Centre for Internet and Society

Vulnerabilities in the UIDAI Implementation Not Addressed by the Aadhaar Bill, 2016

Pooja Saxena and Amber Sinha — 2016-03-21T08:33:53Z

In this infographic, we document the various issues in the Aadhaar enrolment process implemented by the UIDAI, and highlight the vulnerabilities that the Aadhaar Bill, 2016 does not address. The infographic is based on Vidushi Marda’s article 'Data Flow in the Unique Identification Scheme of India,' and is designed by Pooja Saxena, with inputs from Amber Sinha.

Download the infographic: PDF and PNG.

Credits: The illustration uses the following icons from The Noun Project - Thumpbrint created by Daouna Jeong, Duplicate created by Pham Thi Dieu Linh, Copy created by Mahdi Ehsaei.

License: It is shared under Creative Commons Attribution 4.0 International License.

For more details visit https://cis-india.org/internet-governance/blog/vulnerabilities-in-the-uidai-implementation-not-addressed-by-the-aadhaar-bill-2016

Virtual Aadhaar ID: too little, too late?

Admin — 2018-01-16T23:59:21Z

Problems persist as many have already shared their 12-digit number with various entities, say experts

The article by Yuthika Bhargava was published in the Hindu on January 11, 2018

The move to introduce an “untested” virtual ID to address security concerns over Aadhaar database is a step in the right direction, but may be a case of too little, too late, according to experts, as many of the 119 crore Aadhaar holders have already shared their 12-digit numbers with various entities.

“What about all the databases that are already linked up with our Aadhaar number? Virtual ID will therefore not attack the root of the problem. At best, it is band-aid,” said Reetika Khera, faculty, Indian Institute of Technology-Delhi.

“Can we realistically expect rural folks to use this to protect themselves? Or are we pushing the barely literate into the hands of middlemen who will ‘help’ them navigate it?” she questioned.

The Unique Identification Authority of India (UIDAI) on Wednesday introduced the concept of a virtual ID that can be used in lieu of the Aadhaar number at the time of authentication, thus eliminating the need to share and store Aadhaar numbers. It can be generated only by the Aadhaar number-holder via the UIDAI website, Aadhaar enrolment centre, or its mobile application.

Experts pointed out that the virtual ID is voluntary and the Aadhaar number will still need to be used at some places.

“Unless all entities are required to use virtual IDs or UID tokens, and are barred from storing Aadhaar numbers, the new measures won’t really help,” said Pranesh Prakash, Policy Director, Centre for Internet and Society, Bengaluru.

Kiran Jonnalagadda, co-founder of the Internet Freedom Foundation, agreed. “The idea is good but it should have been done in 2010, as now all the data is already out. Now, what can be done is revoke everybody’s Aadhaar and give new IDs.”

Mr. Jonnalagadda added that Authentication User Agencies (AUAs) categorised as ‘global AUAs’ by the UIDAI will be exempted from using the virtual IDs. “These are likely to be entities which require de-duplication for subsidy transfer, such as banks and government agencies. All the leaks have happened till now from these entities. So, basically, the move will exempt the parties that are the problem,” he said.

Vipin Nair, one of the advocates representing the petitioners who have challenged the Aadhaar Act in the Supreme Court said, “It is potentially a case of unmitigated chaos purely from an Information Technology perspective.”

For more details visit https://cis-india.org/internet-governance/news/hindu-yuthika-bhargava-january-11-2018-virtual-aadhaar-id-too-little-too-late

Vijay Mallya cries foul after his Twitter and email accounts are hacked

praskrishna — 2016-12-10T13:50:25Z

The attackers said they were able to access over a gigabyte of data from Mallya's email.

The article by Alnoor Peermohamed was published in Business Standard on December 10, 2016. Sunil Abraham was quoted.

Liquor baron Vijay Mallya on Friday cried foul over his Twitter account being hacked by a group calling itself ‘Legion’. The group is believed to be the same as the one behind the hack of Congress vice-president Rahul Gandhi’s Twitter and e-mail servers last week.

Several tweets alleging that Mallya’s e-mail had been compromised and documents related to his offshore investments and bank accounts had been stolen were made from his official Twitter account in early on Friday.

“Outfit called Legion has hacked my e-mail accounts and are blackmailing me!! What a joke,” Mallya tweeted after seemingly taking back control of his account.

The attackers said they were able to access over a gigabyte of data from Mallya’s e-mail and shared a link for the public to gain access to it. They also tweeted the rest of the information on Mallya would be made public in the coming weeks, targeted at bringing him to justice for committing fraud.

The Twitteratti (the general public on the social networking platform), including several of Mallya’s 5.51 million followers, emerged in support of the hackers, who they proclaimed were working in the interest of the Indian people. Mallya has defaulted Rs 7,200 crores in loans and is being investigated for it.

“The e-mail hack is interesting because it’s the same global pattern. People are following Julian Assange’s advice — transparency should be directly proportional to power. What one really means is, public interest should be preserved,” says Sunil Abraham, executive director at Bengaluru-based Centre for Internet and Society.

While a lot of hacks continue to be carried out for monetary gain through extortion, several Internet vigilante groups have cropped up over the past decade, the most famous being WikiLeaks and more recently Anonymous. As India’s politicians, businessmen and the general public increasingly use technology and the Internet, they too are becoming targets for such hackers.

“If Mallya’s email account is hacked and all we get out of it is gossip, then it’s of no use. But if we as a nation ensure that the law is followed, or laws are improved, or corporate governance is evolved, all of that is positive impact of such an event. So hacktivists have to be very responsible when they do this, otherwise they spoil the name of whistleblowers and so on,” added Abraham.

Mallya is currently wanted by Indian law enforcement agencies and has a non-bailable warrant issued against his name by the court. He has currently exiled himself in the UK and refuses to travel to the country unless offered amnesty. While often denying any wrongdoing, the general public perception among Indians is that the billionaire playboy Mallya portrayed himself to be is guilty.

For more details visit https://cis-india.org/internet-governance/business-standard-alnoor-peermohamed-december-10-2016-vijay-mallya-cries-foul-after-his-twitter-and-email-accounts-are-hacked

VII NLSIR Symposium

praskrishna — 2014-01-09T07:08:33Z

The National Law School of India Review (NLSIR) - the flagship journal of the National Law School of India University (NLSIU), Bangalore is pleased to announce the seventh NLSIR Symposium on “Bridging the Security-Liberty Divide” scheduled to be held on December 21 and December 22, 2013 at the National Assessment and Accreditation Council (NAAC, opposite NLSIU Campus, Nagarhavi) Conference Hall, Bangalore.

This was published by NLSIR on December 20, 2013.

The decade following September 11 has been dubbed “liberty’s lost decade”, not just for the United States of America but for the world at large, marked by increasing tension between State interests in national security and individual liberty. As we continue to grapple with the implications of this clash, one clear winner seems to be emerging, best observed by examining changes in legal systems throughout this decade. The recent upsurge of criticism against NSA activity globally, however, could be seen as indicative of a changing trend. The VIIth NLSIR Symposium seeks to trace this dialogue between competing notions of security and liberty, and hopes to assess and analyse similar developments in India Confirmed speakers for the symposium include renowned legal experts such as Hon’ble Justice Muralidhar, Menaka Guruswamy, Mrinal Satish, Bharat Karnad, Aparna Chandra, Chinmayi Arun, Shyam Diwan, Bhairav Acharya, Roshni, Yug Mohit Chaudhary and Saikat Datta.

This year, the discussions will be divided into four panels:

Session I: Securing Liberty from the State - Redefining Criminal Thresholds in Law
(Forenoon, December 21, 2013, Saturday)

Session II: Intrusive Intelligence - Surveillance Programs and Privacy in India
(Afternoon, December 21, 2013, Saturday)

Session III: Beyond Borders - Extradition, Asylum and Concerns of State Security
(Forenoon, December 22, 2013, Sunday)

Session IV: Connecting the Dots
(Afternoon, December 22, 2013, Sunday)

For more details visit https://cis-india.org/news/nlsir-december-21-2013-nlsir-symposium

Vidhi Doshi - Fingerprint Payments Prompt Privacy Fears in India (The Guardian)

Vidhi Doshi — 2017-02-13T09:21:42Z

This article by Vidhi Doshi on the use of Aadhaar-based payments by private companies in India was published by The Guardian on February 09, 2017. Sumandro Chattapadhyay is quoted in the article.

Originally published by The Guardian.

For two years, Indian officials have been trawling the country, from city slums to unelectrified villages, zapping eyeballs, scanning fingerprints and taking photographs.

Last month, Indian shoppers started to see the results. With the launch of a government-backed fingerprint payment system, tied to India’s growing biometric data bank, registered citizens can – in theory at least – now pay for things with the touch of a finger.

India’s extraordinary biometric database, named Aadhaar after a Hindi word for ‘foundation’, is the biggest of its kind in the world. It was initially sold to the public as a welfare delivery mechanism that would ensure the country’s 1.25bn citizens were each receiving the right quantity of subsidised rice or cooking fuel, while weeding out fraudsters.

But now this pool of more than a billion people’s biometric data is being used by banks, credit checking firms and other private companies to identify customers, raising questions about privacy and security.

As one of his flagship policies, prime minister Narendra Modi pledged to create a “digital India” in which the country’s cash-centric economy would switch to credit and debit cards, squeezing the parallel economy of untaxed cash transactions and giving more citizens access to digital financial services.

In a surprise television announcement last November, Modi announced the demonetisation of 500 and 1,000 rupee notes (around £6 and £12), wiping out 85% of the country’s circulating currency overnight.

Two days later, when the banks reopened, long queues snaked around almost every branch, with millions lining up to open bank accounts for the first time. Many used their 12-digit Aadhaar number, linked to their biometric profile, to sign up. Within three weeks, 3m bank accounts had been opened using fingerprint verification, according to estimates.

The moment marked a radical change for India’s banking system, under which applicants were traditionally required to file photocopies of passports or voter IDs. Banks could take weeks, sometimes months, to verify them. Now applicants’ encrypted biometric data can be sent to the Unique Identification Authority of India (UIDAI), a government agency, to be matched against their Aadhaar data, re-encrypted and sent back to the bank.

Despite technical teething problems, the system is designed to allow very fast authorisation. “All this happens in a matter or two or three seconds,” explains Ajay Bhushan Pandey, UIDAI’s director general.

For Pandey, the benefits are clear: paper documents are easy to forge and hard to verify, especially in India where until recently thousands of people still used handwritten passports. Not so biometric data.

Privacy fears

Pandey emphasises that private banks and companies aren’t able to access the entire Aadhaar database, only to use the government interface, which allows them to verify identities.

Nonetheless, many Indians are worried about the privacy implications. Sumandro Chattapadhyay, a director at the Centre for Internet and Society thinktank, is one of them.

For starters, says Chattapadhyay, the law governing use of the biometric database, fast-tracked through parliament last year, is flimsy when it comes to the private sector. Since India lacks a general privacy or data protection law, this leaves corporate use of Aadhaar services effectively unregulated, he says.

This is particularly worrying, says Chattapadhyay, because of the data-sharing possibilities opened up by Aadhaar. It makes it easier for companies not only to share information on individuals’ consumption and mobility habits, but also to link this data up with public records like the electoral register, he says. “Both lead to significant threats to privacy of individuals.”

Chattapadhyay’s fear is that private companies could eventually gain access to government-held personal data, such as income or medical records, while the government could use company data like phone records to target specific individuals in political campaigns.

Already companies are linking Aadhaar numbers with collected metadata. Credit-checking startup CreditVidya, for example, identifies clients using their biometric ID in combination with their internet browsing history and other data, to assign credit scores for users who have no record of loan repayments. Banks then store this processed metadata, for example whether or not someone’s Facebook name is consistent with the name on their bank account.

Its founder Abhishek Agarwal admits there are risks for users: “[I]f someone managed to hack the bank’s security system, as well as the Aadhaar database, they could potentially be able to link your Facebook or LinkedIn data with your biometric information.” But he says this would be hard to do.

Pandey insists the companies are carefully vetted before they can use Aadhaar authentication. But, like Agarwal, he acknowledges the system can never be 100% secure: ““I wouldn’t say it is impossible to break the system, but it is very, very difficult.”

For more details visit https://cis-india.org/internet-governance/news/vidhi-doshi-fingerprint-payments-prompt-privacy-fears-in-india-the-guardian

Video Surveillance and Its Impact on the Right to Privacy

Vaishnavi Chillakuru — 2011-09-29T05:35:56Z

The need for video surveillance has grown in this technologically driven era as a mode of law enforcement. Video Surveillance is very useful to governments and law enforcement to maintain social control, recognize and monitor threats, and prevent/investigate criminal activity. In this regard it is pertinent to highlight that not only are governments using this system, but residential communities in certain areas are also using this system to create a safer environment.

However, this move is fundamentally opposed by many civil rights and privacy groups across different jurisdictions and have expressed concern that by allowing continual increases in government surveillance of citizens that we will end up in a mass surveillance society, with extremely limited, or non-existent political and/or personal freedoms.

European Union

The Data Protection Directive [1]of 1995, a Directive was issued by the European Union (EU) to regulate the processing and free movement of personal data. In pursuance with this Directive, every country of the EU passed a legislation to govern the protection of personal data. In this regard, the United Kingdom (UK) enacted the Data Protection Act (DPA) in 1998 and the same was brought into force in the year 2001.

The DPA sets forth eight, Data Protection Principles (DPP)[2] to protect personal data in the public sphere. Although video surveillance has not been explicitly referred to in the legislation, the definition given by the DPA is broad enough to encompass it. The application of these principles to video surveillance has been made explicit through the publication of the CCTV Code of Practice (CoP) by the information commissioner. The CoP does not apply to surveillance cameras used for household purposes. Images captured for recreational purposes with a camera, video recorder, etc., are also exempt. The main features of the CoP have been summarized below:

It is important to ascertain who has the responsibility for the control of the images i.e., deciding what is to be recorded, how the images should be used and to whom they may be disclosed. The body which makes these decisions is called the data controller and is responsible for the compliance with the DPA. The body has to notify the information commissioner as to who the data controller is.
An impact assessment should be done to evaluate the scheme’s impact on the privacy rights of the public. While conducting such an assessment, the data controller should take into account what benefits can be gained, whether better solutions exist, and what effect it may have on individuals. The results of the assessment should be used to determine whether video surveillance is justified and if so, how it should be operated.
The camera equipment should be chosen so as to fulfill the purposes for which the surveillance is being carried out. They should have the necessary technical specification so that the images are of appropriate quality. The camera should be positioned in such a way that only those areas which are intended to be the subject of surveillance are covered.
Viewing of live feed must be restricted to authorized personnel only. The data controller should try and protect the images from public view. Disclosure of recorded images should also be controlled and limited to the purpose for which the surveillance was set up. All other requests for viewing images should be considered carefully and balanced against the privacy rights of other individuals who may be affected by the disclosure of the images.
The DPA does not prescribe any minimum or maximum period of retention. It should be ascertained keeping in mind the purpose for which the surveillance system was set up. However, the images should not be kept for longer than is strictly necessary.
There should be prominently placed signs to let people know that they are in an area which is under video surveillance. This can be supplemented by an audio announcement in places where public announcements are already being used, such as in stations. Systems in public spaces and shopping centres should have signs giving the name and contact details of the company, organisation or authority responsible.
Staff operating the system needs to be aware of the rights of the individual under the DPA.

Canada

Canada has two federal laws which deal with privacy — the Privacy Act, 1985 and the Personal Information Protection and Electronic Documents Act, 2000 (PIPEDA). The former protects privacy rights by limiting the collection, use and disclosure of personal information by the federal government departments and agencies whereas the latter deals with the collection, use and disclosure of personal information by private sector organizations. In addition to these two legislations, every province or territory has their own privacy legislations.

A privacy commissioner is appointed to receive and investigate complaints filed by Canadian citizens pertaining to allegations of violation of the Acts. They also conduct research into privacy issues and promote awareness. The privacy commissioner reports directly to the House of Commons and the Senate. Every province or territory may also have its own commissioner or ombudsman authorized to investigate complaints. The Office of the Privacy Commissioner of Canada (OPC) published two sets of guidelines in order to define and circumscribe the use of video surveillance and ensure that the impact on privacy is minimized.

The first set of guidelines is meant to guide the regulation of video surveillance (by law enforcement agencies) in public spaces i.e., in places where there is free and unrestricted access to everyone. These guidelines were drawn up after extensive discussions between the OPC and the Royal Canadian Mount Police (RCMP). However, these guidelines are to be considered merely as an aid and notwithstanding anything stated in the guidelines, the RCMP has the right to carry out its functions as it deems fit. Some of the important pointers are[3]

Video surveillance should only be used to address a "real and pressing problem" which is of sufficient in magnitude so as to warrant the overriding of the privacy rights of citizens. Hence, there should be "real and verifiable" instances of crime or concern for public safety.
Video surveillance should be conducted only as a last resort i.e., in circumstances where there in no other less privacy-intrusive alternative.
A "privacy impact assessment" should be conducted beforehand to assess the degree of interference that will result due to the video surveillance.
Relevant stakeholders (for example, members of the communities that will be affected by the surveillance systems) should be considered before arriving at a decision.
Video surveillance must comply with all applicable laws including over arching laws such as the Canadian Charter of Rights and Freedoms.
The video surveillance should be conducted in such a way that impact on the privacy rights of citizens is minimized. For example, limited use of video surveillance (e.g., for limited periods of day, public festivals, peak periods) should be preferred to be always on surveillance if it will achieve substantially the same result.
The public should be informed that they are under surveillance. Clear signs should be put up mentioning the perimeter of the surveillance areas, the person responsible for surveillance and his contact details in case of any queries.
Security of the equipment and images should be assured.
People whose images are recorded should be able to request access to their recorded personal information.

The second set of guidelines is with respect to video surveillance in private sector organizations. These guidelines apply to overt video surveillance of the public by private sector organizations in publicly accessible areas. They do not apply to covert video surveillance nor do they apply to the surveillance of employees.

"Determine whether a less privacy-invasive alternative to video surveillance would meet your needs.
Establish the business reason for conducting video surveillance and use video surveillance only for that reason.
Develop a policy on the use of video surveillance.
Limit the use and viewing range of cameras as much as possible.
Inform the public that video surveillance is taking place.
Store any recorded images in a secure location, with limited access, and destroy them when they are no longer required for business purposes.
Be ready to answer questions from the public. Individuals have the right to know who is watching them and why, what information is being captured, and what is being done with recorded images.
Give individuals access to information about themselves. This includes video images.
Educate camera operators on the obligation to protect the privacy of individuals.
Periodically evaluate the need for video surveillance."

United States of America

Statutory laws governing the regulation of video surveillance in America are scarce. While there are some state laws which regulate aspects of public video surveillance, there are virtually no federal laws which directly deal with it. However, video surveillance implicates certain constitutional doctrines — especially the first and the fourth amendments. Although it cannot be denied that the liberties enshrined by these amendments can be severely affected by continuous surveillance, so far, the American courts and jurisprudence on the subject have been very permissive.

Another important directive is the "Fair Information Practices" (FIP) originating from the recommendations written by the United States Government which provide certain rights to individuals with respect to the use and dissemination of personal information. Although these guidelines do not have the force of law, they can prove to be a valuable guide for the treatment of any government-held record containing personally identifiable information. The rights of individuals listed by the FIP, in their most basic form, have been given below:[4]

"Notice and awareness of the purpose of data collection, and how such information is used;
Consent to the collection of personal information, and choice concerning how it is used;
Access to and participation in the process of data collection and use, including the right to correct errors;
Integrity and security adequate to protect the information against loss or misuse; and
Redress and accountability for injury resulting from loss or misuse of personal information."

Also, the American Bar Association, in 1999, published standards for technologically-assisted physical surveillance, including video surveillance. Some of the key points of these guidelines are given below:

While regulating the use of video surveillance for law enforcement purposes, certain factors should be kept in mind. For example, the nature of the law enforcement objective or objectives sought to be achieved, the extent to which the surveillance will achieve the law enforcement objectives, the nature and extent of the crime involved, etc.
The extent to which the surveillance invades privacy should be assessed. While conducting such an assessment, care should be taken to enhance the privacy of the location under surveillance by taking into consideration the nature of the place, activity, condition, or location.
Alternate measures should be preferred over video surveillance in order to maintain a balance between the right to privacy and the need for surveillance.
Notice of the surveillance should be given when appropriate.
The scope of the surveillance should be limited to its authorized objectives and be terminated when those objectives are achieved.

Australia

Neither the Australian Federal Constitution nor the Constitutions of the six states and two territories contain any express provisions relating to privacy. However, there are several state and federal privacy laws governing specific sectors and aspects. The primary federal statute is the Privacy Act of 1988 (PA). This statute was enacted in a bid to give effect to Australia's commitment to the International Covenant on Civil and Political Rights and the Organization for Economic Cooperation and Development (OECD). There are four key areas of application of the Act out of which only two are relevant in the context of video surveillance. The first is the eleven Information Privacy Principles (IPPs), based on the OECD Guidelines. These principles are applicable to federal government agencies. The second is the National Privacy Principles (NPP) which regulates private sector organizations. However, private organizations can set forth their own "code of practice" and get it approved by the privacy commissioner as long as it does not go against the broad framework laid down by the NPPs.

Apart from the PA, each state or territory may have its own laws or practices regarding video surveillance. For instance, covert video surveillance in New South Wales is governed by the Workplace Video Surveillance Act, 1998. The Government of New South Wales also published a report on CCTV in public places. Similarly, Victoria is governed by the Surveillance Devices Act, 1999 and Western Australia by the Surveillance Devices Act, 1998. However, South Australia, Tasmania, Northern Territory and Australian Capital Region have no legislation dealing with the use of video surveillance.

Japan

The Constitution of Japan does not contain any express provisions guaranteeing the right to privacy. Till 2003, even statutory law in the field of data protection was non-existent and the government followed a policy of self regulation. It was only in 2003 that the Japanese Parliament enacted the Protection of Personal Information Act. The law underlying privacy in Japan[6] protects only personal information that is obtained and held by administrative agencies, private agencies. It seeks to set forth penal provisions in order to curb leakage of personal information by the government. The subsequent amendments to this Act have widened its scope to cover data that is paper based as well as computerized. Therefore, it can be said that the instant legislation is broad enough to encompass video surveillance data as well.

In this regard it is set forth that there exists no consolidated law to govern video-surveillance systems. Nevertheless, Japan uses video surveillance systems in order to assist the law enforcement agencies. The National Police Agency uses a video surveillance system called the "N system"[7] in order to record license plate numbers of vehicles on roads, highways, etc. This facilitates effective and efficacious law enforcement in Japan. Furthermore, Tokyo police have been operating surveillance cameras on utility poles and buildings to monitor pedestrians in the several densely populated districts of the city.[8] However, this mechanism has been challenged severely by litigants and many privacy groups in the court of law.

Conclusion

We have now moved into an age where security seems to be the primary issue for most countries and their citizens. Video surveillance is increasingly being used to assuage the fears of the citizens and bring perpetrators to justice. In such a scenario, the issue of privacy rights of individuals seems to have taken a backseat. While some countries such as Canada and Britain have attempted to strike a balance between the need for surveillance and the privacy rights of the people, other countries such as the United States of America and Japan do not seem to have made much progress in terms of creating video surveillance norms or regulations to protect the privacy rights of citizens.

Considering the pressing need for video surveillance to address national security issues, India surprisingly has no laws on the same. In this regard, India needs to draw from the experience of the United Kingdom and Canada. The first step is to enact laws permitting video surveillance.

These laws should be tightly worded and strictly connoted, considering the encroachment on civil liberties. Further, in order to balance security with privacy, the next step is to create an office for the information commissioner. It should be created and powers should be conferred to ensure that the privacy related disputes are handled efficiently and expeditiously. Furthermore, the misuse of the powers conferred upon surveillance authorities should be deterred by giving further powers to the commissioner to impose pecuniary liability.

Bibliography

European Union

Canada

United States of America:

Australia:

Japan

https://www.privacyinternational.org/article/phr2006-japan#[45]

Notes

[1]Directive 95/46/EC.

[2]See http://www.ico.gov.uk/for_organisations/data_protection/the_guide/the_principles.aspx (eight data protection principles)

[3]Full guidelines: http://www.priv.gc.ca/information/guide/vs_060301_e.cfm.

[4]Full guidelines: http://www.americanbar.org/publications/criminal_justice_section_archive/crimjust_standards_taps_blk.html#9.

[5]http://www.proactivestrategies.com.au/library/Loss%20Prevention/Video%20Surveillance%20National%20article.PDF.

[6]This law extends to private businesses, government organizations and independent administrative agencies.

[7]540 locations on expressways and major highways throughout the country; it automatically records the license plate number of every passing car.

[8]This regime has also been litigated upon thoroughly with lawyers claiming the same to be unconstitutional.

For more details visit https://cis-india.org/internet-governance/blog/privacy/video-surveillance-privacy

Very Big Brother

sunil — 2014-04-14T11:39:09Z

The Centre for Internet and Society, the organization I work for, currently serves on a committee established by the Government of India's Department of Biotechnology, Ministry of Science and Technology in January 2013. The committee has been charged with preparing a report on the draft Human DNA Profiling Bill.

The article was originally published in GeneWatch (January - April 2014) issue.

Why should an organization that focuses on the Internet be invited to such a committee? There are some obvious reasons related to data protection and big data. CIS had previously served on the Justice AP Shah committee that was tasked by the Planning Commission to make recommendations on the draft Privacy Bill in 2012. There are also some less obvious connections, such as academic research into cyborgs wherein the distinction between human and machine/technology is blurred; where an insulin pump makes one realize that the Internet of Things could include the Internet of Body Parts. But for this note I will focus on biometrics - quantifiable data related to individual human characteristics - and their gate-keeping function on the Internet.

The bouquet of biometric options available to technologists is steadily expanding - fingerprint, palm print, face recognition, DNA, iris, retina, scent, typing rhythm, gait, and voice. Biometrics could be used as authentication or identification to ensure security and privacy. However, biometrics are different from other types of authentication and identification factors in three important ways that have implications for human rights in information societies and the Internet.

Firstly, biometrics allow for non-consensual authentication and identification. Newer, more advanced and more expensive biometric technologies usually violate human rights more extensively and intensively than older, more rudimentary and inexpensive biometrics. For example, it is possible to remotely harvest iris information when a person is wide awake without even being aware that their identification or authentication factors have been compromised. It isn't difficult to imagine ways to harvest someone's fingerprints and palm prints without their knowledge, and you cannot prevent a security camera from capturing your gait. You could use specialized software like Tor to surf the World Wide Web anonymously and cover your digital tracks, but it is much harder to leave no trail of DNA material in the real world.

Secondly, biometrics rely on probabilistic matching rather than discrete matching - unlike, for example, a password that you use on a social media platform. In the 2007 draft of India's current Human DNA Profiling Bill, the preamble said "the Deoxyribose Nucleic Acid (DNA) analysis of body substances is a powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another, and further to establish the biological relationship, if any, between two individuals, living or dead, without any doubt." This extract from the bill was quoted in an ongoing court case to use tampered chain of custody for DNA as the means to seek exoneration of the accused. And the scientists on the committee insist that the DNA Data Bank Manager "...shall communicate, for the purposes of the investigation or prosecution in a criminal offence, the following information to a court, tribunal, law enforcement agency ... as to whether the DNA profile received is already contained in the Data Bank" - in other words, a "yes" or "no" answer. This is indeed odd for those who come from the world of Internet policy - especially when one DNA lab worker confidentially shared that after a DNA profile was generated the "standard operating procedure" included checking it against the DNA profile of the lab worker to ensure that there was no contamination during the process of generating the profile. This would not be necessary for older forms of biometrics such as the process of developing a photograph. In other words, chain of custody issues with every generation of biometric technology are getting more and more complex. In the developing world, the disillusioned want to believe that "technology is the solution." The fallibility of technology must determine its evidentiary status.

Finally, biometrics are only machine-scrutable. This means machines and not human beings will determine whether you are guilty or innocent; whether you should get subsidized medicine, grain, or fuel; whether you can connect to the Internet via mobile phone, cybercafe or broadband. DNA evidence is not directly observable by judges and therefore the technology and equipment have to be made increasingly transparent so that ordinary citizens as well as the scientific community can audit their effectiveness. In 2009, the Second District Court of Appeal and Circuit Court in Florida upheld a 2005 ruling requiring CMI Inc, the manufacturer of Intoxilyzer 5000, to release source code, failing which evidence from the breathalyzer would be rendered inadmissible in more than 100 drunk driving cases. If the transparency of machines is important when prosecuting misdemeanors then surely this is something we must advocate for when culpability for serious crimes is determined through DNA evidence and other types of biometric technologies. This could be accomplished by the triad of mandates for free/open source software, open standards and open hardware. This is not necessary for all DNA technology and equipment that is used in the market, but only for a small sub-set of these technologies that impinge on our rights as human beings via law enforcement and the judicial system.

It has been nine years since India started the process of drafting this bill. We hope that the delays will only result in a robust law that upholds human rights, justice and scientific progress.

Sunil Abraham is Executive Director of the Centre for Internet and Society, based in Bangalore, India.

For more details visit https://cis-india.org/internet-governance/blog/council-for-responsible-genetics-april-2014-sunil-abraham-very-big-brother

Use of Visuals and Nudges in Privacy Notices

saumyaa — 2018-08-22T13:16:15Z

Nudging in privacy notices can be a privacy-enhancing tool. For example, informing users of how many people would have access to their data would help them make a decision. However, nudges can also be used to influence users towards making choices that compromise their privacy. For example, the visual design of default options on digital platforms currently nudge users to share their data. It is critical to ensure that there is mindful use of nudges, and that it is directed at the well being of the users.

Edited by Elonnai Hickok and Amber Sinha

Former Supreme Court judge, Justice B.N. Srikrishna, who is currently involved in drafting the new data-privacy laws for India, was quoted recently by the Bloomberg^[1]. Acknowledging the ineffectiveness of consent forms of tech companies that leads to users’ data being collected and misused, he asked if we should have pictograph warnings for consent much like the warnings that are given on cigarette packets. His concern is that an average Indian does not realise how much data they are generating or how it is being used. He attributed this to the access issues with the consent forms presented by companies which are in the English language. In the Indian context, Justice Srikrishna pointed out, considerations around literacy and languages should be addressed.

The new framework being worked on by Srikrishna and his committee comprising academics and government officials, would make the tech companies more accountable for data collection and use, and allow users to have more control over their own data. But, in addition to this regulatory step towards privacy and data protection, the concern towards communication of companies’ data practices through consent forms or privacy notices is also critical for users. Currently, the cryptic notices are a barrier for users, as are the services that do not provide incremental information about the use of the service - for example, what data is being shared with how many people or what data is being collected at what point, instead relying on blanket consent forms taken at the beginning of a service. Visuals can go a long way in making these notices and services accessible to users.

Although, Justice Srikrishna chose the extreme example of warnings on cigarette packets, visually depicting the health risks of cigarette smoking using repulsive imagery, the underlying intent seems to be of using visuals as a means of giving an immediate and clear warning about how people’s data is being used and by whom. It must be noted that the effectiveness of warnings on cigarette packets is debatable. These warnings are also a way in which manufacturers consider their accountability met, which is a possible danger with privacy notices as well. Most companies consider that their accountability is limited to giving all the information to the users without ensuring that the information is communicated to help the user understand the risks. Hence, one has to be cautious of the role of visuals in notices so that they are used with the primary purpose of meaningful communication and accessibility that can be used to inform further action. The visual summary of the data practice in terms of how it will affect the user will also serve as a warning.

The warning images on cigarette packets are an example of the user-influencing design approach called nudging^{^[2]}. While nudging techniques are meant to be aimed at the users’ well being, it brings forward the question of who decides what is beneficial for the users. Moreover, the harm in cigarette smoking is more obvious, and thus the favourable choice for the users is also clearer. But, in the context of data privacy, the harms are less apparent. It is difficult to demonstrate the harms or benefits of data use, particularly when data is re-purposed or used indirectly. There is also no single choice that can be pushed when it comes to the use and collection of data. Different users may have different preferences or degrees to which they would like to allow the use of their data. This raises deeper questions about the extent to which privacy law and regulation should be paternalistic.

Nudges are considered to follow the soft or libertarian paternalism approach, where the user is not forbidden any options but only given a push to alter their behaviour in a predictable way^{^[3]}. It is crucial to differentiate between the strong paternalistic approach that doesn’t allow a choice at all, the usability approach, and the soft paternalistic approach of nudging, as mentioned by Alessandro Acquisti in his paper, ‘The Behavioral Economics of Personal Information’^{^[4]}. In the usability approach, the design of the system would make it intuitive for users to change settings and secure their data. The soft paternalistic approach of nudging would be a step further and present secure settings as a default. Usability is often prioritised by designers. However, soft paternalism techniques help to enhance choice for users and lead to larger welfare^{^[5]}.

Nudging in privacy notices can be a privacy-enhancing tool. For example, informing users of how many people would have access to their data would help them make a decision^{^[6]}. However, nudges can also be used to influence users towards making choices that compromise their privacy. For example, the visual design of default options on digital platforms currently nudge users to share their data. It is critical to ensure that there is mindful use of nudges, and that it is directed at the well being of the users.

The design of privacy notices should be re-conceptualised to ensure that they inform the users effectively, keeping in mind certain best practices. For instance, a multilayered privacy notice can be used, which includes a very short notice designed for use on portable digital devices where there is limited space, condensed notice that contains all the key factors in an easy to understand way, and a complete notice with all the legal requirements^{^[7]}. Along with the layering of information, the timing of notices should also be designed to be at setup, just in time of the user’s action, or at periodic intervals. In terms of visuals, infographics can be used to depict data flows in a system. Another best practice is to integrate privacy notices with the rest of the system. Designers are needed to be involved early in the process so that the design decisions are not purely visual but also consider information architecture, content design, and research.

Practice based frameworks should be developed for communication designers in order to have a standardised vocabulary around creating privacy notices. Additionally, multiple user groups and their varied privacy preferences must be taken into account. Finally, an ethical framework must be put into place for design practitioners in order to ensure that the users’ well being is prioritised, and notices are designed to facilitate informed consent. Further recommendations and concerns regarding the design of privacy notices, and the use of visuals can be read here.

Justice Srikrishna’s statement is an important step towards creating effective privacy notices with visuals. The conversation on the need to design privacy notices can lead to clearer and more comprehensible notices. Combined with the enforcement of fair collection and use of data by companies, well designed notices will allow users more control and a real choice to opt-in or out of a service and make informed choices as they engage with a service. Justice Srikrishna’s analogy seems to recommend using visuals to describe what type of data is being collected and for what purposes at the time of taking consent. Though cigarette warnings may not be the most appropriate analogy, this is a good start, and it is important to explore how visuals and design can be used throughout a service - from beginning to end - to convey and promote awareness and informed choices by users. It is also important to extend this conversation outside of privacy into the realm of security and understand how visuals and design can inform users’ awareness and personal choices around security when using a service.

^{^[1]} https://www.bloomberg.com/news/articles/2018-06-10/tech-giants-nervous-as-judge-drafts-first-data-rules-in-india

^{^[2]} http://www.ijdesign.org/index.php/IJDesign/article/viewFile/1512/584

^{^[3]} https://www.andrew.cmu.edu/user/pgl/psosm2013.pdf

^{^[4]} https://www.heinz.cmu.edu/~acquisti/papers/acquisti-privacy-nudging.pdf

^{^[5]} https://www.heinz.cmu.edu/~acquisti/papers/acquisti-privacy-nudging.pdf

^{^[6]} https://cis-india.org/internet-governance/files/rethinking-privacy-principles

^{^[7]} https://www.informationpolicycentre.com/uploads/5/7/1/0/57104281/ten_steps_to_develop_a_multilayered_privacy_notice__white_paper_march_2007_.pdf

For more details visit https://cis-india.org/internet-governance/blog/use-of-visuals-and-nudges-in-privacy-notices

Unpacking Data Protection Law: A Visual Representation

amber — 2018-02-15T13:22:00Z

This visual explainer unpacking data protection law was developed by Amber Sinha (research) and Pooja Saxena (design), and published as part of the Data Privacy Week celebrations on the Privacy International blog. Join the conversation on Twitter using #dataprivacyweek.

Cross-posted from Privacy International blog.

Credits: Flag illustrations, when not created by the authors, are from Ibrandify / Freepik.

For more details visit https://cis-india.org/internet-governance/blog/unpacking-data-protection-law-a-visual-representation

Unique Identity Number (UID), National Population Register (NPR), and Governance

praskrishna — 2013-03-01T04:32:06Z

The Centre for Internet and Society and the Say No to UID campaign invite you to a workshop to discuss and learn about the present state of the UID and the NPR schemes. The event will be held on Saturday, March 2, 2013, at TERI, Bangalore, from 10.30 a.m. to 2.00 p.m.

Among other questions, the workshop will address:

What is the UID and NPR?
How do the UID and NPR impact citizenship?
Will NPR and UID schemes transform governance?
Why and how is national security linked with UID / NPR?
What is the relationship between UID and Big Data?

Speakers:

Usha Ramanathan, Independent Law Researcher and Human Rights Activist
Anant Maringanti, Hyderabad Urban Labs & Right to the City Foundation
Kaveri R, Researcher, CES, IISc

For more details visit https://cis-india.org/internet-governance/events/uid-and-npr

Unique Identification Scheme (UID) & National Population Register (NPR), and Governance

elonnai — 2014-04-30T05:03:51Z

This post examines the UID, NPR and Governance as it exists in India. The background note gives a summary of what is the NPR, the legal grounding of NPR, its objectives, and the information which could be collected under the NPR. The post also throws light on the UID, its objectives, process of enrollment in UID, how UID is being adopted by different states in India, and finally the differences and controversies in UID and NPR.

This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC.

Video

The above video is from the "UID, NPR, and Governance" conference held on March 2, 2013 at TERI, Bangalore.

What is the NPR?
In 2010, the Government of India initiated the NPR which entails the creation of the National Citizens Register. This register is being prepared at the local, sub-district, district, state and national level. The database will contain thirteen categories of demographic information and three categories of biometric data collected from all residents aged five and above. Collection of this information was initially supposed to take place during the House listing and Housing Census phase of Census 2011 during April 2010 to September 2010.[1]

What is the legal grounding of the NPR?
The NPR is legally grounded in the provisions of the Citizenship Act, 1955 and the Citizenship Rules 2003. It is mandatory for every usual resident in India to register in the NPR as per Section 14A of the Citizenship Act, 1955, as amended in 2004. The collection of biometrics is not accounted for in the statute or rules.

What are the objectives of the NPR?
The objectives of the NPR as stated by the Citizenship Act is for the creation of a National Citizen Register. The National Citizen Register is intended to assist in improving security by checking for illegal migration. Additional objectives that have been articulated include: providing services to the residents under government schemes and programmes, checking for identity frauds, and improving planning.[2]

What is the process of enrollment for the NPR?
NPR enrollment is being carried out through house to house canvassing. The Office of the Registrar General and Census Commissioner, India has assigned Department of Information Technology (DIT) the responsibility of collecting and digitizing demographic data in 17 states and 2 Union Territories of India.[2] Collected information will then be printed and displayed in the local area where it is scrutinized by local officers and vetted by local bodies called ´Gram Sabha/Ward Committees´.[4] This process of social audit is meant to bring in transparency, equity, and ensure accuracy.

What information will be collected under the NPR?
The NPR database will include thirteen categories of demographic information and three categories of biometrics. The collection biometrics has not been provided for in the text of the Citizenship Rules, and is instead appears to be authorized through guidelines,[5] which do not have statutory backing. Currently, two iris scans, ten fingerprints, and a photograph are being collected. According to a 2010 Committee note, only the photograph and fingerprints were initially envisioned to be collected.

What is the Resident Identity Card?
The proposed Resident Identity card is a smart card with a micro-processor chip of 6.4 Kb capacity; the demographic and biometric attributes of each individual will be personalized in this chip. The UID number will be placed on the card as well. Currently, the government is only considering the possibility of distributing smart cards to all residents over the age of 18.[6]

What is the UID?
The Unique Identification Authority of India (UIDAI) was established in January 2009 and is part of the Planning Commission of India. UIDAI aims to provide a unique 12 digit ID number to all residents in India on a voluntary basis. The number will be known as AADHAAR. The UIDAI will own and operate a Unique Identification Number database which will contain biometric and demographic data of citizens.[7]

What is the objective of the UID?
According to the UIDAI, the UID will provide identity for individuals. The scheme has been promoted by the UIDAI as enabling a number of social benefits including improving the public distribution system, enabling financial inclusion, and improving the Mahatma Gandhi National Rural Employment Guarantee Scheme (NREGS). Despite these benefits, the UIDAI only guarantees identity, and does not guarantee rights, benefits or entitlement.[8]

What is the process for enrollment in the UID?
To enroll in the UID, individuals must go to enrollment centers with the appropriate documentation. Once documents are verified and biometrics taken, individuals will receive an acknowledgment slip and their UID number will be sent in the mail.[9] The UIDAI will enroll up to 600 million residents in 16 States and territories.[10] Online registration prior to enrollment at a Center is also now being offered.

How is UID being adopted by different States?
The adoption of the UID by different states and platforms has been controversial as the UID is not a mandatory number, yet with states and services adopting the number for different governmental services, the UID is becoming mandatory by default. Some ways in which states are using the UID include:

Gas and vehicles: The UPA Government has required that citizens have a UID number for services such as purchasing cooking gas, issuing a RTI request, and registering vehicles.[11]
Education: The Kerala government has required that all students must have UID number in order to be tracked through the system.[12] This mandate was questioned by the National Commission for Protection of Child Rights.
First Information Reports (FIR’s): The high court in Bombay has ordered the state home department to direct all police stations in Maharashtra to record the Unique Identification (UID) numbers of accused individuals and witnesses filing a FIR.[13]
Banks: The National Payment Corporation of India has collaborated UIDAI and is issuing ‘RuPay cards’ (Dhan Aadhaar cards) which will serve as ATM/micro-ATM cards. In 2011 the Bank of India had issued 250 cards.[14]
Railway: Railways are proposing to use the UID database for bookings and validation of passengers.[15]
Social Security: Commencing January 1, 2013, MGNREGA, the Rajiv Gandhi Awas Yojana (RGAY), the Ashraya housing scheme, Bhagyalakshmi and the social security and pension scheme have included the UID in the Mysore district

Has there been duplication of UID numbers?
According to news reports:

The UIDAI has blacklisted an operator and a supervisor in Andhra Pradesh for issuing fake UID numbers.

The UIDAI is looking into six complaints regarding the misuse of personal data while issuing the UID numbers to individuals.

The UIDAI has received two received complaints regarding duplication of UID numbers.[17]

What are the differences between the UID and NPR?

Voluntary vs. Mandatory: It is compulsory for all Indian residents to register with the NPR, while registration with the UIDAI is considered voluntary. However, the NPR will store individuals UID number with the NPR data and place it on the Resident Indian Card. In this way and others, the UID number is becoming compulsory by various means.
Number vs. Register: UID will issue a number, while the NPR is the prelude to the National Citizens Register. Thus, it is only a Register. Though earlier the MNIC card was implemented along the coastal area, there has been no proposal to extend the MNIC to the whole country. The smart card that is proposed under the NPR has only been raised for discussion, and there has been no official decision to issue a card.
Statute vs. Bill: The enrollment of individuals for the NPR is legally backed by the Citizenship Act, except in relation to the collection of biometrics, while the UID as proposed a bill which has not been passed for the legal backing of the scheme.
Authentication vs. Identification: The UID number will serve as an authenticator during transactions. It can be adopted and made mandatory by any platform. The National Resident Card will signify resident status and citizenship. It is unclear what circumstances the card will be required for use in.
UIDAI vs. RGI: The UIDAI is responsible for enrolling individuals in the UID scheme, and the RGI is responsible for enrolling individuals in the NPR scheme. It is important to note that the UIDAI is located in the Planning Commission, but its status is unclear, as the NIC had indicated that the data held is not being held by the government.
Door to door canvassing vs. center enrollment: Individuals will have to go to an enrollment center and register for the UID, while the NPR will carry out part of the enrollment of individuals through door to door canvassing. Note: Individuals will still have to go to centers for enrolling their biometrics for the NPR scheme.
Prior documentation vs. census material: The UID will be based off of prior forms of documentation and identification, while the NPR will be based off of census information.
Online vs. Offline: For authentication of an individual’s UID number, the UID will require mobile connectivity, while the NPR can perform offline verification of an individual’s card.

What is the controversy between the UID and NPR?

Effectiveness: There is controversy over which scheme would be more effective and appropriate for different purposes. For example, the Ministry of Home Affairs has argued that the NPR would be more suited for distributing subsidies than the UID, as the NPR has data linking each individual to a household.[18]
Legality of sharing data: Both the legality of the UID and NPR collecting data and biometrics has been questioned. For example, it has been pointed out that the collection of biometric information through the NPR, is beyond the scope of subordinate legislation. Especially as this appears to be left only to guidelines.[19] Collection of any information under the UID scheme is being questioned as the Bill has not been approved by the Parliament.
Accuracy: The UIDAI's use of multiple registrars and enrolment agencies, the reliance on 'secondary information' via existing ID documents for enrollment in the UID, and the original plan to enroll individuals via the 'introducer' system has raised by Home Minister Chidambaram in January 2012 about how accurate the data collected by the UID is is that will be collected.[20] To this extent, the UIDAI has changed the introducer system to a ‘verifier’ system. In this system, Government officials verify individuals and their documents prior to enrolling them.
Biometrics: Though biometrics are mandatory for the UID scheme, according to information on the NPR website, if an individual has already enrolled with the UID, they will not need to provide their biometrics again for the NPR. Application of this standard has been haphazard as some individuals have been required to provide biometrics for both the UID and the NPR, and others have not been required to provide biometrics for the NPR.[21]

What court cases have been filed against the UID?
The following cases are currently filed in courts around the country:

Supreme Court:

K S Puttaswamy, a retired judge of Karnataka High Court filed a Public Interest Litigation (PIL) in the Supreme Court challenging the legality of UIDAI.[22]

Chandigarh: A petition was filed in Chandigarh by Sanjeev Pandey which sought to quash executive order passed in violation of the Motor Vehicles Act, 1988, and Central Motor Vehicle Rules, 1989 by which UID cards had been made mandatory for registration of vehicles and grant of learner/regular driving license.[23]
Karnataka: Mathew Thomas and Mr. VK Somasekhar have filed a civil suit in the Bangalore City Civil Courts (numbered 8181 of 2012) asking for the UID project to be stopped. The suit was dismissed, and they have appealed the case to the High Court (numbered 1780 and 1825 of 2013).
Chennai: A PIL has been filed in the Madras High Court challenging the constitutional validity of the UIDAI and its issue of UID numbers.[24]
Bombay: In January 2012 a case was filed in the Mumbai high Court. The petitioners to the case are R. Ramkumar, G. Nagarjuna, Kamayani Mahabal, Yogesh Pawar and Vickram Crishna & Ors.

What is the relationship between UID, NPR, and National Security
The UID and the NPR have both stated improving security as an objective for the projects. To this extent, it is envisioned that the UID and the NPR could be used to track and identify individuals, and determine if they are residents of India. In the case of the NPR, a distinction will be made between residents and citizens. Yet, concerns have also been raised that these projects instead raise national security threats, given the size of the databases that will be created, the centralized nature of the databases, the sensitive nature of the information held in the databases, and the involvement of international agencies.[25]

What is the relationship between UID and Big Data?
Aspects of the UID scheme allow it to generate a large amount of data from a variety of sources. Namely, the UID scheme aims to capture 12 billion fingerprints, 1.2 billion photographs and 2.4 billion iris scans and can be adopted by any platform. This data in turn can be stored, analyzed, and used for a number of purposes by a number of stakeholders in both the government and the private sectors. This is already happening to a certain extent as in November 2012 the UID established a Public Data Portal for the UID project. According to UIDAI officials the data portal will allow for big data analysis using crowd sourcing models.[26]

How is UID being used for BPL direct cash transfers?
Registration with the UID scheme is considered essential to determine whether beneficiaries belong in the BPL category and to provide transparency to the distribution of cash. In this way, the UID requirement is thought to prevent the leakage of social security benefits and subsidies to non-intended beneficiaries, as cash will only be made available to the person identified by the UID as the intended recipient. One of the main prerequisites of a below poverty line (BPL) direct cash transfer in India has become the registration with the UIDAI and the acquisition of a UID number. For example:

The "Cash for Food" programme requires that individuals applying for aid have a bank account, and a UID number. The money is transferred, electronically and automatically, to the bank account and the beneficiary should be able to withdraw it from a micro-ATM using the UID number.[27] It is important to note that micro-ATMs are not actual ATMs, but instead are handheld machines which may give information on bank balance and such, but will not dispense or maintain privacy of transaction. Most importantly, the transaction is mediated though a banking correspondent.
The government plans to cover the target BPL families and deposit USD 570 billion per year in the bank accounts of 100 million poor families by 2014.[28]
Currently, only beneficiaries of thirteen government schemes and LPG connection holders have been identified as being entitled to register for a UID number.[29] Though these schemes have been identified, as of yet, adoption has happened in very few districts.

What are the concerns regarding the use of biometrics in the UID and NPR scheme?
Both the UID and the NPR rely on biometrics as a way to identify individuals. Yet, many concerns have been raised about the use of biometrics in terms of legality, effectiveness, and accuracy of the technology. With regards to the accuracy and effectiveness of biometrics – the following concerns have been raised:

Biometrics are not infallible: Inaccuracies can arise from variations in individuals attributes and inaccuracies in the technology.
Environment matters: An individual’s biometrics can change in response to a number of factors including age, environment, stress, activity, and illness.
Population size matters: Because biometrics have differing levels of stability – the larger the population is the higher the possibility for error is.
Technology matters: The accuracy of a biometric match also depends on the accuracy of the technology used. Many aspects of biometric technology can change including: calibration, sensors, and algorithms.
Spoofing: It is possible to spoof a fingerprint and fool a biometric reader.[30]

[1]. Government of India. Ministry of Home Affairs. Office of the Registrar General & Census Commissioner. http://bit.ly/IiySDh

[2]. This is according to a 2010 Cabinet note and the official website of the NPR.

[3]. Department of Information Technology: http://ditnpr.nic.in/frmStatelist.aspx - These include: (1) Arunachal Pradesh (2) Assam (3) Bihar (4) Chhattisgarh (5) Haryana (6) Himachal Pradesh (7)Jammu & Kashmir (8) Jharkhand (9) Madhya Pradesh (10)Meghalaya (11)Mizoram (12)Punjab (13)Rajasthan (14)Sikkim (15)Tripura (16)Uttar Pradesh (17)Uttarakhand Union Territories:-(1) Dadra & Nagar Haveli (2) Chandigarh.

[4]. Government of India. Ministry of Home Affairs. Office of the Registrar General & Census Commissioner: http://bit.ly/IiySDh

[5]. Department of Information Technology. National Population Register. Question 22. What are the procedures to be followed for creating the NPR? The procedures to be followed for creating the NPR have been laid down in the Citizenship (Registration of Citizens and issue of National Identity Cards) Rules, 2003, and the guidelines being issued from time to time.

[6]. The Unique Identification Government of India. Ministry of Home Affairs. Office of the Registrar General & Census Commissioner: http://censusindia.gov.in/2011-Common/IntroductionToNpr.html Authority of India. http://uidai.gov.in/

[7]. Unique Identification Authority of India. http://uidai.gov.in/

[8]. The point was made by R. Ramachandran. How reliable is UID? Frontline. Volume 28- Issue 24: November 19- December 02, 2011. Available at: http://bit.ly/13UMiSv

[9]. For more information see: How to get an Aadhaar. http://bit.ly/R2jBOP

[10]. Mazumdar. R. UIDAI targets 400 million enrolments by mid 2013, Aadhar hopes to give unique identity to some 1.2 bn residents. Economic Times. December 2012. Available at: http://bit.ly/ZC3Yve. Last accessed: February 28th 2013.

[11]. Malu. B. The Aadhaar Card – What are the real intentions of the UPA Government? DNA. February 18^th 2013. Available at: http://bit.ly/150BXRj. Last accessed: February 28th 2013.

[12]. Government of Kerala. General Education Department Circular No. 52957/G2?2012/G.Edn. Available at: http://bit.ly/15Oiq8J

[13]. Plumber, M. Make UID numbers must in FIRs: Bombay HC. DNA. October 2011. Available at: http://bit.ly/tVsInl. Last accessed: February 28th 2013.

[14]. Press Information Bureau. Government of India. Identity Card to Every Adult Resident of the Country under NPR; No Card being issued by UIDAI. December 2011. Available at: http://bit.ly/tJwZG1

[15]. TravelBiz. Railways to use Aadhar database for passenger validation. February 2013. Available at: http://bit.ly/YcW5wl. Last accessed: February 28th 2013.

[16]. Vombatkere. S.G. Questions for Mr. Nilekani. The Hindu. February 2013. Available at: http://bit.ly/YqPlK1. Last accessed: February 28th 2013.

[17]. Economic Times. UIDAI orders probe into duplication of Aadhaar numbers. http://bit.ly/ZORowg. Last accessed: February 28th 2013.

[18]. Jain. B. Battle over turf muddies waters. Times of India. February 2013. Available at: http://bit.ly/16ud3gm. Last accessed: February 28th 2013

[19]. Rediff. Aadhaar’s allocation is Parliament’s contempt. February 2013. Available at: http://bit.ly/Y638JS. Last accessed: February 28th 2013.

[20]. Ibid 17.

[21]. Times of India. Confused over Aadhaar, Cabinet clears GoM. February 2013. Available at http://bit.ly/UTH2JS. Last accessed: February 28th 2013.

[22]. Times of India. Supreme Court notice to govt on PIL over Aadhar. December 2012. Available at: http://bit.ly/13UNs0i. Last accessed: February 2013.

[23]. The Indian Express. HC issues notice to Centre, UT over mandatory UID for license. January 2013. Available at: http://bit.ly/WJq43M. Last accessed: February 28th 2013.

[24]. Economic Times. PIL seeks to scrap Nandan Nilekani’s Aadhar project. January 2012. Available at: http://bit.ly/zB1H07. Last accessed: February 28th 2013.

[25]. Times of India. UID poses national security threat: BJP. January 2012. Available at: http://bit.ly/WeM6KA. Last accessed: February 28th 2013.

[26]. Zeenews. UIDAI launches Public Data Portal for Aadhaar. November 8th 2012. Available at: http://bit.ly/T9NdX3. Last Accessed: November 12th 2012.

[27]. Punj, S. Wages of Haste: Implementing the cash transfer scheme is proving a challenge. January 2013. Available at: http://bit.ly/1024Dwo. Last accessed: February 28th 2013.

[28]. The International Business Times. India to Roll Out World’s Biggest Direct Cash Transfer Scheme for the Poor. November 2012. Available at: http://bit.ly/UYbtw4. Last accessed: February 28th 2013.

[29]. Mid Day. Do not register for Aadhaar card before March 15: UID in –charge. February 2013. Available at: http://bit.ly/Xymx9d. Last accessed: February 28th 2013.

[30]. These points were raised in the following frontline article Ibid: Ramachandran, R. How reliable is UID? Frontline. Volume 28 – Issue 24 November 19th – December 2nd 2011. Available at: http://bit.ly/13UMiSv. Last accessed February 28th 2013.

For more details visit https://cis-india.org/internet-governance/blog/uid-and-npr-a-background-note

Unique ID System: Pros and Cons

Natasha Vaz — 2012-02-29T11:28:58Z

On September 16, 2011, the Citizen’s Voluntary Initiative for the City and Centre for Advocacy and Research organized a public consultation titled “Unique ID System: Pros and Cons” in Bangalore. The consultation was on the utility and impact of the UID system in India and featured a panel discussion with T. Prabhakar, public relations officer, e-governance, Ashok Dalwai, UIDAI regional deputy director, Somashekar V.K., managing trustee of Grahak Shakti and Col. Mathew Thomas, civic activist and retired army officer.

Col. Mathew Thomas began his presentation by a comparative analysis of the Indian and the British experience in providing a unique identity to its citizens. In Britain, this initiative was labelled as ‘intrusive bullying’ and ‘an assault on personal liberties’. Additionally, the government recognized that they must conduct their business as servants of the public and not as their masters. The project was terminated on the grounds that it could not achieve the claimed objectives, and it was dangerous costly.

Nevertheless, the unique identification (UID) system in India is being perscribed as a prestigious project that will eliminate identity fraud, financial exclusion, enhance accessibility for the poor, enable the government to better manage welfare schemes and target corruption in social programs such as the National Rural Employment Guarantee Act (NREGA), the public distribution system (PDS), public health and financial inclusion.

Col. Mathew Thomas chronicled ID schemes. He explained that the advent and growth of information technology increased the availability of technology, which led to a commercial interest to exploit technology for profit. Technological solutions were heavily marketed, however, it is a mistaken belief that there is a technological fix to every problem (technology could solve any problem). Post 9/11 paranoia resulted in the notion that ID cards were the best possible counter measure to terrorism. “The inherent ridiculousness of this notion is that militants do not come with ID cards, but with AK-47s, and possession of ID cards or citizenship does not prevent one from becoming a terrorist”, says Mathew Thomas. National ID cards do not stop or deter terrorist actions.

India’s history with the UID project can be traced to the recommendations made by the Kargil Review Committee chaired by K. Subrahmanyam.The Committee recommended the issuing of ID cards to people in border areas to prevent infiltration and extend the system to the whole country to combat terrorism. Consequently, in 2003 the Citizenship Act of 1955 was amended by the NDA Government so as to compulsorily register all citizens into a “National Population Register” (NPR) and issue a Multi-purpose National Identity Card (MNIC). The NPR database will be inked to the UID. Subsequently, the UPA Government promoted the UID, as a pro-poor project.

Col. Mathew Thomas discussed the various questionable aspects of the UID project: its legality, financial prudence, ethics and its uses and abuses.

UID and Legality

Firstly, there is no law governing the functioning of the Unique Identification Authority of India (UIDAI). The illegal implementation of the UID is a complete insult to the Parliament and citizens, considering that the National Identification Authority of India Bill 2010 was drafted long after the implementation of the UID commenced.

UID and Financial Prudence

The high-level of apprehension surrounding the UID project stems from the fact that a project of this magnitude, cost and impact on the entire population would be undertaken without a feasibility study and a cost-benefit analysis. There exist two studies: one by the London School of Economics, regarding the UK project, and another by the Indian Institute of Management Ahmedabad, on UID in India. Both have concluded that such schemes are unworkable and too costly.

UID and Ethics

Ethical questions related to the UID are regarding its history, participation and ubiquity. Firstly, the UIDAI website is silent on the history prior to 2006. It fails to mention the significant historical roots of the UID, specifically, the Kargil War and the National Population Registry. Second, the UID has been promoted as a pro-poor project, whereas huge possibilities for commercial exploitation exist. Lastly, the UIDAI asserts that enrollment for the UID is ‘voluntary’. Although participation in the UID scheme is supposed to be voluntary, service providers can make it compulsory, thereby making it ubiquitous. A subtle campaign is being carried on, hinting at denial of benefits and services to those without UID.

Uses and Abuses

UID claims to transform governance, make ‘Bharath’ part of the growth process, plug ‘leakages’ & ‘slippages’ in welfare schemes, bring about all round prosperity and put India on a ‘fast-track’ growth by becoming the pivot around which all anti-poverty measures will rotate. One can conclude that UID is a panacea or a ‘one size fits all’ solution. Mathew Thomas questioned how these ambitions can be achieved by fingerprinting and scanning the irises of 1.2 billion people and storing the data for use by agencies responsible for the delivery of services.

These claims revolve around the assumptions that a lack of identity denies people welfare benefits; denies access to opportunities and services; and that a unique identification and de-duplication using biometrics would prevent “leakages”, “slippages” and in effect, all corruption. These assumptions need to be tested and verified so as to ensure validity.

The Public Distribution System and UID

Col. Mathew Thomas examined the PDS to analyze the use and claims of UID. He described the supply and demand of the PDS. The ‘supply’ side involves the fixing of minimum support prices, procurement by the centre and state governments, transport to FCI and state storages, distribution by centre to states and distribution by states to fair-price (ration) shops. All of the stages are affected by corruption and surprisingly UID beneficiaries have no role in any of the aforementioned stages.

‘Leakages’ in the supply process could potentially occur during the fixing of the minimum support prices (if deals exist with large farmers), during procurement (if they lift less quantity than what was paid for) and during accounting and storage (if they write off larger quantities than the actual damage; write off against bogus ration-cards; and show more quantity in storage and shops than is actually there).

The ‘demand’ process of the PDS system requires for state governments to decide on the eligibility of BPL people, issue ration cards, allocate ration-card holders to specific ration shops and requires the ration-card holders go to designated shops and collect entitlements. Corruption is possible, probable and happens in this discretionary decision-making. However, the only stage at which UID would find some use, if at all, is when ration-card holders collect rations.

Col. Mathew Thomas provided an excellent example of the government’s lopsided priorities. He describes the UID in PDS as the story of the ‘fence eating the corn’. The ‘fence’ then says, “let’s brand the cattle to find who is stealing the corn!”

The practicality of utilizing UID for authentication in the PDS system is a huge conundrum. Considering that the process to authenticate at ration shops requires all shops to have scanners (approximately six lakhs) which must be connected to a network and power at all the time.

Another problem surrounds the collection of ration. Ration-card holders do not always go to collect rations. There could be occasions where one family member goes for collection or one person collects rations for a number of families. The worst part of the UID application to the PDS system is that the procedure puts the BPL person at the mercy of the ration-shop keeper. He could simply deny rations, saying, “Authentication failed”.

The potential abuses of the UID could arise from the large collection of fingerprints that will be with various government officials and private agencies which could be used to foist false criminal cases against innocent people, forge title deeds, sale deeds, promissory notes wills, etc., and could target individuals and communities.

Col. Mathew Thomas concluded by explaining the main risks of any centralized database, it can be hacked and can crash. Professor Ian Angle, of the London School of Economics, has said that the UID will be "Olympic games of hacking", providing people with the biggest challenge to hack through.

Making a point: (From left) Public Relations Officer, e-governance, T. Prabhakar; UIDAI Regional Deputy Director Ashok Dalwai; Managing Trustee of Grahak Shakti Somashekar V.K.; and civic activist Mathew Thomas at a panel discussion in Bangalore on Friday. — photo: V. Sreenivasa Murthy.

Photo Source: From the Hindu, September 17, 2011, http://goo.gl/gCnqK

Note: Unfortunately, the other presentations were conducted in Kannada and could not be understood by the author of this blog.

For more details visit https://cis-india.org/internet-governance/unique-id-system-pros-and-cons

UNESCAP Google AI Meeting

Admin — 2018-09-20T15:47:42Z

Arindrajit was a panelist at the event on AI in public service delivery hosted by UNESCAP Bangkok on August 29, 2018. The event was co-organized by Economic and Social Commission for Asia and the Pacific and Google.

The discussion centered around the two questions (1) Is AI different from other technological advancements in the past and (2) Recommendations for policy-makers to enhance AI in Public Service Delivery.The other panelists were Dr. Urs Gasser (Berkman), Vidushi Marda ( Art.19), Malavika Jayaram (Digital Asia Hub) and Jake Lucchi ( Google) The panel was a platform to discuss some of our findings in our case studies on healthcare and agriculture, which we will receive comments on and will get published in November.

For more details visit https://cis-india.org/internet-governance/news/unescap-google-ai-meeting

Understanding Surveillance and Privacy in India

praskrishna — 2014-09-08T06:08:49Z

Bhairav Acharya delivered a lecture at the Jamia Millia Islamia in New Delhi on August 28, 2014.

Abstract
While privacy seems intuitive to most people, its legal codification and protection is complex. This is because varying expectations of privacy exist in different social contexts demanding different forms and degrees of protection. In India, an unambiguous and enforceable constitutional right to privacy does not exist. The Supreme Court of India has, intermittently and unconvincingly, recognised a limited right to privacy in certain situations. Recent debates on privacy focus primarily on two areas: surveillance, and data protection. The interception of communications – phone calls, emails, and letters, – which is a type of surveillance, is statutorily regulated in India in an uneven way. A colonial law permits and regulates wiretaps in India. A derivative law governs emails and electronic communications. Both these laws suffer serious shortcomings. Indian law permits executive authorisations – by bureaucrats – of wiretaps without an independent audit and oversight mechanism. No legal provisions exist to redress improper wiretaps or information leaks – the Radia tapes controversy illustrates this. These lacunae remain unaddressed even as large-scale techno-utopian projects, such as the Central Monitoring System, move forward. However, the recent governmental push for privacy law does not stem from surveillance concerns but from international commerce in personal data. There is also a growing domestic constituency that is alarmed by the state’s collection of personal data without regulatory safeguards.

About the Speaker
Bhairav Acharya is a constitutional lawyer in India who joined the Bar in 2004 after graduating from the National Law School of India University, Bangalore. From 2004 - 2009, he was the Deputy Director of the Public Interest Legal Support and Research Centre (PILSARC), an organisation established to provide institutional legal support and credible research to popular movements, and to ideas and communities marginalised by law. He headed a UNHCR project to draft a refugee protection law for India and is a member of the NHRC’s National Experts Group on Refugee Law. He litigated – mostly constitutional law – in the chambers of a senior counsel in the Supreme Court of India, where he became especially interested in free speech law. From 2009 - 2010, he advised a leading Indian multinational information technology major on privacy law and data protection. At present, he independently advises the Centre for Internet and Society, Bangalore, on privacy law, and is drafting a proposed privacy statute to regulate data protection and surveillance in India to provide a participatory and consensus - based legal submission to the Indian government.

Event Details
Venue: CCMG Network Governance Lab,
Date: Thursday, August 28, 2014
Time: 11.30 a.m.

For more details visit https://cis-india.org/internet-governance/news/understanding-privacy-and-surveillance-in-india

Understanding Aadhaar and its New Challenges, May 26-27, 2016

sumandro — 2016-05-26T10:29:43Z

A workshop on “Understanding Aadhaar and its New Challenges” is being organised by the Centre for Studies in Science Policy, Jawaharlal Nehru University, and the Centre for Internet and Society, during May 26-27. It is also supported by the Centre for Communication Governance at NLU Delhi, Free Software Movement of India, Knowledge Commons, PEACE, and Center for Advancement of Public Understanding of Science & Technology. This is a legal and technical workshop to be attended by various key researchers and practitioners to discuss the current status of the implementation of the project, in the context of the passing of the Act and the various ongoing cases.

Workshop Programme

First Day, May 26

9:00-9:30	Registration
9:30-10:00	Prof. Dinesh Abrol - Welcome Self-introduction and expectations of participants Dr. Usha Ramanathan - Overview of the Workshop
10:00-11:00	Current Status of Aadhaar Dr. Usha Ramanathan, Legal Researcher, New Delhi - What the 2016 Law Says, and How it Came into Being S. Prasanna, Advocate, New Delhi - Status and Force of Supreme Court Orders on Aadhaar Discussion
11:00-11:30	Tea Break
11:30-13:30	Direct Benefits Transfers Prof. Reetika Khera, Indian Institute of Technology, Delhi - Welfare Needs Aadhaar like a Fish Needs a Bicycle Prof. Ram Kumar, Tata Institute of Social Sciences, Mumbai - Aadhaar and the Social Sector: A critical analysis of the claims of benefits and inclusion Ashok Rao, Delhi Science Forum - Cash Transfers Study Discussion
13:30-14:30	Lunch
14:30-16:00	Aadhaar: Science, Technology, and Security Prof. Subashis Banerjee, Deptt of Computer Science & Engineering, IIT, Delhi - Privacy and Security Issues Related to the Aadhaar Act Pukhraj Singh, former National Cyber Security Manager, Aadhaar, New Delhi - Aadhaar: Security and Surveillance Dimensions Discussion
16:00-16:30	Tea Break
16:30-17:30	Aadhaar - International Dimensions Prof. Chinmayi Arun, Center for Communication Governance, National Law University, Delhi - Biometrics and Mandatory IDs in other parts of the world Dr. Gopal Krishna, Citizens Forum for Civil Liberties - International Dimensions of Aadhaar Discussion
17:30-18:00	High Tea
18:00-19:00	Video Presentations

Second Day, May 27

9:30-11:00	Privacy, Surveillance, and Ethical Dimensions of Aadhaar Prabir Purkayastha, Free Software Movement of India, New Delhi - Surveillance Capitalism and the Commodification of Personal Data Arjun Jayakumar, SFLC - Surveillance Projects Amalgamated Col Mathew Thomas, Bengaluru - The Deceit of Aadhaar Discussion
11:00-11:30	Tea Break
11:30-10:30	Aadhaar: Broad Issues - I Prof. G Nagarjuna, Homi Bhabha Center for Science Education, Tata Institute of Fundamental Research, Mumbai - How to prevent linked data in the context of Aadhaar Dr. Anupam Saraph, Pune - Aadhaar and Moneylaundering Discussion
13:00-13:30	Video Presentations
13:30-14:30	Lunch
14:30-15:30	Aadhaar: Broad Issues - II Prof. MS Sriram, Visiting Faculty, Indian Institute of Management, Bangalore - Financial lnclusion Nikhil Dey, MKSS, Rajasthan (TBC) - Field witness: Technology on the Ground Prof. Himanshu, Centre for Economic Studies & Planning, JNU - UID Process and Financial Inclusion Discussion
15:30-16:00	Conclusion

For more details visit https://cis-india.org/internet-governance/events/understanding-aadhaar-and-its-new-challenges-may-26-27-2016