Centre for Internet and Society

Aadhaar marks a fundamental shift in citizen-state relations: From ‘We the People’ to ‘We the Government’

pranesh — 2017-04-04T16:10:06Z

Your fingerprints, iris scans, details of where you shop. Compulsory Aadhaar means all this data is out there. And it’s still not clear who can view or use it.

The article was published in the Hindustan Times on April 3, 2017.

Until recently, people were allowed to opt out of Aadhaar and withdraw consent to have their data stored. This is no longer going to be an option.
(Siddhant Jumde / HT Illustration)

Imagine you’re walking down the street and you point the camera on your phone at a crowd of people in front of you. An app superimposes on each person’s face a partially-redacted name, date of birth, address, whether she’s undergone police verification, and, of course, an obscured Aadhaar number.

OnGrid, a company that bills itself as a “trust platform” and offers “to deliver verifications and background checks”, used that very imagery in an advertisement last month. Its website notes that “As per Government regulations, it is mandatory to take consent of the individual while using OnGrid”, but that is a legal requirement, not a technical one.

Since every instance of use of Aadhaar for authentication or for financial transactions leaves behind logs in the Unique Identification Authority of India’s (UIDAI) databases, the government can potentially have very detailed information about everything from the your medical purchases to your use of video-chatting software. The space for digital identities as divorced from legal identities gets removed. Clearly, Aadhaar has immense potential for profiling and surveillance. Our only defence: law that is weak at best and non-existent at worst.

The Aadhaar Act and Rules don’t limit the information that can be gathered from you by the enrolling agency; it doesn’t limit how Aadhaar can be used by third parties (a process called ‘seeding’) if they haven’t gathered their data from UIDAI; it doesn’t require your consent before third parties use your Aadhaar number to collate records about you (eg, a drug manufacturer buying data from various pharmacies, and creating profiles using Aadhaar).

It even allows your biometrics to be shared if it is “in the interest of national security”. The law offers provisions for UIDAI to file cases (eg, for multiple enrollments), but it doesn’t allow citizens to file a case against private parties or the government for misuse of Aadhaar or identity fraud, or data breach.

It is also clear that the government opposes any privacy-related improvements to the law. After debating the Aadhaar Bill in March 2016, the Rajya Sabha passed an amendment by MP Jairam Ramesh that allowed people to opt out of Aadhaar, and withdraw their consent to UIDAI storing their data, if they had other means of proving their identity (thus allowing Aadhaar to remain an enabler).

But that amendment, as with all amendments passed in the Rajya Sabha, was rejected by the Lok Sabha, allowing the government to make Aadhaar mandatory, and depriving citizens of consent. While the Aadhaar Act requires a person’s consent before collecting or using Aadhaar-provided details, it doesn’t allow for the revocation of that consent.

In other countries, data security laws require that a person be notified if her data has been breached. In response to an RTI application asking whether UIDAI systems had ever been breached, the Authority responded that the information could not be disclosed for reasons of “national security”.

The citizen must be transparent to the state, while the state will become more opaque to the citizen.

How Did Aadhaar Change?

How did Aadhaar become the behemoth it is today, with it being mandatory for hundreds of government programmes, and even software like Skype enabling support for it?

The first detailed look one had at the UID project was through an internal UIDAI document marked ‘Confidential’ that was leaked through WikiLeaks in November 2009. That 41-page dossier is markedly different from the 170-page ‘Technology and Architecture’ document that UIDAI has on its website now, but also similar in some ways.

In neither of those is the need for Aadhaar properly established. Only in November 2012 — after scholars like Reetika Khera pointed out UIDAI’s fundamental misunderstanding of leakages in the welfare delivery system — was the first cost-benefit analysis commissioned, by when UIDAI had already spent ₹28 billion. That same month, Justice KS Puttaswamy, a retired High Court judge, filed a PIL in the Supreme Court challenging Aadhaar’s constitutionality, wherein the government has argued privacy isn’t a fundamental right.

Every time you use Aadhaar, you leave behind logs in the UIDAI databases. This means that the government can potentially have very detailed information about everything from the your medical purchases to your use of video-chatting software.

Even today, whether the ‘deduplication’ process — using biometrics to ensure the same person can’t register twice — works properly is a mystery, since UIDAI hasn’t published data on this since 2012. Instead of welcoming researchers to try to find flaws in the system, UIDAI recently filed an FIR against a journalist doing so.

At least in 2009, UIDAI stated it sought to prevent anyone from “[e]ngaging in or facilitating profiling of any nature for anyone or providing information for profiling of any nature for anyone”, whereas the 2014 document doesn’t. As OnGrid’s services show, the very profiling that the UIDAI said it would prohibit is now seen as a feature that all, including private companies, may exploit.

UID has changed in other ways too. In 2009, it was as a system that never sent out any information other than ‘Yes’ or ‘No’, which it did in response to queries like ‘Is Pranesh Prakash the name attached to this UID number’ or ‘Is April 1, 1990 his date of birth’, or ‘Does this fingerprint match this UID number’.

With the addition of e-KYC (wherein UIDAI provides your demographic details to the requester) and Aadhaar-enabled payments to the plan in 2012, the fundamentals of Aadhaar changed. This has made Aadhaar less secure.

Security Concerns

With Aadhaar Pay, due to be launched on April 14, a merchant will ask you to enter your Aadhaar number into her device, and then for your biometrics — typically a fingerprint, which will serve as your ‘password’, resulting in money transfer from your Aadhaar-linked bank account.

Basic information security theory requires that even if the identifier (username, Aadhaar number etc) is publicly known — millions of people names and Aadhaar numbers have been published on dozens of government portals — the password must be secret. That’s how most logins works, that’s how debit and credit cards work. How are you or UIDAI going to keep your biometrics secret?

In 2015, researchers in Carnegie Mellon captured the iris scans of a driver using car’s side-view mirror from distances of up to 40 feet. In 2013, German hackers fooled Apple iOS’s fingerprint sensors by replicating a fingerprint from a photo taken off a glass held by an individual. They even replicated the German Defence Minister’s fingerprints from photographs she herself had put online. Your biometrics can’t be kept secret.

Typically, even if your username (in this case, Aadhaar number) is publicly known, your password must be secret. That’s how most logins works, that’s how debit and credit cards work. How are you or UIDAI going to keep your biometrics secret?

In the US, in a security breach of 21.5 million government employees’ personnel records in 2015, 5.2 million employees’ fingerprints were copied. If that breach had happened in India, those fingerprints could be used in conjunction with Aadhaar numbers not only for large-scale identity fraud, but also to steal money from people’s bank accounts.

All ‘passwords’ should be replaceable. If your credit card gets stolen, you can block it and get a new card. If your Aadhaar number and fingerprint are leaked, you can’t change it, you can’t block it.

The answer for Aadhaar too is to choose not to use biometrics alone for authentication and authorisation, and to remove the centralised biometrics database. And this requires a fundamental overhaul of the UID project.

Aadhaar marks a fundamental shift in citizen-state relations: from ‘We the People’ to ‘We the Government’. If the rampant misuse of electronic surveillance powers and wilful ignorance of the law by the state is any precedent, the future looks bleak. The only way to protect against us devolving into a total surveillance state is to improve rule of law, to strengthen our democratic institutions, and to fundamentally alter Aadhaar. Sadly, the political currents are not only not favourable, but dragging us in the opposite direction.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-pranesh-prakash-april-3-2017-aadhaar-marks-a-fundamental-shift-in-citizen-state-relations

It’s the technology, stupid

sunil — 2017-04-07T12:53:21Z

Eleven reasons why the Aadhaar is not just non-smart but also insecure.

The article was published in Hindu Businessline on March 31, 2017.

Aadhaar is insecure because it is based on biometrics. Biometrics is surveillance technology, a necessity for any State. However, surveillance is much like salt in cooking: essential in tiny quantities, but counterproductive even if slightly in excess. Biometrics should be used for targeted surveillance, but this technology should not be used in e-governance for the following reasons:

One, biometrics is becoming a remote technology. High-resolution cameras allow malicious actors to steal fingerprints and iris images from unsuspecting people. In a couple of years, governments will be able to identify citizens more accurately in a crowd with iris recognition than the current generation of facial recognition technology.

Two, biometrics is covert technology. Thanks to sophisticated remote sensors, biometrics can be harvested without the knowledge of the citizen. This increases effectiveness from a surveillance perspective, but diminishes it from an e-governance perspective.

Three, biometrics is non-consensual technology. There is a big difference between the State identifying citizens and citizens identifying themselves to the state. With biometrics, the State can identify citizens without seeking their consent. With a smart card, the citizen has to allow the State to identify them. Once you discard your smart card the State cannot easily identify you, but you cannot discard your biometrics.

Four, biometrics is very similar to symmetric cryptography. Modern cryptography is asymmetric. Where there is both a public and a private key, the user always has the private key, which is never in transit and, therefore, intermediaries cannot intercept it. Biometrics, on the other hand, needs to be secured during transit. The UIDAI’s (Unique Identification Authority of India overseeing the rollout of Aadhaar) current fix for its erroneous choice of technology is the use of “registered devices”; but, unfortunately, the encryption is only at the software layer and cannot prevent hardware interception.

Five, biometrics requires a centralised network; in contrast, cryptography for smart cards does not require a centralised store for all private keys. All centralised stores are honey pots — targeted by criminals, foreign States and terrorists.

Six, biometrics is irrevocable. Once compromised, it cannot be secured again. Smart cards are based on asymmetric cryptography, which even the UIDAI uses to secure its servers from attacks. If cryptography is good for the State, then surely it is good for the citizen too.

Seven, biometrics is based on probability. Cryptography in smart cards, on the other hand, allows for exact matching. Every biometric device comes with ratios for false positives and false negatives. These ratios are determined in near-perfect lab conditions. Going by press reports and even UIDAI’s claims, the field reality is unsurprisingly different from the lab. Imagine going to an ATM and not being sure if your debit card will match your bank’s records.

Eight, biometric technology is proprietary and opaque. You cannot independently audit the proprietary technology used by the UIDAI for effectiveness and security. On the other hand, open smart card standards like SCOSTA (Smart Card Operating System for Transport Applications) are based on globally accepted cryptographic standards and allow researchers, scientists and mathematicians to independently confirm the claims of the government.

Nine, biometrics is cheap and easy to defeat. Any Indian citizen, even children, can make gummy fingers at home using Fevicol and wax. You can buy fingerprint lifting kits from a toystore. To clone a smart card, on the other hand, you need a skimmer, a printer and knowledge of cryptography.

Ten, biometrics undermines human dignity. In many media photographs — even on the @UIDAI’s Twitter stream — you can see the biometric device operator pressing the applicant’s fingers, especially in the case of underprivileged citizens, against the reader. Imagine service providers — say, a shopkeeper or a restaurant waiter — having to touch you every time you want to pay. Smart cards offer a more dignified user experience.

Eleven, biometrics enables the shirking of responsibility, while cryptography requires a chain of trust.

Each legitimate transaction has repudiable signatures of all parties responsible. With biometrics, the buck will be passed to an inscrutable black box every time things go wrong. The citizens or courts will have nobody to hold to account.

The precursor to Aadhaar was called MNIC (Multipurpose National Identification Card). Initiated by the NDA government headed by Atal Bihari Vajpayee, it was based on the open SCOSTA standard. This was the correct technological choice.

Unfortunately, the promoters of Aadhaar chose biometrics in their belief that newer, costlier and complex technology is superior to an older, cheaper and simpler alternative.

This erroneous technological choice is not a glitch or teething problem that can be dealt with legislative fixes such as an improved Aadhaar Act or an omnibus Privacy Act. It can only be fixed by destroying the centralised biometric database, like the UK did, and shifting to smart cards.

In other words, you cannot fix using the law what you have broken using technology.

For more details visit https://cis-india.org/internet-governance/blog/the-hindu-businessline-march-31-2017-sunil-abraham-its-the-technology-stupid

Press Release, March 11, 2016: The Law cannot Fix what Technology has Broken!

Japreet Grewal and Sunil Abraham — 2016-03-16T10:10:40Z

We published and circulated the following press release on March 11, 2016, as the Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. This Bill was proposed by finance minister, Mr. Arun Jaitley to give legislative backing to Aadhaar, being implemented by the Unique Identification Authority of India (UIDAI).

The Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 today. This Bill was proposed by finance minister, Mr. Arun Jaitley to give legislative backing to Aadhaar, being implemented by the Unique Identification Authority of India (UIDAI).

The Bill was introduced as a money bill and there was no public consultation to evaluate the provisions therein even though there are very serious ramifications for the Right to Privacy and the Right to Association and Assembly. The Bill has made it compulsory for an individual to enrol under Aadhaar in order to receive any subsidy, benefit or service from the Government. Biometric information that is required for the purpose of enrolment has been deemed "sensitive personal information" and restrictions have been imposed on use, disclosure and sharing of such information for purposes other than authentication, disclosure made pursuant to a court order or in the interest of national security. Here, the Bill has acknowledged the standards of protection of sensitive personal information established under Section 43A of the Information Technology Act, 2000. The Bill has also laid down several penal provisions for acts that include impersonation at the time of enrolment, unauthorised access to the Central Identities Data Repository, unauthorised use by requesting entity, noncompliance with intimation requirements, etc.

Key Issues

1. Identification without Consent

Before the Aadhaar project it was not possible for the Indian government to identify citizens without their consent. But once the government has created a national centralized biometric database it will be possible for the government to identify any citizen without their consent. Hi-resolution photography and videography make it trivial for governments and also any other actor to harvest biometrics remotely. In other words, the technology makes consent irrelevant. A German ministers fingerprints were captured by hackers as she spoke using hand gesture at at conference. In a similar manner the government can now identify us both as individuals and also as groups without requiring our cooperation. This has direct implications for the right to privacy as we will be under constant government surveillance in the future as CCTV camera resolutions improve and there will be chilling effects on the right to free speech and the freedom of association. The only way to fix this is to change the technology configuration and architecture of the project. The law cannot be used as band-aid on really badly designed technology.

2. Fallible Technology

The technology used for collection and authentication as been said to be fallible. It is understood that the technology has been feasible for a population of 200 million. The Biometrics Standards Committee of UIDAI has acknowledged the lack of data on how a biometric authentication technology will scale up where the population is about 1.2 billion. Further, a report by 4G Identity Solutions estimates that while in any population, approximately 5% of the people have unreadable fingerprints, in India it could lead to a failure to enroll up to 15% of the population.

We know that the Aadhaar number has been issued to dogs, trees (with the Aadhaar letter containing the photo of a tree). There have been slip-ups in the Aadhaar card enrolment process, some cards have ended up with pictures of an empty chair, a tree or a dog instead of the actual applicants. An RTI application has revealed that the Unique Identification Authority of India (UIDAI) has identified more than 25,000 duplicate Aadhaar numbers in the country till August 2015.

At the stage of authentication, the accuracy of biometric identification depends on the chance of a false positiveâ€” the probability that the identifiers of two persons will match. For the current population of 1.2 billion the expected proportion of duplicates is 1/121, a ratio which is far too high. In a recent paper in EPW by Hans Mathews, a mathematician with CIS, shows that as per UIDAI's own statistics on failure rates, the programme would badly fail to uniquely identify individuals in India. [1]

Endnote

[1] See: http://cis-india.org/internet-governance/blog/epw-27-february-2016-hans-varghese-mathews-flaws-in-uidai-process

For more details visit https://cis-india.org/internet-governance/blog/press-release-aadhaar-11032016-the-law-cannot-fix-what-technology-has-broken

List of Recommendations on the Aadhaar Bill, 2016 - Letter Submitted to the Members of Parliament

Amber Sinha, Sumandro Chattapadhyay, Sunil Abraham, and Vanya Rakesh — 2016-03-21T08:50:09Z

On Friday, March 11, the Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. The Bill was introduced as a money bill and there was no public consultation to evaluate the provisions therein even though there are very serious ramifications for the Right to Privacy and the Right to Association and Assembly. Based on these concerns, and numerous others, we submitted an initial list of recommendations to the Members of Parliaments to highlight the aspects of the Bill that require immediate attention.

Download the submission letter: PDF.

Text of the Submission

On Friday, March 11, the Lok Sabha passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. The Bill was introduced as a money bill and there was no public consultation to evaluate the provisions therein even though there are very serious ramifications for the Right to Privacy and the Right to Association and Assembly. The Bill has made it compulsory for all Indian to enroll for Aadhaar in order to receive any subsidy, benefit, or service from the Government whose expenditure is incurred from the Consolidate Fund of India. Apart from the issue of centralisation of the national biometric database leading to a deep national vulnerability, the Bill also keeps unaddressed two serious concerns regarding the technological framework concerned:

Identification without Consent: Before the Aadhaar project it was not possible for the Indian government or any private entity to identify citizens (and all residents) without their consent. But biometrics allow for non-consensual and covert identification and authentication. The only way to fix this is to change the technology configuration and architecture of the project. The law cannot be used to correct the problems in the technological design of the project.
Fallible Technology: The Biometrics Standards Committee of UIDAI has acknowledged the lack of data on how a biometric authentication technology will scale up where the population is about 1.2 billion. The technology has been tested and found feasible only for a population of 200 million. Further, a report by 4G Identity Solutions estimates that while in any population, approximately 5% of the people have unreadable fingerprints, in India it could lead to a failure to enroll up to 15% of the population. For the current Indian population of 1.2 billion the expected proportion of duplicates is 1/121, a ratio which is far too high. [1]

Based on these concerns, and numerous others, we sincerely request you to ensure that the Bill is rigorously discussed in Rajya Sabha, in public, and, if needed, also by a Parliamentary Standing Committee, before considering its approval and implementation. Towards this, we humbly submit an initial list of recommendations to highlight the aspects of the Bill that require immediate attention:

Implement the Recommendations of the Shah and Sinha Committees: The report by the Group of Experts on Privacy chaired by the Former Chief Justice A P Shah [2] and the report by the Parliamentary Standing Committee on Finance (2011-2012) chaired by Shri Yashwant Sinha [3] have suggested a rigorous and extensive range of recommendations on the Aadhaar / UIDAI / NIAI project and the National Identification Authority of India Bill, 2010 from which the majority sections of the Aadhaar Bill, 2016, are drawn. We request that these recommendations are seriously considered and incorporated into the Aadhaar Bill, 2016.
Authentication using the Aadhaar number for receiving government subsidies, benefits, and services cannot be made mandatory: Section 7 of the Aadhaar Bill, 2016, states that authentication of the person using her/his Aadhaar number can be made mandatory for the purpose of disbursement of government subsidies, benefits, and services; and in case the person does not have an Aadhaar number, s/he will have to apply for Aadhaar enrolment. This sharply contradicts the claims made by UIDAI earlier that the Aadhaar number is “optional, and not mandatory”, and more importantly the directive given by the Supreme Court (via order dated August 11, 2015). The Bill must explicitly state that the Aadhaar number is only optional, and not mandatory, and a person without an Aadhaar number cannot be denied any democratic rights, and public subsidies, benefits, and services, and any private services.
Vulnerabilities in the Enrolment Process: The Bill does not address already documented issues in the enrolment process. In the absence of an exhaustive list of information to be collected, some Registrars are permitted to collect extra and unnecessary information. Also, storage of data for elongated periods with Enrollment agencies creates security risks. These vulnerabilities need to be prevented through specific provisions. It should also be mandated for all entities including the Enrolment Agencies, Registrars, CIDR and the requesting entities to shift to secure system like PKI based cryptography to ensure secure method of data transfer.
Precisely Define and Provide Legal Framework for Collection and Sharing of Biometric Data of Citizens: The Bill defines “biometric information” is defined to include within its scope “photograph, fingerprint, iris scan, or other such biological attributes of an individual.” This definition gives broad and sweeping discretionary power to the UIDAI / Central Government to increase the scope of the term. The definition should be exhaustive in its scope so that a legislative act is required to modify it in any way.
Prohibit Central Storage of Biometrics Data: The presence of central storage of sensitive personal information of all residents in one place creates a grave security risk. Even with the most enhanced security measures in place, the quantum of damage in case of a breach is extremely high. Therefore, storage of biometrics must be allowed only on the smart cards that are issued to the residents.
Chain of Trust Model and Audit Trail: As one of the objects of the legislation is to provide targeted services to beneficiaries and reduce corruption, there should be more accountability measures in place. A chain of trust model must be incorporated in the process of enrolment where individuals and organisations vouch for individuals so that when a ghost is introduced someone has can be held accountable blame is not placed simply on the technology. This is especially important in light of the questions already raised about the deduplication technology. Further, there should be a transparent audit trail made available that allows public access to use of Aadhaar for combating corruption in the supply chain.
Rights of Residents: There should be specific provisions dealing with cases where an individual is not issued an Aadhaar number or denied access to benefits due to any other factor. Additionally, the Bill should make provisions for residents to access and correct information collected from them, to be notified of data breaches and legal access to information by the Government or its agencies, as matter of right. Further, along with the obligations in Section 8, it should also be mandatory for all requesting entities to notify the individuals of any changes in privacy policy, and providing a mechanism to opt-out.
Establish Appropriate Oversight Mechanisms: Section 33 currently specifies a procedure for oversight by a committee, however, there are no substantive provisions laid down that shall act as the guiding principles for such oversight mechanisms. The provision should include data minimisation, and “necessity and proportionality” principles as guiding principles for any exceptions to Section 29.
Establish Grievance Redressal and Review Mechanisms: Currently, there are no grievance redressal mechanism created under the Bill. The power to set up such a mechanism is delegated to the UIDAI under Section 23 (2) (s) of the Bill. However, making the entity administering a project, also responsible for providing for the frameworks to address the grievances arising from the project, severely compromises the independence of the grievance redressal body. An independent national grievance redressal body with state and district level bodies under it, should be set up. Further, the NIAI Bill, 2010, provided for establishing an Identity Review Committee to monitor the usage pattern of Aadhaar numbers. This has been removed in the Aadhaar Bill 2016, and must be restored.

Endnotes

[1] See: http://cis-india.org/internet-governance/blog/Flaws_in_the_UIDAI_Process_0.pdf.

[2] See: http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf.

[3] See: http://164.100.47.134/lsscommittee/Finance/15_Finance_42.pdf.

For more details visit https://cis-india.org/internet-governance/blog/list-of-recommendations-on-the-aadhaar-bill-2016

Vulnerabilities in the UIDAI Implementation Not Addressed by the Aadhaar Bill, 2016

Pooja Saxena and Amber Sinha — 2016-03-21T08:33:53Z

In this infographic, we document the various issues in the Aadhaar enrolment process implemented by the UIDAI, and highlight the vulnerabilities that the Aadhaar Bill, 2016 does not address. The infographic is based on Vidushi Marda’s article 'Data Flow in the Unique Identification Scheme of India,' and is designed by Pooja Saxena, with inputs from Amber Sinha.

Download the infographic: PDF and PNG.

Credits: The illustration uses the following icons from The Noun Project - Thumpbrint created by Daouna Jeong, Duplicate created by Pham Thi Dieu Linh, Copy created by Mahdi Ehsaei.

License: It is shared under Creative Commons Attribution 4.0 International License.

For more details visit https://cis-india.org/internet-governance/blog/vulnerabilities-in-the-uidai-implementation-not-addressed-by-the-aadhaar-bill-2016

Workshop on Big Data in India: Benefits, Harms, and Human Rights (Delhi, October 01)

vanya — 2016-09-28T05:53:55Z

CIS welcomes you to participate in the workshop we are organising on Saturday, October 01 at India Habitat Centre, Delhi, to discuss benefits, harms, and human rights implications of big data technologies, and explore potential research questions. A quick RSVP will be much appreciated.

Workshop invitation: Download (PDF)

Workshop agenda: Download (PDF)

In the last few years, there has been an emergence of the discourse of big data viewing it as an instrument not just for ensuring efficient, targeted and personalised services in the private sector, but also for development, social and policy research, and formalising and monetising various sections of the economy. This possibility is premised upon the idea that there is great knowledge that resides in both traditional and new forms of data made possible by our digital selves, and that we may now have the capability to tap into that knowledge for insights across diverse sectors like healthcare, finance, e-governance, education, law enforcement and disaster management, to name but a few. Alongside, various commentators have also pointed to the new problems and risks that big data could create for privacy of individuals through greater profiling, for free speech and economic choice by strengthening monopolistic tendencies, and for socio-economic inequalities by making existing disparities more acute and facilitating algorithmic bias and exclusion.

From a regulatory perspective, big data technologies pose fundamental challenges to the national data regulatory frameworks that have existed since many years. The nature of collection and utilisation of big data, which is often not driven by immediate purpose of the collected data, conflict with the principles of data minimisation and collection limitation that have been integral to data protection laws globally. This compels us to revisit existing theories of data governance. Additionally, use of big data in public decision-making highlights the question of how algorithmic control and governance must be regulated. This raises concerns around taking determining a balanced position that recognises the importance of big data, including for development actions, and ensures unhindered innovation with simultaneous focus on greater transparency and anonymisation to protect individual privacy, and various big data risks faced by population groups. In order to answer these questions, we need to begin with identifying the different harms and benefits of big data that could arise through its use across sectors and disciplines, especially in the context of human rights.

This workshop is designed around an extensive study of current and potential future uses of big data for governance in India that CIS has undertaken over the last year. The study focused on key central government projects and initiatives like the UID project, the Digital India programme, the Smart Cities Challenge, etc.

We will initiate the workshop with a detailed presentation of our findings and key concerns, which will then shape the discussion agenda of the workshop. We look forward to discuss aspects of big data technologies through the entry points of harms, opportunities, and human rights.

The final session of the workshop will focus on identifying key research questions on the topic, and exploring potential alliances of scholars and organisations that can drive such research activities.

We look forward to making this a forum for knowledge exchange for our friends and colleagues attending the discussion and discuss the opportunity to for potential collaboration.

RSVP: Please send an email to Ajoy Kumar at <ajoy@cis-india.org>.

Organisers: Amber Sinha <amber@cis-india.org> and Sumandro Chattapadhyay <sumandro@cis-india.org>.

For more details visit https://cis-india.org/internet-governance/events/big-data-in-india-benefits-harms-and-human-rights-oct-01-2016

India’s National ID Program May Be Turning The Country Into A Surveillance State

praskrishna — 2017-04-07T12:49:30Z

For seven years, India’s government has been scanning the irises and fingerprints of its citizens into a massive database. The once voluntary program was intended to fix the country’s corrupt welfare schemes, but critics worry about its Orwellian overtones.

The blog post by Pranav Dixit was published by BuzzFeedNews on April 4, 2017. Sunil Abraham was quoted.

An abridged version of the blog post containing Sunil Abraham's quotes are reproduced below:

“You can’t change your fingerprints”

Sunil Abraham, the CIS director, calls himself a “technological critic” of the Aadhaar platform. For years, he’s been warning of the security risks associated with a centralized repository of the demographic and biometric details of a billion or so people.

“Aadhaar is a sitting duck,” Abraham told BuzzFeed News. That’s not an unreasonable assessment considering that India’s track record for protecting people’s private data is far from stellar. Earlier this year, for example, a security researcher discovered a website that was leaking the Aadhaar demographic data of more than 500,000 minors. The website was subsequently shut down, but the incident raised questions about Aadhaar’s security protocols — particularly those around data shared with third parties.

Abraham’s concerns are not without global precedent. In 2012, Ecuadorian police jailed blogger Paul Moreno for breaking into the country’s online national identity database and registering himself as Ecuadorian President Rafael Correa. In April 2016, hackers posted a database containing names, national IDs, addresses, and birth dates of more than 50 million Turkish citizens, including Turkish President Recep Tayyip Erdogan; later that month, Mexico’s entire voter database — over 87 million national IDs, addresses, and more — was leaked onto Amazon’s cloud servers by as-yet-untraced sources; and in the Philippines, more than 55 million voters had their private information — including fingerprints — released on the Dark Web.

“When this database is hacked — and it will be — it will be because someone breaches the computer security that protects the computers actually using the data.”

“What is the price that we pay as a nation if our database of over a billion people — complete with all 10 fingerprints and iris scans — leaks?” Abraham asked. The consequences, he said, will be permanent. Unlike a password, which you can reset at any time, your biometrics, if compromised, are the ultimate privacy breach. “You can’t change your fingerprints.”

The UIDAI claims that the Aadhaar database is protected using the “highest available public key cryptography encryption (PKI-2048 and AES-256)” and would take “billions of years” to crack.

“Encryption like this doesn’t typically get broken, it gets circumvented,” security researcher Troy Hunt told BuzzFeed News. “For example, the web application that sits in front of it is compromised and data is retrieved after decryption.” Or alternatively, he said, the encryption key itself is compromised. “Naturally, governments will offer all sorts of assurances on these things, but the simple, immutable fact is that once large volumes are centralized like this, there is a heightened risk of security incidents and of the data consequently being lost or exposed,” he added.

Cryptographer and cybersecurity expert Bruce Schneier echoed Hunt’s assessment. “When this database is hacked — and it will be — it will be because someone breaches the computer security that protects the computers actually using the data,” he said. “They will go around the encryption.”

Nilekani — who did not respond to BuzzFeed News’ requests for comment — recently dismissed concerns around the project’s privacy implications as “hand-waving.” In an interview with the Economic Times, he repeatedly stressed how secure Aadhaar’s “advanced encryption technology” was. “I can categorically say that it’s the most secure system in India and among the most secure systems in the world,” he said.

Abraham is unconvinced by such assurances. He believes Aadhaar fundamentally changes the equation between a citizen and a state. “There’s a big difference between you identifying yourself to the government, and the government identifying who you are,” he said.

Aadhaar’s opponents say the program’s implementation has left India’s poorest people with no choice but to use it. “If you link people’s food subsidies, wages, bank accounts, and other crucial things to Aadhaar, you hit them where it hurts the most,” Ramanathan argued. “You leave them with no choice but to sign up.”

“Can you imagine if the United States passed a law that said that every person who wished to get food stamps would need their fingerprints registered in a government-owned database?” a journalist turned Aadhaar activist who did not wished to be named told BuzzFeed News. “Imagine what a scandal that would be.”

For Nilekani, such criticism is just overstatement and drama. “I think this so-called anti-Aadhaar lobby is really just a small bunch of liberal elites who are in some echo chamber,” he said during a recent interview with Indian business news channel ET Now. “The reality is that a billion people are using Aadhaar. A lot of the accusations are just delusional. Aadhaar is not a system for surveillance. [The critics] live in a bubble and are not connected to reality.”

Abraham laughed off Nilekani’s comments. “The Unique Identification Authority of India will become the monopoly provider of identification and authentication services in India,” he said. “That sounds like a centrally planned communist state to me. I don’t know which left liberal elites he’s talking about.”

For more details visit https://cis-india.org/internet-governance/news/buzzfeednews-pranav-dixit-april-4-2017-indias-national-id-program-may-be-turning-the-country-into-a-surveillance-state

Aadhaar: A widening net

praskrishna — 2017-04-22T05:06:23Z

As India makes Aadhaar compulsory for a range of services, concerns about potential data breaches remain more than six years after the govt started building the world’s largest biometric identification system.

The article by Komal Gupta, Apurva Vishwanath and Suranjana Roy was published in Livemint on April 21, 2017. Pranesh Prakash was quoted.

On 29 March, a storm broke out on social media after private data that former Indian cricket captain M.S. Dhoni had furnished to get enrolled in India’s unique identity system, known as Aadhaar, were leaked online.

The popular cricketer’s wife, Sakshi, flagged the matter on Twitter, tagging information technology (IT) minister Ravi Shankar Prasad. “Is there any privacy left? Information of Aadhaar card, including application, is made public property,” Sakshi fumed on the microblogging site.

The minister replied: “Sharing personal information is illegal. Serious action will be taken against this.”

It turned out to be the fault of an overenthusiastic common services centre in Dhoni’s home town of Ranchi licensed to enrol people in Aadhaar. The centre was promptly blacklisted. “We have ordered further inquiry on the matter and action will be taken against all those involved in the leak,” said Ajay Bhushan Pandey, chief executive officer of the Unique Identification Authority of India (UIDAI), which administers Aadhaar.

The matter blew over soon enough, but it served to illustrate the lingering concerns about potential data breaches and privacy violations surrounding Aadhaar, which has become the world’s largest biometric identification database with 1.13 billion people enrolled in it in the past six years.

The project, under which a 12-digit identification number is to be allotted to every Indian resident, was originally supposed to be a way of plugging leakages in the delivery of state benefits such as subsidized grains to the poor.

It has now become mandatory for everything ranging from opening a bank account and getting a driver’s licence or a mobile phone connection to filing of income tax returns. Even government school students entitled to a free mid-day meal need an Aadhaar number.

The use of Aadhaar has only expanded with the government going on an overdrive to promote cashless transactions and payment systems linked to the biometric ID system after banning old, high-value bank notes in November in a crackdown on unaccounted wealth hidden away from the taxman.

For instance, the Aadhaar-Enabled Payment System (AEPS) empowers a bank customer to use Aadhaar as her identity to access her Aadhaar-enabled bank account and perform basic banking transactions like cash deposit or withdrawal through a bank agent or business correspondent.

The customer can carry out transactions by scanning her fingerprint at any micro ATM or biometric point-of-sale (POS) terminal, and entering the Aadhaar number linked to the bank account. A merchant-led model of AEPS, called Aadhaar Pay, has also been launched.

Last week, Prime Minister Narendra Modi launched the BHIM-Aadhaar platform—a merchant interface linking the unique identification number to the Bharat Interface for Money (BHIM) mobile application. This will enable merchants to receive payments through fingerprint scans of customers.

“Any citizen without access to smartphones, Internet, debit or credit cards will be able to transact digitally through the BHIM-Aadhaar platform,” a government statement said.

Aadhaar’s growing importance in the economy has only served to deepen concerns about potential data breaches. And there are other concerns as well.

For instance, the Aadhaar biometric authentication failure rate in the rural job guarantee scheme, which assures 100 days of work a year to one member of every rural household, is as high as 36% in the southern state of Telangana, according to data released by the state government.

“Aadhaar is supposed to be an enabler and it will happen only when it is made voluntary. Biometric authentications might fail due to poor data connectivity and transactions might not happen even though the Aadhaar number of the person is there; so, what’s the benefit,” asked Pranesh Prakash, policy director of the Centre for Internet and Society, a Bengaluru-based think tank.

Aadhaar was the brainchild of the previous United Progressive Alliance (UPA) government, which lost power in the 2014 general election to the National Democratic Alliance (NDA). The first 10 Aadhaar numbers were handed over to residents of a small village called Tembhli in Maharashtra on 29 September 2010 in the presence of then prime minister Manmohan Singh, Congress party president Sonia Gandhi and Aadhaar’s chief architect Nandan Nilekani, a co-founder of software services giant Infosys Ltd.

After coming to power, the NDA systematically went about making Aadhaar the pivot of government welfare programmes. In March last year, Parliament passed the Aadhaar Bill to make the use of Aadhaar mandatory for availing of government subsidies despite resistance from opposition parties.

Last month, finance minister Arun Jaitley said the 12-digit number would eventually become a single, monolithic proof of identity for every Indian, replacing every other identity card.

To be sure, Aadhaar has helped the government better target beneficiaries of its welfare programmes, cutting out middlemen and corruption. For instance, the government claims to have saved about Rs50,000 crore in cooking gas subsidies by linking the Aadhaar number with bank accounts in which the subsidy is directly transferred.

Yet, Aadhaar has its critics, who have challenged the project on grounds including potential compromise of national security, violation of the right to privacy and exclusion of people from welfare programmes. The Supreme Court has cautioned the government that no citizen can be denied access to welfare programmes for lack of an Aadhaar number.

Before cricketer Dhoni’s data breach made the headlines, in February, UIDAI filed a complaint against Axis Bank Ltd, business correspondent Suvidhaa Infoserve and e-sign provider eMudhra, alleging they had attempted unauthorized authentication and impersonation by illegally storing Aadhaar biometrics. The breach was noticed after one individual performed 397 biometric transactions between 14 July 2016 and 19 February 2017. All three entities have been temporarily barred from offering Aadhaar-related services until UIDAI makes a final decision.

Pranesh Prakash of the Centre for Internet and Society said rules on the use of Aadhaar data are inadequate.

“UIDAI is allowed to share the information of a person from its database on its website, after taking proper consent of that person. However, there is no law which states what should be done if any other party does that with the same individual. Such rules must be in place,” Prakash said.

Four years after the Aadhaar project took off, a retired judge took the government to court. K. Puttaswamy, a former judge of the Karnataka high court, moved the Supreme Court in 2013, arguing that Aadhaar violated his fundamental right to privacy under the constitution. The case opened the gates for legal challenges to Aadhaar. Over the next few years till date, at least a dozen cases had questioned the legality of the project.

Ramon Magsaysay award winner Aruna Roy brought a case on behalf of manual workers whose faint finger prints, she said, often go undetected. Currently, only 44 million out of the 101 million beneficiaries of India’s rural job entitlement are paid through Aadhaar.

To be sure, India’s Constitution does not contain a black and white reference to a “fundamental right to privacy”, that the government cannot violate. The list of rights says “no person shall be deprived of his life or personal liberty except according to a procedure established by law”—often interpreted by courts as an all-encompassing right including right to live with dignity, right to speedy justice and even a right to clean air.

Nilekani, the man behind Aadhaar, has cautioned that privacy is a broader issue involving how people retain their privacy in day-to-day life. “Privacy is an all-encompassing issue because of the rapid rate of digitization the world is seeing. Your smartphone has sensors, GPS and is generating more and more information about everything; voice-activated devices could also be recording your conversations. There’s a profusion of CCTV cameras at malls, restaurants, ATMs recording your movements,” Nilekani said in a recent interview with The Economic Times.

But this is where a problem arises. Although there is concurrence on the need for a privacy law, there is a great reluctance on the part of the government to come out with one.

“We don’t have a comprehensive privacy law; all our databases are unlinked. The government is trying to link the databases using Aadhaar for all schemes but a separate privacy law must be there for protecting any piece of information, whether or not linked to Aadhaar,” said Rahul Matthan, a partner at law firm Trilegal and a Mint columnist.

Matthan said first a privacy law must be put in place and then there has to be a discussion on what all it must include.

The government on its part pointed out that India’s apex court itself has been indecisive on a right to privacy.

“The larger question on privacy needs to be settled by the court. Till then, one cannot comment on secondary concerns,” attorney general Mukul Rohatgi said in an interview.

In 2015, the Supreme Court decided that a bench of at least seven judges will rule on the privacy issue, while clarifying that the government cannot make Aadhaar a mandatory proof of identity for its welfare schemes. Twenty months after the judicial order, the larger bench is yet to be formed by the apex court. The passing of the Aadhaar Act in Parliament to provide statutory backing to Aadhaar also indicates a departure from the Indian government’s position of not taking a legislative stand while an issue is under the apex court’s consideration.

For example, one of the reasons the Indian government has shown restraint in repealing a colonial law that criminalizes homosexuality is because the apex court is seized of the issue.

In the absence of legislation and pending an authoritative ruling by the top court, whether 1.3 billion Indians are entitled to their privacy remains a grey area. Meanwhile, the government is seemingly in the final stretch of its Aadhaar enrolment drive.

For more details visit https://cis-india.org/internet-governance/news/livemint-april-21-2017-komal-gupta-apurva-vishwanath-suranjana-roy-aadhaar-a-widening-net

Is Your Aadhar Biometrics Safe? Firms Accused Of Storing Biometrics And Using Them Illegally

praskrishna — 2017-02-27T01:56:28Z

Fears of Aadhar biometric security have been compounded as the government is sprinting towards the next phase of ‘cashless India’ and digitization

Pranesh Prakash and Sunil Abraham have been quoted in this article published by Outlook on February 24, 2017.

The biggest fear regarding misuse of Aadhar biometrics and security loopholes are becoming real.

Three firms are being probed for attempting unauthorised authentication and impersonation by using stored Aadhaar biometrics, reported The Times of India.

The paper reported that the Unique Identification Authority of India (UIDAI) has lodged a criminal complaint with the cyber cell of Delhi Police, saying it is a clear violation of the law.

“The firms are Axis Bank, Suvidhaa Infoserve and eMudhra. They have been served a “notice for action“ under Aadhaar regulations”.

The firms have been accused of storing biometrics and using them illegally.

The fears of biometric security have been compounded as the government is sprinting towards the next phase of ‘cashless India’ and digitization. They are preparing to launch Aadhaar Pay, an initiative that will supersede the need to use credit cards, debit cards, smartphones and PINs to make payments or transfer money.

The proposed system of payments will use a person’s biometric data and fingerprints to make payments through Aadhaar-linked bank accounts.

Outlook’s Senior Associate Editor Arindam Mukherjee had in a clairvoyant article for the magazine raised the fears of biometrics being manipulated.

In the article, critics of Aadhaar and Aadhaar-based services raised the issue of privacy and security of biometric and personal data.

Pranesh Prakash, policy director with the Centre for Internet and Society (CIS), recently tweeted, “As long as Aadhar-Enabled Payment Services encourages biometric authorisation of transactions, it is bound to be a security nightmare, with widespread fraud.” Would you tell a shopkeeper your debit card’s PIN? No. Then why share your fingerprint? A fingerprint, in this system, becomes a kind of unchangeable Aadhaar Enabled Payment System PIN, he asks.

Pointing out a possible danger, Usha Ramanathan, an independent law researcher who has been following Aadhaar since its inception, says, “In many payments, biometric data is authenticated and then it remains in the system where there are leakages. Intermediaries then have access to the data, which is thus made insecure.”

According to the UIDAI, however, once biometric data is provided by the consumer while making Aadhaar-based payments, it gets encrypted and a merchant doesn’t get access to that data. The Aadhaar Act also prohibits any storing of biometric data in local devices.

And yet, there are many like CIS executive director Sunil Abraham who believe it is a mistake to use biometrics for authentication, especially when payments are concerned.

“Our concern with Aadhaar Pay is about the biometric component of the project,” says Abraham. “Biometrics is an identification technology. Unfortunately, it is being presented as an authentication technology. It is not a secure authentication technology as biometric data can be stolen easily. It is also irrevocable; once biometric data is stolen, it cannot be re-issued like a smart card.”

Then there is the problem of availability of fingerprints. In the case of many people from rural areas and the working class, fingerprints get affected due to the manual nature of their work. This makes it difficult for this target group of UIDAI to conduct transactions properly through Aadhaar Pay. “In Rajasthan, 30 per cent of the households are not even able to procure ration using fingerprints,” says Ramanathan.

For more details visit https://cis-india.org/internet-governance/news/outlook-february-24-2017-is-your-aadhar-biometrics-safe-firms-accused-of-storing-biometrics-and-using-them-illegally

Analysis of Key Provisions of the Aadhaar Act Regulations

amber — 2017-04-03T14:05:01Z

In exercise of their powers under of the powers conferred by Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016, (Aadhaar Act) the UIDAI has come out with a set of five regulations in late 2016 last year. In this policy brief, we look at the five regulations, their key provisions and highlight point out the unresolved, issues, unaddressed, and created issues as result of these regulations.

This blog post was edited by Elonnai Hickok

Introduction

At the outset it is important to note that a concerning feature of these regulations is that they intend to govern the processes of a body which has been in existence for over six years, and has engaged in all the activities sought to be governed by these policies at a massive scale, considering the claims of over one billion Aadhaar number holders. However, the regulation do not acknowledge, let alone address past processes, practices, enrollments, authentications, use of technology etc. this fact, and there are no provisions that effectively address the past operations of the UIDAI. Below is an analysis of the five regulations issued thus far by the UIDAI.

Unique Identification Authority of India (Transactions of Business at Meetings of the Authority) Regulations^{^[1]}

These regulations framed under clause (h) of sub-section (2) of section 54 read with sub-section (1) of section 19 of the Aadhaar Act, deal with the meetings of the UIDAI, the process following up to each meeting, and the manner in which all meetings are to be conducted.

Provision: Sub-Regulation 3.

Meetings of the Authority– (1) There shall be no less than three meetings of the Authority in a financial year on such dates and at such places as the Chairperson may direct and the interval between any two meetings shall not in any case, be longer than five months

Observations:

The number of times that UIDAI would meet in a year is far too less, taking in account the significance of the responsibilities of UIDAI as the sole body for policy making for all issues related to Aadhaar. In contrast, the Telecom Regulatory Authority of India is required to meet at least once a month. Other bodies such as SEBI and IRDAI are also required to meet at least four times^{^[2]} and six times^{^[3]} in a year respectively.

Provision: Sub-Regulation 8 (5)

Decisions taken at every meeting of the Authority shall be published on the website of Authority unless the Chairperson determines otherwise on grounds of ensuring confidentiality.

Observations:

The Chairperson has the power to determine withholding publication of the decisions of the meeting on the broad grounds of ‘confidentiality’. Given the fact that the decisions taken by UIDAI as a public body can have very real implications for the rights of residents, the ground of confidentiality is not sufficient to warrant withholding publication. It is curious that instead of referring to the clearly defined exceptions laid down in other similar provisions such as the exceptions in Section 8 of the Right to Information Act, 2005, the rules merely refer to vague and undefined criteria of ‘confidentiality’.

Provision: Sub-Regulation 14 (4)

Members of the Authority and invitees shall sign an initial Declaration at the first meeting of the Authority for maintaining the confidentiality of the business transacted at meetings of the Authority in Schedule II.

Observations:

The above provision, combined with the fact that there is no provision regarding publication of the minutes of the meetings of UIDAI raise serious questions about the transparency of its functioning.

Unique Identification Authority of India (Enrolment and Update) Regulations^{^[4]}

These regulations, framed under sub-section (1), and sub-clauses (a), (b), (d,) (e), (j), (k), (l), (n), (r), (s), and (v) of sub-section (2), of Section 54 of the Aadhaar Act deals with the enrolment process, the generation of an Aadhaar number, updation of information and governs the conduct of enrolment agencies and associated third parties.

Provisions:

Sub-Regulation 8 (2), (3) and (4)

The standard enrolment/update software shall have the security features as may be specified by the Authority for this purpose.

All equipment used in enrolment, such as computers, printers, biometric devices and other accessories shall be as per the specifications issued by the Authority for this purpose.

The biometric devices used for enrolment shall meet the specifications, and shall be certified as per the procedure, as may be specified by the Authority for this purpose.

Sub-Regulation 3 (2)

The standards for collecting the biometric information shall be as specified by the Authority for this purpose.

Sub-Regulation 4 (5)

The standards of the above demographic information shall be as may be specified by the Authority for this purpose.

Sub-Regulation 6 (2)

For residents who are unable to provide any biometric information contemplated by these regulations, the Authority shall provide for handling of such exceptions in the enrolment and update software, and such enrolment shall be carried out as per the procedure as may be specified by the Authority for this purpose.

Sub-Regulation 14 (2)

In case of rejection due to duplicate enrolment, resident may be informed about the enrolment against which his Aadhaar number has been generated in the manner as may be specified by the Authority.

Observations:

Though in February 2017, the UIDAI published technical specifications for registered devices^{^[5]}, the regulations leave unaddressed issues such as lack of appropriately defined security safeguards in the Aadhaar. There is a general trend of continued deferrals in the regulations by stating that matters would be specified later on important aspects such as rejection of applications, uploading of the enrolment packet to the CIDR, the procedure for enrolling residents with biometric exceptions, the procedure for informing residents about acceptance/rejection of enrolment application, specifying the convenience fee for updation of residents’ information, the procedure for authenticating individuals across services etc.c. There is a clear failure to exercise the mandate delegated to UIDAI, leaving key matters to determined at a future unspecified date. The delay and ambiguity around when regulations will be defined is all the more problematic in light of the fact that the project has been implemented since 2010 and the Aadhaar number is now mandatory for availing a number of services.

Further it is important to note that a number of policies put out by the UIDAI predate these regulations, on which the regulations are completely silent, thus neither endorsing previous policies nor suggesting that they may be revisited. Further, the regulations choose to not engage with the question of operation of the Aadhaar project, enrolment and storage of data etc prior to the notification of these regulations, or the policies which these regulations may regularise. For instance, the regulations do not specify any measures to deal with issues arising out of enrolment devices used prior to the development of the February 2017 specifications.

Provision: Sub-Regulation 32

The Authority shall set up a contact centre to act as a central point of contact for resolution of queries and grievances of residents, accessible to residents through toll free number(s) and/ or e-mail, as may be specified by the Authority for this purpose.

(2) The contact centre shall:

Provide a mechanism to log queries or grievances and provide residents with a unique reference number for further tracking till closure of the matter;
Provide regional language support to the extent possible;
Ensure safety of any information received from residents in relation to their identity information;
Comply with the procedures and processes as may be specified by the Authority for this purpose.

(3) Residents may also raise grievances by visiting the regional offices of the Authority or through any other officers or channels as may be specified by the Authority.

Observations:

While the setting up of a grievance redressal mechanism under the regulations is a welcome move, there is little clarity about the procedure to be followed, nor is a timeline for it specified. The chapter on grievance redressal is in fact one of the shortest chapters in the regulations. The only provision in this chapter deals with the setting up of a contact centre, a curious choice of term for what is supposed to be the primary quasi judicial grievance redressal body for the Aadhaar project. In line with the indifferent and insouciant terminology of ‘contact centre’, the chapter is restricted to the matters of the logging of queries and grievances by the contact centre, and does not address the matter of procedure or timelines, and even the substantive provisions about the nature of redress available. Furthermore, the obligation on the contact centre to protect information received is limited to ‘ensuring safety’ an ambiguous standard that does not speak to any other standards in Indian law.

Aadhaar (Authentication) Regulations, 2016^{^[6]}

These regulations, framed under sub-section (1), and sub-clauses (f) and (w) of sub-section (2) of Section 54 of the Aadhaar Act deals with the authentication framework for Aadhaar numbers, the governance of authentication agencies and the procedure for collection, storage of authentication data and records.

Provisions:

Sub-Regulation 5 (1)

At the time of authentication, a requesting entity shall inform the Aadhaar number holder of the following details:—

(a) the nature of information that will be shared by the Authority upon authentication;

(b) the uses to which the information received during authentication may be put; and

Sub-Regulation 6 (2)

A requesting entity shall obtain the consent referred to in sub-regulation (1) above in physical or preferably in electronic form and maintain logs or records of the consent obtained in the manner and form as may be specified by the Authority for this purpose.

Observations:

Sub-regulation 5 mentions that at the time of authentication, requesting entities shall inform the Aadhaar number holder of alternatives to submission of identity information for the purpose of authentication. Similarly, sub-regulation 6 mentions that requesting entity shall obtain the consent of the Aadhaar number holder for the authentication. However, in neither of the above circumstances do the regulations specify the clearly defined options that must be made available to the Aadhaar number holder in case they do not wish submit identity information, nor do the regulations specify the procedure to be followed in case the Aadhaar number holder does not provide consent.

Most significantly, this provision does little by way of allaying the fears raised by the language in Section 8 (4) of the Aadhaar Act which states that UIDAI “shall respond to an authentication query with a positive, negative or any other appropriate response sharing such identity information.” This section gives a very wide discretion to UIDAI to share personal identity information with third parties, and the regulations do not temper or qualify this power in any way.

Sub-Regulation 11 (1) and (4)

The Authority may enable an Aadhaar number holder to permanently lock his biometrics and temporarily unlock it when needed for biometric authentication.

The Authority may make provisions for Aadhaar number holders to remove such permanent locks at any point in a secure manner.

Observations:

A welcome provision in the regulation is that of biometric locking which allows Aadhaar number holders to permanently lock his biometrics and temporarily unlock it only when needed for biometric authentication. However, in the same breath, the regulation also provides for the UIDAI to make provisions to remove such locking without any specified grounds for doing so.

Provision: Sub-Regulation 18 (2), (3) and (4)

The logs of authentication transactions shall be maintained by the requesting entity for a period of 2 (two) years, during which period an Aadhaar number holder shall have the right to access such logs, in accordance with the procedure as may be specified.

Upon expiry of the period specified in sub-regulation (2), the logs shall be archived for a period of five years or the number of years as required by the laws or regulations governing the entity, whichever is later, and upon expiry of the said period, the logs shall be deleted except those records required to be retained by a court or required to be retained for any pending disputes.

The requesting entity shall not share the authentication logs with any person other than the concerned Aadhaar number holder upon his request or for grievance redressal and resolution of disputes or with the Authority for audit purposes. The authentication logs shall not be used for any purpose other than stated in this sub-regulation.

Observations:

While it is specified that the authentication logs collected by the requesting entities shall not be shared with any person other than the concerned Aadhaar number holder upon their request or for grievance redressal and resolution of disputes or with the Authority for audit purposes, and that the authentication logs may not be used for any other purpose, the maintenance of the logs for a period of seven years seems excessive. Similarly, the UIDAI is also supposed to store Authentication transaction data for over five years. This is in violation of the widely recognized data minimisation principles which seeks that data collectors and data processors delete personal data records when the purpose for which it has been collected if fulfilled. While retention of data for audit and dispute-resolution purpose is legitimate, the lack of specification of security standards and the overall lack of transparency and inadequate grievance redressal mechanism greatly exacerbate the risks associated with data retention.

Aadhaar (Sharing of Information) Regulations, 2016 and Aadhaar (Data security) Regulations, 2016^{^[7]}

Framed under the powers conferred by sub-section (1), and sub-clause (o) of sub-section (2), of Section 54 read with sub-clause (k) of sub-section (2) of Section 23, and sub-sections

(2) and (4) of Section 29, of the Aadhaar Act, the Sharing of Information regulations look at the restrictions on sharing of identity information collected by the UIDAI and requesting entities. The Data Security regulation, framed under powers conferred by clause (p) of subsection (2) of section 54 of the Aadhaar Act, looks at security obligations of all service providers engaged by the UIDAI.

Provision: Sub-Regulation 6 (1)

All agencies, consultants, advisors and other service providers engaged by the Authority, and ecosystem partners such as registrars, requesting entities, Authentication User Agencies and Authentication Service Agencies shall get their operations audited by an information systems auditor certified by a recognised body under the Information Technology Act, 2000 and furnish certified audit reports to the Authority, upon request or at time periods specified by the Authority.

Observations:

The regulation states that audits shall be conducted by an information systems auditor certified by a recognised body under the Information Technology Act, 2000. However, there is no such certifying body under the Information Technology Act. This suggests a lack of diligence in framing the rules, and will inevitably to lead to inordinate delays, or alternately, a lack of a clear procedure in the appointment of an auditor. Further, instead of prescribing a regular and proactive process of audits, the regulation only limits audits to when requested or as deemed appropriate by UIDAI. This is another, in line of many provisions, whose implication is power being concentrated in the hands of UIDAI, with little scope for accountability and transparency.

Conclusion

In conclusion, it must be stated that the regulations promulgated by the UIDAI leave a lot to be desired. Some of the most important issues raised against the Aadhaar Act, which were delegated to the UIDAI’s rule making powers have not been addressed at all. Some of the most important issues such as data security policies, right to access records of Aadhaar number holders, procedure to be followed by the grievance redressal bodies, uploading of the enrolment packet to the CIDR, procedure for enrolling residents with biometric exceptions, procedure for informing residents about acceptance/rejection of enrolment application have left unaddressed and ‘may be specified’ at a later data. These failures leave a gaping hole especially in light of the absence of a comprehensive data protection legislation in India, as well the speed and haste with the enrolment and seeding has been done by the UIDAI, and the number of services, both private and public, which are using or planning to use the Aadhaar number and the authentication process as a primary identifier for residents.

^{^[1]} Available at https://uidai.gov.in/legal-framework/acts/regulations.html

^{^[2]} https://www.irda.gov.in/ADMINCMS/cms/frmGeneral_Layout.aspx?page=PageNo62&flag=1

^{^[3]} http://www.sebi.gov.in/acts/boardregu.html

^{^[4]} Available at https://uidai.gov.in/legal-framework/acts/regulations.html

^{^[5]} Available at: https://uidai.gov.in/images/resource/aadhaar_registered_devices_2_0_09112016.pdf

^{^[6]} Available at https://uidai.gov.in/legal-framework/acts/regulations.html

^{^[7]} Available at https://uidai.gov.in/legal-framework/acts/regulations.html

For more details visit https://cis-india.org/internet-governance/blog/analysis-of-key-provisions-of-aadhaar-act-regulations

India’s Supreme Court hears challenge to biometric authentication system

praskrishna — 2017-05-20T06:44:02Z

Two lawsuits being heard this week before India’s Supreme Court question a requirement imposed by the government that individuals should quote a biometrics-based authentication number when filing their tax returns.

The post by John Riberio, IDG News Service was mirrored by IT World on May 3, 2017.

Civil rights groups have opposed the Aadhaar biometric system, which is based on centralized records of all ten fingerprints and iris scans, as their extensive use allegedly encroach on the privacy rights of Indians. “Aadhaar is surveillance technology masquerading as secure authentication technology,” said Sunil Abraham, executive director of Bangalore-based research organization, the Centre for Internet and Society.

The Indian government has in the meantime extended the use of Aadhaar, originally meant to identify beneficiaries of state schemes for the poor, to other areas such as filing of taxes, distribution of meals to school children and payment systems.

Hearings on the writ petitions, challenging the amendment to the Income Tax Act, are going on in Delhi before a Supreme Court bench consisting of Justices A.K. Sikri and Ashok Bhushan.

Tax payers are required to have the Aadhaar number in addition to their permanent account number (PAN), which they have previously used to file their tax returns. Their failure to produce the Aadhaar number would lead to invalidation of the PAN number, affecting people who are already required to quote this number for other transactions such as buying cars or opening bank accounts.

The stakes in this dispute are high. The petitioners have argued for Aadhaar being voluntary and question the manner in which the new amendment to the tax law has been introduced. The government has said both in court and in other public forums that it needs a reliable and mandatory biometric system to get around the issue of fake PAN numbers.

The lawyer for one of the plaintiffs, Shyam Divan, has argued for the individual’s absolute ownership of her body, citing Article 21 of the Indian Constitution, which protects a person from being “deprived of his life or personal liberty except according to procedure established by law.” The government has countered by saying that citizens do not have absolute rights over their bodies, citing the law against an individual committing suicide as an example.

The Supreme Court in another lawsuit looking into privacy issues and the constitutionality of the Aadhaar scheme had ruled in an interim order in 2015 that the biometric program had to be voluntary and could not be used to deprive the poor of benefits.

"The production of an Aadhaar card will not be condition for obtaining any benefits otherwise due to a citizen," the top court ruled.

The government holds that the Aadhaar Act, passed in Parliament last year, provides the legal backing for making the biometric identification compulsory.

The current lawsuits against Aadhaar have not been argued on grounds of privacy, reportedly because the court would not allow this line of argument, which is already being heard in the other case. The Supreme Court has made current petitioners “fight this battle with one arm tied behind their backs!,” wrote lawyer Gautam Bhatia in a blog post Wednesday.

For more details visit https://cis-india.org/internet-governance/news/idg-news-service-john-riberio-may-3-2017-indias-supreme-court-hears-challenge-to-biometric-authentication-system

Digital native: Look before you (digitally) leap

nishant — 2017-06-08T01:22:54Z

Creating a digital future is great, but there’s a serious need to secure the infrastructure first.

The article was published in the Indian Express on May 28, 2017.

Digital technologies of connectivity have one unrelenting promise — they offer us new ways of doing things, augmenting existing practices, amplifying capacities and affording new possibilities of information and data transactions that accelerate the ways in which we live. This idea of the internet as infrastructure is central to India’s transition into an information technologies future.

Nandan Nilekani, almost a decade ago, in his book, Imagining India, had clearly charted how the digital is the basis for shaping the future of our communities, societies and governance. As one of the architects of Aadhaar, Nilekani had argued that the country of the 21st century will have to be one that seriously invests in the digital infrastructure.

In 10 short years, we have reached a point where we no longer question the enormous investment we make in digital systems of governance and functioning, and we appreciate the economic and networked values of projects like #DigitalIndia and #MakeInIndia that shape our markets and cities into becoming the new cyber-hubs.

There is no denying that digital offers a new way of consolidating a country as polyphonic, multicultural, expansive and diverse as India. We also have to appreciate that, even if selectively, the digitisation of public records, government services, and state support is clearly producing an administrative momentum that is reforming various practices of corruption and incompetence in the massive state machinery. The role of the digital as infrastructure has been a boon for many developing countries.

This positioning, however, masks the fact that infrastructure needs its own support and care systems. Take roads, for example. Roads allow for connectivity, movement and mobility between different spaces. They are one of the most important of state and public infrastructures and for all our jokes about pot-holes and eroding spaces for pedestrians, roads remain the life-line of our everyday life. A complex mechanism of planning, regulation and maintenance needs to be put into place in order to make roads survive.

The amount of attention we pay to roads — the material quality, the land that it occupies, the lanes for different vehicles, the traffic lights and zebra crossings, blockages and streamlines, authorising specific use of roads and disallowing certain activities to happen there — is staggering. A public planner would tell you that before the road comes into being, the idea of the road has to be formulated. The road needs protection and planning and its own infrastructure of support and creation.

When it comes to the information superhighway of the digital web, this remains forgotten. We are so focused on the digital as infrastructure that we seem to pay no attention to its infrastructure. Thus, when we proposed, deployed and now enforced a project like Aadhaar, the focus remained on its unfolding and its operations. Aadhaar as an aspiration of governance has its values and has the capacity to become a system that augments statecraft.

However, the infrastructure that is needed to make Aadhaar possible — rules and regulations around privacy, bills and acts about data sharing and ownership, contexts of informed consent and engagement, community awareness and data security protocol — have been missing from the debates. For years now, activists have been advising and warning the state that building this digital infrastructure without building the contexts within which they make sense is not just irresponsible, but downright dangerous.

Different governments have turned a deaf ear to these protests. Now, when the Aadhaar portals are found disclosing massive volumes of public data, making people vulnerable to data and identity theft and fraud, we are realising the massive projects we have started without thinking about the context of security.

With the ongoing controversies around #AadhaarLeaks, the question is not whether the disclosure of this information was a leak, a breach or an ignorant exposure of sensitive information. The response to it cannot be just about fixing the infrastructure and building more robust systems. The question that we need to confront is how do we stop thinking of the internet as infrastructure and start focusing on the infrastructure that needs to be set into place so that these digital systems promise safety, security, and protection for the lives they intersect with.

For more details visit https://cis-india.org/raw/indian-express-nishant-shah-may-28-2017-digital-native-look-before-you-digitally-leap

Are biometrics hack-proof?

praskrishna — 2017-06-12T01:39:14Z

There are growing concerns over biometric security in India. We ask the experts if biometrics can really be hacked.

The article by Shaikh Zoaib Saleem was published by Livemint on June 11, 2017. Pranesh Prakash was quoted.

There are growing concerns over biometric security. A compromised password can be changed but not a stolen biometric. We ask experts about biometrics security in India.

Pranesh Prakash, policy director, The Centre for Internet & Society

Biometric devices are not hack-proof. It depends on the ease with which this can be done. In Malaysia, thieves who stole a car with a fingerprint-based ignition system simply chopped off the owner's finger. When a biometric attendance system was introduced at the Institute of Chemical Technology (ICT) in Mumbai, students continued giving proxies by using moulds made from Fevicol.

Earlier this year, researchers at NYU and Michigan State University revealed that they were able to generate a "MasterPrint", which is a "partial fingerprint that can be used to impersonate a large number of users". While there are potential safeguards, they require re-capturing everyone's biometrics.

Even other technologies like iris scanner, gait recognition, face recognition, and others, are getting better, but all have problems. Our laws haven't evolved either, leaving many unanswered questions: who can demand your biometrics and under what circumstances? Can your biometrics be captured without your consent? Who is liable for failure? What remedies does one have?

This is an evolving area of technology studies, and every day new kinds of attacks are discovered. Further, they are probabilistic technologies unlike passwords. Given this, if you seek a reliable identity verification system, it doesn't make sense to deploy a system exclusively based on biometrics.

Umesh Panchal, vice-president, Biomatiques Identification Solutions

Biometric devices are instruments delivering added security check functions over traditional methods and these devices can be hack-proof, if the process of exploiting vulnerabilities to gain unauthorised access to systems or resources, is taken care of. With liveliness detection, iris biometric devices are far more hack-proof than fingerprint devices. Even Pentagon has been hacked. Theoretically, a biometric device can internally store or copy fingerprints or iris scans. Depending upon the use-case and ecosystem, a biometric device can internally store templates. However, the UID system (Unique Identification Authority of India) doesn’t permit storage of any biometric data in any biometric devices.

Several security measures can be incorporated to ensure strong transaction security and end-to-end traceability to prevent misuse. This can be achieved by implementing specification of authentication ecosystem. These include deploying signed application, host and operator authentication, usage of multi-factor authentication, SMS/email alerts, encryption of sensitive data, biometric locking, device identification with unique device identifier for analytics/fraud management, eliminating use of stored biometrics and so on.

For a consumer, the device security is determined by the certification it holds from the competent certification authority.

Bryce Boland, chief technology officer-Asia Pacific, FireEye

Biometrics take many forms. Most often people think biometrics are the actually measured biological feature, but they are actually measurements of a feature turned into a sequence of data that is compared against another set of data. You don’t actually need the physical feature, you need the measurements to generate the sequence of data to make a match. If you can inject that data into a biometric, bypassing the reader, you can potentially trick a biometric system.

Most successful biometric implementations have a controlled enrolment process where identity validation is undertaken, and have physically secured, tamperproof and closely monitored readers. Systems like those used for passport biometric enrolment with restricted deployments of readers at airports are an example. Self-enrollment is prone to fraud. Widely distributed readers are prone to tampering. Insecure paths from readers to central credential repositories are prone to credential theft.

Once biometric information is stolen, it usually cannot be changed. So stolen data can potentially be used for a long time, creating problems. This isn’t the case for airport fingerprint readers, but it is a problem for biometric devices in the hands of the public. The best way to check this is to keep the system’s environment physically secured, tamperproof and closely monitored.

Rajesh Babu, CEO, Mirox Cyber Security & Technology

Biometrics devices can be hacked. They have fingerprint sensors, which only check the pattern. It is possible to recreate these patterns through various techniques. Technically, it is difficult to recreate biometrics from a high-resolution picture. However, by using other image rendering tools we can recreate the patterns. Security experts and hackers have already proved that they can bypass mobile fingerprint scanners using a collection of high-resolution photographs taken from different angles using standard photo cameras to make a latex replica print.

Most of the biometric scanners have a date set of all fingerprints and other identities inside the device database. Not every manufacturer in India undergoes enough security auditing. Most of the companies manufacture low-cost biometric devices which are highly vulnerable. These devices are imported from China and other countries but they do not conduct or go through any security audits in our country. They may have kernel level back doors, which are highly vulnerable and can lead to launch of an any kind of attack, including compromising an organization’s network. Only a handful of companies conduct audits of their products as part of security practice.

Organizations and the government must have a clear and concise Security Devices Policy based on standard applicable laws and regulation framework.

For more details visit https://cis-india.org/internet-governance/news/livemint-june-11-2017-shaikh-zoaib-saleem-are-biometrics-hack-proof

An Urgent Need for the Right to Privacy

sumandro — 2016-03-17T07:40:12Z

Along with a group of individuals and organisations from academia and civil society, we have drafted and are signatories to an open letter addressed to the Union government and urging the same to "urgently take steps to uphold the constitutional basis to the right to privacy and fulfil it’s constitutional and international obligations." Here we publish the text of the open letter. Please follow the link below to support it by joining the signatories.

Read and sign the open letter.

Text of the Open Letter

As our everyday lives are conducted increasingly through electronic communications the necessity for privacy protections has also increased. While several countries across the globe have recognised this by furthering the right to privacy of their citizens the Union Government has adopted a regressive attitude towards this core civil liberty. We urge the Union Government to take urgent measures to safeguard the right to privacy in India.

Our concerns are based on a continuing pattern of disregard for the right to privacy by several governments in the past. This trend has increased as can be plainly viewed from the following developments.

In 2015, the Attorney General in the case of *K.S. Puttaswamy v. Union of India*, argued before the Hon’ble Supreme Court that there is no right to privacy under the Constitution of India. The Hon'ble Court was persuaded to re-examine the basis of the right to privacy upsetting 45 years of judicial precedent. This has thrown the constitutional right to privacy in doubt and the several judgements that have been given under it. This includes the 1997 PUCL Telephone Tapping judgement as well. We urge the Union Government to take whatever steps are necessary and urge the Supreme Court to hold that a right to privacy exists under the Constitution of India.

Recently Mr. Arun Jaitley, Minister for Finance introduced the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. This bill was passed on March 11, 2016 in the middle of budget discussion on a short notice as a money bill in the Lok Sabha when only 73 of 545 members were present. Its timing and introduction as a money bill prevents necessary scrutiny given the large privacy risks that arise under it. This version of the bill was never put up for public consultation and is being rushed through without adequate discussion. Even substantively it fails to give accountable privacy safeguards while making Aadhaar mandatory for availing any government subsidy, benefit, or service.

We urge the Union Government to urgently take steps to uphold the constitutional basis to the right to privacy and fulfil it’s constitutional and international obligations. We encourage the Government to have extensive public discussions on the Aadhaar Bill before notifying it. We further call upon them to constitute a drafting committee with members of civil society to draft a comprehensive statute as suggested by the Justice A.P. Shah Committee Report of 2012.

Signatories:

Amber Sinha, the Centre for Internet and Society
Japreet Grewal, the Centre for Internet and Society
Joshita Pai, Centre for Communication Governance, National Law University
Raman Jit Singh Chima, Access Now
Sarvjeet Singh, Centre for Communication Governance, National Law University
Sumandro Chattapadhyay, the Centre for Internet and Society
Sunil Abraham, the Centre for Internet and Society
Vanya Rakesh, the Centre for Internet and Society

For more details visit https://cis-india.org/internet-governance/blog/an-urgent-need-for-the-right-to-privacy

Press Release, March 15, 2016: The New Bill Makes Aadhaar Compulsory!

Amber Sinha — 2016-03-16T10:11:32Z

We published and circulated the following press release on March 15, 2016, to highlight the fact that the Section 7 of the Aadhaar Bill, 2016 states that authentication of the person using her/his Aadhaar number can be made mandatory for the purpose of disbursement of government subsidies, benefits, and services; and in case the person does not have an Aadhaar number, s/he will have to apply for Aadhaar enrolment.

Nandan Nilekani, the former chairperson of the Unique Identification Authority of India had repeatedly stated that Aadhaar is not mandatory. However, in the last few years various agencies and departments of the government, both at the central and state level, had made it mandatory in order to be able to avail beneficiary schemes or for the arrangement of salary, provident fund disbursals, promotion, scholarship, opening bank account, marriages and property registrations. In August 2015, the Supreme Court passed an order mandating that the Aadhaar number shall remain optional for welfare schemes, stating that no person should be denied any benefit for reason of not having an Aadhaar number, barring a few specified services.

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, however, has not followed this mandate. Section 7 of the Bill states that “a person should be authenticated or give proof of the Aadhaar number to establish his/her identity” “as a condition for receiving subsidy, benefit or service”. Further, it reads, “In the case a person does not have an Aadhaar number, he/she should make an application for enrollment.” The language of the provision is very clear in making enrollment in Aadhaar mandatory, in order to be entitled for welfare services. Section 7 also says that “the person will be offered viable and alternate means of identification for receiving the subsidy, benefit or service. However, these unspecified alternate means will be made available in the event “an Aadhaar number is not assigned”. This language is vague and it is not clear whether it mandates alternate means of identification for those who choose not to apply for an Aadhaar number for any reason. The fact that it does make it mandatory to apply for an Aadhaar number for persons without it, may lead to the presumption that the alternate means are to be made available for those who may have applied for an Aadhaar number but it has not been assigned for any reason. It is also noteworthy that draft legislation is silent on what the “viable and alternate means of identification” could be. There are a number of means of identification, which are recognised by the state, and a schedule with an inclusive list could have gone a long way in reducing the ambiguity in this provision.

Another aspect of Section 7 which is at odds with the Supreme Court order is that it allows making an Aadhaar number mandatory for “for receipt of a subsidy, benefit or service for which the expenditure is incurred” from the Consolidated Fund of India. The Supreme Court had been very specific in articulating that having an Aadhaar number could not be made compulsory except for “any purpose other than the PDS Scheme and in particular for the purpose of distribution of foodgrains, etc. and cooking fuel, such as kerosene” or for the purpose of the LPG scheme. The restriction in the Supreme Court order was with respect to the welfare schemes, however, instead of specifying the schemes, Section 7 specified the source of expenditure from which subsidies, benefits and services can be funded, making the scope much broader. Section 7, in effect, allows the Central Government to circumvent the Supreme Court order if they choose to tie more subsidies, benefits and services to the Consolidated Fund of India.

These provisions run counter to the repeated claims of the government for the last six years that Aadhaar is not compulsory, nor is the specification by the Supreme Court for restricting use of Aadhaar to a few services only, reflected anywhere in the Bill. The “viable and alternate means” clause is too vague and inadequate to prevent denial of benefits to those without an Aadhaar number. The sum effect of these factors is to give the Central Government powers to make Aadhaar mandatory, for all practical purposes.

For more details visit https://cis-india.org/internet-governance/blog/press-release-aadhaar-15032016-the-new-bill-makes-aadhaar-compulsory

Centre for Internet and Society

Aadhaar marks a fundamental shift in citizen-state relations: From ‘We the People’ to ‘We the Government’

How Did Aadhaar Change?

Security Concerns

It’s the technology, stupid

Press Release, March 11, 2016: The Law cannot Fix what Technology has Broken!

Key Issues

1. Identification without Consent

2. Fallible Technology

Endnote

List of Recommendations on the Aadhaar Bill, 2016 - Letter Submitted to the Members of Parliament

Download the submission letter: PDF.

Text of the Submission

Endnotes

Vulnerabilities in the UIDAI Implementation Not Addressed by the Aadhaar Bill, 2016

Download the infographic: PDF and PNG.

Workshop on Big Data in India: Benefits, Harms, and Human Rights (Delhi, October 01)

Workshop invitation: Download (PDF)

Workshop agenda: Download (PDF)

India’s National ID Program May Be Turning The Country Into A Surveillance State

“You can’t change your fingerprints”

Aadhaar: A widening net

Is Your Aadhar Biometrics Safe? Firms Accused Of Storing Biometrics And Using Them Illegally

Analysis of Key Provisions of the Aadhaar Act Regulations

Introduction

Unique Identification Authority of India (Transactions of Business at Meetings of the Authority) Regulations[1]

Provision: Sub-Regulation 3.

Observations:

Provision: Sub-Regulation 8 (5)

Observations:

Provision: Sub-Regulation 14 (4)

Observations:

Unique Identification Authority of India (Enrolment and Update) Regulations[4]

Provisions:

Observations:

Provision: Sub-Regulation 32

Observations:

Aadhaar (Authentication) Regulations, 2016[6]

Provisions:

Observations:

Sub-Regulation 11 (1) and (4)

Observations:

Provision: Sub-Regulation 18 (2), (3) and (4)

Observations:

Aadhaar (Sharing of Information) Regulations, 2016 and Aadhaar (Data security) Regulations, 2016[7]

Provision: Sub-Regulation 6 (1)

Observations:

Conclusion

India’s Supreme Court hears challenge to biometric authentication system

Digital native: Look before you (digitally) leap

Are biometrics hack-proof?

An Urgent Need for the Right to Privacy

Read and sign the open letter.

Text of the Open Letter

Press Release, March 15, 2016: The New Bill Makes Aadhaar Compulsory!

Unique Identification Authority of India (Transactions of Business at Meetings of the Authority) Regulations^{^[1]}

Unique Identification Authority of India (Enrolment and Update) Regulations^{^[4]}

Aadhaar (Authentication) Regulations, 2016^{^[6]}

Aadhaar (Sharing of Information) Regulations, 2016 and Aadhaar (Data security) Regulations, 2016^{^[7]}