The Centre for Internet and Society
https://cis-india.org
These are the search results for the query, showing results 21 to 35.
Aadhaar data of over 89 lakh MNREGA workers in Andhra Pradesh leaked online
https://cis-india.org/internet-governance/news/new-indian-express-april-26-2018-aadhaar-data-over-89-lakh-mnrega-workers-in-andhra-pradesh-leaked-online
<b>Independent security researcher Kodali Srinivas tweeted screenshots of Aadhaar data of 89,38,138 MNREGA workers available on the Andhra Pradesh Benefit Disbursement Portal.</b>
<p style="text-align: justify; ">The article was <a class="external-link" href="http://www.newindianexpress.com/states/andhra-pradesh/2018/apr/26/aadhaar-data-of-over-89-lakh-mnrega-workers-in-andhra-pradesh-leaked-online-1806717.html">published in New Indian Express</a> on April 27, 2018.</p>
<hr />
<p style="text-align: justify; ">Independent security researcher Kodali Srinivas, who exposed the leakage of Aadhaar and other personal data of 1.34 lakh beneficiaries on the State Housing Corporation website, on Thursday tweeted screenshots of Aadhaar data of 89,38,138 MNREGA workers available on the Andhra Pradesh Benefit Disbursement Portal, which is maintained by APOnline, a joint venture between the Tata Consultancy Services (TCS) and the State government.</p>
<p style="text-align: justify; ">Hours after he blew the whistle, the website administrators began masking the data. In May 2017, Srinivas had co-authored a report for the Centre for Internet and Society, exposing how the Aadhaar data of 13.5 crore card holders was leaked online. The data was then leaked by four government portals, National Social Assistance Programme, National Rural Employment Guarantee Scheme, Chandranna Bima Scheme of the Government of Andhra Pradesh and Daily Online Payment Reports of NREGA of the Government of Andhra Pradesh.</p>
<p style="text-align: justify; ">It appears that almost a year later, nothing much has changed. Srinivas told TNIE he had sent a mail to the chief operating officer, APOnline and Universal Identification Authority of India, the National Critical Information Infrastructure Protection Centre, and CERT-In, the Centre's cyber response wing. When contacted, Balasubramanyam, Joint Secretary (NREGS) told TNIE, "I have seen it. It is Benefit Disbursement Portal... not maintained by us. We have been very careful ever since that massive leak of data last year."</p>
<p style="text-align: justify; ">Executive (operations), APOnline, S Chandramouleeswara Reddy refused comment saying that he was not the competent authority to speak on the issue. APOnline developed ICT solution for MGNREGA scheme, a framework involving Department of Posts, for disbursement of entitlements after accurate authentication of the entitlements through finger print authentication. TCS implements the ICT solution for MGNREGA in the State.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/new-indian-express-april-26-2018-aadhaar-data-over-89-lakh-mnrega-workers-in-andhra-pradesh-leaked-online'>https://cis-india.org/internet-governance/news/new-indian-express-april-26-2018-aadhaar-data-over-89-lakh-mnrega-workers-in-andhra-pradesh-leaked-online</a>
</p>
No publisher | Admin | Aadhaar | Internet Governance | Privacy | 2018-05-05T08:43:53Z | News Item
Pension won’t be denied for want of Aadhaar, says EPFO
https://cis-india.org/internet-governance/news/livemint-prashant-k-nanda-and-komal-gupta-pension-wont-be-denied-for-want-of-aadhaar-epfo
<b>The move is aimed at ensuring that no retired government employee is deprived of pension for want of Aadhaar or failure of fingerprint authentication.</b>
<p style="text-align: justify; ">The article by Prashant K. Nanda and Komal Gupta published by <a class="external-link" href="https://www.livemint.com/Politics/J0wTnWuLVVNsejAcJygdRO/Dont-delay-pension-disbursal-in-pretext-of-Aadhaar-linking.html">Livemint</a> on April 11, 2018 quoted Pranesh Prakash.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Tens of thousands of pensioners under the employees pension scheme will not be denied their monthly pension if their Aadhaar authentication fails or they do not have the 12-digit unique ID, the Employees Provident Fund Organisation (EPFO) has indicated.</p>
<p style="text-align: justify; ">The retirement fund manager has asked banks and post offices to facilitate pension disbursement without making senior citizens do the rounds.</p>
<p style="text-align: justify; ">The move comes after EPFO received several complaints of denial of pension by banks.</p>
<p style="text-align: justify; "><span>For paying pension to those whose fingerprint authentication fails, “banks may make provisions for iris scanner, along with the fingerprint scanner in bank branches. It has been observed that in many cases, iris authentication is successful even though fingerprint authentication may have failed. This is particularly true for many senior citizens. In such cases, digital life certificate may be generated on the basis of iris authentication and pension may be given,” the EPFO said in a circular on Monday.</span></p>
<p style="text-align: justify; ">And when both iris and fingerprint authentication are not feasible, “an entry should be made in the exception register with reasons and pension may be provided on the basis of paper life certificate and physical Aadhaar card or E-Aadhaar card of the pensioner after due verification as deemed fit by the bank,” the circular said.</p>
<p style="text-align: justify; ">The move is aimed at ensuring that no senior citizen is deprived of pension for want of Aadhaar or failure of fingerprint authentication.</p>
<p style="text-align: justify; "><span>Banks have been advised to ensure that benefits of the pension scheme reach the citizens and a proper mechanism for “handling exceptions” is put in place.</span></p>
<p style="text-align: justify; ">“Banks should make special arrangements for the bed-ridden, differently abled, or senior citizens who are unable to visit the Aadhaar enrolment centre,” the circular said.</p>
<p style="text-align: justify; ">EPFO has also instructed pension disbursing banks and post offices to make necessary arrangements for enrolling pensioners for Aadhaar and to carry out authentication through iris, especially for those who cannot be verified through fingerprints.</p>
<p style="text-align: justify; "><span>The Unique Identification Authority of India (UIDAI) has been under the scanner over the past few months over allegations of access to pension being denied as the fingerprints of the elderly do not match biometrics in the Aadhaar database.</span></p>
<p style="text-align: justify; ">So far, pensioners had to furnish a life certificate and needed to authenticate it using biometrics.</p>
<p style="text-align: justify; ">“The fact that it is coming now means that the Unique Identification Authority of India’s claim in the Supreme Court about no person having been denied any benefit due to the lack of Aadhaar is simply untrue,” said Bengaluru-based Pranesh Prakash, an affiliated fellow with the Yale Law School’s Information Society Project that works on issues related to the intersection of law, technology and society.</p>
<p style="text-align: justify; "><span>Prakash, however, welcomed EPFO’s move laying down “a procedure both for those who don’t have an Aadhaar number, as well as those whose biometrics fail for any reason”.</span></p>
<p style="text-align: justify; ">Prakash further said that “as per the UIDAI’s own data, failure rates for iris authentication are higher (8.54%) than for fingerprints (6%). So the utility of pushing for iris authentication is unclear.”</p>
<p style="text-align: justify; ">There are more than 1.2 billion Aadhaar holders in the country.</p>
No publisher | Admin | Aadhaar | Internet Governance | 2018-04-10T22:33:39Z | News Item
UIDAI servers or third parties, Aadhaar leaks are dangerous: Experts
https://cis-india.org/internet-governance/news/business-standard-mayank-jain-march-27-2018-uidai-servers-or-third-parties-aadhaar-leaks-are-dangerous-experts
<b>Even though the UIDAI has denied these reports, its arguments rest on shaky grounds, according to experts.</b>
<p style="text-align: justify; ">The article by Mayank Jain was published in <a class="external-link" href="http://www.business-standard.com/article/current-affairs/uidai-servers-or-third-parties-aadhaar-leaks-are-dangerous-experts-118032601008_1.html">Business Standard</a> on March 27, 2018. Pranesh Prakash was quoted.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The government has told the Supreme Court that the Aadhaar data “remains safely behind 13-feet high walls” and it will take “the age of the universe” to break one key in the Unique Identification Authority of India’s (UIDAI’s) encryption.</p>
<p style="text-align: justify; ">Even if this claim is taken at face value, experts suggest leaks from third-party databases seeded with Aadhaar numbers are equally dangerous and the UIDAI is responsible for the damage. <span>The most recent case came from a report published online and it said random numbers could provide access to the Aadhaar data, which also includes people’s financial information, from a state-owned company’s database. </span><span>Even though the UIDAI has denied these reports, its arguments rest on shaky grounds, according to experts.</span></p>
<p style="text-align: justify; ">“There is no truth in this story as there has been absolutely no breach of the UIDAI’s Aadhaar database. Aadhaar remains safe and secure,” the UIDAI said on Twitter shortly after the story broke on ZDNet. The authority added even if the report was taken to be true, “it would raise security concerns on the database of that Utility Company and has nothing to do with the security of the UIDAI’s Aadhaar database”.</p>
<p style="text-align: justify; ">This has been the authority’s defence in several such cases but those in the know of things say it doesn’t hold water simply because the Aadhaar data is not concentrated in the UIDAI’s complexes anymore and has spread across various databases.</p>
<p style="text-align: justify; ">“Publishing this by the state entities is a violation under the Aadhaar Act. Even if you publish your Aadhaar number, it is a violation of the law,” said Pranesh Prakash, policy director at the Centre for Internet and Society. “Saying that the UIDAI has not been compromised is thoroughly insufficient because for customers, it doesn’t matter if the leak comes from servers operated by the UIDAI or from others holding copies of the UIDAI database.”</p>
<p style="text-align: justify; ">Prakash said it should be the authority’s responsibility to help others comply with the law and prevent data leaks. He gave the example of biometric leaks from Gujarat government servers and how criminals used them to forge fingerprints.</p>
<p style="text-align: justify; ">The possibility of data leaks was demonstrated when Robert Baptiste, purportedly a French app developer, announced on Twitter how he got access to thousands of scanned Aadhaar card copies through simple Google searches. In an interview to Business Standard, Baptiste said the major threat was data handling by third parties, which could lead to identity theft.</p>
<p style="text-align: justify; ">Even the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, has provisions that debar making citizens’ Aadhaar-related information public unless required for certain purposes. “Whoever intentionally discloses, transmits, copies or otherwise disseminates any identity information collected in the course of enrolment or authentication to any person not authorised under this Act” can be in jail for three years and pay a fine of ₹10,000 under the Act.</p>
<p style="text-align: justify; ">A lawyer appearing on the petitioners’ side in the ongoing Supreme Court case on the constitutional validity of Aadhaar said only the UIDAI had the powers to file cases against people who published Aadhaar information. Hence everyone else is helpless despite the leaks.</p>
<p style="text-align: justify; ">The UIDAI’s argument that Aadhaar information can’t be misused is duplicitous because the regulations under the Aadhaar Act assure individuals that if biometric authentication fails, they should have other means of identifying themselves, says Kiran Jonnalagadda, founder of HasGeek. “So the regulations guarantee that anyone in possession of stolen identity information will be able to misuse it without biometric authentication,” he said.</p>
<p style="text-align: justify; ">Prakash agreed with this. He said demographic authentication, which is an acceptable authentication method under the Aadhaar Act, was prone to misuse as long as Aadhaar numbers remained public. “Aadhaar is used as just a piece of paper, unlike security features embedded in passports or even permanent account number cards. Thus, demographic authentication merely involves providing Aadhaar numbers and details like addresses, which can be used even for things like getting entry into an airport by just printing a ticket and having a fake Aadhaar,” he said.</p>
<p style="text-align: justify; "><em>Queries sent to the UIDAI were not answered till the time of going to press</em></p>
No publisher | Admin | Aadhaar | Internet Governance | Privacy | 2018-03-27T02:16:55Z | News Item
Security experts say need to secure Aadhaar ecosystem, warn about third party leaks
https://cis-india.org/internet-governance/news/economic-times-march-26-2018-nilesh-christopher-security-experts-say-need-to-secure-aadhaar-ecosystem-warn-about-third-party-leaks
<b>The public reckoning of data leaks in India’s national ID database, Aadhaar is still on hold while reports of data leakage through third-parties keep coming. </b>
<p style="text-align: justify; ">The article by Nilesh Christopher was published in <a class="external-link" href="https://economictimes.indiatimes.com/news/politics-and-nation/there-is-a-need-to-secure-full-aadhaar-ecosystem-experts/articleshow/63459367.cms">Economic Times</a> on March 26, 2018. Sunil Abraham was quoted.</p>
<hr />
<p style="text-align: justify; ">While the Unique Identification Authority of India (UIDAI) has maintained that its database is secure and there are no breaches of <a class="external-link" href="https://economictimes.indiatimes.com/topic/Aadhaar">Aadhaar</a> data from its system, security researchers warn that leaks are happening in third-party sites and it is important for the agency to ensure that its ecosystem adopts measures to keep data safe.</p>
<p style="text-align: justify; ">“Securing an entire ecosystem is more important than secure individual databases,” said security researcher Srinivas Kodali. Over the weekend, technology publication <a class="external-link" href="https://economictimes.indiatimes.com/topic/ZDnet">ZDnet</a>, citing an Indian security researcher, said that it identified Aadhaar data leaks on a system run by a state-owned utility company <a class="external-link" href="https://economictimes.indiatimes.com/topic/Indane">Indane</a> that allowed anyone to access sensitive information like a name, Aadhaar number, bank details. The leak was plugged soon after the report appeared.</p>
<p style="text-align: justify; ">UIDAI came out with a strong statement denying the breach. “There is no truth in the story as there has been absolutely no breach of UIDAI’s Aadhaar database. Aadhaar remains safe and secure,” the government agency said.</p>
<p style="text-align: justify; ">There have been no reports of any breach in the core database so far. However, it is the third-parties that have acted as weak links.</p>
<p style="text-align: justify; ">“The simple parallel that can be drawn is, though Facebook’s core database of users information was secure, the data leak happened through third-party developers and organisation like Cambridge Analytica that have allegedly misused it,” Kodali said.</p>
<p style="text-align: justify; ">In case of Aadhaar too, the allegations of breaches have not been on ‘Aadhaar database’ but rather at insecure government websites and third-parties with API access to the database. “In this aspect, the issue in Facebook and Aadhaar is similar. In both the cases there was no breach of database, but it was third parties that acted as the weakest link. In both cases, it was a legitimate means of access through API that was open for abuse,” said Sunil Abraham, executive director, Centre for Internet and Society.</p>
<p style="text-align: justify; ">UIDAI could take a leaf from Indian Space Research Organisation while handling <a class="external-link" href="https://economictimes.indiatimes.com/topic/data-breach">data breach</a> reports. The state-run space agency put out a note appreciating security researchers for their efforts. An email ID to report flaws is more important than summoning people regarding data breaches.</p>
<p style="text-align: justify; ">“The fear of criminal prosecution hanging over the heads of ethical hackers would not help us develop a robust and strong security architecture,” said Karan Saini, a Delhi-based security researcher who first highlighted the Aadhaar leak at Indane.</p>
<p style="text-align: justify; ">“UIDAI is working on a policy to enable security experts to report issues in a legal and safe manner,” tweeted Ajay Bhushan Pandey, chief executive of India's Unique Identification Authority (UIDAI), the government department that administers the Aadhaar database. Seven months after the tweet, Pandey’s promise of a bug-reporting mechanism has still not fructified.</p>
No publisher | Admin | Aadhaar | Internet Governance | Privacy | 2018-03-26T22:37:30Z | News Item
Aadhaar safety
https://cis-india.org/internet-governance/news/asian-age-march-25-2018-aadhaar-safety
<b>We get experts to give their take on a current issue each week and lend their perspective to a much-discussed topic.</b>
<p style="text-align: justify; ">The article was published in <a class="external-link" href="http://www.asianage.com/life/more-features/250318/aadhaar-safety.html">Asian Age</a> on March 25, 2018.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Attorney General K. K. Venugopal claiming before a five-judge constitutional Bench of the Supreme Court that Aadhaar data remains safe and secure behind a complex with 13-ft high and 5-ft thick walls has resulted in a series of trolls and hilarious responses. We ask tech experts if this is the proper way to ensure safety of digital data and their opinions on alternatives, if any, to keep public data safe.</p>
<p style="text-align: justify; "><strong>‘Safety claims are bogus’<br /><em>Hrishikesh Bhaskaran, Privacy Activist</em></strong><br />Aadhaar safety claims are bogus. It is vulnerable and its vulnerabilities were pointed out by many information security experts in the past. If someone says that a 13-ft high 5-ft thick wall complex is protecting your digital data (which is well connected to the outside network) be sure that a village is missing its idiot. Digital data leak almost always happens through the network. Multiple cases were reported about the Aadhaar data leak (The Tribune report for example). Many government sites are leaking Aadhaar details of citizens and are available publicly through a simple Google search. (Read as the data are already in public without anyone hacking into it).</p>
<p style="text-align: justify; ">The system is defective by design and is maintained by mediocre talents and technology. I feel that their claims about the huge walled protection are a tactic to divert discussion on the human rights angle because otherwise, the government will have no choice but to scrap the whole Aadhaar idea. The only way to protect the personal data of citizens is to start afresh.</p>
<p style="text-align: justify; "><strong>‘Multi-level security assumes added significance’<br /><em>Jaideep Mehta, CEO of VCCircle.com</em></strong><br />Physical security is an important component in the overall security architecture. In addition there is a need to protect the data with multiple levels of cyber security including data encryption, bio-metric driven access, protection against malware and so on. Multi-dimensional security assumes added significance as this is a nationally important database.</p>
<p style="text-align: justify; "><strong>‘Tightening system, or line of human command more important’<br /><em>Ershad Kaleebullah, Technology Editor</em></strong><br />There are right ways to secure digital data. I know of solutions at the individual user level. But for something of Aadhaar’s size the security of digital data will obviously happen at a much, much larger scale. All the resident data and raw biometrics are stored in UIDAI’s datacentre and even fortifying it with the world’s thickest and tallest wall is not going to protect them. I’m really not sure of any foolproof data security systems in the world at that scale. Tightening the system or the line of human command is more important. If Snowden can walk out of NSA with highly confidential information on a lowly thumb drive, Aadhaar data can be easily hacked. If I have to be blunt here, Indians can’t keep a secret to save their lives.</p>
<p style="text-align: justify; "><strong>‘Your data security is in your hands, always be cautious’<br /><em>Viraj Kumar Pratapwant, Senior Software Design Engineer</em></strong><br />First off, no hacker is going to run into a data center and rob data disks. The idea to construct high and thick walls will make anyone chuckle. Speaking about alternatives, let's talk about data. Basically there are two types of data: Data in Motion and Data at Rest. With the right set of firewalls guarding these two kinds will ensure some amount of security. Sensitive and vital information should always be encrypted and kept out of reach for any external source to access this data. Having multiple steps of verification could help the user safeguard his authenticity. Your data and privacy are the most important factor, they should only be shared with trusted sources and with your consent. A lot of data are going digital and soon our lives will completely rely on digital data. The government should enforce strict vigilance to public data. They should make sure that the consumers should follow all the security guidelines and must prove that the data will be saved responsibly. Any compromise caused by any sources should be penalised by law. Lastly, your data security is in your hands, always be cautious about who and where you are giving the data.</p>
<p style="text-align: justify; "><em><strong>Sunil Abraham, Executive Director at Centre for Internet and Society</strong></em><br />Encryption, regardless of the key length, is only useful when citizens have absolute control of the private key. If the UIDAI had gone with smart cards my private key would have only been stored on my smart card. Even though the data is encrypted in the CIDR, the deduplication software needs to compare the biometric of the person getting enrolled with the unencrypted biometric of others already in the database. This means that the engineer who controls the software has access to the whole biometric database. If a foreign state installs a Trojan on the engineer's system it can get into the CIDR. The deduplication software is a proprietary black box software which is owned by a foreign corporation. We don't know what hidden capabilities are there in this software.</p>
No publisher | Admin | Aadhaar | Internet Governance | Privacy | 2018-03-26T17:09:26Z | News Item
Supreme Court extends Aadhaar linking deadline till it passes verdict
https://cis-india.org/internet-governance/news/livemint-priyanka-mittal-komal-gupta-march-13-2018-supreme-court-extends-aadhaar-linking-deadline-till-it-passes-verdict
<b>The Supreme Court, however, allowed the government to seek Aadhaar numbers to transfer benefits of government schemes funded from the consolidated fund of India.</b>
<p style="text-align: justify; ">The article by Priyanka Mittal and Komal Gupta was <a class="external-link" href="http://www.livemint.com/Politics/5j76JhsKSVEtgGPqAGbSJL/SC-extends-Aadhaar-linking-deadline-for-all-services-till-co.html">published in Livemint </a>on March 13, 2018. Pranesh Prakash was quoted.</p>
<hr style="text-align: justify; " />
<p class="S5l" style="text-align: justify; ">The Supreme Court (SC) on Tuesday extended the deadline for linking of Aadhaar with mobile services, opening of new bank accounts and other services until it passes its verdict on a pending challenge to the constitutional validity of such linkages.</p>
<p style="text-align: justify; ">The court also noted that Aadhaar could not be made mandatory for issuance of a Tatkal passport, for now.</p>
<p style="text-align: justify; ">The extension would be applicable to the schemes of ministries/departments of the Union government as well as those of state governments, the court ruled in an interim order.</p>
<p style="text-align: justify; ">It was, however, clarified that the extension would not be applicable for availing services, subsidies and benefits under Section 7 of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016.</p>
<p style="text-align: justify; ">A Constitution bench comprising Chief Justice Dipak Misra and justices D.Y. Chandrachud, A.K. Sikri, A.M. Khanwilkar and Ashok Bhushan is hearing a challenge to the constitutional basis of the 12-digit unique identification project, which is now likely to conclude after 31 March, the earlier deadline for Aadhaar linking.</p>
<p style="text-align: justify; ">“Even where Aadhaar hasn’t been mandated by the government, and even though the Supreme Court has extended the deadline for some mandatory linkages, if the software systems used by various governmental and private entities don’t make ‘Aadhaar number’ and authentication optional, then the SC’s orders gets nullified, effectively,” said Pranesh Prakash, policy director at think tank Centre for Internet and Society (CIS).</p>
<p style="text-align: justify; ">Similar concerns over the extent of Tuesday’s interim protection were also expressed by the Software Freedom Law Centre (SFLC), an organization working to protect freedom in the digital world. “While the extension is certainly welcome, it is also important to note that there is currently some uncertainty about this extension and how it applies to linkages made mandatory under Section 7 of the Aadhaar Act. If the latest order does indeed exclude Aadhaar linkages mandated under Section 7, a large number of central and state government schemes (such as PDS, LPG, MNREGA and many more) would still need to be linked to Aadhaar by the end of the month, significantly diminishing the relief brought by today’s order, ” said the organization.</p>
<p style="text-align: justify; ">“The deadline for Aadhaar holders to link their PAN cards for taxation purposes will also be extended until disposal of the case as this linkage was mandated by Section 139AA of the Income Tax Act, 2000 and not Section 7 of the Aadhaar Act,” SFLC added.</p>
<p style="text-align: justify; ">Last week, attorney general K.K. Venugopal had told the apex court that the centre would consider extending the linking deadline since arguments in the case were likely to proceed beyond the earlier deadline of 31 March.</p>
No publisher | Admin | Aadhaar | Internet Governance | Privacy | 2018-03-17T15:02:10Z | News Item
Aadhaar unique IDs in India: a qualified success?
https://cis-india.org/internet-governance/news/the-paypers-march-16-2018-aadhaar-unique-ids-in-india-a-qualified-success
<b>Anshuman Jaswal from Kapronasia shares insights into the security and privacy concerns related to Aadhaar, which are often overlooked</b>
<p style="text-align: justify; "><em>This editorial was first published in our <a href="https://www.thepaypers.com/reports/web-fraud-prevention-and-online-authentication-market-guide-2017-2018/r770429" target="_blank">Web Fraud Prevention and Online Authentication Market Guide 2017/2018</a>. The Guide is a complete overview of the fraud management, digital identity verification and authentication ecosystem provided by thought leaders in the industry from leading solution providers (both established and new players) to associations and experts.</em></p>
<p style="text-align: justify; ">The Digital India project initiated by the Government of India has made significant headway in the last few years. As part of this project, the Unique Identification Authority of India (UIDAI) has presided over the allotment of unique identification numbers to all Indian residents since 2009. Currently, more than 1.1 billion Indian citizens and residents have Aadhaar IDs, making this the largest exercise of this kind the world has ever seen. There are many potential benefits of such a scheme, but there are also concerns and pitfalls. Besides the advantages, this article also focuses on some of the security and privacy concerns related to Aadhaar, which are often overlooked.</p>
<p style="text-align: justify; "><strong>Benefits of Aadhaar</strong></p>
<p style="text-align: justify; ">India is the second most populous nation on earth, with more than 1.3 billion people. Having a unique identification system in place would be a fillip for the government, as it would allow government schemes for poverty alleviation and improvement in health and educational well-being to be better targeted. For example, if a needy person’s bank account is linked to their Aadhaar biometric ID, then it would be easier for the government to provide funds to the individual without using any intermediary. In a country struggling with corruption throughout the government machinery, being able to reach the target audience directly is a significant benefit. Similarly, if both the bank accounts and the tax IDs of individuals are linked to the Aadhaar ID, then the government can trace the income and expenditure of its citizens, thereby obtaining vital information that would allow it to counter money-laundering and the shadow economy.</p>
<p style="text-align: justify; "><strong>Security challenges are paramount</strong></p>
<p style="text-align: justify; ">Creating a monumental technology infrastructure to meet the requirements of a population of more than 1.3 billion people does not come without its problems. Many people have questioned the wisdom of concentrating so much critical personal information in a government platform that is not known for having a robust security framework. There have been two prominent instances in which the Aadhaar database has been compromised.</p>
<p style="text-align: justify; "><a href="https://www.ndtv.com/india-news/aadhaar-issuing-authority-uidai-asks-research-firm-cis-to-justify-data-leak-claim-1695574" target="_blank">In May 2017</a>, the Bengaluru-based Centre for Internet and Society (CIS) alleged that there had been an illegal breach of the database, and Aadhaar identity numbers of more than 130 million people had been leaked online, along with their dates of birth, addresses, and tax IDs (PAN). It is believed that the revealed information did not include the biometric identification of the people affected, but the breach was significant nonetheless as it exposed millions of people to possible fraud.</p>
<p style="text-align: justify; ">The response of the UIDAI was also insightful, because it asked the CIS to reveal on which servers the data was stored, and who might have been responsible for the breach. The UIDAI response quoted the relevant laws, namely sections of the Information Technology Act, 2000 and the Aadhaar Act, underlining the liability under law. The aggressive approach of the UIDAI forced the CIS to retract some of its claims, but then the focus of the discussion was shifted from the loss of critical information to the semantics of the claims of CIS. Instead of calling the breach a “leak”, after receiving the letter from UIDAI, CIS stated that it was merely an “illegal disclosure”.</p>
<p style="text-align: justify; ">The second instance of a breach occurred between <a href="https://www.medianama.com/2017/08/223-ola-ekyc-aadhaar-police-bangalore/" target="_blank">January and July 2017</a>, when an IT expert hacked into the Aadhaar-enabled e-hospital system created under the Digital India project of the Government of India. His intention was to access the central identities data repository of UIDAI for verification of Aadhaar numbers, to be used for an ‘eKYC Verification’ app created by him. The UIDAI database gave him access considering that it was the e-hospital system that was requesting the Aadhaar identity verification. The hack shows that the security protocols of the UIDAI require significant overhaul before it can be trusted to protect the hundreds of millions of digital identities in its database.</p>
<p style="text-align: justify; "><strong>Aadhaar and the right to privacy</strong></p>
<p style="text-align: justify; ">The Indian constitution does not mention a right to privacy. This has been raised as a serious concern by the critics of Aadhaar, since there is no related privacy framework that outlines how the government can use the Aadhaar information. However, the Supreme Court of India addressed some of these concerns when it stated, in August 2017, that privacy is a fundamental right under the Constitution with reasonable restrictions. It was a landmark decision in the Indian context, since it could affect the way in which the unique identification data is collected, and especially the means for which it is used. For example, in the past, the government has mandated that Aadhaar data be linked to citizens’ information from bank accounts, tax filings, medical records and phone numbers. Once this is achieved, the government would have unregulated access to such information. There is currently no statute or legal precedent to guard against abuse or to allow an individual to file a complaint.</p>
<p style="text-align: justify; ">The Supreme Court decision gives encouragement to citizens and institutions that are concerned about the rights of ordinary individuals, while also laying the groundwork for further work that needs to be done to create a robust legal framework in this field.</p>
<hr />
<p style="text-align: justify; ">Read the original blog post published by the <a class="external-link" href="https://www.thepaypers.com/expert-opinion/aadhaar-unique-ids-in-india-a-qualified-success-/772349">Paypers here</a></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/the-paypers-march-16-2018-aadhaar-unique-ids-in-india-a-qualified-success'>https://cis-india.org/internet-governance/news/the-paypers-march-16-2018-aadhaar-unique-ids-in-india-a-qualified-success</a>
</p>
No publisher | Admin | Aadhaar | Internet Governance | Privacy | 2018-03-17T12:49:51Z | News Item
From 1 March, only registered devices to be used to authenticate Aadhaar
https://cis-india.org/internet-governance/news/livemint-komal-gupta-february-8-2018-from-march-1-only-registered-devices-to-be-used-to-authenticate-aadhaar
<b>UIDAI directive to Aadhaar authentication agencies aims to avoid putting citizens’ biometric data at risk</b>
<p style="text-align: justify; ">The article by Komal Gupta was <a class="external-link" href="http://www.livemint.com/Politics/FgXy2gorgyXaGVvpkl4yKN/From-1-Mar-only-registered-devices-to-be-used-to-authentica.html">published in Livemint</a> on February 8, 2018.</p>
<hr />
<p style="text-align: justify; ">The Unique Identification Authority of India (UIDAI) has directed all Aadhaar authentication agencies to use only registered biometric devices from 1 March to avoid putting residents’ data at risk.</p>
<p style="text-align: justify; "><span>The initial deadline to upgrade these devices was 1 June 2017, but it has been extended several times. The latest is the sixth extension.</span></p>
<p style="text-align: justify; ">The UIDAI wants the biometric devices registered with the Aadhaar system for encryption key management. The Aadhaar authentication server can individually identify and validate these devices and manage encryption keys on each registered device.</p>
<p style="text-align: justify; ">“It is reiterated that to ensure encryption of biometrics of residents at time of capture, it is absolutely essential to use only the registered devices. Any further use of non-registered devices will be putting residents’ privacy at risk,” a UIDAI circular dated 2 February said.</p>
<p style="text-align: justify; ">In January last year, UIDAI had instructed all the authentication user agencies (AUAs) and authentication service agencies (ASAs) to adhere to its new encryption standards and accordingly upgrade the devices to the new norms.</p>
<p style="text-align: justify; ">The AUA is an entity engaged in providing Aadhaar-enabled services. It may be a government, public or a private legal agency registered in India which uses Aadhaar authentication services provided by UIDAI.</p>
<p style="text-align: justify; ">The ASA is any entity that transmits authentication requests to the Central Identities Data Repository (CIDR) on behalf of one or more AUAs.</p>
<p style="text-align: justify; ">Requests from AUAs to extend the timeline have been cited as the reason for delay by UIDAI. The last deadline was 31 January.</p>
<p style="text-align: justify; ">Still, UIDAI claims most of the entities have migrated to registered devices and “no further extension will be given in this regard.” Failure to meet the February-end deadline will lead to loss or disruption of services, the circular added.</p>
<p style="text-align: justify; ">A privacy expert called for better security in the Aadhaar system.</p>
<p style="text-align: justify; ">“The UIDAI should have gone in for smart cards, which are inherently more secure and would have proven a better basis for a national ID system. Given its choice of biometrics, UIDAI should have required hardware-level encryption — the yet-to-be-specified (Level 1) security standard— from 2010,” said Pranesh Prakash, policy director at think tank Centre for Internet and Society.</p>
<p style="text-align: justify; ">“Making the much-delayed Level 1 mandatory is what UIDAI should be focusing on; sadly, even basic registration and easily-defeated software-level encryption (Level 0) is yet to be made mandatory,” he said.</p>
<p style="text-align: justify; ">UIDAI has been under the scanner over the past few months over charges that random entities have been accessing personal information without the consent of individual Aadhaar number holders.</p>
<p style="text-align: justify; ">Last month, UIDAI put in place a two-layer security to reinforce privacy protections for Aadhaar holders—it introduced a virtual identification so that the actual number need not be shared to authenticate their identity. Simultaneously, it further regulated the storage of the Aadhaar numbers within various databases.<br />There are more than 1.2 billion Aadhaar holders in the country.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/livemint-komal-gupta-february-8-2018-from-march-1-only-registered-devices-to-be-used-to-authenticate-aadhaar'>https://cis-india.org/internet-governance/news/livemint-komal-gupta-february-8-2018-from-march-1-only-registered-devices-to-be-used-to-authenticate-aadhaar</a>
</p>
No publisher | Admin | Aadhaar | Internet Governance | Privacy | 2018-02-24T07:59:39Z | News Item
Aadhaar: ‘Safety is regularly evolving’
https://cis-india.org/internet-governance/news/kaplan-herald-february-5-2018-aadhaar-safety-is-regularly-evolving
<b>Experts say the new security features will significantly ensure there is no ‘large-scale theft of people’s identity’. Alnoor Peermohamed reports.</b>
<p class="rbig" style="text-align: justify; ">The blog post was published in <a class="external-link" href="https://kaplanherald.com/2018/02/05/aadhaar-safety-is-regularly-evolving/">Kaplan Herald </a>on February 5, 2018.</p>
<hr />
<p class="rbig" style="text-align: justify; ">While the introduction of new features such as face authentication, virtual ID, and limited know-your-customer (KYC) by the Unique Identification Authority of India are being seen as reactions to mounting public pressure over the security of Aadhaar, experts, who have helped build the citizen identity system, say these have been in the pipeline for a long time.</p>
<p style="text-align: justify; ">Pegged to be fully functional by July 1, the new features will make Aadhaar more secure, but that hasn’t stopped the UIDAI from drawing flak over the recent issue of rogue agents selling demographic data of individuals.</p>
<p style="text-align: justify; ">Moreover, the agency’s handling of the issue has not inspired confidence among the public and security researchers.</p>
<p style="text-align: justify; ">Experts say for a system of Aadhaar’s size, security is continually evolving.</p>
<p style="text-align: justify; ">Lalitesh Katragadda, former head of Google’s product centre in India and who also helped build Aadhaar, says as a country we need to understand there’s ‘no such thing as a 100 per cent secure system’.</p>
<p style="text-align: justify; ">While security gaps will always exist, he says it’s the UIDAI’s duty to ensure there’s no ‘large-scale theft of people’s identity’.</p>
<p style="text-align: justify; ">According to him, the new security features will help significantly in this regard.</p>
<p class="rbig" style="text-align: justify; ">Face authentication will be another biometric Aadhaar will begin offering to combat the reportedly high failure rates of fingerprint authentication.</p>
<p style="text-align: justify; ">The system will use common Webcams to capture photos of individuals and match them with the existing photo on the UIDAI’s database.</p>
<p style="text-align: justify; ">The system will not use any high-end hardware backed facial recognition like the recently launched iPhone X, which the company claims is more accurate than its previous fingerprint authentication technology.</p>
<p style="text-align: justify; ">The UIDAI will work around this issue by clubbing face authentication with other forms of authentication — fingerprint, iris scan or a one-time password sent to a user’s mobile phone.</p>
<p class="rbig" style="text-align: justify; ">While it isn’t known how exactly the feature will be built into apps relying on Aadhaar authentication, Srikanth Nadhamuni, the former chief technology officer of Aadhaar, envisions a scenario where a photo of an individual could be captured and matched when fingerprint authentication fails, in order to improve the probability of a match.</p>
<p style="text-align: justify; ">But even this isn’t a foolproof plan, some believe.</p>
<p style="text-align: justify; ">“Your face is again a biometric, and that comes with the same host of issues that is plaguing the other biometrics that have so far been used,” says Sunil Abraham, executive director at the Bengaluru-based think-tank, Centre for Internet and Society.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/kaplan-herald-february-5-2018-aadhaar-safety-is-regularly-evolving'>https://cis-india.org/internet-governance/news/kaplan-herald-february-5-2018-aadhaar-safety-is-regularly-evolving</a>
</p>
No publisher | Admin | Aadhaar | Internet Governance | Privacy | 2018-02-07T16:44:50Z | News Item
To protect data, don’t opt for plastic or laminated Aadhaar card: UIDAI
https://cis-india.org/internet-governance/news/livemint-komal-gupta-february-7-2017-to-protect-data-dont-opt-for-plastic-or-laminated-Aadhaar
<b>Unauthorized printing of Aadhaar cards could render the QR (quick response) code dysfunctional or even expose personal data without an individual’s informed consent, UIDAI says.</b>
<p>The article by Komal Gupta was <a class="external-link" href="http://www.livemint.com/Politics/5Gr7j4bgNoLRVtf10cjrzK/To-protect-data-dont-opt-for-plastic-or-laminated-Aadhaar.html">published by Livemint</a> on February 7, 2017</p>
<hr />
<p class="S3l" style="text-align: justify; ">To protect information provided by holders of Aadhaar, the Unique Identification Authority of India (UIDAI) on Tuesday cautioned people against opting for plastic or laminated “smart” cards.</p>
<p style="text-align: justify; ">Unauthorized printing of the cards could render the QR (quick response) code dysfunctional or even expose personal data without an individual’s informed consent, it said in a statement on Tuesday.</p>
<p style="text-align: justify; ">Besides, opting for plastic or laminated cards opened up the possibility of Aadhaar details (personal sensitive demographic information) being shared with devious elements without the informed consent of holders, the statement added.</p>
<p>According to UIDAI, the Aadhaar letter sent by it, a cutaway portion or downloaded versions of Aadhaar on ordinary paper or mAadhaar are perfectly valid.</p>
<p style="text-align: justify; ">“If a person has a paper Aadhaar card, there is absolutely no need to get his/her Aadhaar card laminated or obtain a plastic Aadhaar card or so called smart Aadhaar card by paying money. There is no concept such as smart or plastic Aadhaar card,” UIDAI chief executive officer Ajay Bhushan Pandey said in a statement.</p>
<p style="text-align: justify; ">Printing Aadhaar on a plastic/PVC sheet privately can cost anywhere between Rs50 and Rs300 or more, UIDAI said. It added that a printout of the downloaded Aadhaar card, even in black and white, is as valid as the original Aadhaar letter sent by UIDAI.</p>
<p>It added that in case a person loses his Aadhaar card, he can download the card free from <i>https://eaadhaar.uidai.gov.in.</i></p>
<p style="text-align: justify; ">Pandey asked holders not to share Aadhaar number or personal details with unauthorized agencies for getting the card laminated, or printed on plastic.</p>
<p style="text-align: justify; ">The agency also directed unauthorized agencies not to collect Aadhaar information from people, reminding them that collecting such information or unauthorized printing of Aadhaar card is a criminal offence punishable with imprisonment.</p>
<p style="text-align: justify; ">“I feel a lot more has to be done by UIDAI. Sadly, by encouraging people to rely on printed Aadhaar ‘cards’, UIDAI is ending up with the worst of both worlds with respect to personal data protection: photocopies of so-called Aadhaar cards/letter are being circulated to facilitate identity fraud as well as the kind of dangerous personal data disclosures that centralized databases enable,” said Pranesh Prakash, policy director at think tank Centre for Internet and Society.</p>
<p style="text-align: justify; ">Last month, UIDAI put in place a two-layer security to reinforce privacy protections for Aadhaar holders—it introduced a virtual identification so that the actual number need not be shared to authenticate their identity. Simultaneously, it further regulated the storage of the Aadhaar numbers within various databases.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/livemint-komal-gupta-february-7-2017-to-protect-data-dont-opt-for-plastic-or-laminated-Aadhaar'>https://cis-india.org/internet-governance/news/livemint-komal-gupta-february-7-2017-to-protect-data-dont-opt-for-plastic-or-laminated-Aadhaar</a>
</p>
No publisher | Admin | Aadhaar | Internet Governance | Privacy | 2018-02-07T01:00:00Z | News Item
Aadhaar's new security measures are good, it is still work in progress
https://cis-india.org/internet-governance/news/business-standard-january-25-2018-alnoor-peermohamed-aadhaars-new-security-measures-are-good-it-is-still-work-in-progress
<b>Here's a rundown of the three new features that the UIDAI will introduce to make Aadhaar seemingly more secure.</b>
<p style="text-align: justify; ">The article by Alnoor Peermohamed was <a class="external-link" href="http://www.business-standard.com/article/economy-policy/aadhaar-s-new-security-measures-are-good-it-is-still-work-in-progress-118012400982_1.html">published in Business Standard</a> on January 25, 2018.</p>
<hr />
<p style="text-align: justify; ">While public pressure over the security of <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>might have forced the Unique Identification Authority of India (UIDAI) to introduce new features such as face authentication, <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=virtual+id" target="_blank">virtual ID </a>and limited KYC, experts who have worked on the system say such updates are incremental and need to keep happening.</p>
<p style="text-align: justify; ">Be it Google, Facebook or Aadhaar, a digital system serving billions of people needs to remain secure for which it continually has to evolve, sometimes adapting to issues that are found. The three new features will certainly help improve security, but many questions still remain over how the <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=uidai" target="_blank">UIDAI </a>will tackle the recently highlighted issue of rogue <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>agents.</p>
<p style="text-align: justify; ">An article in the Tribune newspaper which claimed that <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>information of individuals was on sale for as little as Rs 500, sparked off the biggest security scare against the digital identity keeper in a while. Even though the <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=uidai" target="_blank">UIDAI </a>asserted that its systems had not been breached, proof that <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>details of an individual could be bought had been delivered. The agency has also not inspired confidence among public and security researchers with the way it has responded to <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>data that has been put in public domain in violation of privacy of individuals.</p>
<p style="text-align: justify; "><span>"As an economy and an ecosystem, we have to understand that there is no such thing as a 100 percent secure system. When it was on paper it was not secure and now that it is digital, it is not a 100 percent secure. Security gaps may exist, but those should not cause large-scale theft of people's identity or cause significant damage. It's an arms race and this means that </span><a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a><span>has to improve constantly," says Lalitesh Katragadda, former head of Google's product centre in India who has helped build </span><a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar.</a></p>
<p style="text-align: justify; "><strong>Here's a rundown of the three new features that the <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=uidai" target="_blank">UIDAI </a>will introduce to make <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>seemingly more secure:</strong></p>
<p style="text-align: justify; "><strong>Face Auth</strong></p>
<p style="text-align: justify; "><a class="storyTags" href="http://www.business-standard.com/search?type=news&q=face+authentication" target="_blank">Face Authentication </a>or 'Face Auth' is an additional biometric that the <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=uidai" target="_blank">UIDAI </a>will roll out in order to cut down on the number of failed attempts which is increasingly being highlighted as an issue. By matching a user's face, captured through a camera at the time of authentication to the image of their face which was taken at the time of <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>enrolment, the identity of an individual can be more accurately verified.</p>
<p style="text-align: justify; ">Facial recognition in the consumer landscape has once again been popularised by Apple's latest iPhone X device that uses an array of sensors and infrared light to map a person's face in three dimensions. The company claims this is more accurate than its previous fingerprint-based TouchID technology, but this isn't the case with UIDAI's facial recognition technology.</p>
<p style="text-align: justify; ">The <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=uidai" target="_blank">UIDAI </a>will utilise webcams and low-end hardware to enable Face Auth, and therefore took the conscious decision to use a person's face in conjunction with another layer of authentication - fingerprint, iris scan or a one-time password sent to the user's registered mobile device.</p>
<p style="text-align: justify; ">How exactly applications built on <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>will utilise this new Face Auth feature is not known yet, and neither are the technical specifications. Srikanth Nadhamuni, the former Chief Technology Officer of Aadhaar, envisions a scenario where a farmer using <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>to get his PDS witnesses a failure to authenticate using his fingerprint, prompting the application to capture his photo and check whether it matches with the existing photo on the UIDAI's database.</p>
<p style="text-align: justify; ">Activists, however, point out that it's far easier to fake facial recognition software, which in some cases get fooled into giving out positives by simply holding photos of the user in front of a camera. "At the end of the day your face is again biometric, and that comes with the same host of issues that are plaguing the other biometrics that has so far been used," says Sunil Abraham, Executive at Bengaluru-based think tank Centre for Internet and Society (CIS).</p>
<p style="text-align: justify; "><strong>Virtual ID</strong></p>
<p style="text-align: justify; ">As its name suggests, <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=virtual+id" target="_blank">Virtual ID </a>gives users a stand-in for their 12-digit <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>number if they're worried that it will be stolen, leaked online or misused in any way. Any <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>user will be able to log into an online portal, visit an <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>enrollment centre or use the mAadhaar app to generate a 16-digit <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=virtual+id" target="_blank">Virtual ID.</a></p>
<p style="text-align: justify; ">By virtue, the <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=uidai" target="_blank">UIDAI </a>has built the <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=virtual+id" target="_blank">Virtual ID </a>to be temporary and a user can ask for any number of Virtual IDs - when a new one is generated, the old one is destroyed and can even be assigned to another user. The key here is that only the <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=uidai" target="_blank">UIDAI </a>will be able to make the link to a <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=virtual+id" target="_blank">Virtual ID </a>and <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>number and no-one else.</p>
<p style="text-align: justify; ">After years of arguing that leaking of the <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>number itself wasn't an issue, the <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=uidai" target="_blank">UIDAI </a>is finally giving users a tool that allows them to keep their <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>number private. While Abraham agrees that the feature will make <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>safer, he says its effectiveness will only be valid if a user opts in as it has not been made a feature by design.</p>
<p style="text-align: justify; ">Nadhamuni argues on the contrary, that making <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=virtual+id" target="_blank">Virtual ID </a>a mandatory process would hurt more people than it helps. "A lot of people in rural India are using their <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>for authentication of PDS and MNREGA and so on and it's working for them.</p>
<p style="text-align: justify; ">You don't want to confuse all of them and ask them to create yet another number. You'd have to make a farmer understand the concept of <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=virtual+id" target="_blank">Virtual ID </a>when he's completely happy with the way things are today," he says.</p>
<p style="text-align: justify; "><strong>Limited KYC</strong></p>
<p style="text-align: justify; ">The process of KYC (Know Your Customer) through <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>has all along given public bodies and private companies access to a user's details such as name, age, sex, address and photograph. With limited KYC, the <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=uidai" target="_blank">UIDAI </a>will categorise a body seeking <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">aadhaar </a>details into two buckets, ones that get the full information and ones with whom only partial information is shared.</p>
<p style="text-align: justify; ">Realising that not all bodies or companies need all the <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>details, is the biggest change that <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=limited+kyc" target="_blank">Limited KYC </a>will bring in. The idea is that the fewer places a person's <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>details are stored, the fewer chances of it leaking. Moreover, by giving only critical services full <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>details the <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=uidai" target="_blank">UIDAI </a>is hoping it will eliminate its problem of having to share details with less secure systems.</p>
<p style="text-align: justify; "><a class="storyTags" href="http://www.business-standard.com/search?type=news&q=limited+kyc" target="_blank">Limited KYC </a>will also bring in a tokenized system for agencies to ensure uniqueness while not storing a user's <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>number on their databases. A 72 digit alphanumeric UID Token will be generated at the time of authentication which only <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=uidai" target="_blank">UIDAI </a>will be able to map back to a particular <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>number. However, there isn't clarity on who will be exempt from this as there is word that banks and tax authorities will be allowed to store user <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>numbers.</p>
<p style="text-align: justify; ">The UID Tokens will also be backdated, meaning all previous KYC attempts a user had made with a particular body or company will also be migrated to the new system, ensuring that if two databases leak, the perpetrators are not able to easily use <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>numbers to match users and improve the quality of the data they've stolen. Some details on this are still missing though.</p>
<p style="text-align: justify; "><strong>Security: Work in Progress</strong></p>
<p style="text-align: justify; ">Experts who worked on building <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>say that such features were discussed during the very inception of the national biometric database, but were not rolled out until now to avoid complexity. Katragadda, who has worked on building many large APIs at Google agrees that all large systems avoid complexity during the kickoff and add them based on needs of users later.</p>
<p style="text-align: justify; ">Like him, both Nadhamuni and even Abraham agree that the new features will make <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>more secure, while the latter had his reservations on how secure it would be which only the fine print would reveal. The experts also agree that the public discourse which <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>security has taken is a good thing, since the digital security of over a billion people is now public discussion.</p>
<p style="text-align: justify; ">"Security breaches are like earthquakes. It's better to have many tiny tremors than be oblivious to gaps in our system and lose everything with that one massive earthquake. So it's better to have our ears close to the ground, have ethical hacking competitions where we ask people to hack the <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>system, find gaps in security. The best APIs in the world do this," says Katragadda.</p>
<p style="text-align: justify; ">He adds that India should not be scared to build large digital systems for public good for fear that there will be security breaches. Even the paper-based system before <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=aadhaar" target="_blank">Aadhaar </a>had several security lapses, but they were not visible. "Otherwise we need to have this holy grail of a system which is perfectly automated and we're at least 20 years away from full robotics," he adds.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/business-standard-january-25-2018-alnoor-peermohamed-aadhaars-new-security-measures-are-good-it-is-still-work-in-progress'>https://cis-india.org/internet-governance/news/business-standard-january-25-2018-alnoor-peermohamed-aadhaars-new-security-measures-are-good-it-is-still-work-in-progress</a>
</p>
No publisher, Admin, Aadhaar, Internet Governance, Privacy, 2018-01-26T01:52:51Z, News Item
Aadhaar-privacy debate: How the 12-digit number went from personal identifier to all pervasive transaction tool
https://cis-india.org/internet-governance/news/first-post-january-18-2018-aadhaar-privacy-debate-how-the-12-digit-number-went-from-personal-identifier-to-all-pervasive-transaction-tool
<b>Depending on who you ask, the Aadhaar is either a convenience or a curse. </b>
<p style="text-align: justify; ">The article was published by <a class="external-link" href="http://www.firstpost.com/india/aadhaar-privacy-debate-how-the-12-digit-number-went-from-personal-identifier-to-all-pervasive-transaction-tool-4308043.html">First Post</a> on January 18, 2018.</p>
<hr />
<p style="text-align: justify; ">The ongoing <a href="http://www.firstpost.com/india/aadhaar-a-giant-electronic-leash-distorts-states-relation-with-citizen-petitioner-tells-supreme-court-4307107.html">hearing in the Supreme Court</a> is testing the constitutional validity of a scheme that has been around in one shape or another since 2003, ever since the need for an identification project was first felt.</p>
<p style="text-align: justify; ">By the government's own estimates, the Aadhaar initiative has <a href="http://www.thehindubusinessline.com/economy/policy/aadhaar-covers-98-of-adult-population-says-prasad/article9091254.ece" rel="nofollow" target="_blank">covered 98 percent of the adult population</a> in India and, as of 7 September, the Unique Identification Authority of India (UIDAI) has generated cards for 105.11 crore people. So, if you are an Indian adult, chances are that you possess an Aadhaar card by now.</p>
<p style="text-align: justify; ">The Aadhaar database is one of the largest government databases on the planet, where a 12-digit unique identity number has been assigned to the majority of Indian citizens. This database contains both the demographic and the biometric data of citizens.</p>
<p style="text-align: justify; ">What started as a unique identification number to streamline the distribution of welfare to the needy has now turned into an all-pervasive tool that can arm the government with sensitive data of all Indians. At the heart of this issue is the sheer quantity of data being amassed as part of the scheme and the many privacy and security concerns generated as a result of it.</p>
<p style="text-align: justify; ">The Aadhaar of today, in addition to basic personal information, includes biometric data like your fingerprints, your iris scan and now even your facial scans (albeit introduced as a safety feature). This is designed to address the issue of failed biometric authentication, as an alternative for people having difficulty authenticating, due to factors like worn out fingerprints, or changing biometric data due to old age, hard work conditions, accidents and the like.</p>
<p style="text-align: justify; ">But what it fails to address is the growing unease among citizens about the scale of the project, its intent, and the actual legality of enabling such an architecture, which could threaten the citizens with the possibility of State surveillance.</p>
<p style="text-align: justify; ">The sheer amount of private and confidential data amassed in one singular database has given rise to concerns over data security and its privacy.</p>
<p style="text-align: justify; ">However, the worst fears about Aadhaar <a href="http://www.firstpost.com/economy/you-should-be-worried-with-aadhaar-you-are-at-govts-mercy-1315823.html" target="_blank">have come true</a> after the developments of the past few weeks. A recent investigation by <a href="http://www.tribuneindia.com/news/nation/rs-500-10-minutes-and-you-have-access-to-billion-aadhaar-details/523361.html" rel="nofollow" target="_blank"><em>The Tribune</em></a> revealed that the details of any of the billion Aadhaar numbers issued in India were accessible for as little as Rs 500.</p>
<p style="text-align: justify; ">Since then, the UIDAI and the rest of the government machinery have been in top gear, trying to allay the fears around Aadhaar. It even introduced a flurry of steps to make sure that the database is safe and secure, and that the data is protected. But not everyone is convinced. Critics say biometrics only make the citizen transparent to the State and do not make the State transparent to citizens.</p>
<p style="text-align: justify; ">"We warned the government six years ago, but they ignored us," Sunil Abraham, executive director of Bengaluru-based research organisation, Centre for Internet and Society, was quoted by <a href="http://www.thehindubusinessline.com/specials/india-file/aadhaar-the-12digit-conundrum/article9582271.ece" rel="nofollow" target="_blank"><em>The Hindu Business Line</em></a> as saying.</p>
<p style="text-align: justify; ">According to him, the legislation implementing Aadhaar has almost no data protection guarantees for citizens. He also believes that by opting for biometrics instead of smart cards the government is using surveillance technology instead of e-governance technology.</p>
<p style="text-align: justify; ">On the other hand, finance minister Arun Jaitley said recently that an Aadhaar card could become the sole identifier for a person in future. "A stage may come that the unique identity will become the only card," Jaitley said. "There are many countries where such a situation exists. There is a social security number in America and in India it (Aadhaar) could be the counterpart."</p>
<p style="text-align: justify; ">Since its inception, the Aadhaar was always pitched as a scheme integral to the modernisation of social welfare in India.</p>
<p style="text-align: justify; ">But, according to a <a href="https://scroll.in/article/825103/aadhaar-shows-indias-governance-is-susceptible-to-poorly-tested-ideas-pushed-by-powerful-people" rel="nofollow" target="_blank"><em>Scroll</em></a> report, state governments are struggling to use Aadhaar-based fingerprint authentication in ration shops. At the same time, a rising number of companies are integrating Aadhaar into their databases for private services that have nothing to do with the welfare delivery system.</p>
<p style="text-align: justify; ">So, why is the scheme failing at the very job it was created for, while proving useful to private endeavours elsewhere? Why did the BJP, a dispensation critical of Aadhaar in 2014, make a complete u-turn and become a champion for a cause backed by the UPA in its time? Are the security and privacy concerns a small price to pay for better delivery of welfare schemes, or is it an instrument of surveillance and a potential goldmine for hackers?</p>
<p style="text-align: justify; ">The debate around Aadhaar and the explanations for its need and/or threats are biased, incomplete and solely depend on who you ask. Therefore, it might do well to trace the roots of the Aadhaar mission and retrace its critical moments.</p>
<h3 style="text-align: justify; ">Origins of Aadhaar</h3>
<p style="text-align: justify; ">According to the <em>Scroll</em> report, India first fiddled with the idea to assign numbers to people in 2003, in the aftermath of the Kargil war.</p>
<p style="text-align: justify; ">With rising security concerns, the then BJP government under Atal Bihari Vajpayee wanted every Indian citizen to be accounted for. This desire eventually took the shape of the National Population Register, that aimed to identify citizens amongst the country's residents.</p>
<p class="body" style="text-align: justify; ">The Citizenship Act was amended in 2004 by the incumbent Congress government to make way for the National Population Register (NPR).</p>
<p style="text-align: justify; ">The second and major push for an identity project was introduced subsequently by the UPA-1 government in late 2008. With welfare spending on the rise, adds the report, bureaucrats in the erstwhile Planning Commission were worried about leakages.</p>
<p style="text-align: justify; ">Thus, the idea of constituting an authority that would aggregate all databases of social welfare programmes to create a mother database emerged.</p>
<p style="text-align: justify; ">Such a database would "weed out ghosts and duplicates so that a person who gets the LPG subsidy doesn’t also get the kerosene subsidy," <em>Scroll</em> quoted a former UIDAI official as saying, on condition of anonymity.</p>
<p style="text-align: justify; ">Eventually, in 2009, Aadhaar, or UIDAI, surfaced as a 12-digit identification number that served as proof of identity and address — meaning, it applies to all residents whether they are citizens or not, unlike with the NPR. Biometric data was not in the picture at this time.</p>
<p style="text-align: justify; ">And then, in 2016, the Centre notified the new Aadhaar Act, which gives the unique identity number assigned to each Indian citizen statutory backing. The idea of this Act was to empower Aadhaar with legal backing for the purpose of transferring subsidies and government benefits to beneficiaries through designated bank accounts.</p>
<p style="text-align: justify; ">The government said in a notification that the Aadhaar (Targeted Delivery of Financial and other Subsidies, benefits and services) Act, 2016 will provide “efficient, transparent, and targeted delivery of subsidies, benefits and services, the expenditure for which is incurred from the Consolidated Fund of India, to individuals residing in India through assigning of unique identity numbers to such individuals.”</p>
<p style="text-align: justify; ">Another interesting aspect of the Aadhaar debate is the politics of it all. The Opposition, BJP back then and UPA now, has shaped much of the debate against the use of Aadhaar. But one thing that stands out in this melee is that many in the current dispensation, who are currently the biggest proponents of the scheme, had once opposed it vehemently.</p>
<p style="text-align: justify; ">“The people who thought of themselves as having given birth to IT in this country refused to listen to a common man like me. Even the SC has demanded answers,” Narendra Modi had famously said when he was the Gujarat chief minister. He had alleged that the Aadhaar programme was a bundle of lies to loot the country’s treasury.</p>
<p style="text-align: justify; ">In 2014, Modi had tweeted: "On Aadhaar, neither the team that I met nor PM could answer my Qs on security threat it can pose. There is no vision, only political gimmick."</p>
<p style="text-align: justify; ">So, how was it that one of Aadhaar's most vehement opponents became its biggest proponent?</p>
<p style="text-align: justify; ">According to a report in <a href="http://www.thehindubusinessline.com/blink/cover/the-aadhaar-of-all-things/article9609603.ece" rel="nofollow" target="_blank"><em>The Hindu Business Line</em></a>, the destiny of the Aadhaar scheme was shaped by two meetings – between Nilekani and Modi with Jaitley, and the second with Vijay Madan, the UIDAI director general and mission director.</p>
<p style="text-align: justify; ">Through the course of these meetings, the <a href="http://www.governancenow.com/news/regular-story/50k-crore-reason-modi-backed-aadhaar" rel="nofollow" target="_blank">potential savings from plugging subsidy leakages</a> were put across to Modi, a figure of "up to ₹50,000 crore a year".</p>
<p class="body" style="text-align: justify; ">Modi in his keenness to showcase the arrival of <em>"acche din",</em> the report adds, immediately sought a 100-crore enrolment target at the ‘earliest’, putting paid to speculations that the new government would shelve the UIDAI project.</p>
<p style="text-align: justify; ">Thus, the current Aadhaar project was born.</p>
<h3 style="text-align: justify; ">Inclusion of biometric data</h3>
<p style="text-align: justify; ">Although an extension of UPA's idea, the new Aadhaar act <a href="http://www.firstpost.com/business/upa-vs-nda-check-out-how-aadhaar-act-2016-differs-from-the-2010-bill-2700706.html">had some crucial differences</a>:</p>
<p style="text-align: justify; ">- As per the new Act, "any person who has resided in India for 182 days (in the one year preceding the application for Aadhaar)". The UPA's Bill said any person residing in India.</p>
<p style="text-align: justify; ">- Further, the new Act says that the number can be used to verify the identity of any person, for any purpose, by any public or private entity. In the UPA's Bill, no such provision was there.</p>
<p style="text-align: justify; ">- The new Act stipulated all these identity facets to be maintained: photograph, biometric information (iris scan and fingerprint), demographic information (name, date of birth, address but excludes race, religion, caste, etc.), and Aadhaar number. The authority may specify any other biological and demographic information to be collected.</p>
<h3 style="text-align: justify; ">Data security debate</h3>
<p style="text-align: justify; ">Over the last year, there have been multiple instances of Aadhaar data leaking online through government websites or its mobile app. The most recent case was when an RTI query pushed UIDAI to reveal that about <a href="http://www.firstpost.com/india/uidai-reveals-210-govt-websites-made-aadhaar-details-public-did-not-specify-when-breach-took-place-4217597.html" target="_blank">210 government websites made</a> the Aadhaar details of Aadhaar holders public on the internet.</p>
<p style="text-align: justify; ">Centre for Internet and Society (CIS) also pointed out that <a href="http://www.firstpost.com/tech/news-analysis/130-mn-aadhaar-numbers-were-not-leaked-they-were-treated-as-publicly-shareable-data-cis-3702187.html" target="_blank">about 130 million Aadhaar numbers</a> along with other sensitive data were available on the internet.</p>
<p style="text-align: justify; ">The recent <em>Tribune</em> report has only highlighted the deeper, infrastructural fallibility of a singular mega-database of sensitive data.</p>
<p style="text-align: justify; ">As per this <a href="http://www.firstpost.com/india/aadhaar-data-breach-uidai-must-address-privacy-concerns-urgently-simply-denying-leak-not-enough-4288825.html"><em>Firstpost</em></a> piece, the UIDAI's <a href="http://www.firstpost.com/business/aadhaar-data-breach-uidai-refutes-media-reports-says-biometric-information-safe-and-secure-no-leakage-occurred-4287237.html">response to such an obvious data breach</a> and violation of privacy is extremely worrying. It is yet another reiteration of the privacy concerns with Aadhaar, and the constant denial of privacy concerns by the UIDAI instead of sitting up and addressing the problem at hand.</p>
<p style="text-align: justify; ">The large-scale collection of data and the binding of said data with almost all services raises a pertinent question: Is the government capable of safeguarding the massive amounts of data collected as part of the Aadhaar project? The answer, again, depends on who you ask.</p>
<h3 style="text-align: justify; ">Concerns over privacy</h3>
<p style="text-align: justify; ">Apart from the security concerns, Aadhaar has raised the question of the citizen's privacy, given that access to such sensitive data empowers the government to keep a person's financial and personal information under close scrutiny.</p>
<p class="A5l" style="text-align: justify; ">The Supreme Court had held recently that privacy is a fundamental right under the Constitution with reasonable restrictions. This decision is bound to impact the Aadhaar project in one way or another, as collecting biometric data of citizens can be construed as a violation of said right.</p>
<p style="text-align: justify; ">The Supreme Court started hearing the crucial cases related to the constitutional validity of Aadhaar on Wednesday. A five-judge bench heard the arguments of the petitioner, maintaining that the government's mandatory biometric identification project is, in essence, seeking to change a people's Constitution into a State's Constitution.</p>
<p style="text-align: justify; ">The petitioners made submissions ranging from the Standing Committee's observations, to the precedents as adopted by other nations to pointing out basic moral and administrative defects in amassing biometric data of citizens on such a large scale, perhaps trying to patiently drive the point that the Aadhaar project can never be safely assumed to be leakproof, hence safe, ergo, legal.</p>
<p style="text-align: justify; ">The petitioner also argued that Aadhaar could lead to millions of people being denied access to essential services and benefits in violation of their human rights, as he pointed out that biometric details of almost 6.2 crore people <a href="https://timesofindia.indiatimes.com/city/bhubaneswar/30-lakh-people-from-state-rejected-for-Aadhar-card/articleshow/27812115.cms" rel="nofollow" target="_blank">have been rejected</a>, mainly due to calloused hands and fingertips, wherein biometric data could not be recorded.</p>
<p style="text-align: justify; ">"These are not dishonest people or ghosts," he said. Even the <a href="http://www.prsindia.org/uploads/media/UID/uid%20report.pdf" rel="nofollow" target="_blank">Standing Committee report</a> on Aadhaar points out: "<em>..it has been proven again and again that in the Indian environment, the failure to enrol with fingerprints is as high as 15 percent due to the prevalence of a huge population dependent on manual labour. These are essentially the poor and marginalised sections of the society. So, while the poor do indeed need identity proofs, Aadhaar is not the right way to do that"</em></p>
<p style="text-align: justify; ">In December 2017, the court had <a href="http://www.firstpost.com/india/supreme-court-extends-deadline-for-linking-aadhaar-with-various-services-and-schemes-till-31-march-2018-4259711.html" target="_blank">extended the deadline</a> for mandatory linking of Aadhaar with various services and welfare schemes till 31 March, 2018. It had also modified its earlier order with regard to linking Aadhaar with mobile services and said the deadline of 6 February, 2018 for this purpose also stood extended till 31 March.</p>
<h3 style="text-align: justify; ">Right to Privacy and its effect on Aadhaar</h3>
<p style="text-align: justify; ">In August 2017, the Supreme Court in a unanimous 9:0 judgment had <a href="http://www.firstpost.com/india/in-a-9-0-verdict-supreme-court-says-right-to-privacy-is-a-fundamental-right-highlights-from-judgment-3967839.html" target="_blank">declared the Right to Privacy</a> to be a Fundamental Right. It was hailed as a big victory for pro-privacy advocates who could now point to the Constitutional Bench <a href="http://www.firstpost.com/india/privacy-is-your-fundamental-right-says-9-judge-supreme-court-bench-heres-547-page-full-judgment-of-verdict-3968491.html" target="_blank">judgment</a> should the right ever be questioned.</p>
<p style="text-align: justify; ">However, the judgment only <a href="https://twitter.com/alokpi/status/900592316938727424" rel="nofollow" target="_blank">established</a> the theoretical Right to Privacy. It removed the earlier hurdles of the cases of MP Sharma and Kharak Singh which had held Right to Privacy not to be a Fundamental Right. However, the actual freedoms protected by the Right had to be enshrined in separate judgments.</p>
<p style="text-align: justify; ">As far as Aadhaar is concerned, the judgment <a href="http://www.ndtv.com/india-news/right-to-privacy-privacy-is-a-fundamental-right-says-supreme-court-10-developments-1741368" rel="nofollow" target="_blank">did not invalidate it</a> in any way. However, it did give a boost to anti-Aadhaar arguments which rely on privacy, as the government can no longer say that there is no Right to Privacy.</p>
<p style="text-align: justify; ">With 1.08 billion citizens already enrolled, the ‘mandatory vs. voluntary’ debate on Aadhaar is now mostly a thing of the past. What remains to be seen now is how the Supreme Court will rule on the constitutional validity of the Aadhaar and if the government will be willing to reform/modify the current scheme to allay fears over data security and privacy in order to re-tailor the project to meet its original goal, the timely and secure delivery of welfare to those who need it.</p>
<p style="text-align: justify; "><em>With inputs from agencies</em></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/first-post-january-18-2018-aadhaar-privacy-debate-how-the-12-digit-number-went-from-personal-identifier-to-all-pervasive-transaction-tool'>https://cis-india.org/internet-governance/news/first-post-january-18-2018-aadhaar-privacy-debate-how-the-12-digit-number-went-from-personal-identifier-to-all-pervasive-transaction-tool</a>
</p>
No publisher, Admin, Aadhaar, Internet Governance, Privacy, 2018-01-18T15:01:48Z, News Item
Token security or tokenized security?
https://cis-india.org/internet-governance/news/livemint-january-9-2018-manasa-venkataraman-ajay-patri-token-security-or-tokenized-security
<b>Implementing a system of tokenization for Aadhaar verification will address the security loopholes highlighted in recent reports.</b>
<p style="text-align: justify; ">The article by Manasa Venkataraman and Ajay Patri was published in <a class="external-link" href="http://www.livemint.com/Opinion/Kx7GIb4P73EpEtpxOFzi6M/Token-security-or-tokenized-security.html">Livemint</a> <span>on January 9, 2018.</span></p>
<hr style="text-align: justify; " />
<p class="S3l" style="text-align: justify; ">Those who were reassured that the Aadhaar architecture is safe and secure have faced a few rude shocks lately. First, there was the recent report in <i>The Tribune </i>on how one of its reporters was easily able to log in to the Aadhaar website and access any enrolled Indian’s personal information, all for a grand fee of Rs500. While the veracity of this report is still being contested by the Unique Identification Authority of India (UIDAI), it has stirred panic over the security of personal data entrusted to the government. This came close on the heels of reports last month that a telecom company was utilizing the eKYC (know your customer) data of its mobile subscribers to open payment bank accounts without their consent.</p>
<p style="text-align: justify; ">These two instances highlight scenarios where data from the Aadhaar database is vulnerable. In the first, the weaknesses in security measures and processes around the database leave information susceptible to an attack. In the second, providing third-party entities loosely regulated access to an individual’s data leaves scope for abuse.</p>
<p style="text-align: justify; ">There is a need to protect the data belonging to individuals in these situations, providing the government with two possible policy options: it can choose to either overhaul the Aadhaar architecture completely, or it can build in additional security measures to ensure that individual data is not compromised.</p>
<p style="text-align: justify; ">Uninventing Aadhaar is not a practical proposal. It would have to include repealing the statute on Aadhaar, disbanding the database already created, and figuring out alternative means of delivering the services that are now dependent on Aadhaar. A more sustainable way forward is to better secure Aadhaar. This will involve not only the secure collection and storage of personal data, but also a safe regulation of the manner in which third parties use it for authentication.</p>
<p style="text-align: justify; ">One way to protect Aadhaar-related communications is to channel them through a secure conduit. This can be achieved through a system of temporary tokens for Aadhaar-based verifications. Sunil Abraham from the Centre for Internet and Society (CIS) has recommended a system of using dummy or virtual Aadhaar numbers along with a smart card to protect information belonging to individuals.</p>
<p style="text-align: justify; ">Tokenization is the process of masking sensitive personal data with another innocuous dataset, allowing it to be shared with third parties without the risk of the personal data being exposed. So, every time a service provider asks for identification, the individual can provide a one-time-ID number generated by an Aadhaar app or on UIDAI’s website. The service provider can authenticate the one-time-ID number with the Aadhaar database, without needing to know or store the Aadhaar number. The algorithm used to generate the one-time-ID number must be constructed using hard-to-replicate information and kept a well-guarded secret. No two service providers will have the same one-time ID, making it harder for personal profiles to be constructed by mining data from multiple service providers, thus enabling a higher level of privacy protection.</p>
<p style="text-align: justify; ">Allowing such a system of tokenization for every eKYC can create a welcome layer of ambiguity around individuals’ personal data and preserve the individuals’ Aadhaar-related information with the government. This system also breaks the link between the Aadhaar database and any third party having access to an individual’s Aadhaar number. If this link is not broken, then any entity—government or private—would have access to potentially millions of Aadhaar card numbers, opening endless possibilities for data abuse.</p>
<p style="text-align: justify; ">The tokenization process allows the authority to arrest any attempts at data abuse. In fact, to make this system of tokens or one-time-ID numbers effective, the law must build in measures to penalize any attempt to recreate an individual’s Aadhaar number from the unique token number. In other words, the service provider is given a token number for authentication, but prohibited from obtaining the Aadhaar number it corresponds to.</p>
<p style="text-align: justify; ">Tokenization is an improvement over the status quo, but only in one aspect—making Aadhaar secure. It is imperative that the government pays equal attention to the manner in which all data is collected, stored and disposed of by the authority. There are two facets to be explored here: first, ensuring secure storage of the vast information database, and second, plugging security loopholes that happen at collection by limiting access to the database.</p>
<p style="text-align: justify; ">The adoption of appropriate technical safeguards is indispensable to thwart external threats to the Aadhaar database, such as ransomware attacks. Having appropriate security, and having periodic audits to test the adequacy of such security, is indispensable.</p>
<p style="text-align: justify; ">Equally, limiting access to the database is crucial for preventing leaks, such as the ones reported in <i>The Tribune</i>. It is important that only a select few individuals have access to the database and that these personnel are properly vetted before being vested with such responsibility.</p>
<p style="text-align: justify; ">These various facets of the Aadhaar ecosystem are likely to be further examined in the public in the weeks to come as the Supreme Court gears up to hear the petitions on Aadhaar. Regardless of the verdict, there is an urgent need to improve the safety of the Aadhaar ecosystem and the use of tokenization goes some way towards achieving this objective.</p>
<p style="text-align: justify; "><i>Manasa Venkataraman and Ajay Patri are researchers at the Takshashila Institution, an independent, non-partisan think tank and school of public policy.</i></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/livemint-january-9-2018-manasa-venkataraman-ajay-patri-token-security-or-tokenized-security'>https://cis-india.org/internet-governance/news/livemint-january-9-2018-manasa-venkataraman-ajay-patri-token-security-or-tokenized-security</a>
</p>
No publisher, Admin, Aadhaar, Internet Governance, Privacy, 2018-01-17T00:17:41Z, News Item
India To Introduce Virtual ID For Aadhaar To Strengthen Privacy
https://cis-india.org/internet-governance/news/bloomberg-quint-january-11-2018-india-to-introduce-virtual-id-for-aadhaar-to-strengthen-privacy
<b>The government will introduce a virtual identification number for Aadhaar to help strengthen privacy following several instances of data leaks.</b>
<p style="text-align: justify; ">The blog post was published by <a class="external-link" href="https://www.bloombergquint.com/aadhaar/2018/01/10/india-to-introduce-virtual-id-for-aadhaar-to-strengthen-privacy">Bloomberg Quint </a>on January 11, 2018.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The additional layer of security is meant to help Aadhaar users avoid sharing their unique identification number at the time of authentication to avail various services and welfare schemes, UIDAI said in a circular seen by BloombergQuint. The virtual ID will be an optional feature and users will be allowed to provide Aadhaar for verification.</p>
<p style="text-align: justify; ">The Aadhaar-issuing body, Unique Identification Authority of India, will also introduce limited know-your-customer rules to eliminate the need for agencies to store the biometric ID. Migration to the new system will start from June 1, it added.</p>
<p style="text-align: justify; ">Virtual IDs should be made mandatory and the UIDAI should itself generate these codes instead of having the user do it, said Pranesh Prakash, policy director at the Center for Internet Security, which has published reports on the security flaws in the world’s largest database.</p>
<blockquote class="quoted" style="text-align: justify; ">This takes into account concerns of third-party databases being combined without the consent of the individual but fails to address issues of government surveillance, exclusion and cybersecurity, he added.</blockquote>
<p style="text-align: justify; ">The move comes barely a week after The Tribune, a Chandigarh-based newspaper, reported that it could access the Aadhaar database by paying Rs 500, raising privacy concerns. Petitions challenging the validity of Aadhaar and the government’s decision to make it mandatory for everything from bank accounts to mobile services are pending in the Supreme Court.</p>
<p style="text-align: justify; ">As of now, citizens are required to share their Aadhaar number for authentication to avail certain services. With the introduction of the virtual ID that would change.</p>
<p style="text-align: justify; ">It would be a randomly generated 16-digit number that'd be digitally linked to a person's Aadhaar number. This ID would be temporary and revocable. There can be only one active and valid virtual ID for an Aadhaar number at any given point in time. Aadhaar holders will be able to use the virtual ID whenever authentication is required.</p>
<p class="callout" style="text-align: justify; ">Virtual ID, by design being temporary, cannot be used by agencies for duplication.<br /><span><strong>UIDAI Circular</strong></span></p>
<p style="text-align: justify; ">Only Aadhaar holders themselves can generate a virtual ID and set a minimum validity period for it, after which it will have to be replaced by a new one. The virtual IDs can be changed through UIDAI's portal, at an Aadhaar enrolment centre or using the mAadhaar mobile application, the circular said.</p>
<h3 style="text-align: justify; ">Who Can Store Your Aadhaar Data?</h3>
<p style="text-align: justify; ">The UIDAI will limit the number of agencies that can access and store your Aadhaar number. For this purpose, it will divide the agencies that seek to use Aadhaar authentication for services into two categories—global and local.</p>
<p style="text-align: justify; ">Global authentication agencies will be allowed to "securely" store the Aadhaar number, while local agencies won't. The latter would be the ones that’d use the virtual IDs and a unique token for authentication.</p>
<p style="text-align: justify; ">The Aadhaar-issuing body has not clearly defined what would classify as a global agency. It has only said that it will "from time to time" evaluate authentication agencies "based on the laws governing them and categorise them" as global agencies. Any authentication agency that is not classified as global would be local.</p>
<h3 style="text-align: justify; ">Transition To New System</h3>
<p style="text-align: justify; ">UIDAI has told all agencies that use Aadhaar authentication to update their applications and processes for accepting virtual IDs instead of the Aadhaar number and allow authentication using the UID token. This has to be done by June 1.</p>
<p style="text-align: justify; ">If an agency fails to migrate to the new system by then, their authentication services "may be discontinued" and a penalty may be imposed, UIDAI said.</p>
<p style="text-align: justify; ">UIDAI will release the updated tools and protocols required for building the authentication software by March 1. All authentication agencies would also receive technical documents, workshops and training sessions to ensure smooth implementation.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/bloomberg-quint-january-11-2018-india-to-introduce-virtual-id-for-aadhaar-to-strengthen-privacy'>https://cis-india.org/internet-governance/news/bloomberg-quint-january-11-2018-india-to-introduce-virtual-id-for-aadhaar-to-strengthen-privacy</a>
</p>
No publisher | Admin | Aadhaar, Internet Governance, Privacy | 2018-01-17T00:11:13Z | News Item
Virtual Aadhaar ID: too little, too late?
https://cis-india.org/internet-governance/news/hindu-yuthika-bhargava-january-11-2018-virtual-aadhaar-id-too-little-too-late
<b>Problems persist as many have already shared their 12-digit number with various entities, say experts</b>
<p style="text-align: justify; ">The article by Yuthika Bhargava was <a class="external-link" href="http://www.thehindu.com/news/national/virtual-aadhaar-id-too-little-too-late/article22423218.ece">published in the Hindu</a> on January 11, 2018.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The move to introduce an “untested” virtual ID to address security concerns over Aadhaar database is a step in the right direction, but may be a case of too little, too late, according to experts, as many of the 119 crore Aadhaar holders have already shared their 12-digit numbers with various entities.</p>
<p style="text-align: justify; ">“What about all the databases that are already linked up with our Aadhaar number? Virtual ID will therefore not attack the root of the problem. At best, it is band-aid,” said Reetika Khera, faculty, Indian Institute of Technology-Delhi.</p>
<p style="text-align: justify; ">“Can we realistically expect rural folks to use this to protect themselves? Or are we pushing the barely literate into the hands of middlemen who will ‘help’ them navigate it?” she questioned.</p>
<p style="text-align: justify; ">The Unique Identification Authority of India (UIDAI) on Wednesday introduced the concept of a virtual ID that can be used in lieu of the Aadhaar number at the time of authentication, thus eliminating the need to share and store Aadhaar numbers. It can be generated only by the Aadhaar number-holder via the UIDAI website, Aadhaar enrolment centre, or its mobile application.</p>
<p style="text-align: justify; ">Experts pointed out that the virtual ID is voluntary and the Aadhaar number will still need to be used at some places.</p>
<p style="text-align: justify; ">“Unless all entities are required to use virtual IDs or UID tokens, and are barred from storing Aadhaar numbers, the new measures won’t really help,” said Pranesh Prakash, Policy Director, Centre for Internet and Society, Bengaluru.</p>
<p style="text-align: justify; ">Kiran Jonnalagadda, co-founder of the Internet Freedom Foundation, agreed. “The idea is good but it should have been done in 2010, as now all the data is already out. Now, what can be done is revoke everybody’s Aadhaar and give new IDs.”</p>
<p style="text-align: justify; ">Mr. Jonnalagadda added that Authentication User Agencies (AUAs) categorised as ‘global AUAs’ by the UIDAI will be exempted from using the virtual IDs. “These are likely to be entities which require de-duplication for subsidy transfer, such as banks and government agencies. All the leaks have happened till now from these entities. So, basically, the move will exempt the parties that are the problem,” he said.</p>
<p style="text-align: justify; ">Vipin Nair, one of the advocates representing the petitioners who have challenged the Aadhaar Act in the Supreme Court, said, “It is potentially a case of unmitigated chaos purely from an Information Technology perspective.”</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/hindu-yuthika-bhargava-january-11-2018-virtual-aadhaar-id-too-little-too-late'>https://cis-india.org/internet-governance/news/hindu-yuthika-bhargava-january-11-2018-virtual-aadhaar-id-too-little-too-late</a>
</p>
No publisher | Admin | Aadhaar, Internet Governance, Privacy | 2018-01-16T23:59:21Z | News Item