Centre for Internet and Society

Three Years Later, IPaidABribe.com Pays Off

praskrishna — 2013-09-25T06:05:05Z

After reporting a bribe on IPaidABribe.com, one Bangalore student has had the satisfaction of seeing action taken against a corrupt public official.

This article by Jessica McKenzie was published in TechPresident on September 23, 2013. Sunil Abraham is quoted.

The student, Shubham Kahndelwal, was asked to give a bribe before getting a receipt for registering for an identity card called the AADHAAR card. He at first refused, but then gave in. In response, the official gave him a receipt for his father's registration (which he had submitted along with his own) but not his. He told I Paid A Bribe that he “never knew a simple complaint could make such a difference.”

Kahndelwal elaborated:

I was in Chennai when the incident happened and after that I was furious and was searching all over to look for a complaint mechanism, when I stumbled upon IPaidaBribe.com. It is a great day and event for me and for me to share with my friends.

IPaidABribe.com was launched in August 2010 by the Bangalore-based nonprofit Janaagraha, which focuses on civic engagement and improving governance.

When first launched, there were concerns over privacy issues and protecting the users who submit complaints. On the other hand, in an interview this May with techPresident's David Eaves, Sunil Abraham, the founder of the Center for Internet & Society, pointed out that in order to make a difference, I Paid A Bribe would somehow have to close the loop.

Abraham went on:

some of the things that go on with anonymous reporting cannot happen, and to close the loop it almost needs to become a paralegal infrastructure. It has to talk to law enforcement and people have to be arrested, prosecuted and put away.

That is apparently what happened in this case. The official in question has been blacklisted and had disciplinary action taken against him.

To put the success in perspective, however, the bribe requested was Rs 2000 (US$31.95) and the bribe ultimately given was only Rs 350 (US$5.59).

Abraham also pointed out to Eaves that the real problem in India is “high ticket bribes...at the top of the pyramid.”

So while complaints from people like Kahndelwal are what keep the feeds at IPaidABribe.com constantly refreshing, they're mere drops in the bucket when compared to the millions of dollars moving in scandals like the 2G spectrum scam.

Personal Democracy Media is grateful to the Omidyar Network and the UN Foundation for their generous support of techPresident's WeGov section.

For more details visit https://cis-india.org/news/tech-president-september-23-2013-jessica-mckenzie

CIS and International Coalition Calls upon Governments to Protect Privacy

elonnai — 2013-09-25T07:21:09Z

The Centre for Internet and Society (CIS) along with the International Coalition has called upon governments across the globe to protect privacy.

On September 20 in Geneva, CIS joined a huge international coalition in calling upon countries across the globe, including India to assess whether national surveillance laws and activities are in line with their international human rights obligations.

The Centre for Internet and Society has endorsed a set of international principles against unchecked surveillance. The 13 Principles set out for the first time an evaluative framework for assessing surveillance practices in the context of international human rights obligations.

A group of civil society organizations officially presented the 13 Principles this past Friday in Geneva at a side event attended by Navi Pillay, the United Nations High Commissioner for Human Rights and the United Nations Special Rapporteur on Freedom of Expression and Opinion, Frank LaRue, during the 24th session of the Human Rights Council. The side event was hosted by the Permanent Missions of Austria, Germany, Liechtenstein, Norway, Switzerland and Hungary.

Elonnai Hickok, Programme Manager at the Centre for Internet and Society has noted that "the 13 Principles are an important first step towards informing governments, corporates, and individuals across jurisdictions, including India, about needed safeguards for surveillance practices and related policies to ensure that they are necessary and proportionate."

Navi Pillay, the United Nations High Commissioner for Human Rights, speaking at the Human Rights Council stated in her opening statement on September 9:

"Laws and policies must be adopted to address the potential for dramatic intrusion on individuals’ privacy which have been made possible by modern communications technology."

Navi Pillay, the United Nations High Commissioner for Human Rights, speaking at the event, said that:

"technological advancements have been powerful tools for democracy by giving access to all to participate in society, but increasing use of data mining by intelligence agencies blurs lines between legitimate surveillance and arbitrary mass surveillance."

Frank La Rue, the United Nations Special Rapporteur on Freedom of Expression and Opinion made clear the case for a direct relationship between state surveillance, privacy and freedom of expression in this latest report to the Human Rights Council:

"The right to privacy is often understood as an essential requirement for the realization of the right to freedom of expression. Undue interference with individuals’ privacy can both directly and indirectly limit the free development and exchange of ideas. … An infringement upon one right can be both the cause and consequence of an infringement upon the other."

Speaking at the event, the UN Special Rapporteur remarked that:

"previously surveillance was carried out on targeted basis but the Internet has changed the context by providing the possibility for carrying out mass surveillance. This is the danger."

Representatives of the Centre for Internet and Society, Privacy International, the Electronic Frontier Foundation,Access,Human Rights Watch,Reporters Without Borders, Association for Progressive Communications, and theCenter for Democracy and Technology all are taking part in the event.

Find out more about the Principles at https://NecessaryandProportionate.org

Contacts

NGOs currently in Geneva for the 24^th Human Rights Council:

Access
Fabiola Carrion: fabiola@accessnow.org

Association for Progressive Communication
Shawna Finnegan: shawna@apc.org

Center for Democracy and Technology
Matthew Shears: mshears@cdt.org

Electronic Frontier Foundation
Katitza Rodriguez: katitza@eff.org - @txitua

Human Rights Watch
Cynthia Wong: wongc@hrw.org

Privacy International
Carly Nyst: carly@privacy.org

Reporters Without Borders
Lucie Morillon: lucie.morillon@rsf.org
Hélène Sackstein: helsack@gmail.com

Signatories

Argentina
Ramiro Alvarez: rugarte@adc.org.ar
Asociación por los Derechos Civiles

Argentina
Beatriz Busaniche: bea@vialibre.org.ar
Fundación Via Libre

Colombia
Carolina Botero: carobotero@gmail.com
Fundación Karisma

Egypt
Ahmed Ezzat: ahmed.ezzat@afteegypt.org
Afteegypt

Honduras
Hedme Sierra-Castro: hedme.sc@gmail.com
ACI-Participa

India
Elonnai Hickok: elonnai@cis-india.org
Center for Internet and Society

Korea
Prof. Park: kyungsinpark@korea.ac.kr
Open Net Korea

Macedonia
Bardhyl Jashari: info@metamorphosis.org.mk
Metamorphosis Foundation for Internet and Society

Mauritania, Senegal, Tanzania
Abadacar Diop: jonction_jonction@yahoo.fr
Jonction

Portugal
Andreia Martins: andreia@coolpolitics.pt
ASSOCIAÇÃO COOLPOLITICS

Peru
Miguel Morachimo: morachimo@gmail.com
Hiperderecho

Russia
Andrei Soldatov: soldatov@agentura.ru
Agentura.ru

Serbia
Djordje Krivokapic: krivokapic@gmail.com
SHARE Foundation

Western Balkans
Valentina Pellizer: valentina.pellizzer@oneworldsee.org
Oneworldsee

Brasil
Marcelo Saldanha: instituto@bemestarbrasil.org.br
IBEBrasil

For more details visit https://cis-india.org/internet-governance/blog/cis-and-international-coalition-calls-upon-governments-to-protect-privacy

India:Privacy in Peril

bhairav — 2013-09-25T09:56:22Z

The danger of mass surveillance in India is for real. The absence of a regulating law is damning for Indians who want to protect their privacy against the juggernaut of state and private surveillance.

The article was originally published in the Frontline on July 12, 2013.

At the concluding scene of his latest movie, Superman disdainfully flings a surveillance drone down to earth in front of a horrified general. “You can’t control me,” he tells his military minder. “You can’t find out where I hang up my cape.” This exchange goes to the crux of surveillance: control. Surveillance is the means by which nation-states exercise control over people. If the logical basis of the nation-state is the establishment and maintenance of homogeneity, it is necessary to detect and interdict dissent before it threatens the boundedness and continuity of the national imagination. This imagination often cannot encompass diversity, so it constructs categories of others that include dissenters and outsiders. Admittedly, this happens less in India because the foundation of the Indian nation-state imagined a diverse society expressing a plurality of ideas in a variety of languages secured by a syncretic and democratic government that protected individual freedoms. Unfortunately, this vision is still to be realised, and the foundational idea of India continues to be challenged by poor governance, poverty, insurgencies and rebellion. Consequently, surveillance is, for the modern nation-state, a condicio sine qua non—an essential element without which it will eventually cease to exist. The challenge for democratic nation-states is to find the optimal balance between surveillance and the duty to protect the freedoms of its citizens.

History of wiretaps

Some countries, such as the United States, have assembled a vast apparatus of surveillance to monitor the activities of their citizens and foreigners. Let us review the recent controversy revealed by the whistle-blower Edward Snowden. In 1967, the U.S. Supreme Court ruled in Katz vs United States that wiretaps had to be warranted, judicially sanctioned and supported by probable cause. This resulted in the passage of the Wiretap Act of 1968 that regulated domestic surveillance. Following revelations that Washington was engaging in unrestricted foreign surveillance in the context of the Vietnam war and anti-war protests, the U.S. Congress enacted the Foreign Intelligence Surveillance Act (FISA) in 1978. FISA gave the U.S. government the power to conduct, without judicial sanction, surveillance for foreign intelligence information; and, with judicial sanction from a secret FISA court, surveillance of anybody if the ultimate target was a foreign power. Paradoxically, even a U.S. citizen could be a foreign power in certain circumstances. Domestically, FISA enabled secret warrants for specific items of information such as library book borrowers and car rentals.

Following the 9/11 World Trade Centre attacks, Congress enacted the Patriot Act of 2001, Section 215 of which dramatically expanded the scope of FISA to allow secret warrants to conduct surveillance in respect of “any tangible thing” that was relevant to a national security investigation. In exercise of this power, a secret FISA court issued secret warrants ordering a number of U.S. companies to share, in real time, voice and data traffic with the National Security Agency (NSA). We may never know the full scope of the NSA’s surveillance, but we know this: (a) Verizon Communications, a telecommunications major, was ordered to provide metadata for all telephone calls within and without the U.S.; (b) the NSA runs a clandestine programme called PRISM that accesses Internet traffic, such as e-mails, web searches, forum comments and blogs, in real time; and (c) the NSA manages a comprehensive data analysis system called Boundless Informant that intercepts and analyses voice and data traffic around the world and subjects them to automated pattern recognition. The documents leaked by Snowden allege that Google, Facebook, Apple, Dropbox, Microsoft and Yahoo! participate in PRISM, but these companies have denied their involvement.

India fifth-most monitored

How does this affect India? The Snowden documents reveal that India is the NSA’s fifth-most monitored country after Iran, Pakistan, Jordan and Egypt. Interestingly, China is monitored less than India. Several billion pieces of data from India, such as e-mails and telephone metadata, were intercepted and monitored by the NSA. For Indians, it is not inconceivable that our e-mails, should they be sent using Gmail, Yahoo! Mail or Hotmail, or our documents, should we be subscribing to Dropbox, or our Facebook posts, are being accessed and read by the NSA. Incredibly, most Indian governmental communication, including that of Ministers and senior civil servants, use private U.S. e-mail services. We no longer enjoy privacy online. The question of suspicious activity, irrespective of the rubric under which suspicion is measured, is moot. Any use of U.S. service providers is potentially compromised since U.S. law permits intrusive dragnet surveillance against foreigners. This clearly reveals a dichotomy in U.S. constitutional law: the Fourth Amendment’s guarantees of privacy, repeatedly upheld by U.S. courts, protect U.S. citizens to a far greater extent than they do foreigners. It is natural for a nation-state to privilege the rights of its citizens over others. As Indians, therefore, we must clearly look out for ourselves.

Privacy and personal liberty

Unfortunately, India does not have a persuasive jurisprudence of privacy protection. In the Kharak Singh (1964) and Gobind (1975) cases, the Supreme Court of India considered the question of privacy from physical surveillance by the police in and around homes of suspects. In the latter case, the court found that some of the Fundamental Rights “could be described as contributing to the right to privacy”, which was subject to a compelling public interest. This insipid inference held the field until 1994 when, in the Rajagopal (“Auto Shankar”, 1994) case, the Supreme Court, for the first time, directly located privacy within the ambit of the right to personal liberty recognised by Article 21 of the Constitution. However, Rajagopal dealt specifically with the publication of an autobiography, it did not consider the privacy of communications. In 1997, the Supreme Court considered the question of wiretaps in the People’s Union for Civil Liberties (PUCL) case. While finding that wiretaps invaded the privacy of communications, it continued to permit them subject to some procedural safeguards which continue to be routinely ignored. A more robust statement of the right to privacy was made by the Delhi High Court in the Naz Foundation case (2011) that decriminalised consensual homosexual acts; however, there is an appeal against the judgment in the Supreme Court.

Legislative silence

Judicial vagueness has been compounded by legislative silence. India does not have a law to operationalise a right to privacy. Consequently, a multitude of laws permit daily infractions of privacy. These infractions have survived because they are diverse, dissipated and quite disorganised. However, the technocratic impulse to centralise and consolidate surveillance and data collection has, in recent years, alarmed many citizens. The state hopes to, through enterprises such as the Central Monitoring System (CMS), the Crime and Criminals Tracking Network and System (CCTNS), the National Intelligence Grid (NATGRID), the Telephone Call Interception System (TCIS) and the Unique Identification Number (UID), replicate the U.S. successes in surveillance and monitoring and profiling all its citizens. However, unlike the U.S., India proposes to achieve this without an enabling law. Let us consider the CMS. No documents have been made available that indicate the scope and size of the CMS.

From a variety of police tenders for private equipment, it appears that the Central government hopes to put in place a system that will intercept, in real time, all voice and data traffic originating or terminating in India or being carried by Indian service providers. This data will be subject to pattern recognition and other automated tests to detect emotional markers, such as hate, compassion or intent. The sheer scale of this enterprise is intimidating; all communications in India’s many languages will be subject to interception and testing designed to detect different forms of dissent. This mammoth exercise in monitoring is taking place—it is understood that some components of the CMS are already operational—without statutory sanction. No credible authorities exist to supervise this exercise, no avenues for redress have been identified and no consequences have been laid down for abuse.

Statutory Surveillance

In a recent interview, Milind Deora, Minister of State for Communications and Information Technology, dismissed public scepticism of the CMS saying that direct state access to private communications was better for privacy since it reduced dependence on the interception abilities of private service providers. This circular argument is both disingenuous and incorrect. No doubt, trusting private persons with the power to intercept and store the private data of citizens is flawed. The leaking of the Niira Radia tapes, which contain the private communications of Niira Radia taped on the orders of the Income Tax Department, testifies to this flaw. However, bypassing private players to enable direct state access to private communications will preclude leaks and, thereby, remove from public knowledge the fact of surveillance. This messy situation may be obviated by a regime of statutory regulation of warranted surveillance by an independent and impartial authority. This system is favoured by liberal democracies around the world but conspicuously resisted by the Indian government.

The question of privacy legislation was recently considered by a committee chaired by Justice Ajit Prakash Shah, a former judge of the Delhi High Court who sat on the Bench that delivered the Naz Foundation judgment. The Shah Committee was constituted by the Planning Commission for a different reason: the need to protect personal data that are outsourced to India for processing. The lack of credible privacy law, it is foreseen, will result in European and other foreign personal data being sent to other attractive processing destinations, such as Vietnam, Israel or the Philippines, resulting in the decline of India’s outsourcing industry. However, the Shah Committee also noted the absence of law sufficient to protect against surveillance abuses. Most importantly, the Shah Committee formulated nine national privacy principles to inform any future privacy legislation (see story on page 26). In 2011, the Department of Personnel and Training (DoPT) of the Ministry of Human Resource Development, the same Ministry entrusted with implementing the Right to Information Act, 2005, leaked a draft privacy Bill, marked ‘Secret’, on the Internet. The DoPT Bill received substantive criticism from the Attorney General and some government Secretaries for the clumsy drafting. A new version of the DoPT Bill is reported to have been drafted and sent to the Ministry of Law for consideration. This revised Bill, which presumably contains chapters to regulate surveillance, including the interception of communications, has not been made public.

The need for privacy legislation cannot be overstated. The Snowden affair reveals the extent of possible state surveillance of private communications. For Indians who must now explore ways to protect their privacy against the juggernaut of state and private surveillance, the absence of regulatory law is damning. Permitting, through public inaction, unwarranted and non-targetted dragnet surveillance by the Indian state without reasonable cause would be an act of surrender of far-reaching implications.

Information, they say, is power. Allowing governments to exercise this power over us without thought for the rule of law constitutes the ultimate submission possible in a democratic nation-state. And, since superheroes are escapist fantasies, without the prospect of good laws we will all be subordinate to a new national imagination of control and monitoring, surveillance and profiling. If allowed to come to pass, this will be a betrayal of the foundational idea of India as a free and democratic republic tolerant of dissent.

Bhairav Acharya is a constitutional lawyer practising in the Supreme Court of India. He advises the Centre for Internet & Society, Bangalore, on privacy law and other constitutional issues.

For more details visit https://cis-india.org/internet-governance/blog/frontline-cover-story-july-12-2013-bhairav-acharya-privacy-in-peril

The Central Monitoring System: Some Questions to be Raised in Parliament

bhairav — 2013-09-25T10:30:10Z

The following are some model questions to be raised in the Parliament regarding the lack of transparency in the central monitoring system.

Preliminary

The Central Monitoring System (CMS) is a Central Government project to intercept communications, both voice and data, that is transmitted via telephones and the internet to, from and within India. Owing to the vast nature of this enterprise, the CMS cannot be succinctly described and the many issues surrounding this project are diverse. This Issue Brief will outline preliminary constitutional, legal and technical concerns that are presented by the CMS.
At the outset, it must be clearly understood that no public documentation exists to explain the scope, functions and technical architecture of the CMS. This lack of transparency is the single-largest obstacle to understanding the Central Government’s motives in conceptualising and operationalizing the CMS. This lack of public documentation is also the chief reason for the brevity of this Issue Note. Without making public the policy, law and technical abilities of the CMS, there cannot be an informed national debate on the primary concerns posed by the CMS, i.e the extent of envisaged state surveillance upon Indian citizens and the safeguards, if any, to protect the individual right to privacy.

Surveillance and Privacy

Surveillance is necessary to secure political organisation. Modern nation-states, which are theoretically organised on the basis of shared national and societal characteristics, require surveillance to detect threats to these characteristics. In democratic societies, beyond the immediate requirements of national integrity and security, surveillance must be targeted at securing the safety and rights of individual citizens. This Issue Brief does not dispute the fact that democratic countries, such as India, should conduct surveillance to secure legitimate ends. Concerns, however, arise when surveillance is conducted in a manner unrestricted and unregulated by law; these concerns are compounded when a lack of law is accompanied by a lack of transparency.
Technological advancement leads to more intrusive surveillance. The evolution of surveillance in the United States resulted, in 1967, in the first judicial recognition of the right to privacy. In Katz v. United States the US Supreme Court ruled that the privacy of communications had to be balanced with the need to conduct surveillance; and, therefore, wiretaps had to be warranted, judicially sanctioned and supported by probable cause. Katz expanded the scope of the Fourth Amendment of the US Constitution, which protected against unreasonable searches and seizures. Most subsequent US legal developments relating to the privacy of communications from surveillance originate in the Katz judgement. Other common law countries, such as the United Kingdom and Canada, have experienced similar judicial evolution to recognise that the right to privacy must be balanced with governance.

Right to Privacy in India

Unfortunately, India does not have a persuasive jurisprudence of privacy protection. In the Kharak Singh (1964) and Gobind (1975) cases, the Supreme Court of India considered the question of privacy from physical surveillance by the police in and around the homes of suspects. In the latter case, the Supreme Court found that some of the Fundamental Rights “could be described as contributing to the right to privacy” which was nevertheless subject to a compelling public interest. This insipid inference held the field until 1994 when, in the Rajagopal (“Auto Shankar”, 1994) case, the Supreme Court, for the first time, directly located privacy within the ambit of the right to personal liberty recognised by Article 21 of the Constitution. However, Rajagopal dealt specifically with the publication of an autobiography, it did not consider the privacy of communications. In 1997, the Supreme Court considered the question of wiretaps in the PUCL case. While finding that wiretaps invaded the privacy of communications, it continued to permit them subject to some procedural safeguards which continue to be routinely ignored. A more robust statement of the right to privacy was made recently by the Delhi High Court in the Naz Foundation case (2011) that de-criminalised consensual homosexual acts; however, this judgment has been appealed to the Supreme Court.

Issues Pertaining to the CMS

While judicial protection from physical surveillance was cursorily dealt with in the Kharak Singh and Gobind cases, the Supreme Court of India directly considered the issue of wiretaps in the PUCL case. Wiretaps in India primarily occur on the strength of powers granted to certain authorities under section 5(2) of the Indian Telegraph Act, 1885. The Court found that the Telegraph Act, and Rules made thereunder, did not prescribe adequate procedural safeguards to create a “just and fair” mechanism to conduct wiretaps. Therefore, it laid down the following procedure to conduct wiretaps:

(a) the order should be issued by the relevant Home Secretary (this power is delegable to a Joint Secretary),
(b) the interception must be carried out exactly in terms of the order and not in excess of it,
(c) a determination of whether the information could be reasonably secured by other means,
(d) the interception shall cease after sixty (60) days.

Therefore, prima facie, any voice interception conducted through the CMS will be in violation of this Supreme Court judgement. The CMS will enforce blanket surveillance upon the entire country without regard for reasonable cause or necessity. This movement away from targeted surveillance to blanket surveillance without cause, conducted without statutory sanction and without transparency, is worrying.
Accordingly, the following questions may be raised, in Parliament, to learn more about the CMS project:

Which statutes, Government Orders, notifications etc deal with the establishment and maintenance of the CMS?
Which is the nodal agency in charge of implementing the CMS?
What are the powers and functions of the nodal agency?
What guarantees exist to protect ordinary Indian citizens from intrusive surveillance without cause?
What are the technical parameters of the CMS?
What are the consequences for misuse or abuse of powers by any person working in the CMS project?
What recourse is available to Indian citizens against whom there is unnecessary surveillance or against whom there has been a misuse or abuse of power?

For more details visit https://cis-india.org/internet-governance/blog/central-monitoring-system-questions-to-be-asked-in-parliament

Privacy Round Table, New Delhi (October 2013)

praskrishna — 2013-09-28T02:52:26Z

The Centre for Internet and Society (CIS), Federation of Indian Chambers of Commerce and Industry (FICCI), and DSCI cordially invite you to a "Privacy Round Table" at the FICCI Federation House in Tansen Marg on October 19, 2013.

Click the below links to:

Download the event brochure
Download the latest version of the Draft Privacy Bill

Jacob Kohnstamm, Data Protection Authority, Netherlands and Chairman of the Article 29 Working Party, Chantel Bernier, Assistant Privacy Commissioner, Canada, and Christopher Graham, Information Commissioner, UK will make presentations:

Agenda

Time	Detail
10:00 10:30	Introduction and summary of previous Roundtables
10:30 11:00	“Data Protection in the European Union” Mr. Jacob Kohnstamm, Data Protection Authority, Netherlands and Chairman of the Article 29 Working Party
11:00 11:15	Tea
11:15 12:15	Regulatory Frameworks and Jurisdiction a. Co-Regulation vs. Self Regulation vs. Statutory Regulation b. Applicability of regulatory framework to domestic processing vs. multiple/international jurisdictions
12:15 12:45	“An Overview of the Canadian Privacy Regime” Ms. Chantal Bernier, Assistant Privacy Commissioner, Canada
12:15 13:30	The Privacy Commissioner a. Composition of the Office of the Privacy Commissioner (officers, funding, organizational structure) b. Powers of the Privacy Commissioner (investigation, audit, privacy impact assessment etc) c. Functions of the Office of the Privacy Commissioner
13:30 14:30	Lunch
14:30 15:30	Rights of the individual and exceptions to the right to privacy a. Rights of the individual including: notice, access, deletion etc. b. Exceptions to the right to privacy: national security, public order, public interest, prevention and detection of crime etc.
15:30 16:00	“An overview of the Privacy Regime in the UK” Mr. Christopher Graham, Information Commissioner, UK
16:00 16:15	Tea
16:15 17:00	Defining and protecting personal data and personal sensitive data a. Definitions and distinctions between personal data vs personal sensitive data b. Levels of protection for personal data vs. personal sensitive data c. Penalty and remedy for breach of personal data vs. personal sensitive data
17:00 18:00	Penalty and Redress a. Forms and extent of penalty: fine, public notice, shut down of services etc. b. Forms of redress for the individual c. Enforcement of penalty and redress

The Speakers

Jacob Kohnstamm	Before his appointment as Chairman of the Dutch Data Protection Authority in 2004, Jacob Kohnstamm was active in Dutch politics as member of the Lower House of the Dutch Parliament, as State Secretary for Internal Affairs and as member of the Senate of the Dutch Parliament (between 1981 and 2004). Before that, he worked as a lawyer in Amsterdam. Since February 2010, Jacob Kohnstamm is Chairman of the Art. 29 Working Party of European Data Protection Authorities. Since November 2011, Jacob Kohnstamm is also Chairman of the Executive Committee of the International Conference of Data Protection and Privacy Commissioners.
Chantal Bernier	Chantal Bernier was appointed Assistant Privacy Commissioner of Canada in December 2008. Ms. Bernier started her career in the federal government as a lawyer in the Department of Justice, Canada. She went on to hold a directorship at the Privy Council Office before being appointed Assistant Deputy Minister at Indian and Northern Affairs Canada, and later on at Public Safety Canada. She holds a Bachelor of Civil Law from the University of Sherbrooke and a Masters in Public International Law from the London School of Economics and Political Science.
Christopher Graham	Christopher Graham became UK Information Commissioner in June 2009, with responsibility for overseeing the Freedom of Information Act and Data Protection Act regimes — upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals. He is the Vice Chair of the Article 29 Working Party of the European Data Protection Authorities. Christopher was the director general of the Advertising Standards Authority (ASA) from April 2000 to June 2009. From 2003-5, he was chairman of the European Advertising Standards Alliance (EASA), the federation of advertising self-regulatory bodies across the EU Single Market. Prior to joining the ASA, Christopher was for three years Secretary of the BBC. Christopher first joined the broadcaster as a news trainee in 1973. He was a Current Affairs Producer for BBC Radio and TV before becoming Managing Editor of News Programmes for TV and Radio.

Confirmations and RSVP

Please send your email confirmations for attending the Delhi Privacy Round Table on October 19, 2013, to Elonnai Hickok (elonnai@cis-india.org)

For more details visit https://cis-india.org/internet-governance/events/privacy-round-table-delhi-october-19-2013

An Analysis of the Cases Filed under Section 46 of the Information Technology Act, 2000 for Adjudication in the State of Maharashtra

bhairav — 2013-10-01T15:29:46Z

This is a brief review of some of the cases related to privacy filed under section 46 of the Information Technology Act, 2000 ("the Act") seeking adjudication for alleged contraventions of the Act in the State of Maharashtra.

Background

Section 46 of the Act grants the Central Government the power to appoint an adjudicating officer to hold an enquiry to adjudge, upon complaints being filed before that adjudicating officer, contraventions of the Act. The adjudicating officer may be of the Central Government or of the State Government [see section 46(1) of the Act], must have field experience with information technology and law [see section 46(3) of the Act] and exercises jurisdiction over claims for damages up to `5,00,00,000 [see section 46(1A) of the Act]. For the purpose of adjudication, the officer is vested with certain powers of a civil court [see section 46(5) of the Act] and must follow basic principles of natural justice while conducting adjudications [see section 46(2) of the Act]. Hence, the adjudicating officer appointed under section 46 is a quasi-judicial authority.

In addition, the quasi-judicial adjudicating officer may impose penalties, thereby vesting him with some of the powers of a criminal court [see section 46(2) of the Act], and award compensation, the quantum of which is to be determined after taking into account factors including unfair advantage, loss and repeat offences [see section 47 of the Act]. The adjudicating officer may impose penalties for any of the offences described in section 43, section 44 and section 45 of the Act; and, further, may award compensation for losses suffered as a result of contraventions of section 43 and section 43A. The text of these sections is reproduced in the Schedule below. Further law as to the appointment of the adjudicating officer and the procedure attendant on all adjudications was made by Information Technology (Qualification and Experience of Adjudicating Officers and the Manner of Holding Enquiry) Rules, 2003.[1]

It is clear that the adjudicating officer is vested with significant judicial powers, including the power to enforce certain criminal penalties, and is an important quasi-judicial authority.

Excursus

At the outset, it is important to understand the distinction between compensation and damages. Compensation is a sum of money awarded by a civil court, before or along with the primary decree, to indemnify a person for injury or loss. It is usually awarded to a person who has a suffered a monetary loss as a result of the acts or omissions of another party. Its quantification is usually guided by principles of equity. [See Shantilal Mangaldas AIR 1969 SC 634 and Ranbir Kumar Arora AIR 1983 P&H 431]. On the hand, damages are punitive and, in addition to restoring an indemnitee to wholeness, may be imposed to deter an offender, punish exemplary offences, and recover consequential losses, amongst other objectives. Damages that are punitive, while not judicially popular in India, are usually imposed by a criminal court in common law jurisdictions. They are distinct from civil and equitable actions. [See the seminal case of The Owners of the Steamship Mediana [1900] AC 113 (HL)].

Unfortunately, section 46 of the Act uses the terms “damage”, “injury” and “compensation” interchangeably without regard for the long and rich jurisprudence that finds them to be different concepts.

The Cases related to Privacy

In the State of Maharashtra, there have been a total of 47 cases filed under section 46 of the Act. Of these, 33 cases have been disposed of by the Adjudicating Officer and 14 are currently pending disposal. [2] At least three of these cases before the Adjudicating Officer deal with issues related to privacy of communications and personal data. They are:

Case Title	Forum	Date
Vinod Kaushik v. Madhvika Joshi	Shri Rajesh Aggarwal Adjudicating Officer, ex-officio Secretary, IT Government of Maharashtra	10.10.2011
Amit D. Patwardhan v. Rud India Chains	Shri Rajesh Aggarwal Adjudicating Officer, ex-officio Secretary, IT Government of Maharashtra	15.04.2013
Nirmalkumar Bagherwal v. Minal Bagherwal	Shri Rajesh Aggarwal Adjudicating Officer, ex-officio Secretary, IT Government of Maharashtra	26.08.2013

In all three cases the Adjudicating Officer was called upon to determine and penalise unauthorised access to personal data of the complainants. In the Vinod Kaushik case, the complainants’ emails and chat sessions were accessed, copied and made available to the police for legal proceedings without the permission of the complainants. In the Amit Patwardhan and Nirmalkumar Bagherwal cases, the complainants’ financial information in the form of bank account statements were obtained from their respective banks without their consent and used against them in legal proceedings.

The Vinod Kaushik complaint was filed in 2010 for privacy violations committed between 2008 and 2009. The complaint was made against the complainant’s daughter-in-law – the respondent, who was estranged from her husband, the complainant’s son. The respondent had, independent of the proceedings before the Adjudicating Officer, instituted criminal proceedings alleging cruelty and dowry-related harassment against her estranged husband and the complainant. To support some of the claims made in the criminal proceedings, the respondent accessed the email accounts of her estranged husband and the complainant and printed copies of certain communications, both emails and chat transcripts. The complaint to the Adjudicating Officer was made in relation to these emails and chat transcripts that were obtained without the consent and knowledge of the complainant and his son. On 09.08.2010, the then Adjudicating Officer dismissed the complaint after finding that, owing to the marriage between the respondent and the complainant’s son, there was a relation of mutual trust between them that resulted in the complainant and his son consensually sharing their email account passwords with the respondent. This ruling was appealed to the Cyber Appellate Tribunal ("CyAT") which, in a decision of 29.06.2011, found irregularities in the complainant’s son’s privity to the proceedings and remanded the complaint to the Adjudicating Officer for re-adjudication. The re-adjudication, which was conducted by Shri Rajesh Aggarwal as Adjudicating Officer, resulted in a final order of 10.10.2011 ("the final order") that is the subject of this analysis. The final order found that the respondent had violated the privacy of the complainant and his son by her unauthorised access of their email accounts and sharing of their private communications. However, the Adjudicating Officer found that the intent of the unauthorised access – to obtain evidence to support a criminal proceeding – was mitigatory and hence ordered the respondent to pay only a small token amount in compensation, not to the complainants but instead to the State Treasury. The Delhi High Court, which was moved in appeal because the CyAT was non-functional, upheld the final order in its decision of 27.01.2012.

The Amit Patwardhan complaint was filed against the complainant’s ex-employer – the respondent, for illegally obtaining copies of the complainant’s bank account statement. The complainant had left the employ of the respondent to work with a competing business company but not before colluding with the competing business company and diverting the respondent’s customers to them. For redress, the respondent filed suit for a decree of compensation and lead the complainant’s bank statements in evidence to prove unlawful gratification. Since the bank statements were obtained electronically by the respondent without the complainant’s consent, the jurisdiction of the Adjudicating Officer was invoked. In his order of 15.04.2013, Shri Rajesh Aggarwal, the Adjudicating Officer, found that the respondent had, by unlawfully obtaining the complainant’s bank account statements which constitute sensitive personal data, violated the complainant’s privacy. The Adjudicating Officer astutely applied the equitable doctrine of clean hands to deny compensation to the complainant; however, because the complainant’s bank was not a party to the complaint, the Adjudicating Officer was unable to make a ruling on the lack of action by the bank to protect the sensitive personal data of its depositors.

The Nirmalkumar Bagherwal complaint bears a few similarities to the preceding two cases. Like the Vinod Kaushik matter, the issue concerned the manner in which a wife, estranged but still legally married, accessed electronic records of personal data of the complainants; and, like the Amit Patwardhan matter, the object of the privacy violation was the bank account statements of the complainants that constitute sensitive personal data. The respondent was the estranged wife of one of the complainants who, along with his complainant father, managed the third complainant company. To support her claim for maintenance from the complainant and his family in an independent legal proceeding, the respondent obtained certain bank account statements of the complainants without their consent and, possibly, with the collusion of the respondent bank. After reviewing relevant law from the European Union and the United States, and observant of relevant sectoral regulations applicable in India including the relevant Master Circular of the Reserve Bank of India, and further noting preceding consumer case law on the subject, the Adjudicating Officer issued an order on 26.08.2013. The order found that the complainant’s right to privacy was violated by both the respondents but, while determining the quantum of compensation, distinguished between the respondents in respect of the degree of liability; the respondent wife was ordered to pay a token compensation amount while the respondent bank was ordered to pay higher compensation to each of the three complainants individually.

The high quality of each of the three orders bears specific mention. Despite the superb quality of the judgments of the Indian higher judiciary in the decades after independence, the overall quality of judgment-writing appears to have declined. [3] In the last decade, several Indian judges have called for higher standards of judgment writing from their fellow judges. [4] In this background, it is notable that Shri Rajesh Aggarwal, despite not being a member of the judiciary, has delivered well-reasoned, articulate and clear orders that are cognisant of legal issues and also easily understandable to a non-legal reader.

In each of these cases, the Adjudicating Officer has successfully navigated around the fact that none of the primary parties were interacting and transacting at arm’s length. In the Vinod Kaushik and Nirmalkumar Bagherwal matters, the primary parties were estranged but still legally married partners and in the Amit Patwardhan matter the parties were in an employer-employee relationship. The first Adjudicating Officer in the Vinod Kaushik matter failed, in his order of 09.08.2010, to appreciate that the individual communications of individual persons were privileged by an expectation of privacy, regardless of their relationship. Hence, despite acknowledging that the marital partners in that matter were in conflict with each other, and despite being told by one party that the other party’s access to those private communications was made without consent, the Adjudicating Officer allowed his non-judicial opinion of marriage to influence his order. This mistake was corrected when the matter was remanded for re-adjudication. In the re-adjudication, the new Adjudicating Officer correctly noted that the respondent wife could have chosen to approach the police or a court to follow the proper investigative procedure for accessing emails and other private communications of another person and that her unauthorised use of the complainant’s passwords amounted to a violation of their privacy.

Popular conceptions of different types of relationships may affect the (quasi) judicial imagination of privacy. In comparison to the Vinod Kaushik matter, the Nirmalkumar Bagherwal and Amit Patwardhan matters both dealt with unauthorised access to bank account statements, by a wife and by an ex-employer respectively. In any event, the same Adjudicating Officer presided over all three matters and correctly found that the facts in all three matters admitted to contraventions of the privacy of the complainants. The conjecture as to whether the first Adjudicating Officer in the Vinod Kaushik matter would have applied the same standard of family unity to unauthorised access of bank account statements by an estranged wife who was seeking maintenance remains untested. However, the reliance placed on the decision of the Delhi State Consumer Protection Commission in the matter of Rupa Mahajan Pahwa, [5] where the Commission found that unauthorised access to a bank pass book by an estranged husband violated the privacy of the wife, would suggest that judges clothe financial information with a standard of privacy higher than that given to emails.

Emails are a form of electronic communication. The PUCL case (Supreme Court of India, 1996)[6] while it did not explicitly deal with the standard of protection accorded to emails, held that personal communications were protected by an individual right to privacy that emanated from the protection of personal liberty guaranteed under Article 21 of the Constitution of India. Following the Maneka Gandhi case (Supreme Court of India, 1978)[7]

it is settled that persons may be deprived of their personal liberty only by a just, fair and reasonable procedure established by law. As a result, interceptions of private communications that are protected by Article 21 may only be conducted in pursuance of such a procedure. This procedure exists in the form of the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 that came into effect on 27 October 2009 ("the Interception Rules"). The Interception Rules set out a regime for accessing private emails in certain conditions. The powers and procedure of Section 91 of the Code of Criminal Procedure ("CrPC") may also apply to obtain data at rest, such as emails stored in an inbox or sent-mail folder.

Finally, the orders of the Adjudicating Officer reveal a well-reasoned and progressive understanding of the law and principles relating to the quantification of compensation. By choosing to impose larger amounts of compensation on the bank that violated the privacy of the complainant in the Nirmalkumar Bagherwal matter, the Adjudicating Officer has indicated that the institutions that hold sensitive personal data, such as financial information, are subject to a higher duty of care in relation of it. But, most importantly, the act of imposing monetary compensation of privacy violations is a step forward because, for the first time in India, it recognises that privacy violations are civil wrongs or injuries that demand compensation.

[1]. These Rules were issued vide GSR 220(E), dated 17 March 2003 and published in the Gazette of India, Extraordinary, Part II, Section 3(i). These Rules can be accessed here – http://it.maharashtra.gov.in/PDF/Qual_ExpAdjudicatingOfficer_Manner_of_Holding_Enquiry_Rules.PDF (visited on 30 September 2013).

[2]. These cases and statistics may be viewed here – http://it.maharashtra.gov.in/1089/IT-Act-Judgements (visited on 30 September 2013).

[3]. See generally, Upendra Baxi “"The Fair Name of Justice": The Memorable Voyage of Chief Justice Chandrachud” in A Chandrachud Reader (Justice V. S. Deshpande ed., Delhi: Documentation Centre etc., 1985) and, Rajeev Dhavan, "Judging the Judges" in Judges and the Judicial Power: Essays in Honour of Justice V. R. Krishna Iyer (Rajeev Dhavan and Salman Khurshid eds., London: Sweet & Maxwell, 1985).

[4]. See generally, Justice B.G .Harindranath, Art of Writing Judgments (Bangalore: Karnataka Judicial Academy, 2004); Justice T .S. Sivagnanam, The Salient Features of the Art of Writing Orders and Judgments (Chennai: Tamil Nadu State Judicial Academy, 2010); and, Justice Sunil Ambwani, “Writing Judgments: Comparative Models” Presentation at the National Judicial Academy, Bhopal (2006) available here – http://districtcourtallahabad.up.nic.in/articles/writing%20judgment.pdf (visited on 29 Sep 2013).

[5]. Appeal No. FA-2008/659 of the Delhi State Consumer Protection Commission, decided on 16 October 2008.

[6]. (1997) 1 SCC 301.

[7]. (1978) 1 SCC 248.

For more details visit https://cis-india.org/internet-governance/blog/analysis-of-cases-filed-under-sec-48-it-act-for-adjudication-maharashtra

Is Your Aadhar Biometrics Safe? Firms Accused Of Storing Biometrics And Using Them Illegally

praskrishna — 2017-02-27T01:56:28Z

Fears of Aadhar biometric security have been compounded as the government is sprinting towards the next phase of ‘cashless India’ and digitization

Pranesh Prakash and Sunil Abraham have been quoted in this article published by Outlook on February 24, 2017.

The biggest fear regarding misuse of Aadhar biometrics and security loopholes are becoming real.

Three firms are being probed for attempting unauthorised authentication and impersonation by using stored Aadhaar biometrics, reported The Times of India.

The paper reported that the Unique Identification Authority of India (UIDAI) has lodged a criminal complaint with the cyber cell of Delhi Police, saying it is a clear violation of the law.

“The firms are Axis Bank, Suvidhaa Infoserve and eMudhra. They have been served a “notice for action“ under Aadhaar regulations”.

The firms have been accused of storing biometrics and using them illegally.

The fears of biometric security have been compounded as the government is sprinting towards the next phase of ‘cashless India’ and digitization. They are preparing to launch Aadhaar Pay, an initiative that will supersede the need to use credit cards, debit cards, smartphones and PINs to make payments or transfer money.

The proposed system of payments will use a person’s biometric data and fingerprints to make payments through Aadhaar-linked bank accounts.

Outlook’s Senior Associate Editor Arindam Mukherjee had in a clairvoyant article for the magazine raised the fears of biometrics being manipulated.

In the article, critics of Aadhaar and Aadhaar-based services raised the issue of privacy and security of biometric and personal data.

Pranesh Prakash, policy director with the Centre for Internet and Society (CIS), recently tweeted, “As long as Aadhar-Enabled Payment Services encourages biometric authorisation of transactions, it is bound to be a security nightmare, with widespread fraud.” Would you tell a shopkeeper your debit card’s PIN? No. Then why share your fingerprint? A fingerprint, in this system, becomes a kind of unchangeable Aadhaar Enabled Payment System PIN, he asks.

Pointing out a possible danger, Usha Ramanathan, an independent law researcher who has been following Aadhaar since its inception, says, “In many payments, biometric data is authenticated and then it remains in the system where there are leakages. Intermediaries then have access to the data, which is thus made insecure.”

According to the UIDAI, however, once biometric data is provided by the consumer while making Aadhaar-based payments, it gets encrypted and a merchant doesn’t get access to that data. The Aadhaar Act also prohibits any storing of biometric data in local devices.

And yet, there are many like CIS executive director Sunil Abraham who believe it is a mistake to use biometrics for authentication, especially when payments are concerned.

“Our concern with Aadhaar Pay is about the biometric component of the project,” says Abraham. “Biometrics is an identification technology. Unfortunately, it is being presented as an authentication technology. It is not a secure authentication technology as biometric data can be stolen easily. It is also irrevocable; once biometric data is stolen, it cannot be re-issued like a smart card.”

Then there is the problem of availability of fingerprints. In the case of many people from rural areas and the working class, fingerprints get affected due to the manual nature of their work. This makes it difficult for this target group of UIDAI to conduct transactions properly through Aadhaar Pay. “In Rajasthan, 30 per cent of the households are not even able to procure ration using fingerprints,” says Ramanathan.

For more details visit https://cis-india.org/internet-governance/news/outlook-february-24-2017-is-your-aadhar-biometrics-safe-firms-accused-of-storing-biometrics-and-using-them-illegally

Can the Judiciary Upturn the Lok Sabha Speaker’s Decision on Aadhaar?

amber — 2017-02-27T15:44:56Z

When ruling on the petition filed by Jairam Ramesh challenging passing the Aadhaar Act as a money Bill, the court has differing precedents to look at.

The article was published in the Wire on February 21, 2017.

In an earlier article, I had argued that the characterisation of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, as a money Bill by Sumitra Mahajan, speaker of the Lok Sabha, was erroneous. Specifically, I had argued that upon perusal of Article 110 (1) of the constitution, the Aadhaar Act does not satisfy the conditions required of a money Bill. For a legislation to be classified as a money Bill, it must comprise of ‘only’ provisions dealing with the following matters: (a) imposition, regulation and abolition of any tax, (b) borrowing or other financial obligations of the government of India, (c) custody, withdrawal from or payment into the Consolidated Fund of India (CFI) or Contingent Fund of India, (d) appropriation of money out of CFI, (e) expenditure charged on the CFI or (f) receipt or custody or audit of money into CFI or public account of India; or (g) any matter incidental to any of the matters specified in sub-clauses (a) to (f).

Article 110 is modelled on Section 1(2) of the UK’s Parliament Act, 1911, which also defines money Bills as those only dealing with certain enumerated matters. The use of the word ‘only’ was brought up by Ghanshyam Singh Gupta during the constituent assembly debates. He pointed out that the use of the word ‘only’ limits the scope money Bills to only those legislations which did not deal with other matters. His amendment to delete the word ‘only’ was rejected, clearly establishing the intent of the framers of the constitution to keep the ambit of money Bills extremely narrow. G.V. Mavalankar, the first speaker of Lok Sabha, had stated that the word ‘only’ must not be construed so as to give an overly restrictive meaning. For instance, a Bill which deals with taxation could have provisions which deal with the administration of the tax. The finance minister, Arun Jaitley, referred to these words by Mavalankar, justifying the classification of the Aadhaar Act as a money Bill.

While the Aadhaar Bill does makes references to benefits, subsidies and services funded by the CFI, even a cursory reading of the Bill reveals its main objectives as creating a right to obtain a unique identification number and providing for a statutory apparatus to regulate the entire process. Any reasonable reading of the legislation would be hard pressed to view all provisions in the Aadhaar Act, aside from the one creating a charge on the CFI, as merely administrative provisions incidental to the creation such charge. The mere fact of establishing the Aadhaar number as the identification mechanism for benefits and subsidies funded by the CFI does not give it the character of a money Bill. The Bill merely speaks of facilitating access to unspecified subsidies and benefits rather than their creation and provision being the primary object of the legislation. Erskine May’s seminal textbook, Parliamentary Practice, is instructive in this respect and makes it clear that a legislation which simply makes a charge on the consolidated fund does not becomes a money Bill if otherwise its character is not that of one. Further, the subordinate regulations notified under the Aadhaar Act deal almost entirely with matters to do with enrolment, updation, authentication of the Aadhaar number and related matters such as data security regulations and sharing of information collected, rather than the provision of benefits or subsidies or disbursal of funds otherwise from the CFI.

However, in the context of the petition filed by former Union minister Jairam Ramesh challenging the passage of the law on Aadhaar as a money Bill, the more important question is whether the judiciary has a right to question the speaker’s decision in such a matter. If not, any other questions about whether the legislation is a money Bill will remain merely academic in nature.

Irregularity vs illegality

Article 110 (3) clearly states that with regard to the question whether a legislation is a money Bill or not, the decision of the speaker is final and binding. The question is whether such a clause completely excludes any judicial review. Further, Article 122 prohibits the courts from questioning the validity of any proceedings in parliament on the ground of any alleged irregularity of procedure.

During the arguments in the court, the attorney general questioned the locus standi of Ramesh. The petition has been made under Article 32 of the constitution and the government argued that no fundamental rights of Ramesh were violated. However, the court has asked Ramesh to make his submission and adjourned the hearing to July. The petition by Ramesh would hinge largely on the powers of the judiciary to question the decision of the speaker of the Lok Sabha.

The powers of privilege that parliamentarians enjoy are integral to the principle of separation of powers. The rationale behind parliamentary privilege is to prevent interference in the lawmakers’ powers to perform essential functions. The ability to speak and vote inside the legislature without the fear of punishment is certainly essential to the role of a lawmaker. However, the extent of this protection lies at the centre of this discussion. During the constituent assembly debates, H.V. Kamath and others had argued for a schedule to exhaustively codify the existing privileges. However, B.R. Ambedkar pointed to the difficulty of doing so and parliamentary privilege on the lines of the British parliamentary practice was retained in the constitution. In the last few decades, a judicial position has emerged that courts could exercise a limited degree of scrutiny over privileges, as they are primarily responsible for interpreting the constitution.

In the matter of Raja Ram Pal vs The Hon’ble Speaker, Lok Sabha, it had been clarified that proceedings of the legislature were immune from questioning by courts in the case of procedural irregularity but not in the case of illegality. In this case, the Supreme Court while dealing with Article 122 stated that it does not oust review by the judiciary in cases of “gross illegality, irrationality, violation of constitutional mandate, mala fides, non-compliance with rules of natural justice and perversity.”

In 1968, the speaker of the Punjab legislative assembly adjourned the proceedings for a period of two months following rowdy behaviour. Subsequently, an ordinance preventing such a suspension was promulgated and the legislature was summoned by the governor to consider some expedient financial matters. The speaker disagreed with the decision and after some confusion, the deputy speaker passed a few Bills as money Bills. While looking into the question of what was protected from judicial review, the court stated that the protection did not extend to breaches of mandatory provisions of the constitution, only to directory provisions. By that logic, if Article 110 (1) is seen as a mandatory provision, a breach of its provisions could lead to an interpretation that the Supreme Court may well question an erroneous decision by the speaker of the Lok Sabha to certify a legislation as a money Bill. The use of the word “shall” in Article 110 (1), the nature and design of the provision, its overriding impact on the other constitutional provisions granting the Rajya Sabha powers are ample evidence of its mandatory nature. Based on the above, Anup Surendranath has argued that the passage of the Aadhaar Act as a money Bill when it does not satisfy the constitutional conditions for it does amount to a gross illegality.

The judicial precedent in Mohd. Saeed Siddiqui vs State of Uttar Pradesh where the matter of the court’s power to question the decision of a speaker was considered, though, leans in the other direction. In 2012, the Uttar Pradesh Lokayukta and Up-Lokayuktas (Amendment) Act, 2012 was passed as money Bill by the Uttar Pradesh state legislature. Subsequently, a writ petition was filed challenging its constitutional validity. A three-judge bench of the Supreme Court looked into the application of Article 212. It is the provision corresponding to Article 122, dealing with the power of the courts to inquire into the proceedings of the state legislature. The court held that Article 212 makes “it clear that the finality of the decision of the Speaker and the proceedings of the State Legislature being important privilege of the State Legislature, viz., freedom of speech, debate and proceedings are not to be inquired by the Courts.” Importantly, ‘proceedings of the legislature’ were deemed to include within its scope everything done in transacting parliamentary business, including the passage of the Bill. While the court did acknowledge the limitations of parliamentary privilege as established in the Raja Ram Pal case, it did not adequately take into account the reasoning in it.

The Aadhaar Act is a legislation which makes it mandatory of all residents to enrol for a biometric identification system in order to avail certain subsidies, benefits and services. It has huge potential risks for individual privacy and national security and has been the subject of an extremely high profile Public Interest Litigation. Its passage as a money Bill, without any oversight from the Rajya Sabha and an opportunity for substantial debate and discussion, is a fraud on the Constitution. Whether or not the court chooses to see it that way remains to be seen.

For more details visit https://cis-india.org/internet-governance/blog/the-wire-amber-sinha-february-21-2017-can-the-judiciary-upturn-the-lok-sabha-speakers-decision-on-aadhaar

Nasscom chief saying full data protection isn’t possible should wake us from our digital slumber

praskrishna — 2017-03-17T01:47:25Z

Considering India is rapidly moving towards a digital economy, the hurdles not withstanding, data and identity security are topics which have to be taken very seriously. Since the demonetisation, a large part of the population who would never bother with digital transactions has suddenly come online. But there is no such thing as complete security of personal data, according to Nasscom chief R Chandrashekhar.

This was published by First Post on March 16, 2017. Pranesh Prakash was quoted.

Attending the World Consumer Rights Day, R Chandrashekhar said that personal data of online consumers cannot be completely secure and stressed on the need to have strict enforcement of consumer protection laws. Speaking to PTI, Chandrashekhar said, “More than 3 million credit card data details were misused recently. Let us face it, these kind of security breaches will take place. There is nothing called fully perfect security in IT.”

It’s high time we call a spade, a spade

R Chandrashekhar, President Nasscom. Image: PIB

Coming from the head of Nasscom, this announcement pertaining to security is very important. According to Chandrashekhar one cannot expect complete cyber security, but there are definitely ways in which such attacks and incidents can be minimised. He very rightly said that that protecting the online consumer data, specially looking at how rapidly e-commerce is growing in the country, is of prime importance.

One cannot help but agree with Chandrashekhar, specially considering the fact India does not have a privacy law ecosystem that is present in countries such as the US and the UK, where online consumer protection is taken very seriously. Germany and other EU nations have always been at the forefront, when it comes to protecting data privacy, and it has ensured that consumer-facing technology companies do not run roughshod when it comes to protecting user data.

Chandrashekhar stated that there was no need for separate regulations for e-commerce sites, but the priority was ensuring means to enforce consumer laws in the digital world.

Lack of dedicated privacy laws

According to cyberlaw and cybersecurity expert, Pavan Duggal, “Going forward, there is an urgent need for India to take a strong view on privacy in terms of legislative frameworks. Unfortunately, at the time of writing, India does not have a dedicated law on privacy.”

Image: Foamy Media

Social media websites for instance have a lot of user data. But what happens when they suddenly change their privacy policies? For instance, a lot of users signed on to WhatsApp when it was an independent company. But post the Facebook acquisition, there have been a lot of instances where WhatsApp has updated its terms and conditions to suit its parent Facebook.

That’s not completely illegal one may say. Loss of privacy is a price you pay for free services. But what if, I as a consumer of WhatsApp do not want the app to share any of my data with Facebook? The only option I am left with is to delete WhatsApp. But then again, I do not know if my data is also deleted from WhatsApp servers or it has already been shared. Social media apps, only let you know what updates are being added. Consent is only required to update the app. You can stall that, up to a point. But there will come a time when you will have to update an app. Then by default you have given approval to all the terms and conditions associated with the app.

Two students had challenged WhatsApp’s revision to its privacy policy before Delhi High Court. The Court dismissed the petition insisting that users could opt out by deleting their accounts.

When a similar challenge was mounted before the authorities in UK, Facebook had to put a pause on their data sharing – and this was because of its strong data protection policy. Under the UK data protection law, the company has to inform the authority established under the Act of any changes in the use of user data. In the case of WhatsApp, the UK authority objected to such sharing.

Aadhaar – the 12-digit biometric storehouse

Aadhaar card is being used for many financial and non financial transactions. Also the Aadhaar number associated with an individual also holds a lot of personal and biometric data. So when recently, there was news about a possible Aadhaar data breach when UIDAI filed a police complaint against Axis Bank, business correspondent Suvidhaa Infoserve and e-sign provider eMudhra, it was naturally a shock to many.

Unlike a password which can be changed, with biometric information there is no scope to do that if it is compromised. Although UIDAI claims that there are multiple levels of security and firewalls to ensure there is no breach of Aadhaar information of an individual, one can only hope that it is robust enough to withstand any attack. Collection of biometric data by the government to form a database, for instance, was debated and ultimately not used in the UK.

Pranesh Prakash, policy director of the Centre for Internet and Society, expressed concern about the pace at which we are progressing when it comes to having a legal and regulatory framework when it comes to the Digital India push. “While the security architecture of Aadhaar Enabled Payment Systems (AEPS) might in itself be good, the idea of providing your fingerprints to merchants for financial transactions is a terrible idea since that is like asking you to give your bank password to a merchant, and the merchant can reuse that password, and you can’t ever change the password,” said Prakash.

Enforcing the correct processes

Last year, a malware affected the systems of Hitachi Payment Services, which provides back end services to ATM machines and Point of Sale nodes across India. As a result of this, around 32 lakh debit cards were compromised including those issued by SBI, HDFC, Yes Bank, Axis, BOB and ICICI. Security experts and consultants have pointed out various holes in the electronic transaction systems in place in India. Intel has also warned that ATM machines in India are vulnerable to malicious attacks. Intel points out that countries in the Asia Pacific region are developing and are particularly vulnerable because of old systems and machines being used.

Image: REUTERS/Amit Dave

According to Mahesh Patel, president and group CTO, AGS Transact Technologies this was more of a governance issue of the data centre than any technical error. “It is not about the software, but it is about the processes and procedures you put in place to ensure that the system is secure. Everything from physical security to computing security to admin management, etc should be process driven. So somewhere there could have been a weak link there. Cloud has to be secure and encrypted which suffices the use case of payments. This cloud is different from the ones used by e-commerce sites to display all their products,” said Patel.

We may have the best of software and security measures, but ensuring that they are implemented the right way is equally important. Plugging the loopholes in current regulations is also important.

Existing laws and regulations, not enough

According to Duggal, “The Information Technology Act, 2000 hardly has effective provisions to protect any data and personal privacy in the digital ecosystem. The Indian Government needs to come up with strong privacy law which can protect both personal privacy and data privacy in an effective manner.”

One may find it really shocking to hear the head of Nasscom saying something to the extent that full data protection for online consumers is not possible, but there is definitely truth to the matter. It will require concerted efforts from not only regulators, governments, digital wallet players and banking industry to come up with these privacy laws, but also you the consumer has to ensure that you are aware of the dangers lurking in the digital world. Educating oneself of the various ways in which your data can be compromised is a good way to protect your online self.

Because, let’s face it, for all practical purposes if you are online, your privacy is dead.

For more details visit https://cis-india.org/internet-governance/news/first-post-march-16-nimish-sawant-nasscom-chief-saying-full-data-protection-isnt-possible-should-wake-us-from-our-digital-slumber

State of Digital Rights in India (Delhi, March 24)

Japreet Grewal and Sumandro Chattapadhyay — 2017-03-27T13:21:20Z

The Centre for Communication Governance at National Law University, Delhi and the Internet Freedom Foundation, in association with Access Now, are hosting a discussion on The State of Digital Rights in India on March 24, 2017 (Friday) from 6.00 pm onwards at Lecture Room-I, India International Centre- Annexe, New Delhi. Japreet Grewal and Sumandro Chattapadhyay will participate in the panel discussions.

Registration: Eventbrite

March 24, 2017 marks the two year anniversary of the landmark Shreya Singhal judgment. This was a very significant ruling on freedom of speech and expression and occupies an important place in the Supreme Court’s discourse on civil liberties. The judgment traces out the contours of free speech on the Internet in India and unequivocally holds that the right to freedom of expression provided under Article 19(1)(a) applies to speech over the Internet, making it clear that this is a medium-neutral right.

The event aims to shed some light on this key judgment and discuss ongoing discussions regarding our civil liberties and freedoms online before courts and the Parliament. We would also like to take this opportunity to discuss some of the other pressing issues like Network Neutrality, Internet shutdowns, Privacy and User Security which need immediate attention and engagement of our democratic institutions. We hope to formulate effective strategies which will further shape the legal and policy framework in India, and facilitate better collaborative efforts between stakeholders.

We hope to bring together everyone who contributed to the judgment, and those who do work connected with it, so that we may build on it to seek a better legal framework to protect online speech and to discuss the threats surrounding digital rights and how best build on the foundations of the judgment.

We would be grateful if you could take out some time on Friday evening (6PM) and be a part of this important discussion. The discussion will be followed by dinner and an Open Bar for an Open Internet, which will start from 9.00 pm at the Annexe Court in the India International Centre - Annexe. In case you are unable to attend the seminar, please do join us for dinner!

Featuring:

A keynote address on our online freedoms and policymaking, by Shri Tathagata Satpathy (Member of Parliament, Lok Sabha)
A legal panel analysing the legacy of the Shreya Singhal v. Union of India judgment
Beyond Shreya Singhal: A conversation with women on the future of our digital rights
Briefings on the state of digital rights in our courts and in Parliament
A conversation on the path ahead for our civil liberties and digital rights community

For more details visit https://cis-india.org/internet-governance/news/state-of-digital-rights-in-india-delhi-march-24

Why We Should All Worry About The Mandatory Imposition Of Aadhaar

praskrishna — 2017-03-27T15:02:10Z

It appears that with each passing day, the government is linking an increasing number of benefits and government services to the 12-digit biometric-based Aadhaar number for Indians, despite growing concerns around its data privacy and security.

The article by Rimin Dutt and Ivan Mehta was published by Huffington Post on March 24, 2017. Sunil Abraham was quoted.

Aadhaar, which collects among other information, citizens' iris scans and fingerprints and stores them into a centralised database for a prolonged time with only loose guidelines and no pre-existing laws to ensure the privacy of that data, is now linked to no less than 38 government schemes, including the government's latest directive –- that Aadhaar become mandatory for tax filing and securing PAN numbers -- introduced by Finance Minister Arun Jaitley earlier this week.

Jaitley openly admitted on Wednesday in the Parliament that the government, in effect, would be forcing people to get Aadhaar in an effort to increase tax compliance.

Aadhaar's use, by no means, is restricted to government agencies alone. A growing number of private financial institutions are now fulfilling their "Know Your Customer" or e-KYC formalities by making Aadhaar compulsory. The government is also in the process of making Aadhaar the basis of all financial transactions.

While the timing of the government's aggressive push of Aadhaar, in itself, is raising eyebrows among political observers, there are some serious concerns about this unique experiment that deserve stronger scrutiny.

Why disregard the Supreme Court?

In making Aadhaar mandatory for filing taxes and securing core taxpayer identity, the government has openly gone against a Supreme Court order from last year that explicitly stated that the Aadhaar Card scheme is "purely voluntary" and cannot be made mandatory until the court has decided on this.

The government has defended its move, saying it is allowed to do so under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016.

However, as Gopal Krishna, a member of the Citizens Forum for Civil Liberties, writes in Business Today, the passage of the Act by the Parliament "does not automatically imply that any agency can make UID/Aadhaar compulsory disregarding the Supreme Court's orders."

According to Krishna, in doing so, the government is "clearly stepping beyond" the mandate of the Aadhaar Act, and also acting in contempt of the Parliament, according to him.

In addition, if tax evasion was the driving factor behind the move, it begs the question — wouldn't forcing people to get Aadhaar actually do the opposite by adding another layer of hassle?

Indeed, tax experts have noted how this requirement may hinder tax collection. Archit Gupta, Founder & CEO ClearTax.com, a tax service provider told HuffPost India, "The [Aadhaar] announcement is likely to be a dampener to tax filers, specially first-timers ... FY 2016-17 filing is expected to see a large number of first-time filers due to demonetisation efforts, and this move may make them more guarded."

Why not strengthen PAN?

The government already has an extensive mandate for the Permanent Account Number (PAN) cards, which are required to validate several important services or for undertaking transactions such as buying and selling property or jewellery worth over ₹2 lakhs. Last year, the government, in fact, said that the National Pension System (NPS) scheme would accept PAN cards over Aadhaar cards to validate new customers.

On Wednesday, however, Jaitley said PAN cards have been misused by certain people to evade taxes, and there are reports that Aadhaar may become the ultimate authenticating document. However, the continued and growing use of PAN along with Aadhaar adds an extra layer of formalities for citizens to access government services, which are their constitutionally guaranteed rights.

How safe is Aadhaar anyway?

Depending on who you talk to, the safety concerns of Aadhaar come up as a pressing issue, especially in the wake of a recent security incident when the Unique Identification Authority of India initiated police action against entities associated with Axis Bank including Suvidhaa Infoserve and e-sign provider eMudhra, which had allegedly engaged in unauthorised authentication and impersonation by illegally storing Aadhaar biometrics.

Earlier this month, in a separate incident, security researcher Srinivas Kodali warned Indian authorities of a website that was leaking Aadhaar demographic data of over five lakh minors, as well as the existence several parallel databases that had key identification data linked to Aadhaar, Scroll reported.

In the absence of any privacy laws in India, these security concerns have assumed even greater significance.

UIDAI, the authority behind Aadhaar, has maintained the technology behind Aadhaar is robust and that it uses advanced encryption to transmit and store data. It specifically denied that any breach of centralised data took place in the Axis Bank incident, saying the case was an isolated incident.

However, in a rather ironic twist in the Aadhaar Act, which itself contains no provisions to address privacy concerns, any legal action against any misuse or theft of Aadhaar data can only be initiated by UIDAI, leaving citizens with no legal recourse should a breach occur.

That represents an obvious conflict of interest as it gives exclusive power to the very authority that is responsible for the security and confidentiality of identity information and authentication records, PRS Legislative Research, has noted.

In addition, the controversial Aadhaar Act contains several other inherent dangers such as the potential to profile citizens based on the linking of other databases with Aadhaar by studying patterns of behaviour.

"Techniques such as running computer programmes across datasets for pattern recognition can be used for various purposes such as detecting potential illegal activities...However, these can also lead to harassment of innocent individuals who get identified incorrectly as potential threats," noted PRS Legislative.

There are currently no safeguards to prevent inappropriate profiling, instances of which could increase as more and more private organisations link their data to Aadhaar, and potentially exploit data for commercial purposes without the consent of citizens.

The US, in comparison, has laws in place that require agencies that collects data to submit an annual report to US Congress on all such data mining activities.

Other unresolved concerns

There are several other concerns related to the widespread use of Aadhaar card and the power it is afforded under the Aadhar act. The act allows UIDAI to collect biometric information beyond iris and fingerprint scans, for example, to include other bio-data such as DNA, noted PRS.

The act also allows private agencies to use Aadhaar, which contradicts an earlier stated objective of the scheme that sought to restrict the use of Aadhaar for only government expenditures.

"It allows private persons to use Aadhaar as a proof of identity for any purpose. This provision will enable private entities such as, airline, telecom, insurance, real estate etc. companies, to require Aadhaar as a proof of identity for availing their services," PRS has noted.

There's also the worrying prospect of Aadhaar being used as a surveillance tool by the government, instead of an e-governance technology, Sunil Abraham, executive director of research organisation, Centre for Internet and Society, told the The Hindu Business Line, adding biometrics only make citizens transparent to the state and not the state transparent to citizens.

"We warned the government six years ago, but they ignored us," said Abraham.

Krishna has a more dire warning: "The JAM Trinity -- Jan Dhan Yojana, Aadhaar and mobile numbers -- may well be a fish bait to trap unsuspecting citizens into the world's biggest transnational biometric database to turn them into subjects under surveillance forever in the name of a set of welfare and anti-poverty policies.

What has been done to address the security concerns?

It is unclear what the government or UIDAI may have done in the wake of the security incident to upgrade its systems. According to an expert HuffPost Post India talked to, many third party apps that are using Aadhar data may not be screened or audited for security, which is a huge worry.

Kodali told HuffPost India that Aadhaar has potential design issues when it comes to information security.

"By design it allows anyone store information of the Aadhaar holder through [application programming interface]. This is creating many parallel databases with Aadhaar as a key," he said.

He notes that security is an afterthought for many institutions and companies.

"UIDAI and the architects of Aadhaar do not accept that data can be a liability instead of an asset," he said. "The mandatory nature of Aadhaar without the right infrastructure and skilled workforce is not just a cyber security issue, but a national security issue."

When will India get privacy laws?

No one quite knows. But there's a growing call for a need for strict privacy laws, given the move towards digital financial transactions and growing e-commerce use. Most advanced economies including the US, the UK, France, Australia and New Zealand have enacted privacy laws.

However, in India, the right to privacy still doesn't exist despite it being recognised by even the UN charter of human rights. Article 12 of the Universal Declaration of Human Rights states, "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."

The potential for cyber criminals to misuse citizen data isn't lost on even prominent IT industry experts.

Recently, the chief of IT industry body Nasscom R Chandrashekhar told PTI that personal data of online consumers can never be fully secure, emphasising the need for strict consumer protection laws. "More than 3 million credit card data details were misused recently. Let us face it, these kind of security breaches will take place. There is nothing called fully perfect security in IT," he said.

To be sure, Aadhaar has been lauded by several prominent experts and economists, and it is, undoubtedly, an ambitious project to potentially aid financial inclusion for a large population that has historically been outside of a formal financial services net. India also has one of the lowest tax compliance rates, making tax collection a priority for the government.

Recently, Paul Romer, World Bank's chief economist told Bloomberg, "The system in India is the most sophisticated that I've seen ... It's the basis for all kinds of connections that involve things like financial transactions. It could be good for the world if this became widely adopted."

But given the sensitivity of citizen biometrics data and potential for misuse, the government ought to be held accountable for its proper use and ensure enough safeguards are put in place before its imposition on each citizen.

For more details visit https://cis-india.org/internet-governance/news/huffington-post-rimin-dutt-ivan-mehta-march-24-2017-why-we-should-all-worry-about-the-mandatory-imposition-of-aadhaar

Round Table on Privacy and Data Protection at NIPFP

praskrishna — 2017-03-27T16:02:59Z

National Institute of Public Finance & Policy organized a round-table on privacy and data protection on March 24, 2017 in New Delhi.

Click to see the agenda.

For more details visit https://cis-india.org/internet-governance/news/round-table-on-privacy-and-data-protection-at-nipfp

How Aadhaar compromises privacy? And how to fix it?

sunil — 2017-04-01T07:00:06Z

Aadhaar is mass surveillance technology. Unlike targeted surveillance which is a good thing, and essential for national security and public order – mass surveillance undermines security. And while biometrics is appropriate for targeted surveillance by the state – it is wholly inappropriate for everyday transactions between the state and law abiding citizens.

The op-ed was published in the Hindu on March 31, 2017.

When assessing a technology, don't ask - “what use is it being put to today?”. Instead, ask “what use can it be put to tomorrow and by whom?”. The original noble intentions of the Aadhaar project will not constrain those in the future that want to take full advantage of its technological possibilities. However, rather than frame the surveillance potential of Aadhaar in a negative tone as three problem statements - I will propose three modifications to the project that will reduce but not eliminate its surveillance potential.

Shift from biometrics to smart cards: In January 2011, the Centre for Internet and Society had written to the parliamentary finance committee that was reviewing what was then called the “National Identification Authority of India Bill 2010”. We provided nine reasons for the government to stop using biometrics and instead use an open smart card standard. Biometrics allows for identification of citizens even when they don't want to be identified. Even unconscious and dead citizens can be identified using biometrics. Smart cards, on the other hand, require pins and thus citizens' conscious cooperation during the identification process. Once you flush your smart cards down the toilet nobody can use them to identify you. Consent is baked into the design of the technology. If the UIDAI adopts smart cards, we can destroy the centralized database of biometrics just like the UK government did in 2010 under Theresa May's tenure as Home Secretary. This would completely eliminate the risk of foreign governments, criminals and terrorists using the biometric database to remotely, covertly and non-consensually identify Indians.

Destroy the authentication transaction database: The Aadhaar Authentication Regulations 2016 specifies that transaction data will be archived for five years after the date of the transaction. Even though the UIDAI claims that this is a zero knowledge database from the perspective of “reasons for authentication”, any big data expert will tell you that it is trivial to guess what is going on using the unique identifiers for the registered devices and time stamps that are used for authentication. That is how they put Rajat Gupta and Raj Rajratnam in prison. There was nothing in the payload ie. voice recordings of the tapped telephone conversations – the conviction was based on meta-data. Smart cards based on open standards allow for decentralized authentication by multiple entities and therefore eliminate the need for a centralized transaction database.

Prohibit the use of Aadhaar number in other databases: We must, as a nation, get over our obsession with Know Your Customer [KYC] requirements. For example, for SIM cards there is no KYC requirement is most developed countries. Our insistence on KYC has only resulted in retardation of Internet adoption, a black market for ID documents and unnecessary wastage of resources by telecom companies. It has not prevented criminals and terrorists from using phones. Where we must absolutely have KYC for the purposes of security, elimination of ghosts and regulatory compliance – we must use a token issued by UIDAI instead of the Aadhaar number itself. This would make it harder for unauthorized parties to combine databases while at the same time, enabling law enforcement agencies to combine databases using the appropriate authorizations and infrastructure like NATGRID. The NATGRID, unlike Aadhaar, is not a centralized database. It is a standard and platform for the express assembly of sub-sets of up to 20 databases which is then accessed by up to 12 law enforcement and intelligence agencies.

To conclude, even as a surveillance project – Aadhaar is very poorly designed. The technology needs fixing today, the law can wait for tomorrow.

For more details visit https://cis-india.org/internet-governance/blog/hindu-op-ed-sunil-abraham-march-31-2017-how-aadhaar-compromises-privacy-and-how-to-fix-it

Analysis of Key Provisions of the Aadhaar Act Regulations

amber — 2017-04-03T14:05:01Z

In exercise of their powers under of the powers conferred by Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016, (Aadhaar Act) the UIDAI has come out with a set of five regulations in late 2016 last year. In this policy brief, we look at the five regulations, their key provisions and highlight point out the unresolved, issues, unaddressed, and created issues as result of these regulations.

This blog post was edited by Elonnai Hickok

Introduction

At the outset it is important to note that a concerning feature of these regulations is that they intend to govern the processes of a body which has been in existence for over six years, and has engaged in all the activities sought to be governed by these policies at a massive scale, considering the claims of over one billion Aadhaar number holders. However, the regulation do not acknowledge, let alone address past processes, practices, enrollments, authentications, use of technology etc. this fact, and there are no provisions that effectively address the past operations of the UIDAI. Below is an analysis of the five regulations issued thus far by the UIDAI.

Unique Identification Authority of India (Transactions of Business at Meetings of the Authority) Regulations^{^[1]}

These regulations framed under clause (h) of sub-section (2) of section 54 read with sub-section (1) of section 19 of the Aadhaar Act, deal with the meetings of the UIDAI, the process following up to each meeting, and the manner in which all meetings are to be conducted.

Provision: Sub-Regulation 3.

Meetings of the Authority– (1) There shall be no less than three meetings of the Authority in a financial year on such dates and at such places as the Chairperson may direct and the interval between any two meetings shall not in any case, be longer than five months

Observations:

The number of times that UIDAI would meet in a year is far too less, taking in account the significance of the responsibilities of UIDAI as the sole body for policy making for all issues related to Aadhaar. In contrast, the Telecom Regulatory Authority of India is required to meet at least once a month. Other bodies such as SEBI and IRDAI are also required to meet at least four times^{^[2]} and six times^{^[3]} in a year respectively.

Provision: Sub-Regulation 8 (5)

Decisions taken at every meeting of the Authority shall be published on the website of Authority unless the Chairperson determines otherwise on grounds of ensuring confidentiality.

Observations:

The Chairperson has the power to determine withholding publication of the decisions of the meeting on the broad grounds of ‘confidentiality’. Given the fact that the decisions taken by UIDAI as a public body can have very real implications for the rights of residents, the ground of confidentiality is not sufficient to warrant withholding publication. It is curious that instead of referring to the clearly defined exceptions laid down in other similar provisions such as the exceptions in Section 8 of the Right to Information Act, 2005, the rules merely refer to vague and undefined criteria of ‘confidentiality’.

Provision: Sub-Regulation 14 (4)

Members of the Authority and invitees shall sign an initial Declaration at the first meeting of the Authority for maintaining the confidentiality of the business transacted at meetings of the Authority in Schedule II.

Observations:

The above provision, combined with the fact that there is no provision regarding publication of the minutes of the meetings of UIDAI raise serious questions about the transparency of its functioning.

Unique Identification Authority of India (Enrolment and Update) Regulations^{^[4]}

These regulations, framed under sub-section (1), and sub-clauses (a), (b), (d,) (e), (j), (k), (l), (n), (r), (s), and (v) of sub-section (2), of Section 54 of the Aadhaar Act deals with the enrolment process, the generation of an Aadhaar number, updation of information and governs the conduct of enrolment agencies and associated third parties.

Provisions:

Sub-Regulation 8 (2), (3) and (4)

The standard enrolment/update software shall have the security features as may be specified by the Authority for this purpose.

All equipment used in enrolment, such as computers, printers, biometric devices and other accessories shall be as per the specifications issued by the Authority for this purpose.

The biometric devices used for enrolment shall meet the specifications, and shall be certified as per the procedure, as may be specified by the Authority for this purpose.

Sub-Regulation 3 (2)

The standards for collecting the biometric information shall be as specified by the Authority for this purpose.

Sub-Regulation 4 (5)

The standards of the above demographic information shall be as may be specified by the Authority for this purpose.

Sub-Regulation 6 (2)

For residents who are unable to provide any biometric information contemplated by these regulations, the Authority shall provide for handling of such exceptions in the enrolment and update software, and such enrolment shall be carried out as per the procedure as may be specified by the Authority for this purpose.

Sub-Regulation 14 (2)

In case of rejection due to duplicate enrolment, resident may be informed about the enrolment against which his Aadhaar number has been generated in the manner as may be specified by the Authority.

Observations:

Though in February 2017, the UIDAI published technical specifications for registered devices^{^[5]}, the regulations leave unaddressed issues such as lack of appropriately defined security safeguards in the Aadhaar. There is a general trend of continued deferrals in the regulations by stating that matters would be specified later on important aspects such as rejection of applications, uploading of the enrolment packet to the CIDR, the procedure for enrolling residents with biometric exceptions, the procedure for informing residents about acceptance/rejection of enrolment application, specifying the convenience fee for updation of residents’ information, the procedure for authenticating individuals across services etc.c. There is a clear failure to exercise the mandate delegated to UIDAI, leaving key matters to determined at a future unspecified date. The delay and ambiguity around when regulations will be defined is all the more problematic in light of the fact that the project has been implemented since 2010 and the Aadhaar number is now mandatory for availing a number of services.

Further it is important to note that a number of policies put out by the UIDAI predate these regulations, on which the regulations are completely silent, thus neither endorsing previous policies nor suggesting that they may be revisited. Further, the regulations choose to not engage with the question of operation of the Aadhaar project, enrolment and storage of data etc prior to the notification of these regulations, or the policies which these regulations may regularise. For instance, the regulations do not specify any measures to deal with issues arising out of enrolment devices used prior to the development of the February 2017 specifications.

Provision: Sub-Regulation 32

The Authority shall set up a contact centre to act as a central point of contact for resolution of queries and grievances of residents, accessible to residents through toll free number(s) and/ or e-mail, as may be specified by the Authority for this purpose.

(2) The contact centre shall:

Provide a mechanism to log queries or grievances and provide residents with a unique reference number for further tracking till closure of the matter;
Provide regional language support to the extent possible;
Ensure safety of any information received from residents in relation to their identity information;
Comply with the procedures and processes as may be specified by the Authority for this purpose.

(3) Residents may also raise grievances by visiting the regional offices of the Authority or through any other officers or channels as may be specified by the Authority.

Observations:

While the setting up of a grievance redressal mechanism under the regulations is a welcome move, there is little clarity about the procedure to be followed, nor is a timeline for it specified. The chapter on grievance redressal is in fact one of the shortest chapters in the regulations. The only provision in this chapter deals with the setting up of a contact centre, a curious choice of term for what is supposed to be the primary quasi judicial grievance redressal body for the Aadhaar project. In line with the indifferent and insouciant terminology of ‘contact centre’, the chapter is restricted to the matters of the logging of queries and grievances by the contact centre, and does not address the matter of procedure or timelines, and even the substantive provisions about the nature of redress available. Furthermore, the obligation on the contact centre to protect information received is limited to ‘ensuring safety’ an ambiguous standard that does not speak to any other standards in Indian law.

Aadhaar (Authentication) Regulations, 2016^{^[6]}

These regulations, framed under sub-section (1), and sub-clauses (f) and (w) of sub-section (2) of Section 54 of the Aadhaar Act deals with the authentication framework for Aadhaar numbers, the governance of authentication agencies and the procedure for collection, storage of authentication data and records.

Provisions:

Sub-Regulation 5 (1)

At the time of authentication, a requesting entity shall inform the Aadhaar number holder of the following details:—

(a) the nature of information that will be shared by the Authority upon authentication;

(b) the uses to which the information received during authentication may be put; and

Sub-Regulation 6 (2)

A requesting entity shall obtain the consent referred to in sub-regulation (1) above in physical or preferably in electronic form and maintain logs or records of the consent obtained in the manner and form as may be specified by the Authority for this purpose.

Observations:

Sub-regulation 5 mentions that at the time of authentication, requesting entities shall inform the Aadhaar number holder of alternatives to submission of identity information for the purpose of authentication. Similarly, sub-regulation 6 mentions that requesting entity shall obtain the consent of the Aadhaar number holder for the authentication. However, in neither of the above circumstances do the regulations specify the clearly defined options that must be made available to the Aadhaar number holder in case they do not wish submit identity information, nor do the regulations specify the procedure to be followed in case the Aadhaar number holder does not provide consent.

Most significantly, this provision does little by way of allaying the fears raised by the language in Section 8 (4) of the Aadhaar Act which states that UIDAI “shall respond to an authentication query with a positive, negative or any other appropriate response sharing such identity information.” This section gives a very wide discretion to UIDAI to share personal identity information with third parties, and the regulations do not temper or qualify this power in any way.

Sub-Regulation 11 (1) and (4)

The Authority may enable an Aadhaar number holder to permanently lock his biometrics and temporarily unlock it when needed for biometric authentication.

The Authority may make provisions for Aadhaar number holders to remove such permanent locks at any point in a secure manner.

Observations:

A welcome provision in the regulation is that of biometric locking which allows Aadhaar number holders to permanently lock his biometrics and temporarily unlock it only when needed for biometric authentication. However, in the same breath, the regulation also provides for the UIDAI to make provisions to remove such locking without any specified grounds for doing so.

Provision: Sub-Regulation 18 (2), (3) and (4)

The logs of authentication transactions shall be maintained by the requesting entity for a period of 2 (two) years, during which period an Aadhaar number holder shall have the right to access such logs, in accordance with the procedure as may be specified.

Upon expiry of the period specified in sub-regulation (2), the logs shall be archived for a period of five years or the number of years as required by the laws or regulations governing the entity, whichever is later, and upon expiry of the said period, the logs shall be deleted except those records required to be retained by a court or required to be retained for any pending disputes.

The requesting entity shall not share the authentication logs with any person other than the concerned Aadhaar number holder upon his request or for grievance redressal and resolution of disputes or with the Authority for audit purposes. The authentication logs shall not be used for any purpose other than stated in this sub-regulation.

Observations:

While it is specified that the authentication logs collected by the requesting entities shall not be shared with any person other than the concerned Aadhaar number holder upon their request or for grievance redressal and resolution of disputes or with the Authority for audit purposes, and that the authentication logs may not be used for any other purpose, the maintenance of the logs for a period of seven years seems excessive. Similarly, the UIDAI is also supposed to store Authentication transaction data for over five years. This is in violation of the widely recognized data minimisation principles which seeks that data collectors and data processors delete personal data records when the purpose for which it has been collected if fulfilled. While retention of data for audit and dispute-resolution purpose is legitimate, the lack of specification of security standards and the overall lack of transparency and inadequate grievance redressal mechanism greatly exacerbate the risks associated with data retention.

Aadhaar (Sharing of Information) Regulations, 2016 and Aadhaar (Data security) Regulations, 2016^{^[7]}

Framed under the powers conferred by sub-section (1), and sub-clause (o) of sub-section (2), of Section 54 read with sub-clause (k) of sub-section (2) of Section 23, and sub-sections

(2) and (4) of Section 29, of the Aadhaar Act, the Sharing of Information regulations look at the restrictions on sharing of identity information collected by the UIDAI and requesting entities. The Data Security regulation, framed under powers conferred by clause (p) of subsection (2) of section 54 of the Aadhaar Act, looks at security obligations of all service providers engaged by the UIDAI.

Provision: Sub-Regulation 6 (1)

All agencies, consultants, advisors and other service providers engaged by the Authority, and ecosystem partners such as registrars, requesting entities, Authentication User Agencies and Authentication Service Agencies shall get their operations audited by an information systems auditor certified by a recognised body under the Information Technology Act, 2000 and furnish certified audit reports to the Authority, upon request or at time periods specified by the Authority.

Observations:

The regulation states that audits shall be conducted by an information systems auditor certified by a recognised body under the Information Technology Act, 2000. However, there is no such certifying body under the Information Technology Act. This suggests a lack of diligence in framing the rules, and will inevitably to lead to inordinate delays, or alternately, a lack of a clear procedure in the appointment of an auditor. Further, instead of prescribing a regular and proactive process of audits, the regulation only limits audits to when requested or as deemed appropriate by UIDAI. This is another, in line of many provisions, whose implication is power being concentrated in the hands of UIDAI, with little scope for accountability and transparency.

Conclusion

In conclusion, it must be stated that the regulations promulgated by the UIDAI leave a lot to be desired. Some of the most important issues raised against the Aadhaar Act, which were delegated to the UIDAI’s rule making powers have not been addressed at all. Some of the most important issues such as data security policies, right to access records of Aadhaar number holders, procedure to be followed by the grievance redressal bodies, uploading of the enrolment packet to the CIDR, procedure for enrolling residents with biometric exceptions, procedure for informing residents about acceptance/rejection of enrolment application have left unaddressed and ‘may be specified’ at a later data. These failures leave a gaping hole especially in light of the absence of a comprehensive data protection legislation in India, as well the speed and haste with the enrolment and seeding has been done by the UIDAI, and the number of services, both private and public, which are using or planning to use the Aadhaar number and the authentication process as a primary identifier for residents.

^{^[1]} Available at https://uidai.gov.in/legal-framework/acts/regulations.html

^{^[2]} https://www.irda.gov.in/ADMINCMS/cms/frmGeneral_Layout.aspx?page=PageNo62&flag=1

^{^[3]} http://www.sebi.gov.in/acts/boardregu.html

^{^[4]} Available at https://uidai.gov.in/legal-framework/acts/regulations.html

^{^[5]} Available at: https://uidai.gov.in/images/resource/aadhaar_registered_devices_2_0_09112016.pdf

^{^[6]} Available at https://uidai.gov.in/legal-framework/acts/regulations.html

^{^[7]} Available at https://uidai.gov.in/legal-framework/acts/regulations.html

For more details visit https://cis-india.org/internet-governance/blog/analysis-of-key-provisions-of-aadhaar-act-regulations

The Aadhaar of all things

praskrishna — 2017-04-03T15:46:23Z

From a severely critical stand against Aadhaar in 2014, the Modi-led BJP in power has made a sharp U-turn to bulldoze its way into having every Indian scanned, tagged and labelled. A timeline of the country’s chequered date with the unique identification project.

The article by Shriya Mohan was published in the Hindu Businessline on March 31, 2017. Sunil Abraham was quoted.

You’ve probably read the WhatsApp joke about a post-Aadhaar scenario in 2020 India. A man orders pizza over phone. He is asked for his Aadhaar number first. He then orders a family-size seafood pizza, only to be reminded by the attendant about his high blood pressure and cholesterol levels (thanks to his Aadhaar history visible to everybody “on the system”) and is advised to order the low-fat Hokkien Mee pizza instead, based on his recent search history on Hokkien cuisine. As if this isn’t creepy enough, the pizza guy refuses a card payment, citing the man’s maxed-out credit cards, advises against ATM withdrawal owing to his massive overdraft and even decides to hold off the free cola offer given his dire health situation. When the man turns livid, he is told to mind his language, given that in 2007 he was already imprisoned for verbally abusing a policeman!

2020 is two and a half years away, and the WhatsApp scenario appears less incredulous by the day.

By the government’s latest estimate, 112,01,12,468 Aadhaar cards have been issued since January 2009, when the Unique Identification Authority of India (UIDAI) was set up under the Planning Commission. So if you are an adult Indian resident without an Aadhaar card, you are in a two per cent minority (98 per cent adults are covered).

Last week, Finance Minister Arun Jaitley said the 12-digit number would be the single monolith identity for all Indians in the coming years, replacing every other identity card. The government is serious because each week a new scheme is added to the three dozen schemes in which Aadhaar has been made mandatory. All the 84 schemes under the direct subsidy benefit transfer programme are expected to follow suit.

Here are just a few instances in which you should be ready to whip out your Aadhaar card — a free midday meal at a government school, access to Sarv Shiksha Abhiyan, LPG subsidy and foodgrains under the public distribution system, six scholarship schemes for students with disabilities, getting your EPF pensions, booking a train ticket online, getting a backward caste quota or benefit, and, according to the most recent directive in the Finance Bill, filing your tax returns.

Why did a dispensation so critical of Aadhaar in 2014 make a sharp U-turn to bulldoze its way into having every single Indian citizen scanned, tagged and labelled?

The earliest felt need for an identification project can be traced to the Kargil Review Committee, instituted by the Vajpayee Government in 1999, in the wake of the Indo-Pak war. The Krishnaswamy Subrahmanyam-led panel had recommended a citizenship database for the identification of legitimate Indian citizens living in border areas.

As outlined in a Scroll article, this quickly expanded to include all Indians under the Multipurpose National Identity Card project, which was pilot tested in a few villages. The Citizenship Act was also amended to give a legislative backing to the scheme, which built on the Bharatiya Janata Party’s general stance against illegal immigrants.

The search for identity

The Citizenship Act was amended in 2004 by the incumbent Congress government to make way for the National Population Register (NPR), a database of the identities of all Indian residents, maintained by the Registrar General and Census Commissioner of India.

Eventually, in 2009, Aadhaar, or UIDAI, surfaced as a 12-digit identification number that served as proof of identity and address — meaning, it applies to all residents whether they are citizens or not, unlike with the NPR. Aadhaar, which means ‘basis’ in Hindi, is intended to be an all-encompassing substratum of identities that can provide “instant access to services like banking, mobile phone connections and other government and non-government services”. The United Progressive Alliance government managed to link it to its Direct Benefit Transfer (DBT) system for subsidies provided to targeted groups.

As the main Opposition party, the BJP had felt that the Aadhaar number ought to have been given only to Indian citizens, and not all residents, which, in its view, would include millions of illegal immigrants.

Nandan Nilekani, the former CEO of IT giant Infosys, was appointed UIDAI chairman in July 2009. The first Aadhaar number was issued in September 2010, and then the pace accelerated: 100 million by November 2011, 200 million by February 2012 and 500 million by end of 2013. “We felt speed was strategic. Doing and scaling things quickly was critical. If you move very quickly it doesn’t give opposition the time to consolidate,” Nilekani told Forbes India in a 2013 interview.

Here’s the part most of us forget: The largest opposition that Nilekani was referring to at that time was the BJP.

“The people who thought of themselves as having given birth to IT in this country refused to listen to a common man like me. Even the SC has demanded answers,” Narendra Modi, then Gujarat chief minister, had said and alleged that the Aadhaar programme was a bundle of lies to loot the country’s treasury.

As the BJP’s prime ministerial candidate for the 2014 Lok Sabha elections, days ahead of delivering the party’s biggest-ever victory, he had tweeted: “On Aadhaar, neither the Team that I met nor PM could answer my Qs on security threat it can pose. There is no vision, only political gimmick.” Recently, when Aadhaar enrolments had crossed the billion mark, this tweet was dug out prominently.

The U-turn

So, what changed? How did the Aadhaar’s primary opposition become it’s key crusader?

There were two meetings that supposedly changed the destiny of the Aadhaar project. In the first week of June 2014, as Nilekani was vacating his government-allotted Lutyen’s bungalow as UIDAI chief, he met Modi and Jaitley and persuaded the new regime to persist with Aadhaar. The more important meeting was with Vijay Madan, the UIDAI director general and mission director. According to a Governance Now article, when the UID team spoke of the potential savings from plugging subsidy leakages, and weeding out “ghost beneficiaries”, Modi asked them to give a precise estimate. The figure was “up to ₹50,000 crore a year” or a good 9.4 per cent of India’s ₹5,31,177-crore fiscal deficit.

Modi in his keenness to showcase the arrival of “acche din” immediately sought a 100-crore enrolment target at the ‘earliest’, putting paid to speculations that the new government would shelve the UIDAI project. A funding of ₹2,039.64 crore was formalised in the 2014-2015 Budget presented a week later, to create the infrastructure to enrol 30 crore people to add to the 70 crore already enrolled. The UIDAI targeted the 1-billion mark by the end of that fiscal.

Money bill to beat legal hurdles

It was in November 2012 that the SC admitted a PIL filed by retired Karnataka High Court judge KS Puttaswamy and advocate Parvesh Khanna, questioning the government’s decision to issue Aadhaar even as the National Identification Authority of India Bill 2010 was pending before the Rajya Sabha since December 3, 2010. They argued that there was no legislative backing for obtaining personal information. Also, the proposed law was rejected by the Parliamentary Standing Committee on Finance.

The PIL argued that linking the Aadhaar number with food security, LPG subsidy, the Employees’ Provident Fund and other direct benefit transfers made the enrolment mandatory, thereby falsifying the government’s claim that it was voluntary. Several other PILs too voiced similar privacy concerns.

Currently, there are two legal strictures governing the validity of Aadhaar: the apex court order of October 15, 2015, limiting the card’s voluntary use to six schemes (PDS, MGNREGA, LPG, NEPS and social assistance programmes) and prohibiting the government from making it mandatory for receiving any benefits or services; and the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, which is under challenge today. Both strictures have distinct operational status, but petitioners argue that recent government directives making Aadhaar mandatory are leading them to wonder whether the SC’s interim order is overshadowed by the Aadhaar Act or if the government is defying the court.

On March 3, 2016, in a surprise move, to put all dissent to rest, the Aadhaar Act was introduced as a Money Bill in Parliament to give it legislative backing. Things moved pretty fast thereon. On March 11, the Aadhaar Act 2016 was passed in the Lok Sabha. On March 26, the Act was notified. Accusing the BJP-led NDA government of showing “utter contempt” for the Rajya Sabha by taking the Money Bill route, senior Congress leader Jairam Ramesh challenged it in the Supreme Court in April. He likened the use of the Money Bill, which was passed overruling amendments moved in the Rajya Sabha, to “knocking a nail in the coffin of the Upper House”.

The government’s move took many, including Aadhaar advocates, by surprise. “We need to separate Aadhaar as identity from its specific functionality for which it’s used,” says Praveen Chakravarty, a senior fellow at the IDFC institute and a former member of Nilekani’s core team. He believes that just as a voter ID alone isn’t enough to vote, seeing the ownership of an Aadhaar card as key for any transaction is “fear-mongering”. Its use will still involve a process of checks and balances.

But can’t thumb prints be replicated with Fevicol?

“Sure, there could be failures, as there are with any system. But this is a far more foolproof method than any we’ve had before. Internationally also, biometric is to authenticate a higher level of security.”

The argument for privacy

“Aadhaar has the potential to improve welfare service delivery. But it has to be achieved in an inclusive manner befitting a truly liberal society and not through coercion,” says Chakravarty.

His only misgiving is with the use of the Money Bill to introduce the Aadhaar, without any right to privacy. “It should have gone through the process of debate in Parliament. Then it wouldn’t have been passed without a strong right to privacy safeguard,” he says, pointing that even a junior UIDAI officer can access the data of anybody he/she chooses.

“Aadhaar inverts the idea of transparency. It makes people transparent but the State opaque,” says legal expert Usha Ramanathan, a legal expert and anti-Aadhaar crusader.

The use of Aadhar as verification at every instance can help piece together very detailed information about citizens. These include banking transactions, online purchases, travel itineraries, mobile phone usage, location history and practically anything that can be electronically recorded and verified with an Aadhaar.

In February this year, the UIDAI filed a police case against Axis Bank and others for alleged unauthorised authentication and impersonation attempts by illegally storing Aadhaar biometrics.

The latest outcry over breached privacy involved a screenshot of cricketer Mahendra Singh Dhoni’s personal details that went viral on Twitter. The UIDAI blacklisted the agency that revealed Dhoni’s Aadhaar details after his wife complained to the IT Minister. A recent Scroll report shows the UIDAI received 1,390 similar complaints but took no action.

There are legitimate fears such an information database might eventually be misused, for instance in racial profiling or revealing voting preferences.

In January this year, Hyderabad-based ECIL developed a biometric-enabled mobile terminal for instant authentication of a voter “to prevent rigging of votes”. Till August 2015, the Election Commission was working on seeding Aadhaar data with that of voter ID card, in an attempt to weed out fake voters. However, the poll panel stopped this exercise after the SC ruled that Aadhaar be made compulsory only for PDS and LPG distribution.

Nilekani, in an interview to BLink, insisted that the Aadhaar has more privacy regulations than any other service in the world. He also pointed out that all election commission data is already online, and anyone can look up any voter’s name, date of birth, gender and address.

Additionally, social media profiles too are shared publicly of our own volition.

Concurring with this view, Chakravarty says, “It is surprising that we’re perfectly okay with giving all our life information to a 32-year-old named Mark Zuckerberg. However, this is voluntary. Whether we fully know consequences or not is another matter altogether.”

With the Finance Bill requiring all PAN cards to be linked to Aadhaar, there is added concern over privacy. Sunil Abraham, founder of the Centre for Internet and Society, says Aadhaar runs the risk of being used fraudulently. “If I want to get you in trouble, I can make a large purchase of gold against your Aadhaar number, which is linked to your PAN,” he explains.

He advocates for a system where different government departments don’t store Aadhaar numbers in their databases but instead use a token issued by UIADI kiosks. This would prevent proliferation of the number.

Technical glitches

In February this year, Modi claimed in the Lok Sabha that plugging leakages through Aadhaar had saved the government ₹14,000 crore. And that nearly four crore fake ration cards have been seized till date.

One method of establishing a fake ration card is if the owner has not availed himself of his ration. Ever since Aadhaar’s biometric identification has been linked to point-of-sale (POS) machines at ration shops, residents have had to queue up with a prayer on their lips. A lot could go wrong — the biometric might not recognise them or, worse, there could be a network failure, forcing everyone to return home empty-handed. In both instances, while ration shop owners should ideally mark such transactions under ‘Transactions with “N” response from Aadhaar’, they invariably mark them under “Household yet to take ration”, implying that the beneficiary has chosen not to take home her share.

The February 2017 data for 22 ration shops across Delhi, accessed on the Department of Food & Supplies website, shows that none have a single beneficiary marked under “N”. At a Delhi Cantonment outlet, of the 1,038 registered beneficiaries only 168 have been marked “Y”, or ‘Yes’, showing they have taken their rations. Another 871 have been marked “Household yet to take ration” and none have been marked ‘N’ to indicate glitches in the Aadhaar authentication.

As Amrita Johri of citizens’ action group Satark Nagrik Sangathan explains, “Aadhaar relies on internet and electricity. This might seem like a problem only of rural areas. But we don’t have to go far. In South Delhi’s East Mehraam Nagar, there is a ration shop with no mobile signal and no network. Officials said we have to show that Aadhaar is a success, so the shop’s POS machine was finally hung on a jamun tree to get it to work.”

She questions the government’s reluctance to acknowledge the many instances of failure in the project.

Frighteningly, three consecutive failed attempts could lead to the card being placed in an abeyance list and possibly invalidated.

Top performers and laggards

Delhi is rated one of the better performing States/union territories, while Rajasthan has one of the worst records with the maximum number of biometric and network failures.

According to the government’s 2017 monthly estimates, 27 per cent of the residents whose Aadhaar cards have been seeded to the PDS were denied rations owing to biometric or network failure. This figure would be higher if the unseeded cards are also taken into account.

Nikhil Dey, founder of Rajasthan’s Mazdoor Kisan Shakti Sangathan (MKSS) says his organisation is fighting with its back against a wall.

“Nearly 73 lakh households get their monthly rations in this State, where a little over a crore households are eligible to receive them. We’re not even talking about exclusions here,” says Dey. Besides network failure, there are many instances of the old and sick who are unable to visit the shop to physically verify themselves.

“Back-up options such as OTP (one-time password) or facial recognition only work in theory,” says Dey. He alleges that shop owners often fudge the OTP system by punching in their own numbers and stealing the quotas of genuine beneficiaries.

He too believes that several names have been struck off as dead to project that the Aadhaar has weeded out a high number of fake social security pension ers.

Nilekani applauds Andhra Pradesh for its progress in the Aadhaar project by investing in infrastructure to eliminate technical glitches. J Satyanarayana, the UIDAI’s part-time chairperson, told BLink in an email interview that Aadhaar has led to transparency and efficiency in nearly all government schemes in AP.

During March 2017, 42.29 lakh (93.02 per cent) pensioners received their payment through Aadhaar-based biometric authentication, he says, adding that real-time monitoring systems are in place.

“The entire PDS (rations) is linked to Aadhaar,” he says. As many as 1.21 crore (87.39 per cent) card holders collected their ration this month, and 95.94 lakh received wages (totalling ₹5,283 crore under MNREGA through Aadhaar-enabled systems, he informs.

Neighbouring Telangana too is known for its 99 per cent Aadhaar enrollment, leading to an impressive 80 per cent of its population accessing the PDS.

BP Acharya, special chief secretary in Telangana’s planning department says, “Aadhaar’s use can perhaps be most seen in Telangana’s speedy clearances, investment promotion, creating licences and clearances for shops and establishments.”

Telangana took the Aadhaar database project one step further through its Citizen 360 programme. In August 2014, months after the State was newly formed, it conducted one of the largest household surveys in a single day, covering one crore households. This data was integrated with the Aadhaar database and now links different benefits on the same platform. Now the Aadhaar identity is linked to other details such as the holder’s driving licence and even crime record.

The UIDAI holds out AP and Telangana as shining examples of Aadhaar’s efficiency when backed by the right network and infrastructure. But for the lakhs of biometric factory rejects who are denied their rights, Aadhaar can only mean a mass experiment gone horribly wrong.

Aadhaar Timeline

2006

The ministry of communications and information technology approves the ‘Unique ID for Below Poverty Line (BPL) families’ project under the chairmanship of Arvind Virmani, then principal advisor, Planning Commission

2008

Empowered group of ministers formed by former Prime Minister Manmohan Singh decides to collate two schemes — the National Population Register under the Citizenship Act, 1955 and the UID project — to conceive Aadhaar.

2009

Planning Commission issues a notification to constitute the Unique Identification Authority of India (UIDAI).

Government appoints Infosys co-founder Nandan Nilekani as the first chairman of UIDAI, with the rank and status of a cabinet minister.

2012

Former Karnataka high court judge justice K Puttaswamy files a public interest litigation before the Supreme Court (SC) declaring that Aadhaar violates an individual’s right to privacy and that the scheme lacks legislative backing.

2014

In an interim order, the SC restrains the UIDAI from transferring biometric information with an Aadhaar number to any other agency without the individual’s consent in writing.

2015

Three-judge bench of the apex court rules the unique identity number is not mandatory to avail of benefits from government programmes, restricting the use of Aadhaar to beneficiaries of the public distribution system and subsidies on cooking gas and kerosene, and refers the question on privacy to a larger constitution bench.

Centre moves SC seeking a review and modification of the August 11 interim order. A five-judge constitution bench modifies the same and extends the use of Aadhaar to Mahatma Gandhi National Rural Employment Guarantee Scheme, Jan Dhan Yojana, pensions and the Employees’ Provident Fund scheme.

2016

Finance minister Arun Jaitley announces in the budget speech that the government will offer statutory backing for Aadhaar. The Lok Sabha passes the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 as a Money Bill, rejecting Rajya Sabha recommendations.

2017

Aadhaar is made mandatory for three dozen schemes with 84 more expected under direct benefit transfers, including midday meal scheme and universal education.

SC again rules that Aadhaar cannot be made mandatory for welfare schemes.

For more details visit https://cis-india.org/internet-governance/news/hindu-businessline-shriya-mohan-the-aadhaar-of-all-things

Centre for Internet and Society

Three Years Later, IPaidABribe.com Pays Off

CIS and International Coalition Calls upon Governments to Protect Privacy

Contacts

India:Privacy in Peril

History of wiretaps

India fifth-most monitored

Privacy and personal liberty

Legislative silence

Statutory Surveillance

The Central Monitoring System: Some Questions to be Raised in Parliament

Privacy Round Table, New Delhi (October 2013)

Agenda

The Speakers

Jacob Kohnstamm

Chantal Bernier

Christopher Graham

Confirmations and RSVP

An Analysis of the Cases Filed under Section 46 of the Information Technology Act, 2000 for Adjudication in the State of Maharashtra

Background

Excursus

The Cases related to Privacy

Is Your Aadhar Biometrics Safe? Firms Accused Of Storing Biometrics And Using Them Illegally

Can the Judiciary Upturn the Lok Sabha Speaker’s Decision on Aadhaar?

Irregularity vs illegality

Nasscom chief saying full data protection isn’t possible should wake us from our digital slumber

State of Digital Rights in India (Delhi, March 24)

Registration: Eventbrite

Why We Should All Worry About The Mandatory Imposition Of Aadhaar

Why disregard the Supreme Court?

Why not strengthen PAN?

How safe is Aadhaar anyway?

Other unresolved concerns

What has been done to address the security concerns?

When will India get privacy laws?

Round Table on Privacy and Data Protection at NIPFP

How Aadhaar compromises privacy? And how to fix it?

Analysis of Key Provisions of the Aadhaar Act Regulations

Introduction

Unique Identification Authority of India (Transactions of Business at Meetings of the Authority) Regulations[1]

Provision: Sub-Regulation 3.

Observations:

Provision: Sub-Regulation 8 (5)

Observations:

Provision: Sub-Regulation 14 (4)

Observations:

Unique Identification Authority of India (Enrolment and Update) Regulations[4]

Provisions:

Observations:

Provision: Sub-Regulation 32

Observations:

Aadhaar (Authentication) Regulations, 2016[6]

Provisions:

Observations:

Sub-Regulation 11 (1) and (4)

Observations:

Provision: Sub-Regulation 18 (2), (3) and (4)

Observations:

Aadhaar (Sharing of Information) Regulations, 2016 and Aadhaar (Data security) Regulations, 2016[7]

Provision: Sub-Regulation 6 (1)

Observations:

Conclusion

The Aadhaar of all things

Unique Identification Authority of India (Transactions of Business at Meetings of the Authority) Regulations^{^[1]}

Unique Identification Authority of India (Enrolment and Update) Regulations^{^[4]}

Aadhaar (Authentication) Regulations, 2016^{^[6]}

Aadhaar (Sharing of Information) Regulations, 2016 and Aadhaar (Data security) Regulations, 2016^{^[7]}