhaar number neither make the welfare delivery process free of techno-bureaucratic hurdles, nor does it exorcise away corruption. Anumeha Yadav has recently documented the emerging <a href="http://scroll.in/article/805909/in-rajasthan-there-is-unrest-at-the-ration-shop-because-of-error-ridden-aadhaar">‘unrest at the ration shop’ across Rajasthan</a>, as authentication processes face technical and connectivity delays, people get ‘locked out’ of public services for not having or having Aadhaar number with incorrect demographic details, and no mechanisms exist to provide rapid and definitive recourse.</p>
<p>RTI activists at the <a href="http://www.snsindia.org/">Satark Nagrik Sangathan</a> have highlighted that the Delhi ration shops, using Aadhaar-based authentication, maintain only two columns of data to describe people who have come to the shop – those who received their ration, and those who did not (without any indication of the reason). This leads to erasure-by-design of evidence of the number of welfare-seekers who are excluded from welfare services when the Aadhaar-based authentication process fails (for valid reasons, or otherwise).</p>
<p>Reetika Khera has made it very clear that using Aadhaar Payments Bridge to directly transfer cash to a beneficiary’s account, in the best case scenario, <a href="http://www.epw.in/journal/2013/05/commentary/cost-benefit-analysis-uid.html">may only take care of one form of corruption</a>: deception (a different person claiming to be the beneficiary). But it does not address the other two common forms of public corruption: collusion (government officials approving undue benefits and creating false beneficiaries) and extortion (forceful rent seeking after the cash has been transferred to the beneficiary’s account). Evidently, going after only deception does not make much sense in an environment where collusion and extortion are commonplace.</p>
<p>Thirdly, the ‘relevant privacy question’ for Aadhaar is not limited to how UIDAI protects the data collected by it, but expands to usage of Aadhaar numbers across the public and private sectors. The privacy problem created by the Aadhaar numbers does begin but surely not end with internal data management procedures and responsibilities of the UIDAI.</p>
<p>On one hand, the Aadhaar Bill 2016 has reduced the personal data sharing restrictions of the NIAI Bill 2010, and <a href="http://scroll.in/article/806297/no-longer-a-black-box-why-does-the-revised-aadhar-bill-allow-sharing-of-identity-information">has allowed for sharing of all data except core biometrics (fingerprints and iris scan)</a> with all agencies involved in authentication of a person through her/his Aadhaar number. These agencies have been asked to seek consent from the person who is being authenticated, and to inform her/him of the ways in which the provided data (by the person, and by UIDAI) will be used by the agency. In careful wording, the Bill only asks the agencies to inform the person about “alternatives to submission of identity information to the requesting entity” (Section 8.3) but not to provide any such alternatives. This facilitates and legalises a much wider collection of personal demographic data for offering of services by public agencies “or any body corporate or person” (Section 57), which is way beyond the scope of data management practices of UIDAI.</p>
<p>On the other hand, the Aadhaar number is being seeded to all government databases – from lists of HIV patients, of rural citizens being offered 100 days of work, of students getting scholarships meant for specific social groups, of people with a bank account. Now in some sectors, such as banking, inter-agency sharing of data about clients is strictly regulated. But we increasingly have non-financial agencies playing crucial roles in the financial sector – from mobile wallets to peer-to-peer transaction to innovative credit ratings. Seeding of Aadhaar into all government and private databases would allow for easy and direct joining up of these databases by anyone who has access to them, and not at all by security agencies only.</p>
<p>When it becomes publicly acceptable that <a href="http://indianexpress.com/article/opinion/columns/aadhaar-project-uidai-last-chance-for-a-welfare-state/">the <em>money bill route</em> was a ‘remedial’ instrument to put the Rajya Sabha ‘back on track’</a>, one cannot not wonder about what was being remedied by avoiding a public debate about the draft bill before it was presented in Lok Sabha. The answer is simple: <em>welfare is the message, surveillance is the medium</em>.</p>
<p>Acceptance and adoption of all medium requires a message, a content. The users are interested in the message. The message, however, is not the business. Think of Free Basics. Facebook wants people with none or limited access to internet to enjoy parts of the internet at zero data cost. Facebook does not provide the content that the users consume on such internet. The content is created by the users themselves, and also provided by other companies. Facebook own and control the medium, and makes money out of all content, including interactions, passing through it.</p>
<p>The UIDAI has set up a biometric data bank and related infrastructure to offer authentication-as-a-service. As the Bill clarifies, almost all agencies (public or private, national or global) can use this service to verify the identity of Indian residents. Unlike Facebook, the content of these services do not flow through the Aadhaar system. Nonetheless, Aadhaar keeps track of all ‘authentication records’, that is records of whose identity was authenticated by whom, when, and where. This database is gold (data) mine for security agencies in India, and elsewhere. Further, as more agencies use authentication based on Aadhaar numbers, it becomes easier for them to combine and compare databases with other agencies doing the same, by linking each line of transaction across databases using Aadhaar numbers.</p>
<p>Welfare is the message that the Aadhaar system is riding on. The message is only useful for the medium as far as it ensures that the majority of the user population are subscribing to it. Once the users are enrolled, or on-boarded, the medium enables flow of all kinds of messages, and tracking and monetisation (perhaps not so much in the case of UIDAI) of all those flows. It does not matter if the Aadhaar system is being introduced to remedy the broken parliamentary process, or the broken welfare distribution system. What matters is that the UIDAI is establishing the infrastructure for a universal surveillance system in India, and without a formal acknowledgement and legal framework for the same.</p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/the-last-chance-for-a-welfare-state-doesnt-rest-in-the-aadhaar-system'>https://cis-india.org/internet-governance/blog/the-last-chance-for-a-welfare-state-doesnt-rest-in-the-aadhaar-system</a>
</p>
No publishersumandroUIDData SystemsPrivacyInternet GovernanceDigital IndiaAadhaarBiometrics2016-04-19T13:18:42ZBlog EntryThe Aadhaar Case
https://cis-india.org/internet-governance/blog/the-aadhaar-case
<b>In 2012 a writ petition was filed by Justice K.S. Puttaswamy in the Supreme Court of India challenging the policy of the government in making an Aadhaar card for every person in India and its later plans to link various government benefit schemes to the same.</b>
<p style="text-align: justify; ">Over time a number of other cases have been filed in the Supreme Court challenging the Aadhaar mechanism and/or its procedure most of which have now been linked to the main petition filed by Justice Puttaswamy.<a href="#_ftn1" name="_ftnref1">[1]</a> This means that the Supreme Court now hears all these cases together (i.e. at the same time) since they throw up similar questions and involve the same or similar issues. The court while hearing the case made an interim order on September 23, 2013 whereby it ordered that no person should suffer on account of not having an Aadhaar card and that Aadhaar cards should not be issued to any illegal immigrants. The relevant extract from the Order of the court is reproduced below:</p>
<p style="text-align: justify; ">"No person should suffer for not getting the Aadhaar card in spite of the fact that some authority had issued a circular making it mandatory and when any person applies to get the Aadhaar card voluntarily, it may be checked whether that person is entitled for it under the law and it should not be given to any illegal immigrant."<a href="#_ftn2" name="_ftnref2">[2]</a></p>
<p style="text-align: justify; ">It must be noted that the above order was only an interim measure taken by the Supreme Court till the time it finally decided all the issues involved in the case, which is still pending in the Supreme Court.</p>
<p style="text-align: justify; ">In November 2013 during one of the hearings of the matter, the Supreme Court came to the conclusion that it was an important enough matter for all the states and union territories to be impleaded as parties to the case and passed an order to this effect.<a href="#_ftn3" name="_ftnref3">[3]</a> This was probably because the Aadhaar cards will be issued in the entire country and this is a national issue and therefore it is possible that the court thought that if any of the states have any concerns regarding the issue they should have the opportunity to present their case.</p>
<p style="text-align: justify; ">In another petition filed by the Unique Identification Authority of India (UIDAI), the Supreme Court on March 24, 2014 reiterated its earlier order and held that no person shall be deprived of any service just because such person lacked an aadhaar number if he/she was otherwise eligible for the service. A direction was issued to all government authorities and departments to modify their forms/circulars, etc., so as to not compulsorily require an aadhaar number. In the same order the Supreme Court also restrained the UIDAI from transferring any biometric data to any agency without the consent of the person in writing as an interim measure.<a href="#_ftn4" name="_ftnref4">[4]</a> After passing these orders the Supreme Court linked this case as well to the petition filed by Justice Puttaswamy on which final arguments were being heard in February 2014 which so far do not seem to have concluded.</p>
<p style="text-align: justify; "><b>Note</b> : Please note that the case is still being heard by the Supreme Court and the orders given so far and explained in this blog are all interim measures till the case is finally disposed off. The status of the cases can be seen on the following link:</p>
<p style="text-align: justify; "><a href="http://courtnic.nic.in/supremecourt/casestatus_new/caseno_new_alt.asp">http://courtnic.nic.in/supremecourt/casestatus_new/caseno_new_alt.asp</a></p>
<p style="text-align: justify; ">The names and number of the cases that have been covered in this blog are given below:</p>
<ul>
<li>W.P(C) No. 439 of 2012 titled <i>S. Raju </i>v. <i>Govt. of India and Others </i> pending before the D.B. of the High Court of Judicature at Madras.</li>
<li>PIL No. 10 of 2012 titled <i>Vickram Crishna and Others</i> v. <i>UIDAI and Others</i> pending before the High Court of Judicature at Bombay.</li>
<li>W.P. No. 833 of 2013 titled <i>Aruna Roy & Anr</i> v. <i>Union of India & Ors</i>.</li>
<li>W.P. No. 829 of 2013 titled <i>S.G. Vombatkere & Anr</i> v. <i>Union of India & Ors.</i></li>
<li>Petition(s) for Special Leave to Appeal (Crl) No(s).2524/2014 titled <i>Unique Identification Authority of India & another</i> v. <i>Central Bureau of Investigation</i>. </li>
</ul>
<p style="text-align: justify; ">All the above cases have now been linked with the ongoing Supreme Court case of <i>K. Puttaswamy</i> v. <i>Union of India</i>.</p>
<div style="text-align: justify; ">
<hr />
<div id="ftn1">
<p><a href="#_ftnref1" name="_ftn1">[1]</a> W.P(C) No. 439 of 2012 titled <i>S. Raju </i>v. <i>Govt. of India and Others </i> pending before the D.B. of the High Court of Judicature at Madras and PIL No. 10 of 2012 titled <i>Vickram Crishna and Others</i> v. <i>UIDAI and Others</i> pending before the High Court of Judicature at Bombay were transferred to the Supreme Court vide Order dated September 23, 2013. Also W.P. No. 833 of 2013 titled Aruna Roy & Anr Vs Union of India & Ors, W.P. No. 829 of 2013 titled S G Vombatkere & Anr Vs Union of India & Ors and Petition(s) for Special Leave to Appeal (Crl) No(s).2524/2014 titled <i>Unique Identification Authority of India & another</i> v. <i>Central Bureau of Investigation</i>.</p>
</div>
<div id="ftn2">
<p><a href="#_ftnref2" name="_ftn2">[2]</a> <a href="http://judis.nic.in/temp/494201232392013p.txt">http://judis.nic.in/temp/494201232392013p.txt</a></p>
</div>
<div id="ftn3">
<p><a href="#_ftnref3" name="_ftn3">[3]</a> <a href="http://judis.nic.in/temp/4942012326112013p.txt">http://judis.nic.in/temp/4942012326112013p.txt</a></p>
</div>
<div id="ftn4">
<p><a href="#_ftnref4" name="_ftn4">[4]</a> <a href="http://courtnic.nic.in/supremecourt/temp/sr%20252414p.txt">http://courtnic.nic.in/supremecourt/temp/sr%20252414p.txt</a></p>
</div>
</div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/the-aadhaar-case'>https://cis-india.org/internet-governance/blog/the-aadhaar-case</a>
</p>
No publishervipulUIDInternet GovernancePrivacy2014-09-05T09:12:21ZBlog EntryThe Aadhaar Act is Not a Money Bill
https://cis-india.org/internet-governance/blog/the-aadhaar-act-is-not-a-money-bill
<b>While the authority of the Lok Sabha Speaker is final and binding, Jairam Ramesh’s writ petition may allow the Supreme Court to question an incorrect application of substantive principles. This article by Amber Sinha was published by The Wire on April 24, 2016.</b>
<p> </p>
<p>Originally published by <a href="http://thewire.in/2016/04/24/the-aadhaar-act-is-not-a-money-bill-31297/">The Wire</a> on April 24, 2016.</p>
<hr />
<p>Since its introduction as a money bill in the Lok Sabha in the first week of March <strong>[1]</strong>, the Aadhaar (Targeted delivery of Financial and other subsidies, benefits and services) Bill, 2016 has been embroiled in controversy. The Lok Sabha rejected the five recommendations of the Rajya Sabha and adopted the bill on March 16 and only presidential assent was required for it become to become valid law. However, former Union Minister Jairam Ramesh filed a writ petition contesting the decision to treat the Aadhaar Bill as a money bill. The petition is due to be heard before the Supreme Court on April 25, and should the court decide to entertain the petition, it could have far-reaching implications for the Aadhaar project and the manner in which money bills are passed by the Parliament.</p>
<p>There are three broad categories of bills (all legislations or Acts are known as ‘bills’ till they are passed by the Parliament) that the Parliament can pass. The first kind, Constitution Amendment Bills, are those that seek to amend a provision in the Constitution of India. The second are financial bills which contain provisions on matters of taxation and expenditure. Money bills are a subset of the financial bills which contain provisions only related to taxation, financial obligations of the government, expenditure from or receipt to the Consolidated Fund of India and any matters incidental to the above. The third category is of ordinary bills which includes all other bills. The process for the enactment of all these bills is different. Money bills are peculiar in that they can only be introduced in the Lok Sabha where it can be passed by simple majority. Following this, it is transmitted to the Rajya Sabha. The Rajya Sabha’s powers are restricted to giving recommendations on the Bill and sending it back to the Lok Sabha, which the Lok Sabha is under no obligation to accept. The decision to introduce the Aadhaar Bill as a money bill has been widely seen as an attempt to circumvent the Rajya Sabha where the ruling party is in a minority.</p>
<p>Article 110 (1) of the Constitution defines a money bill as one containing provisions only regarding the matters enumerated or any matters incidental to them. These are a) imposition, regulation and abolition of any tax, b) borrowing or other financial obligations of the Government of India, c) custody, withdrawal from or payment into the Consolidated Fund of India (CFI) or Contingent Fund of India, d) appropriation of money out of CFI, e) expenditure charged on the CFI or f) receipt or custody or audit of money into CFI or public account of India. Article 110 is modelled on Section 1(2) of the (UK) Parliament Act, 1911 which also defines the money bills as those only dealing with certain enumerated matters. The use of the word “only” was brought up by Ghanshyam Singh Gupta during the Constituent Assembly Debates. He pointed out that the use of the word “only” limits the scope of money bills to only those legislations which did not deal with other matters. His amendment to delete the word “only” was rejected clearly establishing the intent of the framers of the Constitution to keep the ambit of money bills extremely narrow.</p>
<p>While the Aadhaar Bill does make references to benefits, subsidies and services funded by the Consolidated Fund of India (CFI), even a cursory reading of the bill reveals its main objectives as creating a right to obtain a unique identification number and providing for a statutory apparatus to regulate the entire process. The mere fact of establishing the Aadhaar number as the identification mechanism for benefits and subsidies funded by the CFI does not give it the character of a money bill. The bill merely speaks of facilitating access to unspecified subsidies and benefits rather than their creation and provision being the primary object of the legislation. Erskine May’s seminal textbook, ‘Parliamentary Practice” is instructive in this respect and makes it clear that a legislation which simply makes a charge on the Consolidated Fund does not becomes a money bill if otherwise its character is not that of one.</p>
<p>PDT Achary, former secretary general of the Lok Sabha, has expressed concern about the use of Money Bills as a means to circumvent the Rajya Sabha. He has written here <strong>[2]</strong> and here <strong>[3]</strong>, on what constitutes a money bill and how the attempts to pass off financial bills like the Aadhaar Bill as money bills could erode the supervisory role Rajya Sabha is supposed to play. This is especially true in the case of a legislation like the Aadhaar Bill which has far reaching implications for individual privacy as it governs the identification system conceptualised to provide a unique and lifelong identity to residents of India dealing with both the analog and digital machinery of the state and by virtue of Section 57 of any private entities. Already over 1 billion people have been enrolled under this identification scheme, and the project has been a subject of much debate and a petition before the Supreme Court. The project has been portrayed as both the last hope for a welfare state and surveillance infrastructure. Regardless of which of the two ends of spectrum one leans towards, it is undeniable that the law governing the Aadhaar project deserved a proper debate in the Parliament. Even those who are strong proponents of the project must accept the decision to pass it off as a money bill undermines the importance of democratic processes and is a travesty on the Constitution and a blatant abrogation of the constitutional duties of the speaker.</p>
<p>The petition by Jairam Ramesh would hinge largely on the powers of the judiciary to question the decision of the Speaker of the Lok Sabha. Article 110 (3) is very clear in pronouncing the authority of the Speaker as final and binding. Additionally, Article 122 prohibits the courts from questioning the validity of any proceedings in Parliament on the ground of any alleged irregularity of procedure. The powers of privilege that Parliamentarians enjoy are integral to the principle of separation of powers. However, the courts may be able to make a fine distinction between inquiring into procedural irregularity which is prohibited by the Constitution; and questioning an incorrect application of substantive principles, which I would argue, is the case with the Speaker decision.</p>
<h3>References</h3>
<p><strong>[1]</strong> See: <a href="http://thewire.in/2016/03/07/arun-jaitley-introduces-money-bill-on-aadhar-in-lok-sabha-24115/">http://thewire.in/2016/03/07/arun-jaitley-introduces-money-bill-on-aadhar-in-lok-sabha-24115/</a>.</p>
<p><strong>[2]</strong> See: <a href="http://indianexpress.com/article/opinion/columns/show-me-the-money-4/">http://indianexpress.com/article/opinion/columns/show-me-the-money-4/</a>.</p>
<p><strong>[3]</strong> See: <a href="http://www.thehindu.com/opinion/lead/circumventing-the-rajya-sabha/article7531467.ece">http://www.thehindu.com/opinion/lead/circumventing-the-rajya-sabha/article7531467.ece</a>.</p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/the-aadhaar-act-is-not-a-money-bill'>https://cis-india.org/internet-governance/blog/the-aadhaar-act-is-not-a-money-bill</a>
</p>
No publisherAmber SinhaUIDPrivacyInternet GovernanceDigital IndiaAadhaar2016-04-25T10:51:37ZBlog EntrySeminar on Understanding Financial Technology, Cashless India, and Forced Digitalisation (Delhi, January 24)
https://cis-india.org/internet-governance/news/seminar-on-understanding-financial-technology-cashless-india-and-forced-digitalisation-delhi-jan-24-2017
<b>The Centre for Financial Accountability is organising a seminar on "Understanding Financial Technology, Cashless India, and Forced Digitalisation" on Tuesday, January 24, at YWCA, Ashoka Road, New Delhi. Sumandro Chattapadhyay will participate in the seminar and speak on the emerging architecture of FinTech in India, as being developed and deployed by UIDAI and NPCI.</b>
<p> </p>
<p><em>Cross-posted from <a href="https://letstalkfinancialaccountability.wordpress.com/2017/01/20/understanding-financial-technology-cashless-india-forced-digitalisation/">Centre for Financial Accountability</a>.</em></p>
<hr />
<h2>Programme Schedule</h2>
<h4>09.30 - Registration</h4>
<h4>10:00 - Introduction to the Seminar & Setting the Context</h4>
<p>Madhuresh Kumar, National Alliance of People’s Movements</p>
<h4>10:15–11:30 - Session 1 - Understanding the Political Context of FinTech</h4>
<p>B P Mathur, Former Dy CAG</p>
<p>Prabir Purkayastha, Free Software Movement of India and Knowledge Commons</p>
<p>C P Chandrasekhar, Centre for Economic Studies and Planning, JNU</p>
<h4>11:30-11:45 – Tea / Coffee break</h4>
<h4>11:45-13:15 - Session 2 - How will FinTech Impact the Poor, and Labour and Banking Sector?</h4>
<p>Ashim Roy, New Trade Union of India</p>
<p>Nikhil Dey, Mazdoor Kisan Shakti Sangathan</p>
<p>Ravinder Gupta, General Secretary, State Bank of India Officers Association</p>
<h4>13:15-14:00 – Lunch</h4>
<h4>14:00-15:30 - Session 3 - Understanding the Economic Context of FinTech</h4>
<p>Indira Rajaraman, Former Director, RBI</p>
<p>Tony Joseph, Sr. Journalist</p>
<h4>15:30-17:00 - Session 4 - Understanding the Architecture of FinTech: Linkages to Aadhaar, IndiaStack etc</h4>
<p>Sumandro Chattapadhyay, the Centre for Internet and Society</p>
<p>Gopal Krishna, ToxicsWatch</p>
<h4>17:00 – Tea</h4>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/seminar-on-understanding-financial-technology-cashless-india-and-forced-digitalisation-delhi-jan-24-2017'>https://cis-india.org/internet-governance/news/seminar-on-understanding-financial-technology-cashless-india-and-forced-digitalisation-delhi-jan-24-2017</a>
</p>
No publishersumandroUnified Payments InterfaceFinancial TechnologyDigital IDBig DataDigital EconomyUIDInternet GovernanceDigital IndiaAadhaarFinancial InclusionBiometricsDigital Payment2017-01-23T13:17:19ZBlog EntrySalient Points in the Aadhaar Bill and Concerns
https://cis-india.org/internet-governance/salient-points-in-the-aadhaar-bill-and-concerns
<b>Since the release of the Aadhaar Bill, the Centre for Internet and Society has been writing a number of posts analyzing the Bill and calling out problematic areas and the implications of the same. This post is meant to contribute to this growing body of writing and call out our major concerns with the Bill. </b>
<p id="docs-internal-guid-7301bf10-976a-ed8c-7f3d-7dde76418a24" dir="ltr"><strong>Use of Aadhaar Number</strong></p>
<p dir="ltr"><em>What the Bill says:</em></p>
<ul id="docs-internal-guid-7301bf10-9771-2472-c5e8-991b7fefebd0"><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Used to establish identity: The Aadhaar number can be used by any government or private agency to validate a person’s identity for any lawful purpose, but it cannot be used as a proof of citizenship. (Sections 4, 6, and 57)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Mandatory for access to government services: The government can make it mandatory for a person to authenticate her/his identity using Aadhaar number before receiving any government subsidy, benefit, or service whose expenditure is incurred from the Consolidated Fund of India.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Those without a number, must apply for one: If someone attempting to access an applicable service does not have an Aadhaar number, he/she should make an application for enrolment, and will be allowed to use an alternative method of identification in the meantime. (Section 7)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Open to use by public and private bodies: The Bill does not prevent the use of Aadhaar number to establish identity for other lawful purposes by the State or other private bodies. (Section 57)</p>
</li></ul>
<em>Concerns:</em>
<ul id="docs-internal-guid-7301bf10-9773-5f01-28d6-bc08ffea2788"><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Aadhaar is not voluntary: Section 7 makes its mandatory to have an Aadhaar number to access services, subsidies and benefits, and stipulates that in case one does not have the Aadhaar number they must apply for it. This is counter to the repeated claims about Aadhaar being purely voluntary, and the Supreme Court order dated August 11, 2015 which prevents making Aadhaar mandatory, barring a few specified services. The Bill does not limit mandatory use of Aadhaar to those services, and leaves the door open for the government to route more benefits, subsidies and services through the Consolidated Fund of India and expand the scope of Aadhaar.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">There are limited and unclear alternatives: While there is a proviso in the Act which speaks for “viable and alternative” means of identification where Aadhaar number is not issued, the language is not clear and speaks of cases where Aadhaar “is not assigned” rather than simply stating that it is applicable to anyone who does not have an Aadhaar number.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">There is a conflict in the objects and actual scope of the Bill: There is a conflict between the objects of the Bill which is stated as identification of individuals for targeted delivery of entitlements and Section 57 which allows all entities, public or private, to use the Aadhaar number for authentication.</p>
</li></ul>
<p dir="ltr"><strong><br /></strong></p>
<p dir="ltr"><strong>Enrollment Process</strong></p>
<strong>
</strong>
<p dir="ltr"><em>What the Bill says:</em></p>
<em>
</em>
<ul id="docs-internal-guid-7301bf10-9772-9fda-b2a1-8587dbdd816b"><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Enrolling agencies must provide notice: At the time of enrollment, the enrolling agency will inform the individual of the following details— i) how their information will be used; ii) what type of entities the information will be shared with; and iii) that they have a right to access their information, and also tell them how they can access their information. (Section 3)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Biometrics and demographics will be collected: Biometric information and demographic information will be collected at enrollment. Biometric information means photograph, fingerprint, Iris scan, or any other biological attributes specified by regulations. Demographic information includes information relating to the name, date of birth, address and other relevant information as specified by regulations. (Section 2)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Special measures to ensure enrollment for all: The UIDAI will take special measures to issue Aadhaar number to women, children, senior citizens, persons with disability, unskilled and unorganised workers, nomadic tribes or to such other persons who do not have any permanent residence and similar categories of individuals as specified by the regulations. (Section 5)</p>
</li></ul>
<p dir="ltr"><em>Concerns:</em></p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">The Bill fails to address implementation issues: The Bill does not address issues that have arising during enrolment processes that have already been implemented. These include: the collection of additional and unnecessary information, unclear retention, storage, and destruction standards for data collected by enrollment agencies, abuse of methods used to ensure all have access to the enrollment process, inaccuracy in the collection of data. Detailed procedure and chain of custody for the enrollment process needs to be addressed through provisions in the Bill particularly as this process is undertaken by contracted third party registrars and enrolling agencies.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Definition of “Biometric Information” is broad and ambiguous: The Bill defines “biometric information” as “photograph, fingerprint, iris scan, or other such biological attributes of an individual.” This definition is broad and gives sweeping discretionary power to the UIDAI / Central Government to determine “other such biological attributes of an individual”. The definition should be precise and exhaustive in its scope. Any modification to this, and other terms in the Bill, should take place only through a legislative act.</p>
</li></ul>
<p> </p>
<p dir="ltr"><strong>Authentication Process</strong></p>
<p dir="ltr"><em>What the Bill says:</em></p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Consent and use limitation during authentication: The Bill states that any requesting entity will— (a) take consent from the individual before collecting his/her Adhaar information; (b) use the information only for authentication with the CIDR.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Notice during authentication: Further, the entity requesting authentication will also inform the individual of the following— (a) what type of information will be shared for authentication; (b) what will the information be used for; and (c) whether there is any alternative to submitting the Aadhaar information to the requesting entity. (Section 8)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Retention of authentication records: The UIDAI will maintain the authentication records in the manner and for as long as specified by regulations. (Section 32) The UIDAI will not collect, keep or maintain any information about the purpose of authentication. (Section 32)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Ability to obtain authentication records: Every Aadhaar number holder may obtain his authentication record as specified by regulations. (Section 32)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Requirement to update information: The UIDAI has the power to require residents to update their demographic and biometric information from time to time. (Section 6)</p>
</li></ul>
<p dir="ltr"><em>Concerns:</em></p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Lack of strong consent mechanism: While the Bill does provide for seeking consent for collecting and using an Aadhaar for authentication, the Bill does not specify that this must be informed consent with an ‘opt out’ mechanism and does not specify the manner in which such consent should be sought. This leaves it it in the hands of the UIDAI and possibly the third requesting entity to determine the form of consent that is to be taken. This could result in ambiguous, misleading, or inconsistent consent mechanisms being used. </p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Lack of strong notice mechanism: While the Bill does provide that individuals should be given notice of the type of information be shared and what the information will be used for, and any alternative identity that will be accepted during the authentication process this is a minimal notice and does not meet the standards in the (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 which require individuals to be notified of a) the fact that the information is being collected b) the purposes for which the information is being collected c) the intended recipients of the information d) the name and address of the agency collecting the information and the agency that will retain the information. Furthermore, the Bill does not require the UIDAI, contracted bodies, or requesting entities to notify individuals of any changes in organizational privacy policies. </p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">“Obtaining” rather than the right to access: Instead of providing the individual with a clear right to access the information that the UIDAI holds about him or her, the Bill waters down this safeguard by giving the individual the ability to obtain only his authentication record. What ‘obtaining’ will entail and how one will go about it is delegated to regulations. </p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Lack of ability to opt out, withdraw consent and/or ‘exit’ Aadhaar: There are no opt-out mechanisms in the Aadhaar Act.This means that individuals cannot:</p>
</li>
<ul><li style="list-style-type: circle;" dir="ltr">
<p dir="ltr">Opt out and leave the Aadhaar ‘ecosystem’ once enrolled and their information is not deleted.</p>
</li><li style="list-style-type: circle;" dir="ltr">
<p dir="ltr">Opt out of sharing of information at the enrollment stage or authentication stage.</p>
</li><li style="list-style-type: circle;" dir="ltr">
<p dir="ltr">Opt out of any use, disclosure, or retention of their information prescribed by the Act.</p>
</li></ul>
</ul>
<p> </p>
<p dir="ltr"><strong>Security</strong></p>
<p dir="ltr"><em>What the Bill says:</em></p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Security measures for information with UIDAI: The UIDAI will take measures to ensure that all information with the UIDAI, including CIDR records is secured and protected against access, use or disclosure and against destruction, loss or damage. (Section 28)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Security measures through contract: The UIDAI will adopt and implement appropriate technical and organisational security measures, and ensure the same are imposed through agreements/arrangements with its agents, consultants, advisors or other persons. (Section 28)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Security protocol via regulations: The UIDAI has the power to prescribe via regulation various processes relating to data management, security protocol and other technology safeguards (Section 54) </p>
</li></ul>
<p dir="ltr"><em>Concerns:</em></p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Undefined security measures: The Bill specifies that appropriate technical and organisational security measures shall be put in place without elaborating upon what those measure should be or defining any standards that they will adhere to. The Bill gives the Authority the power to define broad regulations pertaining to security protocol.</p>
</li></ul>
<p> </p>
<p dir="ltr"><strong>Confidentiality</strong></p>
<p dir="ltr"><em>What the Bill says:</em></p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Restriction on Sharing, Disclosure, and Use: Unless otherwise provided, the UIDAI or its agents will not reveal any information in the CIDR to anyone. (Section 28) The core biometric information collected will not be a) shared with anyone for any reason, and b) used for any purpose other generation of Aadhaar numbers and authentication. (Section 29) Identity information, other than core biometric information, may be shared as per this Act and regulations specified under it. (Section 29) Identity information available with a requesting entity will not be used for any purpose other than what is specified to the individual, nor will it be shared further without the individual’s consent. (Section 29) Aadhaar numbers or core biometric information will not be made public except as specified by regulations. (Section 30)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Application of Information Technology Act: All biometric information collected and stored in electronic form will be deemed to be “electronic record” and “sensitive personal data or information” under Information Technology Act, 2000 and its provisions and rules will apply to it in addition to this Act. (Section 30)</p>
</li></ul>
<p dir="ltr"><em>Concerns:</em></p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Aadhaar numbers and biometric information to be made public: It is unclear for what purposes it would be necessary for Aadhaar numbers and core biometric information to be made public and it is concerning that such circumstances are left to be defined by regulation. This is different from the Telegraph Act and the IT Act which define the circumstances for interception in the Act and define the procedure for carrying out interception orders in associated Rules. Defining circumstances for such information to be made public is against the disclosure standards in the 43A Rules - which would be applicable to the UIDAI and the disclosure of core biometric information.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Unclear application of Section 43 A Rules: The Bill characterises biometric information collected as ‘sensitive personal data or information’ under the Information Technology Act, 2000 and Section 43A Rules and states that the Act and Rules would be applicable to biometric information. If this is the case, than any body corporate (including the UIDAI) collecting, processing, or storing biometric information would need to follow the standards established in the Rules - including standards for collection, consent, disclosure, sharing, retention, and security. Yet, the Bill allows the UIDAI to make regulations for collection, disclosure, security etc.</p>
</li></ul>
<p> </p>
<p dir="ltr"><strong>Disclosure</strong></p>
<p dir="ltr"><em>What the Bill says:</em></p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Disclosure during authentication: During authentication, the UIDAI will respond to the authentication request with yes, no, or other appropriate response and share identity information about the Aadhaar number holder, but not share any biometric information. (Section 8)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Exceptions to confidentiality provisions: The UIDAI may reveal identity information, authentication records or any information in the CIDR following a court order by a District Judge or higher. Any such order may only be made after UIDAI is allowed to appear in a hearing. (Section 33) The confidentiality provisions in Sections 28 and 29 will not apply with respect to disclosure made in the interest of national security following directions by a Joint Secretary to the Government of India, or an officer of a higher rank, authorised for this purpose. (Section 33)</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Oversight Committee: An Oversight Committee comprising Cabinet Secretary, and Secretaries of two departments — Department of Legal Affairs and DeitY— will review every direction under 33 B above. Any directions in the interest of national security above are valid for 3 months, after which they may be extended following a review by the Oversight Committee. (Section 33) </p>
</li></ul>
<p dir="ltr"><em>Concerns:</em></p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Unnecessary disclosure during authentication: Usually authentication would be a binary process leading to a yes or no result, however, Section 8 also allows sharing of identity information in certain cases. It is unclear why any additional information would need to be shared in the authentication process.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Lack of opportunity to data subject: In case of a court order identity information and authentication records of an individual can be revealed without any notice or opportunity of hearing to the individual affected. Aside from allowing the UIDAI a right to be heard, the Bill does not provide any means by which an individual can contest such an order or challenge it after it has been passed.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Lack of defined functions and responsibilities of oversight mechanisms: Section 33 currently specifies a procedure for oversight by a committee, however, there are no substantive provisions laid down as the guiding principles establishing the responsibilities and powers of the oversight mechanism.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Low standards for disclosure order: Though a court order from a District Judge is required to authorize disclosure of information, the Bill fails to define important standards that such an order must meeting including that the order is necessary and proportionate.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Sweeping exception of National Security: Disclosures that are made ‘in the interest of national security’ do not require authorization by a judge and instead can be authorized by the Joint Secretary of the Government of India - a standard lower than that established in the Telegraph Act and IT Act for the interception of communications.</p>
</li></ul>
<p> </p>
<p dir="ltr"><strong>Power of UIDAI to make rules and regulations</strong></p>
<p dir="ltr"><em>What the Bill says:</em></p>
<p dir="ltr">The matters on which the UIDAI may frame rules include:</p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">The process of collecting information,</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Verification of information,</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Individual access to information,</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Sharing and disclosure of information,</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Alteration of information,</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Request and response for authentication,</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Defining use of Aadhaar numbers,</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Defining privacy and security processes,</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Specifying processes relating to data management, security protocols and other technology safeguards under this Act</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Establishing redressal mechanisms.</p>
</li></ul>
<p dir="ltr"><em>Concerns</em>:</p>
<ul><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Over delegation of powers to the UIDAI: This Bill follows in the tradition of laws like the Information Technology Act, which allows the executive a very high degree of discretionary power. As mentioned above, a number of important powers which should ideally be within the purview of the legislature are delegated to the UIDAI. The UIDAI has been administrating the project since its inception, and a number of problems have already been documented in process such as collection, verification, sharing of information, privacy and security processes. Rather than addressing these problems, the Bill allows the UIDAI to continue to have similar powers.</p>
</li><li style="list-style-type: disc;" dir="ltr">
<p dir="ltr">Lack of independence of grievance redressal mechanism: Within the text of the Bill there are no grievance redressal mechanism created under the Bill. The power to set up such a mechanism is delegated to the UIDAI under Section 23 (2) (s) of the Bill. However, making the entity administering a project, also responsible for providing for the frameworks to address the grievances arising from the project, severely compromises the independence of the grievance redressal body.</p>
</li></ul>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/salient-points-in-the-aadhaar-bill-and-concerns'>https://cis-india.org/internet-governance/salient-points-in-the-aadhaar-bill-and-concerns</a>
</p>
No publisherAmber Sinha and Elonnai HickokUIDPrivacyInternet GovernanceAadhaarBiometrics2016-03-21T04:37:48ZBlog EntryRight to Food Campaign, Ranchi Convention, 2016
https://cis-india.org/internet-governance/news/right-to-food-campaign-ranchi-convention-2016
<b>The Right to Food Campaign held its 2016 Convention in Ranchi during September 23-25, 2016. While three years have elapsed since the passage of the National Food Security Act, despite improvements in the Public Distribution System (PDS), large implementation gaps remain. This is what the Convention focused on, and gathered researchers and campaigners from across the country to share experiences and case studies on effectiveness and exclusions from the PDS. Sumandro Chattapadhyay took part in a session of the Convention to discuss how UID-linked welfare delivery is being rolled out across key programmes like provision of pension and rationed distribution of essential commodities, and their impact on people's right to welfare services.</b>
<p> </p>
<h4>Right to Food Campaign: <a href="http://www.righttofoodcampaign.in/">Website</a>.</h4>
<h4>Right to Food Campaign: <a href="https://docs.google.com/viewer?a=v&pid=sites&srcid=ZGVmYXVsdGRvbWFpbnxoYXFyb3ppcm90aXxneDo3MmQ3MTMyZjU2N2FjOGU">Cash Transfers and UID: Our Main Demands</a>.</h4>
<h4>Ranchi Convention, 2016: <a href="https://docs.google.com/document/d/110_asJ1t14IWALbhWN1RjDiOV8WE-fIK2xJC5Yltyc4/edit">Programme</a>.</h4>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/right-to-food-campaign-ranchi-convention-2016'>https://cis-india.org/internet-governance/news/right-to-food-campaign-ranchi-convention-2016</a>
</p>
No publishersumandroBig DataData SystemsInternet GovernanceSurveillanceAadhaarWelfare GovernanceBiometricsBig Data for DevelopmentUID2019-03-16T04:40:52ZBlog EntryRequest for Specifics: Rebuttal to UIDAI
https://cis-india.org/internet-governance/blog/economic-and-political-weekly-journal-vol-51-issue-36-september-3-2016-hans-varghese-mathews-request-for-specifics
<b>Responding to the Unique Identification Authority of India’s article that found “serious mathematical errors” in “Flaws in the UIDAI Process” (EPW 12 March 2016), the main mathematical argument used to arrive at the number of duplicates in the biometric database is explained.</b>
<p style="text-align: justify; ">The article was published in the <a class="external-link" href="http://www.epw.in/journal/2016/36/documents/request-specifics-rebuttal-uidai.html">Economic & Political Weekly</a> on September 3, 2016, Vol.51, Issue No.36.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The author of a technical paper will be alarmed when he is convicted of “serious mathematical errors” by someone who has not bothered himself with “going too deep into the mathematics” used. The man must possess miraculous powers of divination one feels: fears rather. The UIDAI seems to have even such formidable diviners in their employ: who have dismissed just so peremptorily, in their rebuttal, the calculations made in my paper titled Flaws in the UIDAI process. The paper appeared in the issue of this journal dated to February 27 of this year. The rebuttal was published in the issue dated to the 12th of March. The interested reader can confirm that I have only repeated what was said there. The rebuttal does not specify, in any way, the mathematical mistakes I am supposed to have made. So I shall rehearse the relevant calculations very broadly: and the experts of the UIDAI will then exhibit, I trust, the specific mistakes they impute to me.<a href="#ftn*">[*]</a></p>
<hr />
<p style="text-align: justify; "><a name="ftn*">[*]</a>My reply to the UIDAIs attempted rebuttal was sent in to the EPW a few days after that appeared in print: and published as a “web exclusive” article in Volume 51, Issue Number 36 of the EPW, on 03/09/2016.</p>
<p style="text-align: justify; "><b><a class="external-link" href="http://cis-india.org/internet-governance/files/requestForSpecifics.pdf">Read the Full Article</a></b></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/economic-and-political-weekly-journal-vol-51-issue-36-september-3-2016-hans-varghese-mathews-request-for-specifics'>https://cis-india.org/internet-governance/blog/economic-and-political-weekly-journal-vol-51-issue-36-september-3-2016-hans-varghese-mathews-request-for-specifics</a>
</p>
No publisherhansUIDAadhaarInternet GovernancePrivacy2016-10-30T15:06:31ZBlog EntryReport on Understanding Aadhaar and its New Challenges
https://cis-india.org/internet-governance/blog/report-on-understanding-aadhaar-and-its-new-challenges
<b>The Trans-disciplinary Research Cluster on Sustainability Studies at Jawaharlal Nehru University collaborated with the Centre for Internet and Society, and other individuals and organisations to organise a two day workshop on “Understanding Aadhaar and its New Challenges” at the Centre for Studies in Science Policy, JNU on May 26 and 27, 2016. The objective of the workshop was to bring together experts from various fields, who have been rigorously following the developments in the Unique Identification (UID) Project and align their perspectives and develop a shared understanding of the status of the UID Project and its impact. Through this exercise, it was also sought to develop a plan of action to address the welfare exclusion issues that have arisen due to implementation of the UID Project.</b>
<p> </p>
<h4>Report: <a href="https://cis-india.org/internet-governance/files/report-on-understanding-aadhaar-and-its-new-challenges/at_download/file">Download</a> (PDF)</h4>
<hr />
<p style="text-align: justify;">This Report is a compilation of the observations made by participants at the workshop relating to myriad issues under the UID Project and various strategies that could be pursued to address these issues. In this Report we have classified the observations and discussions into following themes:</p>
<p><strong>1.</strong> <a href="#1">Brief Background of the UID Project</a></p>
<p><strong>2.</strong> <a href="#2">Legal Status of the UIDAI Project</a></p>
<ul>
<li><a href="#21">Procedural issues with passage of the Act</a></li>
<li><a href="#22">Status of related litigation</a></li></ul>
<p><strong>3.</strong> <a href="#3">National Identity Projects in Other Jurisdictions</a></p>
<ul>
<li><a href="#31">Pakistan</a></li>
<li><a href="#32">United Kingdom</a></li>
<li><a href="#33">Estonia</a></li>
<li><a href="#34">France</a></li>
<li><a href="#35">Argentina</a></li></ul>
<p><strong>4.</strong> <a href="#4">Technologies of Identification and Authentication</a></p>
<ul>
<li><a href="#41">Use of Biometric Information for Identification and Authentication</a></li>
<li><a href="#42">Architectures of Identification</a></li>
<li><a href="#43">Security Infrastructure of CIDR</a></li></ul>
<p><strong>5.</strong> <a href="#5">Aadhaar for Welfare?</a></p>
<ul>
<li><a href="#51">Social Welfare: Modes of Access and Exclusion</a></li>
<li><a href="#52">Financial Inclusion and Direct Benefits Transfer</a></li></ul>
<p><strong>6.</strong> <a href="#6">Surveillance and UIDAI</a></p>
<p><strong>7.</strong> <a href="#7">Strategies for Future Action</a></p>
<p><strong>Annexure A</strong> <a href="#AA">Workshop Agenda</a></p>
<p><strong>Annexure B</strong> <a href="#AB">Workshop Participants</a></p>
<hr />
<h3 id="1" style="text-align: justify;"><strong>1. Brief Background of the UID Project</strong></h3>
<p style="text-align: justify;">In the year 2009, the UIDAI was established and the UID project was conceived by the Planning Commission under the UPA government to provide unique identification for each resident in India and to be used for delivery of welfare government services in an efficient and transparent manner, along with using it as a tool to monitor government schemes. The objective of the scheme has been to issue a unique identification number by the Unique Identification Authority of India, which can be authenticated and verified online. It was conceptualized and implemented as a platform to facilitate identification and avoid fake identity issues and delivery of government benefits based on the demographic and biometric data available with the Authority.</p>
<p style="text-align: justify;">The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (the “<strong>Act</strong>”) was passed as a money bill on March 16, 2016 and was notified in the gazette March 25, 2016 upon receiving the assent of the President. However, the enforceability date has not been mentioned due to which the bill has not come into force.</p>
<p style="text-align: justify;">The Act provides that the Aadhaar number can be used to validate a person’s identity, but it cannot be used as a proof of citizenship. Also, the government can make it mandatory for a person to authenticate her/his identity using Aadhaar number before receiving any government subsidy, benefit, or service. At the time of enrolment, the enrolling agency is required to provide notice to the individual regarding how the information will be used, the type of entities the information will be shared with and their right to access their information. Consent of an individual would be obtained for using his/her identity information during enrolment as well as authentication, and would be informed of the nature of information that may be shared. The Act clearly lays that the identity information of a resident shall not be sued for any purpose other than specified at the time of authentication and disclosure of information can be made only pursuant to an order of a court not inferior to that of a District Judge and/or disclosure made in the interest of national security.</p>
<h3 id="2" style="text-align: justify;"><strong>2. Legal Status of the UIDAI Project</strong></h3>
<p style="text-align: justify;">In this section, we have summarised the discussions on the procedural issues with the passage of the Act. The participants had criticised the passage of the Act as a money bill in the Parliament. The participants also assessed the litigation pending in the Supreme Court of India that would be affected by this law. These discussions took place in the session titled, ‘Current Status of Aadhaar’ and have been summarised below.</p>
<h3 id="21" style="text-align: justify;">Procedural Issues with Passage of the Act</h3>
<p style="text-align: justify;">The participants contested the introduction of the Act in the form of a money bill. The rationale behind this was explained at the session and is briefly explained here. Article 110 (1) of the Constitution of India defines a money bill as one containing provisions only regarding the matters enumerated or any matters incidental to the following: a) imposition, regulation and abolition of any tax, b) borrowing or other financial obligations of the Government of India, c) custody, withdrawal from or payment into the Consolidated Fund of India (CFI) or Contingent Fund of India, d) appropriation of money out of CFI, e) expenditure charged on the CFI or f) receipt or custody or audit of money into CFI or public account of India. The Act makes references to benefits, subsidies and services which are funded by the Consolidated Fund of India (CFI), however the main objectives of the Act is to create a right to obtain a unique identification number and provide for a statutory mechanism to regulate this process. The Act only establishes an identification mechanism which facilitates distribution of benefits and subsidies funded by the CFI and this identification mechanism (Aadhaar number) does not give it the character of a money bill. Further, money bills can be introduced only in the Lok Sabha, and the Rajya Sabha cannot make amendments to such bills passed by the Lok Sabha. The Rajya Sabha can suggest amendments, but it is the Lok Sabha’s choice to accept or reject them. This leaves the Rajya Sabha with no effective role to play in the passage of the bill.</p>
<p style="text-align: justify;">The participants also briefly examined the writ petition that has been filed by former Union minister Jairam Ramesh challenging the constitutionality and legality of the treatment of this Act as a money bill which has raised the question of judiciary’s power to review the decisions of the speaker. Article 122 of the Constitution of India provides that this power of judicial review can be exercised to look into procedural irregularities. The question remains whether the Supreme Court will rule that it can determine the constitutionality of the decision made by the speaker relating to the manner in which the Act was introduced in the Lok Sabha. A few participants mentioned that similar circumstances had arisen in the case of Mohd. Saeed Siddiqui v. State of U.P. <a href="#ftn1">[1]</a>.</p>
<p style="text-align: justify;">where the Supreme Court refused to interfere with the decision of the Uttar Pradesh legislative assembly speaker certifying an amendment bill to increase the tenure of the Lokayukta as a money bill, despite the fact that the bill amended the Uttar Pradesh Lokayukta and Up-Lokayuktas Act, 1975, which was passed as an ordinary bill by both houses. The Court in this case held that the decision of the speaker was final and that the proceedings of the legislature being important legislative privilege could not be inquired into by courts. The Court added, “the question whether a bill is a money bill or not can be raised only in the state legislative assembly by a member thereof when the bill is pending in the state legislature and before it becomes an Act.”</p>
<p style="text-align: justify;">However, it is necessary to carve a distinction between Rajya Sabha and State Legislature. Unlike the State Legislature, constitution of Rajya Sabha is not optional therefore significance of the two bodies in the parliamentary process cannot be considered the same. Participants also made another significant observation about a similar bill on the UID project (National Identification Authority of India (NIDAI) Bill) that was introduced before by the UPA government in 2010 and was deemed unacceptable by the standing committee on finance, headed by Yashwant Sinha. This bill was subsequently withdrawn.</p>
<h3 id="22" style="text-align: justify;">Status of Related Litigation</h3>
<p style="text-align: justify;">A panellist in this session briefly summarised all the litigation that was related to or would be affected by the Act. The panellist also highlighted several Supreme Court orders in the case of <em>KS Puttuswamy v. Union of India</em> <a href="#ftn2">[2]</a> which limited the use of Aadhaar. We have reproduced the presentation below.</p>
<ul>
<li style="text-align: justify;"><em>KS Puttuswamy v. Union of India</em> - This petition was filed in 2012 with primary concern about providing Aadhaar numbers to illegal immigrants in India. It was contended that this could not be done without a law establishing the UIDAI and amendment to the Citizenship laws. The petitioner raised concerns about privacy and fallibility of biometrics.</li>
<li style="text-align: justify;"> Sudhir Vombatkere & Bezwada Wilson <a href="#ftn3">[3]</a> - This petition was filed in 2013 on grounds of infringement of right to privacy guaranteed under Article 21 of the Constitution of India and the security threat on account of data convergence.</li>
<li style="text-align: justify;">Aruna Roy & Nikhil Dey <a href="#ftn4">[4]</a> - This petition was filed in 2013 on the grounds of large scale exclusion of people from access to basic welfare services caused by UID. After their petition, no. of intervention applications were filed. These were the following:</li>
<li style="text-align: justify;">Col. Mathew Thomas <a href="#ftn5">[5]</a> - This petition was filed on the grounds of threat to national security posed by the UID project particularly in relation to arrangements for data sharing with foreign companies (with links to foreign intelligence agencies).</li>
<li style="text-align: justify;">Nagrik Chetna Manch <a href="#ftn6">[6]</a> - This petition was filed in 2013 and led by Dr. Anupam Saraph on the grounds that the UID project was detrimental to financial service regulation and financial <em>inclusion.</em></li>
<li style="text-align: justify;">S. Raju <a href="#ftn7">[7] </a> - This petition was filed on the grounds that the UID project had implications on the federal structure of the State and was detrimental to financial inclusion.</li>
<li style="text-align: justify;"><em>Beghar Foundation</em> - This petition was filed in 2013 in the Delhi High Court on the grounds invasion of privacy and exclusion specifically in relation to the homeless. It subsequently joined the petition filed by Aruna Roy and Nikhil Dey as an intervener.</li>
<li style="text-align: justify;">Vickram Crishna – This petition was originally filed in the Bombay High Court in 2013 on the grounds of surveillance and invasion of privacy. It was later transferred to the Supreme Court.</li>
<li style="text-align: justify;">Somasekhar – This petition was filed on the grounds of procedural unreasonableness of the UID project and also exclusion & privacy. The petitioner later intervened in the petition filed by Aruna Roy and Nikhil Dey in 2013.</li>
<li style="text-align: justify;">Rajeev Chandrashekhar– This petition was filed on the ground of lack of legal sanction for the UID project. He later intervened in the petition filed by Aruna Roy and Nikhil Dey in 2013. His position has changed now.</li>
<li style="text-align: justify;">Further, a petition was filed by Mr. Jairam Ramesh initially challenging the passage of the Act as a money bill but subsequently, it has been amended to include issues of violation of right to privacy and exclusion of the poor and has advocated for five amendments that were suggested to the Aadhaar Bill by the Rajya Sabha.</li></ul>
<h3 id="23" style="text-align: justify;">Relevant Orders of the Supreme Court</h3>
<p>There are six orders of the Supreme Court which are noteworthy.</p>
<ul>
<li style="text-align: justify;">Order of Sept. 23, 2013 - The Supreme court directed that: 1) no person shall suffer for not having an aadhaar number despite the fact that a circular by an authority makes it mandatory; 2) it should be checked if a person applying for aadhaar number voluntarily is entitled to it under the law; and 3) precaution should be taken that it is not be issued to illegal immigrants.</li>
<li style="text-align: justify;">Order of 26th November, 2013 – Applications were filed by UIDAI, Ministry of Petroleum & Natural Gas, Govt of India, Indian Oil Corporation, BPCL and HPCL for modifying the September 23rd order and sought permission from the Supreme Court to make aadhaar number mandatory. The Supreme Court held that the order of September 23rd would continue to be effective.</li>
<li style="text-align: justify;">Order of 24th March, 2014 – This order was passed by the Supreme Court in a special leave petition filed in the case of <em>UIDAI v CBI</em> <a href="#ftn8">[8] </a> wherein UIDAI was asked to UIDAI to share biometric information of all residents of a particular place in Goa to facilitate a criminal investigation involving charges of rape and sexual assault. The Supreme Court restrained UIDAI from transferring any biometric information of an individual without to any other agency without his consent in writing. The Supreme Court also directed all the authorities to modify their forms/circulars/likes so as to not make aadhaar number mandatory.</li>
<li style="text-align: justify;">Order of 16th March, 2015 - The SC took notice of widespread violations of the order passed on September 23rd, 2013 and directed the Centre and the states to adhere to these orders to not make aadhaar compulsory.</li>
<li style="text-align: justify;">Orders of August 11, 2015 – In the first order, the Central Government was directed to publicise the fact that aadhaar was voluntary. The Supreme Court further held that provision of benefits due to a citizen of India would not be made conditional upon obtaining an aadhaar number and restricted the use of aadhaar to the PDS Scheme and in particular for the purpose of distribution of foodgrains, etc. and cooking fuel, such as kerosene and the LPG Distribution Scheme. The Supreme Court also held that information of an individual that was collected in order to issue an aadhaar number would not be used for any purpose except when directed by the Court for criminal investigations. Separately, the status of fundamental right to privacy was contested and accordingly the Supreme Court directed that the issue be taken up before the Chief Justice of India.</li>
<li style="text-align: justify;">Orders of October 16, 2015 – The Union of India, the states of Gujarat, Maharashtra, Himachal Pradesh and Rajasthan, and authorities including SEBI, TRAI, CBDT, IRDA , RBI applied for a hearing before the Constitution Bench for modification of the order passed by the Supreme Court on August 11 and allow use of aadhaar number schemes like The Mahatma Gandhi National Rural Employment Guarantee Scheme MGNREGS), National Social Assistance Programme (Old Age Pensions, Widow Pensions, Disability Pensions) Prime Minister's Jan Dhan Yojana (PMJDY) and Employees' Providend Fund Organisation (EPFO). The Bench allowed the use of aadhaar number for these schemes but stressed upon the need to keep aadhaar scheme voluntary until the matter was finally decided.</li></ul>
<p style="text-align: justify;">Status of these orders<br />The participants discussed the possible impact of the law on the operation of these orders. A participant pointed out that matters in the Supreme Court had not become infructuous because fundamental issues that were being heard in the Supreme Court had not been resolved by the passage of the Act. Several participants believed that the aforementioned orders were effective because the law had not come into force. Therefore, aadhaar number could only be used for purposes specified by the Supreme Court and it could not be made mandatory. Participants also highlighted that when the Act was implemented, it would not nullify the orders of the Supreme Court unless Union of India asked the Supreme Court for it specifically and the Supreme Court sanctioned that.</p>
<h3 id="3" style="text-align: justify;"><strong>3. National Identity Projects in Other Jurisdictions</strong></h3>
<p style="text-align: justify;">A panellist had provided a brief overview of similar programs on identification that have been launched in other jurisdictions including Pakistan, United Kingdom, France, Estonia and Argentina in the recent past in the session titled ‘Aadhaar - International Dimensions’. This presentation mainly sought to assess the incentives that drove the governments in these jurisdictions to formulate these projects, mandatory nature of their adoption and their popularity. The Report has reproduced the presentation here.</p>
<h3 id="31" style="text-align: justify;">Pakistan</h3>
<p style="text-align: justify;">The Second Amendment to the Constitution of Pakistan in 2000 established the National Database and Regulation Authority in the country, which regulates government databases and statistically manages the sensitive registration database of the citizens of Pakistan. It is also responsible for issuing national identity cards to the citizens of Pakistan. Although the card is not legally compulsory for a Pakistani citizen, it is mandatory for:</p>
<ul>
<li>Voting</li>
<li>Obtaining a passport</li>
<li>Purchasing vehicles and land</li>
<li>Obtaining a driver licence</li>
<li>Purchasing a plane or train ticket</li>
<li>Obtaining a mobile phone SIM card</li>
<li>Obtaining electricity, gas, and water</li>
<li>Securing admission to college and other post-graduate institutes</li>
<li>Conducting major financial transactions</li></ul>
<p style="text-align: justify;">Therefore, it is pretty much necessary for basic civic life in the country. In 2012, NADRA introduced the Smart National Identity Card, an electronic identity card, which implements 36 security features. The following information can be found on the card and subsequently the central database: Legal Name, Gender (male, female, or transgender), Father's name (Husband's name for married females), Identification Mark, Date of Birth, National Identity Card Number, Family Tree ID Number, Current Address, Permanent Address, Date of Issue, Date of Expiry, Signature, Photo, and Fingerprint (Thumbprint). NADRA also records the applicant's religion, but this is not noted on the card itself. (This system has not been removed yet and is still operational in Pakistan.)</p>
<h3 id="32" style="text-align: justify;">United Kingdom</h3>
<p style="text-align: justify;">The Identity Cards Act was introduced in the wake of the terrorist attacks on 11th September, 2001, amidst rising concerns about identity theft and the misuse of public services. The card was to be used to obtain social security services, but the ability to properly identify a person to their true identity was central to the proposal, with wider implications for prevention of crime and terrorism. The cards were linked to a central database (the National Identity Register), which would store information about all of the holders of the cards. The concerns raised by human rights lawyers, activists, security professionals and IT experts, as well as politicians were not to do with the cards as much as with the NIR. The Act specified 50 categories of information that the NIR could hold, including up to 10 fingerprints, digitised facial scan and iris scan, current and past UK and overseas places of residence of all residents of the UK throughout their lives. The central database was purported to be a prime target for cyber attacks, and was also said to be a violation of the right to privacy of UK citizens. The Act was passed by the Labour Government in 2006, and repealed by the Conservative-Liberal Democrat Coalition Government as part of their measures to “reverse the substantial erosion of civil liberties under the Labour Government and roll back state intrusion.”</p>
<h3 id="33" style="text-align: justify;">Estonia</h3>
<p style="text-align: justify;">The Estonian i-card is a smart card issued to Estonian citizens by the Police and Border Guard Board. All Estonian citizens and permanent residents are legally obliged to possess this card from the age of 15. The card stores data such as the user's full name, gender, national identification number, and cryptographic keys and public key certificates. The cryptographic signature in the card is legally equivalent to a manual signature, since 15 December 2000. The following are a few examples of what the card is used for:</p>
<ul>
<li>As a national ID card for legal travel within the EU for Estonian citizens</li>
<li>As the national health insurance card</li>
<li>As proof of identification when logging into bank accounts from a home computer</li>
<li>For digital signatures</li>
<li>For i-voting</li>
<li>For accessing government databases to check one’s medical records, file taxes, etc.</li>
<li>For picking up e-Prescriptions</li>
<li>(This system is also operational in the country and has not been removed)</li></ul>
<h3 id="34" style="text-align: justify;">France</h3>
<p style="text-align: justify;">The biometric ID card was to include a compulsory chip containing personal information, such as fingerprints, a photograph, home address, height, and eye colour. A second, optional chip was to be implemented for online authentication and electronic signatures, to be used for e-government services and e-commerce. The law was passed with the purpose of combating “identity fraud”. It was referred to the Constitutional Council by more than 200 members of the French Parliament, who challenged the compatibility of the bill with the citizens’ fundamental rights, including the right to privacy and the presumption of innocence. The Council struck down the law, citing the issue of proportionality. “Regarding the nature of the recorded data, the range of the treatment, the technical characteristics and conditions of the consultation, the provisions of article 5 touch the right to privacy in a way that cannot be considered as proportional to the meant purpose”.</p>
<h3 id="35" style="text-align: justify;">Argentina</h3>
<p style="text-align: justify;">Documento Nacional de Identidad or DNI (which means National Identity Document) is the main identity document for Argentine citizens, as well as temporary or permanent resident aliens. It is issued at a person's birth, and updated at 8 and 14 years of age simultaneously in one format: a card (DNI tarjeta); it's valid if identification is required, and is required for voting. The front side of the card states the name, sex, nationality, specimen issue, date of birth, date of issue, date of expiry, and transaction number along with the DNI number and portrait and signature of the card's bearer. The back side of the card shows the address of the card's bearer along with their right thumb fingerprint. The front side of the DNI also shows a barcode while the back shows machine-readable information. The DNI is a valid travel document for entering Argentina, Bolivia, Brazil, Chile, Colombia, Ecuador, Paraguay, Peru, Uruguay, and Venezuela. (System still operational in the country)</p>
<h3 id="4" style="text-align: justify;"><strong>4. Technologies of Identification and Authentication</strong></h3>
<p style="text-align: justify;">The panel in the session titled ‘Aadhaar: Science, Technology, and Security’ explained the technical aspects of use of biometrics and privacy concerns, technology architecture for identification and inadequacy of infrastructure for information security. In this section, we have summarised the presentation and the ensuing discussions on these issues.</p>
<h3 id="41" style="text-align: justify;">Use of Biometric Information for Identification and Authentication</h3>
<p style="text-align: justify;">The panelists explained with examples that identification and authentication were different things. Identity provides an answer to the question “who are you?” while authentication is a challenge-response process that provides a proof of the claim of identity. Common examples of identity are User ID (Login ID), cryptographic public keys and ATM or Smart cards while common authenticators are passwords (including OTPs), PINs and cryptographic private keys. Identity is public information but an authenticator must be private and known only to the user. Authentication must necessarily be a conscious process and active participation by the user is a must. It should also always be possible to revoke an authenticator. After providing this understanding of the two processes the panellist then explained if biometric information could be used for identification or authentication under the UID Project. Biometric information is clearly public information and it is questionable if it can be revoked. Therefore it should never be used for authentication, but only for identity verification. There is a possibility of authentication by fingerprints under the UID Project, without conscious participation of the user. One could trace the fingerprints of an individual from any place the individual has been in contact with. Therefore, authentication must certainly be done by other means. The panellist pointed out that there were five kinds of authentication under the UID Project, out of which two-factor authentication and one time password were considered suitable but use of biometric information and demographic information was extremely threatening and must be withdrawn.</p>
<h3 id="42" style="text-align: justify;">Architectures of Identification</h3>
<p style="text-align: justify;">The panelists explained the architecture of the UID Project that has been designed for identification purposes, highlighted its limitations and suggested alternatives. His explanations are reproduced below.</p>
<p style="text-align: justify;">Under the UID Project, there is a centralised means of identification i.e. the aadhaar number and biometric information stored in one place, Central Identification Data Repository (CIDR). It is better to have multiple means of identification than one (as contemplated under the UID Project) for preservation of our civil liberties. The question is what the available alternatives are. Web of trust is a way for operationalizing distributed identification but the challenge is how one brings people from all social levels to participate in it. There is a need for registrars who will sign keys and public databases for this purpose.</p>
<p style="text-align: justify;">The aadhaar number functions as a common index and facilitates correlation of data across Government databases. While this is tremendously attractive it raises several privacy concerns as more and more information relating to an individual is available to others and is likely to be abused.</p>
<p style="text-align: justify;">The aadhaar number is available in human readable form. This raises the risk of identification without consent and unauthorised profiling. It cannot be revoked. Potential for damage in case of identity theft increases manifold.</p>
<p style="text-align: justify;">Under the UID Project, for the purpose of information security, Authentication User Agencies (“<strong>AUA</strong>”) are required to use local identifiers instead of aadhaar numbers but they are also required to map these local identifiers to the aadhaar numbers. Aadhaar numbers are not cryptographically secured; in fact they are publicly available. Hence this exercise for securing information is useless. An alternative would be to issue different identifiers for different domains and cryptographically embed a “master identifier” (in this case, equivalent of aadhaar number) into each local identifier.</p>
<p style="text-align: justify;">All field devices (for example POS machines) should be registered and must communicate directly with UIDAI. In fact, UIDAI must verify the authenticity (tamper proof) of the field device during run time and a UIDAI approved authenticity certificate must be issued for field devices. This certificate must be made available to users on demand. Further, the security and privacy frameworks within which AUAs work must be appropriately defined by legal and technical means.</p>
<h3 id="43" style="text-align: justify;">Security Infrastructure of CIDR</h3>
<p style="text-align: justify;">The panelists also enumerated the security features of the UID Project and highlighted the flaws in these features. These have been summarised below.</p>
<p>The security and privacy infrastructure of UIDAI has the following main features:</p>
<ul>
<li>2048 bit PKI encryption of biometric data in transit</li>
<li>End-to-end encryption from enrolment/POS to CIDR</li>
<li>HMAC based tamper detection of PID blocks</li>
<li>Registration and authentication of AUAs</li>
<li>Within CIDR only a SHA 1 Hash of Aadhaar number is stored</li>
<li>Audit trails are stored SHA 1 encrypted. Tamper detection?</li>
<li>Only hashes of passwords and PINs are stored. (biometric data stored in original form though!)</li>
<li>Authentication requests have unique session keys and HMAC</li>
<li>Resident data stored using 100 way sharding (vertical partitioning). First two digits of Aadhaar number as shard keys</li>
<li>All enrolment and update requests link to partitioned databases using Ref IDs (coded indices)</li>
<li>All accesses through a hardware security module</li>
<li>All analytics carried out on anonymised data</li></ul>
<p style="text-align: justify;">The panellists pointed out the concerns about information security on account of design flaws, lack of procedural safeguards, openness of the system and too much trust imposed on multiple players. All symmetric and private keys and hashes are stored somewhere within UIDAI. This indicates that trust is implicitly assumed which is a glaring design flaw. There is no well-defined approval procedure for data inspection, whether it is for the purpose of investigation or for data analytics. There is a likelihood of system hacks, insider leaks, and tampering of authentication records and audit trails. The ensuing discussions highlighted that the UIDAI had admitted to these security risks. The enrolment agencies and the enrolment devices cannot be trusted. AUAs cannot be trusted with biometric and demographic data; neither can they be trusted with sensitive user data of private nature. There is a need for an independent third party auditor for distributed key management, auditing and approving UIDAI programs, including those for data inspection and analytics, whitebox cryptographic compilation of critical parts of the UIDAI programs, issue of cryptographic keys to UIDAI programs for functional encryption, challenge-response for run-time authentication and certification of UIDAI programs. The panellist recommended that there was a need to to put a suitable legal framework to execute this.</p>
<p style="text-align: justify;">The participants also discussed that information infrastructure must not be made of proprietary software (possibility for backdoors for US) and there must be a third party audit with a non-negotiable clause for public audit.</p>
<h3 id="5" style="text-align: justify;"><strong>5. Aadhaar for Welfare?</strong></h3>
<p style="text-align: justify;">The Report has summarised the discussions that took place in the sessions on ‘Direct Benefits Transfers’ and ‘Aadhaar: Broad Issues - II’ where the panellists critically analysed the claims of benefits and inclusion of Aadhaar made by the government in light of the ground realities in states where Aadhaar has been adopted for social welfare schemes.</p>
<h3 id="51" style="text-align: justify;">Social Welfare: Modes of Access and Exclusion</h3>
<p style="text-align: justify;">Under the Act, a person may be required to authenticate or give proof of the aadhaar number in order to receive subsidy from the government (Section 7). A person is required to punch their fingerprints on POS machines in order to receive their entitlement under the social welfare schemes such as LPG and PDS. It was pointed out in the discussions that various states including Rajasthan and Delhi had witnessed fingerprint errors while doling out benefits at ration shops under the PDS scheme. People have failed to receive their entitled benefits because of these fingerprint errors thus resulting in exclusion of beneficiaries <a href="#ftn9">[9]</a>. A panellist pointed out that in Rajasthan, dysfunctional biometrics had led to further corruption in ration shops. Ration shop owners often lied to the beneficiaries about functioning of the biometric machines (POS Machines) and kept the ration for sale in the market therefore making a lot of money at the expense of uninformed beneficiaries and depriving them of their entitlements.</p>
<p style="text-align: justify;">Another participant organisation also pointed out similar circumstances in the ration shops in Patparganj and New Delhi constituencies. Here, the dealers had maintained the records of beneficiaries who had been categorized as follows: beneficiaries whose biometrics did not match, beneficiaries whose biometrics matched and entitlements were provided, beneficiaries who never visited the ration shop. It had been observed that there were no entries in the category of beneficiaries whose biometrics did not match however, the beneficiaries had a different story to tell. They complained that their biometrics did not match despite trying several times and there was no mechanism for a manual override. Consequently, they had not been able to receive any entitlements for months. The discussions also pointed out that the food authorities had placed complete reliance on authenticity of the POS machines and claim that this system would weed out families who were not entitled to the benefits. The MIS was also running technical glitches as a result there was a problem with registering information about these transactions hence, no records had been created with the State authority about these problems. A participant also discussed the plight of 30,000 widows in Delhi, who were entitled to pension and used to collect their entitlement from post offices, faced exclusion due to transition problems under the Jan Dhan Yojana (after the Jandhan was launched the money was transferred to their bank accounts in order to resolve the problem of misappropriation of money at the hands of post office officials). These widows were asked to open bank accounts to receive their entitlements and those who did not open these accounts and did not inform the post office were considered bogus.</p>
<p style="text-align: justify;">In the discussions, the participants also noted that this unreliability of fingerprints as a means of authentication of an individual’s identity was highlighted at the meeting of Empowered Group of Ministers in 2011 by J Dsouza, a biometrics scientist. He used his wife’s fingerprints to demonstrate that fingerprints may change overtime and in such an event, one would not be able to use the POS machine anymore as the machine would continue to identify the impressions collected initially.</p>
<p style="text-align: justify;">The participants who had been working in the field had contributed to the discussions by busting the myth that the UID Project helped to identify who was poor and resolve the problem of exclusion due to leakages in the social welfare programs. These discussions have been summarised below.</p>
<ul>
<li style="text-align: justify;">It is important to understand that the UID Project is merely an identification and authentication system. It only helps in verifying if an individual is entitled to benefits under a social security scheme. It does not ensure plugging of leakages and reducing corruption in social security schemes as has been claimed by the Government. The reduction in leakage of PDS, for instance, should be attributed to digitization and not UID. The Government claims, that it has saved INR 15000 crore in provision of LPG on identification of 3.34 crore inactive accounts on account of the UID Project. This is untrue because the accounts were weeded by using mechanisms completely unrelated to the UID Project. Consequently, the savings on account of UID are only of INR 120 crore and not 15000 crore.</li>
<li style="text-align: justify;">The UID Project has resulted in exclusion of people either because they do not have an aadhaar number, or they have a wrong identification, or there are errors of classification or wilful misclassification. About 99.7% people who were given aadhaar numbers already had an identification document. In fact, during enrolment a person is required to produce one of 14 identification documents listed under the law in order to get an aadhaar number which makes it very difficult for a person with no identity to become entitled to a social welfare scheme.</li></ul>
<p style="text-align: justify;">A participant condemned the Government’s claim that the UID Project had helped in removing fake, bogus and duplicate cards and said that these terms could not be used synonymously and the authorities had no clarity about the difference between the meanings of these terms. The UID Project had only helped in removal of duplicate cards but had not helped in combating the use of fake and bogus cards.</p>
<h3 id="52" style="text-align: justify;">Financial Inclusion and Direct Benefits Transfer</h3>
<p style="text-align: justify;">The participants also engaged in the discussions about the impact of the UID project on financial inclusion in India in the sessions titled ‘Aadhaar: Broad Issues - I & II’. We have summarised these discussions below.</p>
<p style="text-align: justify;">The UID Project seeks to directly transfer money to a bank account in order to combat corruption. The discussions highlighted that this was nothing but introducing a neo liberal thrust in social policy and that it was not feasible for various reasons. First, 95% of rural India did not have functioning banks and banks are quite far away. Second, in order to combat this dearth of banks the idea of business correspondents, who handled banking transactions and helped in opening of bank accounts, had been introduced which had created various problems. The Reserve Bank of India reported that there was dearth of business correspondents as there was very little incentive to become one; their salary is merely INR 4000. Third, there were concerns about how an aadhaar number was considered a valid document for Know Your Customer (KYC) checks. There was a requirement for scrutiny and auditing of documents submitted during the time of enrolment which, in the present scheme of things, could not be verified. Fourth, there were no restrictions on number of bank accounts that could be opened with a single aadhaar number which gave rise to a possibility of opening multiple and shell accounts on a single aadhaar number. Therefore, records only showed transactions when money was transferred from an aadhaar number to another aadhaar number as opposed to an account-to-account transfer. The discussion relied on NPCI data which shows which bank an aadhaar number is associated with but does not show if a transaction by an aadhaar number is overwritten by another bank account belonging to the same aadhaar number.</p>
<h3 id="6" style="text-align: justify;"><strong>6. Surveillance and UIDAI</strong></h3>
<p style="text-align: justify;">The participants had discussed the possibility of an alternative purpose for enrolling Aadhaar in the session titled ‘Privacy, Surveillance, and Ethical Dimensions of Aadhaar’. The discussion traced the history of this project to gain insight on this issue. We have summarised below the key take aways from this discussion.</p>
<p style="text-align: justify;">There are claims that the main objective of launching the UID Project is not to facilitate implementation of social security schemes but to collect personal (financial and non-financial) information of the citizens and residents of the country to build a data monopoly. For this purpose, PDS was chosen as a suitable social security scheme as it has the largest coverage. Several participants suggested that numerous reports authored by FICCI, KPMG and ASSOCHAM contained proposals for establishing a national identity authority which threw some light on the commercial intentions behind information collection under the UID Project.</p>
<p style="text-align: justify;">It was also pointed out that there was documented proof that information collected under the UID Project might have been shared with foreign companies. There are suggestions about links established between proponents of the UID Project and companies backed by CIA or the French Government which run security projects and deal in data sharing in several jurisdictions.</p>
<h3 id="7" style="text-align: justify;"><strong>7. Strategies for Future Action</strong></h3>
<p>The participants laid down a list of measures that must be taken to take the discussions forward. We have enumerated these recommendations below.</p>
<ul>
<li>Prepare and compile an anthology of articles as an output of this workshop. </li>
<li>Prepare position papers on specific issues related to the UID Project </li>
<li>Prepare pamphlets/brochures on issues with the UID Project for public consumption </li>
<li>Prepare counter-advertisements for Aadhaar</li>
<li>Publish existing empirical evidence on the flaws in Aadhaar.</li>
<li>Set up an online portal dedicated to providing updates on the UID Project and allows discussions on specific issues related to Aadhaar.</li>
<li>Use Social Media to reach out to the public. Regularly track and comment on social media pages of relevant departments of the government.</li>
<li>Create groups dedicated to research and advocacy of specific aspects of the UID Project. </li>
<li>Create a Coordination Committee preferably based in Delhi which would be responsible for regularly holding meetings and for preparing a coordinated plan of action. Employ permanent to staff to run the Committee.</li>
<li>Organise an advocacy campaign against use of Aadhaar in collaboration with other organisations and build public domain acceptance. </li>
<li>The campaign must specifically focus on the unfettered scope of UID and expanse, misrepresentation of the success of Aadhaar by highlighting real savings, technological flaws, status of pilot programs and increasing corruption on account of the UID Project</li>
<li>Prepare a statement of public concern regarding the UID Project and collect signatures from eminent persons including academics, technical experts, civil society groups and members of parliament.</li>
<li>Organise events and discussions on issues relating to Aadhaar and invite members og government departments to speak and discuss the issues. </li>
<li style="text-align: justify;">Write to Members of Parliament and Members of Legislative Assemblies raising questions on their or their parties’ support for Aadhaar and silence on the problems created by the UID Project. </li>
<li style="text-align: justify;">Organise public hearings in states like Rajasthan to observe and document ground realities of the UID Project and share these outcomes with the state government and media. </li>
<li>Plan a national social audit and public hearing on the working of UID Project in the country. </li>
<li style="text-align: justify;">File Contempt Petitions in the Supreme Court and High Courts against mandatory use of Aadhaar number for services not allowed by the Supreme Court. </li>
<li style="text-align: justify;">Reach out to and engage with various foreign citizens and organisations that have been fighting on similar issues. The organisations and individuals who could be approached would include EPIC, Electronic Frontier foundation, David Moss, UK, Roger Clarke, Australia, Prof. Ian Angel, Snowden, Assange and Chomsky.</li>
<li style="text-align: justify;">Work towards increasing awareness about the UID Project and gaining support from the student and research community, student organisations, trade unions, and other associations and networks in the unorganised sector.</li></ul>
<h3 id="AA" style="text-align: justify;"><strong>Annexure A – Workshop Agenda</strong></h3>
<h4>May 26, 2016</h4>
<table>
<tbody>
<tr>
<td>
<p>9:00-9:30</p>
</td>
<td>
<p><strong>Registration</strong></p>
</td>
</tr>
<tr>
<td>
<p>9:30-10:00</p>
</td>
<td>
<p>Prof. Dinesh Abrol - <em>Welcome</em><br />
<em>Self-introduction and expectations of participants</em><br />
Dr. Usha Ramanathan - <em>Overview of the Workshop</em></p>
</td>
</tr>
<tr>
<td>
<p>10:00-11:00</p>
</td>
<td>
<p><strong>Session 1: Current Status of Aadhaar</strong><br />
Dr. Usha Ramanathan, Legal Researcher, New Delhi - <em>What the 2016 Law Says, and How it Came into Being</em><br />
S. Prasanna, Advocate, New Delhi - <em>Status and Force of Supreme Court Orders on Aadhaar</em><br /> <em>Discussion</em></p>
</td>
</tr>
<tr>
<td>
<p>11:00-11:30</p>
</td>
<td>
<p><strong>Tea Break</strong></p>
</td>
</tr>
<tr>
<td>
<p>11:30-13:30</p>
</td>
<td>
<p><strong>Session 2: Direct Benefits Transfers</strong><br />
Prof. Reetika Khera, Indian Institute of Technology, Delhi - <em>Welfare Needs Aadhaar like a Fish Needs a Bicycle</em><br />
Prof. R. Ramakumar, Tata Institute of Social Sciences, Mumbai - <em>Aadhaar and the Social Sector: A critical analysis of the claims of benefits and inclusion</em><br />
Ashok Rao, Delhi Science Forum - <em>Cash Transfers Study</em><br />
<em>Discussion</em></p>
</td>
</tr>
<tr>
<td>
<p>13:30-14:30</p>
</td>
<td>
<p><strong>Lunch</strong></p>
</td>
</tr>
<tr>
<td>
<p>14:30-16:00</p>
</td>
<td>
<p><strong>Session 3: Aadhaar: Science, Technology, and Security</strong><br />
Prof. Subashis Banerjee, Dept of Computer Science & Engineering, IIT, Delhi - <em>Privacy and Security Issues Related to the Aadhaar Act</em><br />
Pukhraj Singh, Former National Cyber Security Manager, Aadhaar, New Delhi - <em>Aadhaar: Security and Surveillance Dimensions</em><br />
<em>Discussion</em></p>
</td>
</tr>
<tr>
<td>
<p>16:00-16:30</p>
</td>
<td>
<p><strong>Tea Break</strong></p>
</td>
</tr>
<tr>
<td>
<p>16:30-17:30</p>
</td>
<td>
<p><strong>Session 4: Aadhaar - International Dimensions</strong><br />
Joshita Pai, Center for Communication Governance, National Law University, Delhi - <em>Biometrics and Mandatory IDs in Other Parts of the World</em><br />
Dr. Gopal Krishna, Citizens Forum for Civil Liberties - <em>International Dimensions of Aadhaar</em><br />
<em>Discussion</em></p>
</td>
</tr>
<tr>
<td>
<p>17:30-18:00</p>
</td>
<td>
<p><strong>High Tea</strong></p>
</td>
</tr>
</tbody>
</table>
<h4>May 27, 2016</h4>
<table>
<tbody>
<tr>
<td>
<p>9:30-11:00</p>
</td>
<td>
<p><strong>Session 5: Privacy, Surveillance and Ethical Dimensions of Aadhaar</strong><br />
Prabir Purkayastha, Free Software Movement of India, New Delhi - <em>Surveillance Capitalism and the Commodification of Personal Data</em><br />
Arjun Jayakumar, SFLC - <em>Surveillance Projects Amalgamated</em><br />
Col Mathew Thomas, Bengaluru - <em>The Deceit of Aadhaar<em></em><br />
<em>Discussion</em></em></p>
<em>
</em></td>
</tr>
<tr>
<td>
<p>11:00-11:30</p>
</td>
<td>
<p><strong>Tea Break</strong></p>
</td>
</tr>
<tr>
<td>
<p><em>11:30-13:00</em></p>
</td>
<td>
<p><strong>Session 6: Aadhaar - Broad Issues I</strong><br />
Prof. G Nagarjuna, Homi Bhabha Center for Science Education, Tata Institute of Fundamental Research, Mumbai - <em>How to prevent linked data in the context of Aadhaar</em><br />
Dr. Anupam Saraph, Pune - <em>Aadhaar and Moneylaundering</em><br />
<em>Discussion</em></p>
</td>
</tr>
<tr>
<td>
<p>13:00-14:00</p>
</td>
<td>
<p><strong>Lunch</strong></p>
</td>
</tr>
<tr>
<td>
<p>14:00-15:30</p>
</td>
<td>
<p><strong>Session 7: Aadhaar - Broad Issues II</strong><br />
Prof. MS Sriram, Visiting Faculty, Indian Institute of Management, Bangalore - <em>Financial lnclusion</em><br />
Nikhil Dey, MKSS, Rajasthan - <em>Field witness: Technology on the Ground</em><br />
Prof. Himanshu, Centre for Economic Studies & Planning, JNU - <em>UID Process and Financial Inclusion</em><br />
<em>Discussion</em></p>
</td>
</tr>
<tr>
<td>
<p>15:30-16:00</p>
</td>
<td>
<p><strong>Session 8: Conclusion</strong></p>
</td>
</tr>
<tr>
<td>
<p>16:00-18:00</p>
</td>
<td>
<p><strong>Informal Meetings</strong></p>
</td>
</tr>
</tbody>
</table>
<h3 id="AB" style="text-align: justify;"><strong>Annexure B – Workshop Participants</strong></h3>
<p>Anjali Bhardwaj, Satark Nagrik Sangathan</p>
<p>Dr. Anupam Saraph</p>
<p>Arjun Jayakumar, Software Freedom Law Centre</p>
<p>Ashok Rao, Delhi Science Forum</p>
<p>Prof. Chinmayi Arun, National Law University, Delhi</p>
<p>Prof. Dinesh Abrol, Jawaharlal Nehru University</p>
<p>Prof. G Nagarjuna, Homi Bhabha Center for Science Education, Tata Institute of Fundamental Research, Mumbai</p>
<p>Dr. Gopal Krishna, Citizens Forum for Civil Liberties</p>
<p>Prof. Himanshu, Jawaharlal Nehru University</p>
<p>Japreet Grewal, the Centre for Internet and Society</p>
<p>Joshita Pai, National Law University, Delhi</p>
<p>Malini Chakravarty, Centre for Budget and Governance Accountability</p>
<p>Col. Mathew Thomas</p>
<p>Prof. MS Sriram, Indian Institute of Management, Bangalore</p>
<p>Nikhil Dey, Mazdoor Kisan Shakti Sangathan</p>
<p>Prabir Purkayastha, Knowledge Commons and Free Software Movement of India</p>
<p>Pukhraj Singh, Bhujang</p>
<p>Rajiv Mishra, Jawaharlal Nehru University</p>
<p>Prof. R Ramakumar, Tata Institute of Social Sciences, Mumbai</p>
<p>Dr. Reetika Khera, Indian Institute of Technology, Delhi</p>
<p>Dr. Ritajyoti Bandyopadhyay, Indian Institute of Science Education and Research, Mohali</p>
<p>S. Prasanna, Advocate</p>
<p>Sanjay Kumar, Science Journalist</p>
<p>Sharath, Software Freedom Law Centre</p>
<p>Shivangi Narayan, Jawaharlal Nehru University</p>
<p>Prof. Subhashis Banerjee, Indian Institute of Technology, Delhi</p>
<p>Sumandro Chattapadhyay, the Centre for Internet and Society</p>
<p>Dr. Usha Ramanathan, Legal Researcher</p>
<p><em>Note: This list is only indicative, and not exhaustive.</em></p>
<hr />
<p><a name="ftn1"><strong>[1]</strong></a> Civil Appeal No. 4853 of 2014</p>
<p><a name="ftn2"><strong>[2]</strong></a> WP(C) 494/2012</p>
<p><a name="ftn3"><strong>[3]</strong> </a>. WP(C) 829/2013</p>
<p><a name="ftn4"><strong>[4]</strong></a> WP(C) 833/2013</p>
<p><a name="ftn5"><strong>[5]</strong></a> WP (C) 37/2015; (Earlier intervened in the Aruna Roy petition in 2013)</p>
<p><a name="ftn6"><strong>[6]</strong></a> WP (C) 932/2015</p>
<p><a name="ftn7"><strong>[7]</strong></a> Transferred from Madras HC 2013.</p>
<p style="text-align: justify;"><a name="ftn8"><strong>[8]</strong></a> SLP (Crl) 2524/2014 filed against the order of the Goa Bench of the Bombay HC in CRLWP 10/2014 wherein the High Court had directed UIDAI to share biometric information held by them of all residents of a particular place in Goa to help with a criminal investigation in a case involving charges of rape and sexual assault.</p>
<p><a name="ftn9"><strong>[9]</strong></a> See :http://scroll.in/article/806243/rajasthan-presses-on-with-aadhaar-after-fingerprint-readers-fail-well-buy-iris-scanners</p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/report-on-understanding-aadhaar-and-its-new-challenges'>https://cis-india.org/internet-governance/blog/report-on-understanding-aadhaar-and-its-new-challenges</a>
</p>
No publisherJapreet Grewal, Vanya Rakesh, Sumandro Chattapadhyay, and Elonnai HickockBig DataData SystemsPrivacyResearchers at WorkInternet GovernanceAadhaarWelfare GovernanceBiometricsBig Data for DevelopmentUID2019-03-16T04:42:52ZBlog EntryPress Release, March 15, 2016: The New Bill Makes Aadhaar Compulsory!
https://cis-india.org/internet-governance/blog/press-release-aadhaar-15032016-the-new-bill-makes-aadhaar-compulsory
<b>We published and circulated the following press release on March 15, 2016, to highlight the fact that the Section 7 of the Aadhaar Bill, 2016 states that authentication of the person using her/his Aadhaar number can be made mandatory for the
purpose of disbursement of government subsidies, benefits, and services; and in case the person does not have an Aadhaar number, s/he will have to apply for Aadhaar enrolment. </b>
<p> </p>
<p>Nandan Nilekani, the former chairperson of the Unique Identification Authority of India had repeatedly stated that Aadhaar is not mandatory. However, in the last few years various agencies and departments of the government, both at the central and state level, had made it mandatory in order to be able to avail beneficiary schemes or for the arrangement of salary, provident fund disbursals, promotion, scholarship, opening bank account, marriages and property registrations. In August 2015, the Supreme Court passed an order mandating that the Aadhaar number shall
remain optional for welfare schemes, stating that no person should be denied any benefit for reason of not having an Aadhaar number, barring a few specified services.</p>
<p>The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, however, has not followed this mandate. Section 7 of the Bill states that “a person should be authenticated or give proof of the Aadhaar number to establish his/her identity” “as a condition for receiving subsidy, benefit or service”. Further, it reads, “In the case a person does not have an Aadhaar number, he/she should make an application for enrollment.” The language of the provision is very clear in making enrollment in Aadhaar mandatory, in order to be entitled for welfare services. Section 7 also says that “the person will be offered viable and alternate means of identification for receiving the subsidy, benefit or service. However, these unspecified alternate means will be made available in the event “an Aadhaar number is not assigned”. This language is vague and it is not clear whether it mandates alternate means of identification for those who choose not to apply for an Aadhaar number for any reason. The fact that it does make it mandatory to apply for an Aadhaar number for persons without it, may lead to the presumption that the alternate means are to be made available for those who may have applied for an Aadhaar number but it has not been assigned for any reason. It is also noteworthy that draft legislation is silent on what the “viable and
alternate means of identification” could be. There are a number of means of identification, which are recognised by the state, and a schedule with an inclusive list could have gone a long way in reducing the ambiguity in this provision.</p>
<p>Another aspect of Section 7 which is at odds with the Supreme Court order is that it allows making an Aadhaar number mandatory for “for receipt of a subsidy, benefit or service for which the expenditure is incurred” from the Consolidated Fund of India. The Supreme Court had been very specific in articulating that having an Aadhaar number could not be made compulsory except for “any purpose other than the PDS Scheme and in particular for the purpose of distribution of foodgrains, etc. and cooking fuel, such as kerosene” or for the purpose of the LPG scheme. The restriction in the Supreme Court order was with respect to the welfare schemes, however, instead of specifying the schemes, Section 7 specified the source of expenditure from which subsidies, benefits and services can be funded, making the scope much broader. Section 7, in effect, allows the Central Government to circumvent the Supreme Court
order if they choose to tie more subsidies, benefits and services to the Consolidated Fund of India.</p>
<p>These provisions run counter to the repeated claims of the government for the last six years that Aadhaar is not compulsory, nor is the specification by the Supreme Court for restricting use of Aadhaar to a few services only, reflected anywhere in the Bill. The “viable and alternate means” clause is too vague and inadequate to prevent denial of benefits to those without an Aadhaar number. The sum effect of these factors is to give the Central Government powers to make Aadhaar mandatory, for all practical purposes.</p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/press-release-aadhaar-15032016-the-new-bill-makes-aadhaar-compulsory'>https://cis-india.org/internet-governance/blog/press-release-aadhaar-15032016-the-new-bill-makes-aadhaar-compulsory</a>
</p>
No publisherAmber SinhaUIDBig DataPrivacyInternet GovernanceDigital IndiaAadhaarBiometrics2016-03-16T10:11:32ZBlog EntryPress Release, March 11, 2016: The Law cannot Fix what Technology has Broken!
https://cis-india.org/internet-governance/blog/press-release-aadhaar-11032016-the-law-cannot-fix-what-technology-has-broken
<b>We published and circulated the following press release on March 11, 2016, as the Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. This Bill was proposed by finance minister, Mr. Arun Jaitley to give legislative backing to Aadhaar, being implemented by the Unique Identification Authority of India (UIDAI).</b>
<p> </p>
<p>The Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 today. This Bill was proposed by finance minister, Mr. Arun Jaitley to give legislative backing to Aadhaar, being implemented by the Unique Identification Authority of India (UIDAI).</p>
<p>The Bill was introduced as a money bill and there was no public consultation to evaluate the provisions therein even though there are very serious ramifications for the Right to Privacy and the Right to Association and Assembly. The Bill has made it compulsory for an individual to enrol under Aadhaar in order to receive any subsidy,
benefit or service from the Government. Biometric information that is required for the purpose of enrolment has been deemed "sensitive personal information" and restrictions have been imposed on use, disclosure and sharing of such information for purposes other than authentication, disclosure made pursuant to a court order or in the interest of national security. Here, the Bill has acknowledged the standards of protection of sensitive personal information established under Section 43A of the Information Technology Act, 2000. The Bill has also laid down several penal provisions for acts that include impersonation at the time of enrolment, unauthorised access to the
Central Identities Data Repository, unauthorised use by requesting entity, noncompliance with intimation requirements, etc.</p>
<h3>Key Issues</h3>
<h4>1. Identification without Consent</h4>
<p>Before the Aadhaar project it was not possible for the Indian government to identify citizens without their consent. But once the government has created a national centralized biometric database it will be possible for the government to identify any citizen without their consent. Hi-resolution photography and videography make it trivial for governments and also any other actor to harvest biometrics remotely. In other words, the technology makes consent irrelevant. A German ministers fingerprints were captured by hackers as she spoke using hand gesture at at conference. In a similar manner the government can now identify us both as individuals and also as groups without requiring our cooperation. This has direct implications for the right to privacy as we will be under constant government surveillance in the future as CCTV camera resolutions improve and there will be chilling effects on the
right to free speech and the freedom of association. The only way to fix this is to change the technology configuration and architecture of the project. The law cannot be used as band-aid on really badly designed technology.</p>
<h4>2. Fallible Technology</h4>
<p>The technology used for collection and authentication as been said to be fallible. It is understood that the technology has been feasible for a population of 200 million. The Biometrics Standards Committee of UIDAI has acknowledged the lack of data on how a biometric authentication technology will scale up where the population is about 1.2 billion. Further, a report by 4G Identity Solutions estimates that while in any population, approximately 5% of the people have unreadable fingerprints, in India it could lead to a failure to enroll up to 15% of the population.</p>
<p>We know that the Aadhaar number has been issued to dogs, trees (with the Aadhaar letter containing the photo of a tree). There have been slip-ups in the Aadhaar card enrolment process, some cards have ended up with
pictures of an empty chair, a tree or a dog instead of the actual applicants. An RTI application has revealed that the Unique Identification Authority of India (UIDAI) has identified more than 25,000 duplicate Aadhaar numbers in the country till August 2015.</p>
<p>At the stage of authentication, the accuracy of biometric identification depends on the chance of a false positive— the probability that the identifiers of two persons will match. For the current population of 1.2 billion the expected proportion of duplicates is 1/121, a ratio which is far too high. In a recent paper in EPW by Hans Mathews, a mathematician with CIS, shows that as per UIDAI's own statistics on failure rates, the programme would badly fail to uniquely identify individuals in India. <strong>[1]</strong></p>
<h3>Endnote</h3>
<p><strong>[1]</strong> See: <a href="http://cis-india.org/internet-governance/blog/epw-27-february-2016-hans-varghese-mathews-flaws-in-uidai-process">http://cis-india.org/internet-governance/blog/epw-27-february-2016-hans-varghese-mathews-flaws-in-uidai-process</a></p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/press-release-aadhaar-11032016-the-law-cannot-fix-what-technology-has-broken'>https://cis-india.org/internet-governance/blog/press-release-aadhaar-11032016-the-law-cannot-fix-what-technology-has-broken</a>
</p>
No publisherJapreet Grewal and Sunil AbrahamUIDBig DataPrivacyInternet GovernanceDigital IndiaAadhaarBiometrics2016-03-16T10:10:40ZBlog EntryPratap Vikram Singh - Why Aadhaar is Baseless?
https://cis-india.org/internet-governance/news/gov-now-pratap-vikram-singh-17032016-why-aadhaar-is-baseless
<b>This article by Pratap Vikram Singh, Governance Now, discusses the problems emerging out of the UIDAI project due to its lack of mechanisms for informed and granular consent, and for seeking recourse in the case of denial of service. The article quotes Sumandro Chattapadhyay and mentions Hans Varghese Mathew's work on the biometric basis of UIDAI. It was written before the Aadhaar bill was passed in Lok Sabha.</b>
<p> </p>
<p><em>Cross-posted from <a class="external-link" href="http://www.governancenow.com/news/regular-story/baseless-aadhaar">Governance Now</a>.</em></p>
<hr />
<p style="text-align: justify;">It was no less than a roller-coaster ride for Aadhaar, a programme formulated by the UPA government to assign a 12-digit unique number to every Indian resident. From the time it came into being in 2009, Aadhaar drew a volley of criticism, thanks to the misgivings and apprehensions that various critics and civil society organisations had. It was criticised for lack of a clear purpose, degree of effectiveness and absence of a privacy law and was virtually thrown into the bin by a parliamentary panel headed by BJP’s Yashwant Sinha in December 2011.</p>
<p style="text-align: justify;">When the finance minister Arun Jaitley, in his budget speech, announced that the government would introduce the Aadhaar bill during the budget session, expectations were already set high. The bill, giving statutory backing to the unique identification authority of India (UIDAI), the implementing authority, was passed by the Lok Sabha on March 11. While the privacy and voluntary versus mandatory provisions are under the consideration of the supreme court, the bill makes way for linking Aadhaar with all government subsidies, benefits and services. The law on Aadhaar, former UIIDAI chairman Nandan Nilekani wrote in the Indian Express, will help the government in going paperless, presence-less and cashless. The legislation, however, fails to deliver on several counts.</p>
<p style="text-align: justify;">However, prior to evaluating the bill (yet to be passed by the Rajya Sabha at the time of this writing though it is a money bill), let us take a look at its major aspects. For those, who always wondered whether Aadhaar is mandatory or voluntary, the bill 2016 makes it mandatory to avail subsidy, benefit or a service from the government.</p>
<p style="text-align: justify;">The bill has provisions related to information security and confidentiality (section 28) which not only extend to employees of the UIDAI but also consultants and external agencies working with the authority.</p>
<p style="text-align: justify;">The proposed law restricts information sharing. It bars UIDAI from sharing core biometric information – the bill defines it as fingerprints and iris scan – with “anyone for any reason whatsoever” or “used for any purpose other than generation of Aadhaar numbers and authentication under this Act”. The section 32 of the bill entitles Aadhaar number holders to access her or his authentication record. It also bars the authority from collecting, keeping or maintaining information about the purpose of authentication.</p>
<h3>Odd Drives the Bill</h3>
<p style="text-align: justify;">While the intent is clear and is aimed at streamlining welfare schemes to ensure it reaches the bottom of the pyramid, cutting through the long chain of pilferage and subversion, the bill, however, has several shortcomings. To begin with, the government should not have taken the money bill route to pass the legislation – tactfully avoiding any conclusive discussion and debate in the Rajya Sabha, where it is in minority.</p>
<p style="text-align: justify;">The bill assumes that the technology and the biometric system used by the UIDAI are flawless and it doesn’t provide any recourse in case of denial of a service. “If your fingerprint is not matching and you lose out on service, then what is the alternative mechanism you have,” asks Sumandro Chattapadhyay, research director, centre for internet and society (CIS). The bill doesn’t provide for recourse. “What if the scanning machine fails? What if the identifiers of two people match?”</p>
<p style="text-align: justify;">Based on experiments conducted in the initial days of the Aadhaar programme, Hans Verghese Mathews, another CIS researcher, did a study on the probability of matching of identifiers of two persons. “For the current population of 1.2 billion the expected proportion of duplicands (users whose identifiers match) is 1/121, a ratio which is far too high,” Mathews wrote in the Economic and Political Weekly in February.</p>
<p style="text-align: justify;">“It is like putting the technology in a black box – which can’t be reviewed,” says Chattapadhyay. The bill doesn’t talk about setting up an independent body to review the logs and keep an eye on wrong and duplicate matches.</p>
<h3>Who Defines National Security?</h3>
<p style="text-align: justify;">According to public policy experts, it is an attempt to seek “minimal legitimacy” from parliament and further adds to the unbridled power of the executive.</p>
<p style="text-align: justify;">Although the bill restricts information sharing in section 29, sections 33 and 48 provide exemption in cases of national security and public emergency, respectively. The legislation, nevertheless, doesn’t elaborate on what constitutes national security and public emergency, leaving it to the executives. The section 33 reads: “Nothing contained in… shall apply in respect of any disclosure of information, including identity information or authentication records, made in the interest of national security….”</p>
<p style="text-align: justify;">Similarly, section 48 states that if, at any time, the central government is of the opinion that a public emergency exists, “the central government may, by notification, supersede the Authority for such period, not exceeding six months, as may be specified in the notification and appoint a person or persons as the president may direct to exercise powers and discharge functions under this Act”.</p>
<p style="text-align: justify;">Says Jayati Ghosh, professor, centre for economic studies and planning, Jawaharlal Nehru University, “National security is a very opaque term. Who decides what national security is? Today, the whole JNU is being projected as a threat to national security.” Swagato Sarkar, associate professor and executive director, Jindal school of government and public policy, OP Jindal Global University, says, “The bill has provisions for oversight on the use of Aadhaar, but then it suspends those provisions in case of emergency in the later sections, giving the state the power to use biometric information for whatever it deems fit.”</p>
<p style="text-align: justify;">Sarkar adds, “It seems the bill is simply an instrument for seeking minimum legitimacy from parliament. The bill tries to address the concern of privacy minimally and it hardly serves any purpose.” He believes that there is a need to define the broader contours of democratic control of the state and reassess the changing state-citizen relationship, instead of rejecting the whole idea on the basis of surveillance and privacy. In other words, there is a need for strong parliamentary oversight, and that the Aadhaar related matters shouldn’t be completely delegated to the executive.</p>
<p style="text-align: justify;">In its recommendations on formulating Privacy Act, the justice AP Shah committee in 2012 provided for establishing the office of privacy commissioner at the regional and central levels, defining the role of self-regulating organisations and co-regulation, and creating a system of complaints and redressal for aggrieved individuals. Since the country still doesn’t have any legislation on privacy, people are left on their own in case of an infringement or violation of privacy. Moreover, section 47 states, “No court shall take cognizance of any offence punishable under this Act, save on a complaint made by the Authority or any officer or person authorised by it.”</p>
<p style="text-align: justify;">In its report, the parliamentary committee headed by Yashwant Sinha notes that “enactment of national data protection law… is a prerequisite for any law that deals with large scale collection of information from individuals and its linkages across separate databases”. The committee notes that in absence of data protection legislation, it would be difficult to deal with issues of access, misuse of personal information, surveillance, profiling, linking and matching of databases and securing confidentiality of information.</p>
<h3>Subsidy-Aadhaar Linkage</h3>
<p style="text-align: justify;">The Sinha committee also takes a cautious view of the role of Aadhaar in curbing leakages in subsidy distribution, as beneficiary identification is done by states. It notes, “Even if the Aadhaar number links entitlements to targeted beneficiaries, it may not even ensure that beneficiaries have been correctly identified. Thus, the present problem of proper identification would persist.”</p>
<p style="text-align: justify;">According to Ghosh, the biggest danger in using Aadhaar for social welfare programmes is that the fingerprints of the rural working class is not always in good shape and hence Aadhaar will not be the best way of identification. “If I am misidentified, I can go to so many places for recourse. But what if a labourer in a remote Jharkhand village is misidentified? Where and whether he would go?” the economist asks. Besides, the bill doesn’t limit the use of Aadhaar and defines areas where it can be used. Section 57 says that the law will not prevent the use of Aadhaar number for establishing the identity of an individual for any purpose, “whether by the state or anybody corporate or person, pursuant to any law, for the time being in force or any contract to this effect.”</p>
<p style="text-align: justify;">According to a PRS Legislative review, since the bill also allows private persons to use Aadhaar as a proof of identity for any purpose, the provision will open a floodgate and enable private entities such as airlines, telecom, insurance and real estate companies to mandate Aadhaar as a proof of identity for availing their services.</p>
<p style="text-align: justify;">Since the bill doesn’t restrict its application, people will not have a choice to identify themselves other than using Aadhaar when corporate organisations make it mandatory, says Chattapadhyay of the CIS. Adds Sarkar, “The bill should clearly mention sectors or services where Aadhaar will be potentially used (or made mandatory). Every time a new sector or service is added to the list, it is done after parliamentary approval.”</p>
<p style="text-align: justify;">So far, 98 crore people have been assigned Aadhaar number. So far the project has costed Rs 8,000 crore.</p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/gov-now-pratap-vikram-singh-17032016-why-aadhaar-is-baseless'>https://cis-india.org/internet-governance/news/gov-now-pratap-vikram-singh-17032016-why-aadhaar-is-baseless</a>
</p>
No publisherpraskrishnaUIDPrivacyInternet GovernanceDigital IndiaAadhaarBiometrics2016-04-02T05:31:30ZNews ItemNo party's got a clear stand, Aadhaar's fate hangs in balance
https://cis-india.org/news/governance-now-april-13-2014-pratap-vikram-singh-no-party-has-got-clear-stand-aadhaar-fate-hangs-in-balance
<b>A non-UPA government for sure will review the multi-crore UID programme, but none of the parties have yet talked about scrapping it.</b>
<p style="text-align: justify; ">The article by Pratap Vikram Singh was <a class="external-link" href="http://www.governancenow.com/news/regular-story/no-partys-got-clear-stand-aadhaars-fate-hangs-balance">published in GovernanceNow.com</a> on April 13, 2014. Sunil Abraham is quoted.</p>
<hr />
<p style="text-align: justify; ">Since inception, Aadhaar’s foundation has been shaky. The Unique Identification Authority of India (UIDAI) has been functioning on an executive fiat, without parliamentary ratification. When the government first came up with a bill on the UID programme, it was rejected by the parliamentary standing committee, which questioned the purpose of the programme.</p>
<p style="text-align: justify; ">Aadhaar’s acceptability as proof of residence and its issuance to the illegal immigrants too has courted controversy. The opposition and the ministry of home affairs have repeatedly flagged the issue. Recently, the supreme court (SC) instructed the government to withdraw all orders mandating Aadhaar number for service delivery. In September last year too the apex court had ruled that no one should be denied a service for want of Aadhaar.</p>
<p style="text-align: justify; ">While the Congress hasn’t changed its position on Aadhaar and wishes to continue with Aadhaar-linked benefits transfer, the BJP hasn’t mentioned it even once in its 52-page manifesto. On April 8, Narendra Modi, BJP’s prime ministerial candidate, in an election rally near Bangalore was quoted as saying, “I asked several questions on the Aadhaar project. I asked them questions relating to illegal migrants and national security. They (the government) did not have any answer.”</p>
<p style="text-align: justify; ">Rajendra Pratap Gupta, member of BJP’s core committee on manifesto, told Governance Now: “If we come to power we will review this in totality. There is scepticism around the whole project and even the SC has ruled against mandating it.” He called Aadhaar one of the ‘biggest scams’ of the UPA. “We have found people owning multiple Aadhaar cards. It (Aadhaar) is not a very secure system,” he added.</p>
<p style="text-align: justify; ">On the other hand, Aam Aadmi Party doesn’t oppose the idea of Aadhaar, though it is critical of its linkage to delivering food and other subsidies. Atishi Marlena, the party’s manifesto committee chief, said, “In principle, we don’t oppose the Aadhaar programme. If it’s about providing an identification proof to the poor who don’t have other documents, we certainly welcome it. But Aadhaar’s linkage with benefits-transfer needs to be questioned. Who gets what and who doesn’t should be determined by gram sabhas and mohalla sabhas. It should be done via people participation.”</p>
<p style="text-align: justify; ">The CPI(M), in its manifesto, called for halting the project unless it gets parliamentary approval. It also underlined the need for a privacy and data protection law prior to the rollout of the UID programme. “The moment Aadhaar is linked with service delivery, the scope for exclusion widens. You need to have universal coverage of Aadhaar and banking before you roll out the benefits transfer programme,” CPI(M) Rajya Sabha member Tapan Sen said.</p>
<p style="text-align: justify; ">In its manifesto, the party has talked about ‘constituting an independent high-level expert panel for an appraisal of the technology of biometrics used in the project’.</p>
<p style="text-align: justify; ">Sunil Abraham of the Centre for Internet and Society said, “The centralised online authentication automatically raises issues of privacy infringement. The authentication, in a decentralised fashion, with help of smart cards, is less intrusive, as the logs are stored in a local fashion and not centralised as in the case of Aadhaar. It will be a welcome move if the next government selects resident ID (smart) card, issued by the home ministry, as proof for identification and service delivery.”</p>
<p>
For more details visit <a href='https://cis-india.org/news/governance-now-april-13-2014-pratap-vikram-singh-no-party-has-got-clear-stand-aadhaar-fate-hangs-in-balance'>https://cis-india.org/news/governance-now-april-13-2014-pratap-vikram-singh-no-party-has-got-clear-stand-aadhaar-fate-hangs-in-balance</a>
</p>
No publisherpraskrishnaUIDInternet GovernancePrivacy2014-05-05T06:01:08ZNews ItemMongoDB startup hired by Aadhaar got funds from CIA VC arm
https://cis-india.org/news/economic-times-december-30-2013-lison-joseph-mongo-db-startup-hired-by-aadhar-got-funds-from-cia-vc-arm
<b>Two weeks ago, Max Schireson, chief executive of MongoDB, a New York-based technology startup, was in New Delhi to sew up a very important contract for his company — with the Unique Identification Authority of India (UIDAI).</b>
<p>The article by Lison Joseph was <a class="external-link" href="http://articles.economictimes.indiatimes.com/2013-12-03/news/44710564_1_uidai-chairman-nandan-nilekani-uid-data-in-q-tel">published in the Economic Times</a> on December 3, 2013. Sunil Abraham is quoted.</p>
<hr />
<p style="text-align: justify; ">The contract is yet to be announced but what could raise eyebrows is the fact that <a href="http://economictimes.indiatimes.com/topic/MongoDB">MongoDB</a> is part-funded by the US' <a href="http://economictimes.indiatimes.com/topic/Central%20Intelligence%20Agency">Central Intelligence Agency</a>.</p>
<p style="text-align: justify; ">The company is expected to help in capturing and analysing data related to the ambitious plan to issue a unique identity number — Aadhaar — to over a billion citizens.</p>
<p style="text-align: justify; ">MongoDB, which makes software that helps manage large databases, especially unstructured data, has raised $231 million (Rs1,400 crore) since being founded in 2007. Some of its funding is from In-Q-Tel, the not-for-profit venture capital arm of CIA.</p>
<p style="text-align: justify; ">While MongoDB lists In-Q-Tel as one of its investors on its website, the company has not disclosed the quantum of funding received from it. The fund's stated mission is to identify, adapt and deliver innovative technology solutions to support the missions of CIA and the broader US intelligence community.</p>
<p style="text-align: justify; ">Besides CIA, In-Q-Tel works with National Geospatial-Intelligence Agency, Defense Intelligence Agency and Department of Homeland Security Science and Technology Directorate.</p>
<table class="plain" style="text-align: justify; ">
<tbody>
<tr>
<th><img src="https://cis-india.org/home-images/copy_of_crunchingdata.png" alt="crunching data" class="image-inline" title="crunching data" /></th>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">"Once an investment is made, IQT (the fund) works with the company and the intelligence community partner agency to complete a work program and facilitate solution delivery," the fund's website said. The quote describes IQT's relationship with any company in which it invests in and is not specific to MongoDB.</p>
<p style="text-align: justify; ">Neither <a href="http://economictimes.indiatimes.com/topic/UIDAI">UIDAI</a> nor MongoDB responded to queries from ET on whether the CIA link was considered before entering into a partnership. UIDAI Chairman <a href="http://economictimes.indiatimes.com/topic/Nandan%20Nilekani">Nandan Nilekani</a> did not respond to emails, messages and phone calls.</p>
<p style="text-align: justify; ">A senior UIDAI official confirmed the agency has entered into an agreement with MongoDB and that the company's database software is already being used for analysing the pace at which registration of new beneficiaries is taking place.</p>
<p style="text-align: justify; ">It is not clear if MongoDB's vendor relationship would be with UID directly or with one of the system integrators that UID works with. Schireson, the CEO, was also one of the national co-chairs for Technology for Obama, an interest group that campaigned for the reelection of President <a href="http://economictimes.indiatimes.com/topic/Barack%20Obama">Barack Obama</a> after his first term.</p>
<p style="text-align: justify; ">There is no evidence in the public domain that the firm is controlled or significantly influenced by the CIA in any manner.</p>
<p style="text-align: justify; ">But the revelations of <a href="http://economictimes.indiatimes.com/topic/Edward%20Snowden">Edward Snowden</a>, a former NSA contractor-turned-whistleblower that US intelligence agencies routinely intercepted communication in Europe and Asia, including in India has raised concerns. Experts said the UID's centralised design could pose a risk, where even a single mistake can make the whole system disproportionately vulnerable.</p>
<p style="text-align: justify; ">"The risk exposure because of CIA involvement (could be that) if MongoDB is a data controller, then secret courts and secret court orders could be used to get access to the UID data," said Sunil Abraham, executive director at the Centre for Internet and Society.</p>
<p style="text-align: justify; ">He added that even if UIDAI is only using the source code without getting into a commercial relationship with MongoDB, they should audit the source code to check if CIA has introduced any back doors. "This is because Snowden has told us that the army of mathematicians working for the US government has compromised some standards even though they were developed in an open, participatory and transparent fashion." MongoDB, whose name is a play on the word humongous, competes with Oracle, IBM and Microsoft. It has around 320 employees and some 600 customers. At its latest round of $150 million in fund-raising in October, the company was valued at about $1.2 billion, according to Bloomberg. Other investors include Intel Capital, Salesforce-.com, Red Hat and Sequoia.</p>
<p>
For more details visit <a href='https://cis-india.org/news/economic-times-december-30-2013-lison-joseph-mongo-db-startup-hired-by-aadhar-got-funds-from-cia-vc-arm'>https://cis-india.org/news/economic-times-december-30-2013-lison-joseph-mongo-db-startup-hired-by-aadhar-got-funds-from-cia-vc-arm</a>
</p>
No publisherpraskrishnaUIDInternet Governance2013-12-13T11:53:32ZNews ItemList of Recommendations on the Aadhaar Bill, 2016 - Letter Submitted to the Members of Parliament
https://cis-india.org/internet-governance/blog/list-of-recommendations-on-the-aadhaar-bill-2016
<b>On Friday, March 11, the Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. The Bill was introduced as a money bill and there was no public consultation to evaluate the provisions therein even though there are very serious ramifications for the Right to Privacy and the Right to Association and
Assembly. Based on these concerns, and numerous others, we submitted an initial list of recommendations to the Members of Parliaments to highlight the aspects of the Bill that require immediate attention.</b>
<p> </p>
<h4>Download the submission letter: <a href="https://github.com/cis-india/website/raw/master/docs/CIS_Aadhaar-Bill-2016_List-of-Recommendations_2016.03.16.pdf">PDF</a>.</h4>
<p> </p>
<h3>Text of the Submission</h3>
<p>On Friday, March 11, the Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. The Bill was introduced as a money bill and there was no public consultation to evaluate the provisions therein even though there are very serious ramifications for the Right to Privacy and the Right to Association and Assembly. The Bill has made it compulsory for all Indian to enroll for Aadhaar in order to receive any subsidy, benefit, or service from the Government whose expenditure is incurred from the Consolidate Fund of India. Apart from the issue of centralisation of the national biometric database leading to a deep national vulnerability, the Bill also keeps unaddressed two serious concerns regarding the technological framework concerned:</p>
<ul><li><strong>Identification without Consent:</strong> Before the Aadhaar project it was not possible for the Indian government or any private entity to identify citizens (and all residents) without their consent. But biometrics allow for non-consensual and covert identification and authentication. The only way to fix this is to change the technology configuration and architecture of the project. The law cannot be used to correct the problems in the technological design of the project.<br /><br /></li>
<li><strong>Fallible Technology:</strong> The Biometrics Standards Committee of UIDAI has acknowledged the lack of data on how a biometric authentication technology will scale up where the population is about 1.2 billion. The technology has been tested and found feasible only for a population of 200 million. Further, a report by 4G Identity Solutions estimates that while in any population, approximately 5% of the people have unreadable fingerprints, in India it could lead to a failure to enroll up to 15% of the population. For the current Indian population of 1.2 billion the expected proportion of duplicates is 1/121, a ratio which is far too high. <strong>[1]</strong></li></ul>
<p>Based on these concerns, and numerous others, we sincerely request you to ensure that the Bill is rigorously discussed in Rajya Sabha, in public, and, if needed, also by a Parliamentary Standing Committee, before considering its approval and implementation. Towards this, we humbly submit an initial list of recommendations to highlight the aspects of the Bill that require immediate attention:</p>
<ol><li><strong>Implement the Recommendations of the Shah and Sinha Committees:</strong> The report by the Group of Experts on Privacy chaired by the Former Chief Justice A P Shah <strong>[2]</strong> and the report by the Parliamentary Standing Committee on Finance (2011-2012) chaired by Shri Yashwant Sinha <strong>[3]</strong> have suggested a rigorous and extensive range of recommendations on the Aadhaar / UIDAI / NIAI project and the National Identification Authority of India Bill, 2010 from which the majority sections of the Aadhaar Bill, 2016, are drawn. We request that these recommendations are seriously considered and incorporated into the Aadhaar Bill, 2016.<br /><br /></li>
<li><strong>Authentication using the Aadhaar number for receiving government subsidies, benefits, and services cannot be made mandatory:</strong> Section 7 of the Aadhaar Bill, 2016, states that authentication of the person using her/his Aadhaar number can be made mandatory for the purpose of disbursement of government subsidies, benefits, and services; and in case the person does not have an Aadhaar number, s/he will have to apply for Aadhaar enrolment. This sharply contradicts the claims made by UIDAI earlier that the Aadhaar number is “optional, and not mandatory”, and more importantly the directive given by the Supreme Court (via order dated August 11, 2015). The Bill must explicitly state that the Aadhaar number is only optional, and not mandatory, and a person without an Aadhaar number cannot be denied any democratic rights, and public subsidies, benefits, and services, and any private services.<br /><br /></li>
<li><strong>Vulnerabilities in the Enrolment Process:</strong> The Bill does not address already documented issues in the enrolment process. In the absence of an exhaustive list of information to be collected, some Registrars are permitted to collect extra and unnecessary information. Also, storage of data for elongated periods with Enrollment agencies creates security risks. These vulnerabilities need to be prevented through specific provisions. It should also be mandated for all entities including the Enrolment Agencies, Registrars, CIDR and the requesting entities to shift to secure system like PKI based cryptography to ensure secure method of data transfer.<br /><br /></li>
<li><strong>Precisely Define and Provide Legal Framework for Collection and Sharing of Biometric Data of Citizens:</strong> The Bill defines “biometric information” is defined to include within its scope “photograph, fingerprint, iris scan, or other such biological attributes of an individual.” This definition gives broad and sweeping discretionary power to the UIDAI / Central Government to increase the scope of the term. The definition should be exhaustive in its scope so that a legislative act is required to modify it in any way.<br /><br /></li>
<li><strong>Prohibit Central Storage of Biometrics Data:</strong> The presence of central storage of sensitive personal information of all residents in one place creates a grave security risk. Even with the most enhanced security measures in place, the quantum of damage in case of a breach is extremely high. Therefore, storage of biometrics must be allowed only on the smart cards that are issued to the residents.<br /><br /></li>
<li><strong>Chain of Trust Model and Audit Trail:</strong> As one of the objects of the legislation is to provide targeted services to beneficiaries and reduce corruption, there should be more accountability measures in place. A chain of trust model must be incorporated in the process of enrolment where individuals and organisations vouch for individuals so that when a ghost is introduced someone has can be held accountable blame is not placed simply on the technology. This is especially important in light of the questions already raised about the deduplication technology. Further, there should be a transparent audit trail made available that allows public access to use of Aadhaar for combating corruption in the supply chain.<br /><br /></li>
<li><strong>Rights of Residents:</strong> There should be specific provisions dealing with cases where an individual is not issued an Aadhaar number or denied access to benefits due to any other factor. Additionally, the Bill should make provisions for residents to access and correct information collected from them, to be notified of data breaches and legal access to information by the Government or its agencies, as matter of right. Further, along with the obligations in Section 8, it should also be mandatory for all requesting entities to notify the individuals of any changes in privacy policy, and providing a mechanism to opt-out.<br /><br /></li>
<li><strong>Establish Appropriate Oversight Mechanisms:</strong> Section 33 currently specifies a procedure for oversight by a committee, however, there are no substantive provisions laid down that shall act as the guiding principles for such oversight mechanisms. The provision should include data minimisation, and “necessity and proportionality” principles as guiding principles for any exceptions to Section 29.<br /><br /></li>
<li><strong>Establish Grievance Redressal and Review Mechanisms:</strong> Currently, there are no grievance redressal mechanism created under the Bill. The power to set up such a mechanism is delegated to the UIDAI under Section 23 (2) (s) of the Bill. However, making the entity administering a project, also responsible for providing for the frameworks to address the grievances arising from the project, severely compromises the independence of the grievance redressal body. An independent national grievance redressal body with state and district level bodies under it, should be set up. Further, the NIAI Bill, 2010, provided for establishing an Identity Review Committee to monitor the usage pattern of Aadhaar numbers. This has been removed in the Aadhaar Bill 2016, and must be restored.</li></ol>
<p> </p>
<h3>Endnotes</h3>
<p><strong>[1]</strong> See: <a href="http://cis-india.org/internet-governance/blog/Flaws_in_the_UIDAI_Process_0.pdf.">http://cis-india.org/internet-governance/blog/Flaws_in_the_UIDAI_Process_0.pdf</a>.</p>
<p><strong>[2]</strong> See: <a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf</a>.</p>
<p><strong>[3]</strong> See: <a href="http://164.100.47.134/lsscommittee/Finance/15_Finance_42.pdf">http://164.100.47.134/lsscommittee/Finance/15_Finance_42.pdf</a>.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/list-of-recommendations-on-the-aadhaar-bill-2016'>https://cis-india.org/internet-governance/blog/list-of-recommendations-on-the-aadhaar-bill-2016</a>
</p>
No publisherAmber Sinha, Sumandro Chattapadhyay, Sunil Abraham, and Vanya RakeshUIDBig DataPrivacyInternet GovernanceFeaturedDigital IndiaAadhaarBiometricsHomepage2016-03-21T08:50:09ZBlog EntryIdentity of the Aadhaar Act: Supreme Court and the Money Bill Question
https://cis-india.org/internet-governance/blog/identity-of-the-aadhaar-act-supreme-court-and-the-money-bill-question
<b>A writ petition has been filed by former Union minister Jairam Ramesh on April 6 challenging the constitutionality and legality of the treatment of this Act as a money bill. The Supreme Court heard the matter on April 25 and invited the Union government to present its view. It is our view that the Supreme Court can not only review the Lok Sabha speaker’s decision, but should also ask the government to draft the Aadhaar Bill again, this time with greater parliamentary and public deliberation. Vanya Rakesh and Sumandro Chattapadhyay wrote this article on The Wire.</b>
<p> </p>
<p>Published by and cross-posted from <a href="http://thewire.in/2016/05/09/identity-of-the-aadhaar-act-supreme-court-and-the-money-bill-question-34721/">The Wire</a>.</p>
<hr />
<p>The Aadhaar Act 2016, passed in the Lok Sabha on March 16, 2016, <a href="http://www.thehindu.com/news/national/opposition-picks-holes-in-aadhaar-bill/article8361213.ece">faced opposition</a> ever since it was tabled in parliament. In particular, the move to introduce it as a money bill has been vehemently challenged on grounds of this being an attempt to bypass the Rajya Sabha completely. <a href="http://www.thehindu.com/news/national/jairam-ramesh-moves-supreme-court-against-treating-aadhaar-bill-as-money-bill/article8446997.ece">A writ petition has been filed by former Union minister Jairam Ramesh on April 6</a> challenging the constitutionality and legality of the treatment of this Act as a money bill. The Supreme Court heard the matter on April 25 and invited the Union government to present its view.</p>
<p>It is our view that the Supreme Court can not only review the Lok Sabha speaker’s decision, but should also ask the government to draft the Aadhaar Bill again, this time with greater parliamentary and public deliberation.</p>
<h3>The money bill question</h3>
<p>M.R. Madhavan <a href="http://indianexpress.com/article/opinion/columns/aadhaar-bill-money-bill-name-of-the-bill-2754080/">has argued</a> that the Aadhaar Act contains matters other than “only” those incidental to expenditure from the consolidated fund, as it establishes a biometrics-based unique identification number for beneficiaries of government services and benefits, but also allows the number to be used for other purposes beyond service delivery. While Pratap Bhanu Mehta <a href="http://indianexpress.com/article/opinion/columns/privacy-after-aadhaar-money-bill-rajya-sabha-upa/">calls this a subversion</a> of “the spirit of the constitution”, P.D.T. Achary, former secretary general of the Lok Sabha, <a href="http://indianexpress.com/article/opinion/columns/show-me-the-money-4/">expressed concern</a> about the attempts to pass off financial bills like Aadhaar as money bills as a means to <a href="http://www.thehindu.com/opinion/lead/circumventing-the-rajya-sabha/article7531467.ece">circumvent</a> and erode the supervisory role of the Rajya Sabha. Arvind Datar has further emphasised that when the primary purpose of a bill is not governed by Article 110(1), then certifying it as a money bill is <a href="http://indianexpress.com/article/opinion/columns/making-a-money-bill-of-it/">an unconstitutional act</a>.</p>
<p>Article 110(1) of the Constitution identifies a bill as a money bill if it contains “only” provisions dealing with the following matters, or those incidental to them:</p>
<ol>
<li>imposition and regulation of any tax,</li>
<li>financial obligations undertaken by Indian Government,</li>
<li>payment into or withdrawal from the Consolidated Fund of India (CFI) or Contingent Fund of India,</li>
<li>appropriation of money and expenditure charged on the CFI or receipt, and</li>
<li>custody, issue or audit of money into CFI or public account of India.</li></ol>
<p>However, the link of the Act with the Consolidated Fund of India is rather tenuous, since it depends on the Union or state governments declaring a certain subsidy to be available upon verification of the Aadhaar number. The objectives and validity of the Act would not actually change if the Aadhaar number no longer was directly connected to the delivery of services. The use of the word “if” in section 7 explicitly leaves scope for a situation where the government does not declare an Aadhaar verification as necessary for accessing a subsidy. In such a scenario, the Act will still be valid but without any formal connection with any charges on the Consolidated Fund of India.</p>
<h3>A case of procedural irregularity?</h3>
<p>The constitution of India borrows the idea of providing the speaker with the authority to certify a bill as money bill from British law, but operationalises it differently. In the UK, though the speaker’s certificate on a money bill is <a href="https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/480476/Money_Bills__12_Nov_2015___accessible_PDF_.pdf">conclusive</a> for all purposes under section 3 of the Parliament Act 1911, the speaker is <a href="http://www.publications.parliament.uk/pa/ld201011/ldselect/ldconst/97/9703.htm">required to consult</a> two senior members, usually one from either side of the house, appointed by the committee from amongst those senior MPs who chair general committees. In India, the speaker makes the decision on her own.</p>
<p>Although article 110 (3) of the Indian constitution states that the decision of the speaker of the Lok Sabha shall be final in case a question arises regarding whether a bill is a money bill or not, this does not restrict the Supreme Court from entertaining and hearing a petition contesting the speaker’s decision. As the Aadhaar Act was introduced in the Lok Sabha as a money bill even though it does not meet the necessary criteria for such a classification, this treatment of the bill may be considered as an instance of <em>procedural irregularity</em>.</p>
<p>There is ample jurisprudence on what happens when the Supreme Court’s power of judicial review comes up against Article 122 – which states that the validity of any proceeding in the parliament can (only) be called into question on the grounds of procedural irregularities. In the crucial judgment of <a href="https://indiankanoon.org/doc/1757390/"><em>Raja Ram Pal vs Hon’ble Speaker, Lok Sabha and Others</em></a> (2007), the court evaluated the scope of judicial review and observed that although parliament is supreme, unlike Britain, proceedings which are found to suffer from substantive illegality or unconstitutionality, cannot be held protected from judicial scrutiny by article 122, as opposed to mere irregularity. Deciding upon the scope for judicial intervention in respect of exercise of power by the speaker, in <a href="https://indiankanoon.org/doc/1686885/"><em>Kihoto Hollohan vs Zachillhu and Ors.</em></a> (1992), the Supreme Court held that though the speaker of the house holds a pivotal position in a parliamentary democracy, the decision of the speaker (while adjudicating on disputed disqualification) is subject to judicial review that may look into the correctness of the decision.</p>
<p>Several past decisions of the Supreme Court discuss how the tests of legality and constitutionality help decide whether parliamentary proceedings are immune from judicial review or not. In <a href="https://indiankanoon.org/doc/1249806/"><em>Ramdas Athawale vs Union of India</em></a> (2010), the case of <a href="https://indiankanoon.org/doc/638013/"><em>Keshav Singh vs Speaker, Legislative Assembly</em></a> (1964) was referred to, in which the judges had unequivocally upheld the judiciary’s power to scrutinise the actions of the speaker and the houses. It was observed that if the parliamentary procedure is illegal and unconstitutional, it would be open to scrutiny in a court of law and could be a ground for interference by courts under <a href="https://indiankanoon.org/doc/981147/">Article 32</a>, though the immunity from judicial interference under this article is confined to matters of irregularity of procedure. These observations were reiterated in <a href="https://indiankanoon.org/docfragment/108219590/?formInput=lokayukta"><em>Mohd. Saeed Siddiqui vs State of Uttar Pradesh</em></a> (2014) and <a href="https://indiankanoon.org/doc/199851373/"><em>Yogendra Kumar Jaiswal vs State of Bihar</em></a> (2016).</p>
<p>Thus, the decision of the Lok Sabha speaker to pass and certify a bill as a money bill is definitely not immune from judicial review. Additionally, the Supreme Court has the power to issue directions, orders or writs for enforcement of rights under Article 32 of the constitution, therefore, allowing the judiciary to decide upon the manner of introducing the Aadhaar Act in parliament.</p>
<h3>National implications demand public deliberation</h3>
<p>As the provisions of the Aadhaar Act have <a href="http://indianexpress.com/article/opinion/columns/privacy-after-aadhaar-money-bill-rajya-sabha-upa/">far reaching implications</a> for the fundamental and constitutional rights of Indian citizens, the Supreme Court should look into the matter of its identification and treatment as a money bill and whether such decisions lead to the thwarting of legislative and procedural justice.</p>
<p>The Supreme Court may also take this opportunity to reflect on the very decision making process for classification of bills in general. As <a href="http://www.thehoot.org/media-watch/law-and-policy/aadhar-why-classification-matters-in-law-making-9281">Smarika Kumar argues</a>, experience with the Aadhaar Act reveals a structural concern regarding this classification process, which may have substantial implications in terms of undermining public and parliamentary deliberative processes. This “trend,” as <a href="http://indianexpress.com/article/opinion/columns/making-a-money-bill-of-it/">Arvind Datar notes</a>, of limiting legislative discussions and decisions of national importance within the space of the Lok Sabha must be swiftly curtailed.</p>
<p>Apart from deciding upon the legality of the nature of the bill, it is vital that the apex court ask the government to categorically respond to the concerns red-flagged by the <a href="http://164.100.47.134/lsscommittee/Finance/15_Finance_42.pdf">Standing Committee on Finance</a>, which had taken great exception to the continued collection of data and issuance of Aadhaar numbers in its report, and to the recommendations <a href="http://thewire.in/2016/03/16/three-rajya-sabha-amendments-that-will-shape-the-aadhaar-debate-24993/">passed in the Rajya Sabha recently</a>. Further, the repeated violation of the Supreme Court’s interim orders – that the Aadhaar number cannot be made mandatory for availing benefits and services – in contexts ranging from <a href="http://www.caravanmagazine.in/vantage/how-get-married-without-aadhaar-number">marriages</a> to the <a href="http://www.thehindu.com/news/national/payment-denied-for-nrega-workers-without-uidai-cards-in-jharkhand/article5674969.ece">guaranteed work programme</a> should also be addressed and responses sought from the Union government.</p>
<p>Evidently, the substantial implications of the Aadhaar Act for national security and fundamental rights of citizens, primarily privacy and data security, make it imperative to conduct a duly balanced public deliberation process, both within and outside the houses of parliament, before enacting such a legislation.</p>
<p> </p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/identity-of-the-aadhaar-act-supreme-court-and-the-money-bill-question'>https://cis-india.org/internet-governance/blog/identity-of-the-aadhaar-act-supreme-court-and-the-money-bill-question</a>
</p>
No publisherVanya Rakesh and Sumandro ChattapadhyayUIDBig DataPrivacyInternet GovernanceAadhaar2016-05-09T11:52:44ZBlog Entry