Centre for Internet and Society

India’s Digital ID Rollout Collides With Rickety Reality

praskrishna — 2017-01-17T15:35:04Z

India’s new digital identification system, years in the making and now being put into widespread use, has yet to deliver the new era of modern efficiency it promised for shop owner Om Prakash and customer Daya Chand.

The article by Gabriele Parussini was published in the Wall Street Journal on January 13, 2017. Hans Varghese Mathews was quoted.

At first, it drove both men up a tree.

The system, which relies on fingerprints and eye scans to eventually provide IDs to all 1.25 billion Indians, is also expected to improve the distribution of state food and fuel rations and eventually facilitate daily needs such as banking and buying train tickets.

But Mr. Prakash couldn’t confirm his customers’ identities until he dragged them to a Java plum tree in a corner of his village near New Delhi’s international airport. That was the only place to get the phone signal needed to tap into the government database.

“I hopped on a chair and put my finger in the machine,” said Mr. Chand, a 60-year-old taxi driver. Getting his state food ration “used to be much easier,” he said.

In a system so vast, even small glitches can leave millions of people empty-handed.

The government began building the system, called Aadhaar, or “foundation,” with great fanfare in 2009, led by a team of pioneering technology entrepreneurs. Since then, almost 90% of India’s population has been enrolled in what is now the world’s largest biometric data set.

Prime Minister Narendra Modi, who set aside early skepticism about the Aadhaar project after taking power in 2014, is betting that it can help India address critical problems such as poverty and corruption, while also saving money for the government.

But the technology is colliding with the rickety reality of India, where many people live off the grid or have fingerprints compromised by manual labor or age.

Panna Singh, a 55-year-old day laborer in the northwestern state of Rajasthan who breaks stones used to build walls, says the machine recognized his scuffed-up fingerprints only a couple of times.

“I’ve come twice today,” he said at a ration shop in the village of Devdungri. “That’s a full day of work, gone.”

Iris scans are meant to resolve situations where fingerprints don’t work, but shops don’t yet have iris scanners.

Ajay Bhushan Pandey, chief executive of the government agency that oversees Aadhaar, said kinks will be ironed out as the system is used, as is the case with software rollouts. It works 92% of the time, and that will rise to 95%, he said.

“On the scale of what [Aadhaar] has achieved, the rollout has been remarkably smooth,” said Nandan Nilekani, the Infosys co-founder who spearheaded the project. “I don’t see any issues that are disproportionate to the size of project.”

An Aadhaar ID is intended to be a great convenience, replacing the multitude of paperwork required by banks, merchants and government agencies. The benefits are only just beginning, backers say, as the biometric IDs are linked to programs and services.

But in rural areas, home to hundreds of millions of impoverished Indians dependent on subsidies, the impact of technical disruptions has already been evident.

After walking for two hours across rough underbrush in Rajasthan to get kerosene for the month, Hanja Devi left empty-handed because the machine couldn’t match her fingerprint with her Aadhaar number.

“It’s always so difficult” using the system, said Ms. Devi, who lives with her husband and a nephew on 1,500 rupees ($22) a month.

Ranjit Singh, who operates the shop, said five of the 37 customers before Ms. Devi also left the shop empty-handed, a failure rate of over 15%.

A shop manager in a neighboring village said identification had failed for a similar portion of his 500 customers.

Any biometric recognition system of Aadhaar’s size is bound to show duplicates, meaning some people’s biometric identifiers will match someone else’s when they try to enroll.The new system hasn’t eliminated attempts at fraud. In August, police in Rajasthan accused two shop managers of linking their fingerprints to a multitude of cards and stealing for months the rations of dozens of clients.

Hans Varghese Mathews, a mathematician at the Bangalore-based Center for Internet and Society, used the results of a test run by Aadhaar officials on a sample of 84 million people to extrapolate the figure for India’s total population. The error level is less than 1%, but in the world’s second-most populous country, the snag would still affect about 11 million people, he said.

Government officials disputed the calculation, saying the number of duplicates would be much smaller—and that it would take only seven analysts to manage the error caseload.

As for trouble connecting to the registry, better infrastructure, including steadier internet connections, will eventually also help, Mr. Pandey said.

For now, Mr. Prakash has found a way to cope without climbing trees. After scouring the village, he set up a shack in a spot with enough bandwidth for his fingerprint scanner to work. It is hardly efficient. He issues receipts in the morning at the shack, then goes back to his shop to hand out the grains. Customers have to line up twice, sometimes for hours.

Mr. Prakash has applied to the government to operate without biometric identification, but his request was turned down, he said. “They said: ‘You have to keep trying.’ ”

For more details visit https://cis-india.org/internet-governance/news/wall-street-journal-gabriele-parussini-january-13-2017-indias-digital-id-rollout-collides-with-rickety-reality

Flaws in the UIDAI Process

hans — 2016-03-06T10:40:59Z

The accuracy of biometric identification depends on the chance of a false positive: the probability that the identifiers of two persons will match. Individuals whose identifiers match might be termed duplicands. When very many people are to be identified success can be measured by the (low) proportion of duplicands. The Government of India is engaged upon biometrically identifying the entire population of India. An experiment performed at an early stage of the programme has allowed us to estimate the chance of a false positive: and from that to estimate the proportion of duplicands. For the current population of 1.2 billion the expected proportion of duplicands is 1/121, a ratio which is far too high.

The article was published in Economic & Political Weekly, Journal » Vol. 51, Issue No. 9, 27 Feb, 2016.

A legal challenge is being mounted in the Supreme Court, currently, to the programme of biometric identification that the Unique Identification Authority of India (UIDAI) is engaged upon: an identification preliminary and a requisite to providing citizens with “Aadhaar numbers” that can serve them as “unique identiﬁers” in their transactions with the state. What follows will recount an assessment of their chances of success. We shall be using data that was available to the UIDAI and shall employ only elementary ways of calculation. It should be recorded immediately that an earlier technical paper by the author (Mathews 2013) has been of some use to the plaintiffs, and reference will be made to that in due course.

The Aadhaar numbers themselves may or may not derive, in some way, from the biometrics in question; the question is not material here. For our purposes a biometric is a numerical representation of some organic feature: like the iris or the retina, for instance, or the inside of a ﬁnger, or the hand taken whole even. We shall consider them in some more detail later. The UIDAI is using ﬁngerprints and iris images to generate a combination of biometrics for each individual. This paper bears on the accuracy of the composite biometric identiﬁer. How well those composites will distinguish between individuals can be assessed, actually, using the results of an experiment conducted by the UIDAI itself in the very early stages of its operation; and our contention is that, from those results themselves, the UIDAI should have been able to estimate how many individuals would have their biometric identiﬁers matching those of some other person, under the best of circumstances even, when any good part of population has been identiﬁed.

Read the full article here.

The author thanks Nico Temme of the Centrum Wiskunde & Informatica in The Netherlands for the bounds he derived on the chance of a false positive. He is particularly grateful to the anonymous referee of this journal who, through two rounds of comment, has very much improved the presentation of the results. A technical supplement to this paper is placed on the EPW website along with this paper.

For more details visit https://cis-india.org/internet-governance/blog/epw-27-february-2016-hans-varghese-mathews-flaws-in-uidai-process

A comparison of the 2016 Aadhaar Bill, and the 2010 NIDAI Bill

Vanya Rakesh — 2016-03-09T04:08:01Z

This blog post does a clause-by-clause comparison of the provisions of National Identification Authority of India Bill, 2010 and the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016

Title

2010 Bill: The Bill was titled as the National Identification Authority of India Bill, 2010.

2016 Bill : The Bill has been titled as the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016.

Purpose/Object Clause

2010 Bill: The purpose of Bill was stated to provide for the establishment of the National Identification Authority of India to issue identification numbers to residents of India as well as certain other classes of individuals , to facilitate access to benefits and services, to which they are entitled.

2016 Bill : The purpose of this Bill has been stated to ensure targeted delivery of subsidies, benefits and services to residents of India in an efficient and transparent manner by assigning unique identity numbers to such individuals.

Definitions

2010 Bill: “Authentication” was defined as the process in which the Aadhaar number, along with other attributes (including biometrics) are submitted to the Central Identities Data Repository for verification, done on the basis of information, data or documents available with the Repository.
2016 Bill : “Authentication” has been defined as the process by which the Aadhaar number, along with demographic or biometric information of an individual is submitted to the Central Identities Data Repository for the purpose of verification, done on the basis of the correctness of (or lack of) information available with it.

2010 Bill: “Authentication Record” was not defined in the previous Bill.
2016 Bill : “Authentication Record” has been defined under clause 2(d) as the record of the time of authentication, the identity of the entity requesting such record and the response provided by the Authority for this purpose.

2010 Bill: “Authority” was defined under clause 2(d) as National Identification Authority of India established under provisions of the Bill.

2016 Bill :“Authority” has been defined under clause 2(e) as Unique Identification Authority of India established under provisions of the Bill.

2010 Bill: “Benefit” was not defined in the previous Bill.
2016 Bill : “Benefit” has been defined under clause 2(f) as any advantage, gift, reward, relief, or payment (either in cash or kind), or such other benefits, which is provided to an

individual/ a group of individuals as notified by the Central Government.

2010 Bill: “Biometric Information” was defined under clause 2(e) as a set of biological attributes of an individual as may be specified by regulations.
2016 Bill : “Biometric Information” has been defined under clause 2(g) as biological attributes of an individual like photograph, fingerprint, Iris scan, or other such biological

attributes as may be specified by regulations.

2010 Bill: “Core Biometric Information” was not defined in the previous Bill.
2016 Bill : “Core Biometric Information” has been defined under clause 2(j) as biological attribute of an individual like fingerprint, Iris scan, or such other biological attribute as

may be specified by regulations.

2010 Bill: “Demographic Information” was defined under clause 2(h) as information specified in the regulations for the purpose of issuing an Aadhaar number, like information relating to the name, age, gender and address of an individual (other than race, religion, caste, tribe, ethnicity, language, income or health), and such other information.
2016 Bill : “Demographic Information” has been defined under clause 2(k) as information of an individual as may be specified by regulations for the purpose of issuing an Aadhaar number like information relating to the name, date of birth, address and other relevant information, excluding race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history of an individual.

2010 Bill: “Enrolling Agency” was defined under clause 2(i) as an agency appointed by the Authority or the Registrars for collecting information under the Act.
2016 Bill : “Enrolling Agency” has been defined under clause 2(l) as an agency appointed by the Authority or a Registrar for collecting demographic and biometric information of individuals under this Act.

2010 Bill: “Member” was defined under clause 2(l) to include the Chairperson and a part-time Member of the Authority appointed under the provisions of the Bill.
2016 Bill : “Member” has been defined under clause 2(o) to include the Chairperson and Member of the Authority appointed under the provisions of the Bill.

2010 Bill: “Records of Entitlement” was not defined under the previous Bill.
2016 Bill : “Records of Entitlement” has been defined under clause 2(r) as the records of benefits, subsidies or services provided to, or availed by, any individual under any programme.

2010 Bill: “Requesting Entity” was not defined under the previous Bill.
2016 Bill : “Requesting Entity” has been defined under clause 2(u) as an agency or person that submits information of an individual comprising of the Aadhaar number and

demographic or biometric information to the Central Identities Data Repository for the purpose of authentication.

2010 Bill: “Resident” was defined under clause 2(q) as an individual usually residing in a village, rural area, town, ward, demarcated area (demarcated by the Registrar General of Citizen Registration) within a ward in a town or urban area in India.
2016 Bill : “Resident” has been defined under clause 2(v) as an individual who has resided in India for a period or periods amounting in all to one hundred and eighty-two days or more in the twelve months immediately preceding the date of application for enrolment.

2010 Bill: “Review Committee” was defined under clause 2(r) as the Identification Review Committee constituted under the provisions of the Bill.
2016 Bill : “Review Committee” has not been defined under the Bill.

2010 Bill: “Service” was not defined in the previous Bill.
2016 Bill : “Service” has been defined under clause 2 (w) as any provision, facility, utility or any other assistance provided in any form to an individual or a group of individuals as may be notified by the Central Government.

2010 Bill: “Subsidy” was not defined in the previous Bill.
2016 Bill : “Subsidy” has been defined under clause 2(x) as any form of aid, support, grant, subvention, or appropriation (either in cash or kind), as may be notified by the Central Government, given to an individual or a group of individuals.

Enrolment

Aadhaar Numbers

2016 Bill : Under clause 3(2) of the Bill, it is stated that at the time of enrolment, The enrolling agency shall inform the individual undergoing enrolment the following details:

(a) the manner in which the information so collected shall be used,

(b) the nature of recipients with whom the information is intended to be shared during authentication,and

(c) the existence of a right to access information, the procedure for making such requests for access, and details of the person/department in-charge to whom such requests can be

made.

Properties of Aadhaar Number

2010 Bill : Clause 4 (3) stated that subject to authentication, the Aadhaar number shall be accepted as a proof of identity of the Aadhaar number holder.

2016 Bill : Clause 4 (3) states that subject to authentication, the Aadhaar number (either in physical or electronic form) shall be accepted as a proof of identity of the Aadhaar

number holder.

The Explanation under this clause states that for the purpose of this provision, “electronic form” shall have the same meaning as assigned to it in section 2 (1) (r) of the Information Technology Act, 2000.

Authentication

Proof of Aadhaar number necessary for receipt of certain subsidies, benefits and services, etc.

2016 Bill : Under clause 7 of the Bill it is provided that for the purpose of establishing an individual's identity as a condition to receipt a a subsidy, benefit or service. the Central or State Government (as the case may be), require that such individual undergo authentication, or furnish proof of possession of Aadhaar number. In case the Aadhaar number has not been assigned to an individual, such individual must make an application for enrolment.

The Proviso states that the individual shall be offered alternate and viable means of identification for delivery of the subsidy, benefit or service, in an Aadhaar number is not assigned to an individual.

Authentication of Aadhaar number

2010 Bill: Clause 5 of the Bill stated that authentication of the Aadhaar number shall be performed by the Authority, in relation to the holders’ biometric and demographic information, subject to such conditions and on payment of the prescribed fees. Also, it was provided that the Authority shall respond to an authentication query with a positive, negative or other appropriate response (excluding any demographic and biometric information).

2016 Bill : The Bill states that authentication of the Aadhaar number shall be performed by the Authority, in relation to the holders’ biometric and demographic information, subject to such conditions and on payment of the prescribed fees.

Clause 8 (2) provides that unless otherwise provided in the Act, the requesting entity shall—

For the purpose of authentication, obtain the consent of an individual before collecting his identity information, and
ensure that the identity information of an individual is only used for submission to the Central Identities Data Repository for authentication.

Clause 8 (3) provides that the following details shall be informed by the requesting entity to the individual submitting his identity information for the purpose of authentication:

a. the nature of information that may be shared upon authentication;

b. the uses to which the information received during authentication may be put by the requesting entity; and

c. alternatives to submission of identity information to the requesting entity.

Clause 8(4) states that the Authority shall respond to an authentication query with a positive, negative or other appropriate response (excluding any core biometric information).

Prohibition on requiring certain information.

2010 Bill: Clause 9 of the Bill prohibited the Authority to make an individual give information pertaining to his race, religion, caste, tribe, ethnicity, language, income or health.

2016 Bill : This provision has been removed from the 2016 Bill.

Unique Identification Authority Of India

Establishment of Authority

2010 Bill: Clause 11(1) of the Bill stated that the Central Government shall establish an Authority called as the National Identification Authority of India, to exercise the powers conferred on it and to perform the functions assigned to it under this Act. Also, clause 11(3) provided that the head office of the Authority shall be in the National Capital Region, referred to in section 2(f) of the National Capital Region Planning Board Act, 1985.

2016 Bill : Clause 11(1) of the Bill states that the Central Government shall establish an Authority called as the Unique Identification Authority of India, responsible for the processes of enrolment, authentication and perform such other functions assigned to it under this Act. Also, clause 11(3) provides that the head office of the Authority shall be in New Delhi.

Composition of Authority

2010 Bill: Clause 12 provided that the Authority shall consist of a Chairperson and two part-time Members, to be appointed by the Central Government.

2016 Bill : Clause 12 of the Bill provides that the Authority shall consist of a Chairperson (appointed on part-time or full- time basis) , two part-time Members, and the chief executive officer (who shall be Member-Secretary of the Authority), to be appointed by the Central Government.

Qualifications for appointment of Chairperson and Members of Authority

2010 Bill: Clause 13 provided that the Chairperson and Members of the Authority shall be persons of ability, integrity and outstanding calibre having experience and knowledge in the matters relating to technology, governance, law, development, economics, finance, management, public affairs or administration.

2016 Bill : Clause 13 provides that the Chairperson and Members of the Authority shall be persons of ability and integrity having experience and knowledge of at least ten years in matters relating to technology, governance, law, development, economics, finance, management, public affairs or administration.

Term of office and other conditions of service of Chairperson.

2010 Bill: Proviso to Clause 14 (1) stated that the Chairperson of the Unique Identification Authority of India, who would have been appointed before the commencement of this Act by notification A-43011/02/2009-Admn.I (Vol.II) dated the 2nd July, 2009, shall continue as a Chairperson of the Authority for the term for which he had been appointed. Clause 14(4) prohibited the Chairperson from holding any other office during the period of holding his office in the Authority. Proviso to clause 14 (5) stated the salary, allowances and the other terms and conditions of service of the Chairperson shall not be varied to his disadvantage after his appointment.

2016 Bill : These provisions have not been included in the Bill.

Removal of Chairperson and Members

2010 Bill: Clause 15 (2) stated that unless a reasonable opportunity of being heard has been duly provided, the Chairperson or a Member shall not be removed under clauses (d) or (e) of sub-section (1).

2016 Bill : Clause 15 (2) stated that unless a reasonable opportunity of being heard has been duly provided, the Chairperson or a Member shall not be removed under clauses (b), (d) or (e) of sub-section (1).

Restrictions on Chairperson or Members on employment after cessation of office

2010 Bill: Clause 16 (a) provided that the Chairperson or a member, who ceases to hold office, shall not accept any employment in, or connected with the management or administration of, any person which has been associated with any work under the Act, for a period of three years from the date on which they cease to hold office, without previous approval of the Central Government.

The proviso to this clause stated that this provision shall not apply to any employment under the Central Government, State Government, local authority, any statutory authority or any corporation established by or under any Central, State or provincial Act or a Government Company, as defined in section 617 of the Companies Act, 195.

2016 Bill: Clause 16 (a) provides that the Chairperson or a member, who ceases to hold office, shall not accept any employment in, or connected with the management of any organisation, company or any other entity which has been associated with any work done or contracted out by the Authority (whether directly or indirectly), during his tenure as Chairperson or Member, as the case may be, for a period of three years from the date on which he ceases to hold office, without previous approval of the Central Government.

Functions of Chairperson

2010 Bill: Clause 17 of the Bill provided that the Chairperson shall have powers of general superintendence, direction in the conduct of the affairs of the Authority, preside over the meetings of the Authority, and exercise and discharge such other powers and functions of the Authority as prescribed, without prejudice to any of the provisions of the Act.

2016 Bill : Clause 17 of the Bill states that the Chairperson shall preside over the meetings of the Authority, and exercise and discharge such other powers and functions of the Authority as prescribed, without prejudice to any of the provisions of the Act.

Chief Executive Officer

2010 Bill: Clause 20 (1) of the Bill stated that a chief executive officer, not below the rank of the Additional Secretary to the Government of India, who shall be the Member-Secretary of the Authority,shall be appointed by the Central Government.

2016 Bill : Clause 18 (1) stated that a chief executive officer, not below the rank of the Additional Secretary to the Government of India, shall be appointed by the Central Government. In the list of its responsibilities, clause 18 (2) (e) additionally provides for performing such other functions, or exercising such other powers, as may be specified by regulations.

Meetings

2010 Bill: Clause 18 (4) provided that all decisions of the Authority shall be authenticated by the signature of the Chairperson or any other Member who is authorised by the Authority for this purpose.

2016 Bill : Clause 19 (4) provided that all decisions of the Authority shall be signed by the Chairperson, any other Member or the Member-Secretary authorised by the Authority.

Vacancies, etc., not to invalidate proceedings of Authority

2010 Bill: Clause 19 (b) of the Bill stated that No act or proceeding of the Authority shall be invalid merely by reason of any defect in the appointment of a person as a Member of the Authority

2016 Bill : Clause 20 (b) of the Bill stated that No act or proceeding of the Authority shall be invalid merely by reason of any defect in the appointment of a person as Chairperson or Member of the Authority

Powers and functions of Authority

Clause 23 (2) (k)

2010 Bill: Clause 23 (2) (k) provided that the powers and functions of the Authority may include sharing the information of Aadhaar number holders, with their written consent, with such agencies engaged in delivery of public benefits and public services as the Authority may by order direct, in a manner as specified by regulations.

2016 Bill : Clause 23 (2) (k) provides that the powers and functions of the Authority may include sharing the information of Aadhaar number holders, subject to the provisions of this Act.

Clause 23 (2) (r)

2010 Bill : Clause 23 (2) (r) stated that the powers and functions of the Authority may include specifying, by regulation, the policies and practices for Registrars, enrolling agencies and other service providers.

2016 Bill : Clause 23 (2) (r) states that the powers and functions of the Authority may include evolving of, and specifying, by regulation, the policies and practices for Registrars, enrolling agencies and other service providers.

Grants, Accounts and Audit and Annual Report

2010 Bill: Clause 25 provided that the fees or revenue collected by the Authority shall be credited to the Consolidated Fund of India and the entire amount so credited be transferred to the Authority.

2016 Bill : Clause 25 states that the fees or revenue collected by the Authority shall be credited to the Consolidated Fund of India.

Identity Review Committee

2010 Bill: Clause 28 of the Bill provided for establishment of the Identity Review Committee, consisting of three members (including the chairperson) who are persons of eminence, ability, integrity and having knowledge and experience in the fields of technology, law, administration and governance, social service, journalism, management or social sciences. Clause 29 of the Bill enlisted several functions to be undertaken by the Review Committee so constituted.

2016 Bill: These provisions have been removed from the Bill.

Protection of Information

Security and confidentiality of information

2010 Bill: Clause 30 (2) of the Bill stated that the Authority shall take measures (including security safeguards) to ensure security and protection of information in possession/control of the Authority (including information stored in the Central Identities Data Repository), against any loss, unauthorised access, use or unauthorised disclosure of the same.

2016 Bill : Clause 28 (3) states that the Authority shall take measures to ensure security and protection of information in possession/control of the Authority (including information stored in the Central Identities Data Repository), against access, use or disclosure not permitted under this Act or regulations made thereunder, and against accidental or intentional destruction, loss or damage.

A new provision-clause 28(4)- states that the Authority shall undertake the following additional measures for protection of information:

(a) adopt and implement appropriate technical and organisational security measures,

(b) ensure that the agencies, consultants, advisors or other persons appointed or engaged for performing any function of the Authority under this Act, have in place appropriate technical and organisational security measures for the information, and

(c) ensure that the agreements or arrangements entered into with such agencies, consultants, advisors or other persons, impose obligations equivalent to those imposed on the Authority under this Act, and require such agencies, consultants, advisors and other persons to act only on instructions from the Authority.

Restriction on sharing information

2010 Bill: The Bill did not provide for restrictions on sharing of information.

2016 Bill: This new provision under Clause 29 states that no core biometric information, collected or created under this Act, shall be—

(a) shared with anyone for any reason whatsoever; or

(b) used for any purpose other than generation of Aadhaar numbers and authentication under this Act.

Also, the identity information, other than core biometric information, collected or created

under this Act may be shared only in accordance with the provisions of this Act as specified under Regulations.

Clause 29 (3) prohibits usage of identity information available with a requesting entity for any purpose, other than that specified to the individual at the time of submitting any identity information for authentication, or disclosed further, except with the prior consent of the individual to whom such information relates.

Clause 29 (4) prohibits publication, displaying or publicly posting of the Aadhaar number or core biometric information collected or created under this Act in respect of an Aadhaar number holder, except for the purposes as may prescribed in Law.

Biometric information deemed to be sensitive personal information.

2010 Bill: The Bill did not contain provisions stating that the biometric information shall be deemed to be sensitive personal information for the purpose of this Act.

2016 Bill: Clause 30 states that the biometric information collected and stored in electronic form shall be deemed to be “electronic record” and “sensitive personal data or information”, and the provisions contained in the Information Technology Act, 2000 and the rules made thereunder shall apply to such information,to the extent not in derogation of the provisions of this Act.

The Explanation defines

(a) “electronic form” - as defined under section 2 (1) (r) of the Information Technology Act, 2000,

(b) “electronic record” as defined under section 2 (1) (t) of the Information Technology Act, 2000

(c)“sensitive personal data or information” - as defined under clause (iii) of the

Explanation to section 43A of the Information Technology Act, 2000.

Security and confidentiality of information

A new provision-clause 28(4)- states that the Authority shall undertake the following additional measures for protection of information:

(a) adopt and implement appropriate technical and organisational security measures,

Alteration of demographic information or biometric information.

2016 Bill : Clause 31 (4) prohibits alteration of identity information in the Central Identities Data Repository, except in the manner provided in this Act or regulations made thereof.

Access to own information and records of requests for authentication.

2016 Bill : Clause 32 (3) provides that the Authority shall not collect, keep or maintain any information about the purpose of authentication, either by itself or through any entity under its control.

Disclosure of information in certain cases

2010 Bill: The provision creates an exception under Clause 33 for the purposes of disclosure of information in certain cases like disclosure (including identity information or details of authentication) made pursuant to an order of a competent court; or disclosure (including identity information) made in the interests of national security in pursuance of directions issued by an officer(s) not below the rank of Joint Secretary or equivalent in the Central Government specifically authorised in this behalf by an order of the Central Government.

2016 Bill : The provision creates an exception under Clause 33 for the purposes of disclosure of information in certain cases like disclosure (including identity information or details of authentication) made pursuant to an order not inferior to that of a District Judge (provided that the court order shall be made only after giving an opportunity of hearing to the Authority); or disclosure (including identity information or authentication records) made in the interests of national security in pursuance of directions issued by an officer not below the rank of Joint Secretary to the Government of India, authorised in this behalf by an order of the Central Government.

The proviso to Clause 33 (2) states that every direction so issued shall be reviewed by an Oversight Committee consisting of the Cabinet Secretary and the Secretaries to the Government of India in the Department of Legal Affairs and the Department of Electronics and Information Technology, before it takes effect.

The second proviso states that any such direction so issued shall be valid for a period of three months from the date of its issue, which may be extended for a further period of three months after the review by the Oversight Committee.

Offences and Penalties

Penalty for impersonation at time of enrolment.

2010 Bill: The penalty for impersonation was prescribed under Clause 34 as imprisonment for a term which may extend to three years and fine which may extend to ten thousand rupees.

2016 Bill : The penalty for impersonation was prescribed under Clause 34 as imprisonment for a term which may extend to three years, or with fine which may extend to ten thousand rupees, or both.

Penalty for unauthorised access to the Central Identities Data Repository

2010 Bill: Clause 38 (g) stated that any person not authorised by the Authority, provides any assistance to any person to do any of the acts mentioned under sub-clauses (a)-(f) shall be punishable. If anyone, who is not authorised by the Authority, performs any activity as listed under (a)-(i), shall be punishable with imprisonment for a term which may extend to three years and shall be liable to a fine which shall not be less than one crore rupees.

2016 Bill : Clause 38 (g) stated that any person not authorised by the Authority, reveals any information in contravention of sub-section section 28 (5), or shares, uses or displays information in contravention of section 29 or assists any person in any of the acts mentioned under sub-clauses (a)-(f) shall be punishable. If anyone, who is not authorised by the Authority, performs any activity as listed under (a)-(i), shall be punishable with imprisonment for a term which may extend to three years and shall be liable to a fine which shall not be less than ten lakh rupees. Additionally, the Explanation states that the expression “computer source code” shall have the meaning assigned to it in the Explanation to section 65 of the Information Technology Act, 2000.

Penalty for unauthorised use by requesting entity and noncompliance with intimation requirements

2010 Bill: Clause 40 of the Bill prescribed penalty for manipulating biometric information and stated that a person who gives/attempts to give any biometric information which does not pertain to him for the purpose of getting an Aadhaar number, authentication or updating his information, shall be punishable with imprisonment for a term which may extend to three years or with a fine which may extend to ten thousand rupees or with both.

2016 Bill: Clause 40 prescribes penalty for a person, being a requesting entity, uses the identity information of an individual in contravention of clause 8(3) , to be punishable with imprisonment which may extend to three years or with a fine which may extend to ten thousand rupees or, in the case of a company, with a fine which may extend to one lakh rupees or with both. Clause 41 of the Bill states that Whoever, being an enrolling agency or a requesting entity, fails to comply with the requirements of clause 3(2)-list of details to be informed to the individual undergoing enrolment, and clause 8(3)-informing individual undergoing enrolment details for the purpose of authentication, shall be punishable with imprisonment which may extend to one year, or with a fine which may extend to ten thousand rupees or, in the case of a company, with a fine which may extend to one lakh rupees or with both.

General Penalty

2010 Bill: For an offence committed under the Act or rules made thereunder, for which no specific penalty was provided, the penalty was prescribed as imprisonment for a term which may extend to three years, or fine as prescribed.

2016 Bill : For an offence committed under the Act or rules made thereunder, for which no specific penalty was provided, the penalty was prescribed as imprisonment for a term which may extend to one year, or fine as prescribed.

Miscellaneous

Power of Central Government to supersede Authority.

2010 Bill: Clause 47(1)(c) stated that if at any time the Central Government is of the opinion that such circumstances exist which render it necessary in the public interest to supersede the Authority, may do so in the manner prescribed under this provision.

2016 Bill : Clause 48(1)(c) states that if at any time the Central Government is of the opinion that a public emergency exists, then the Central Government may supersede the Authority, in the manner prescribed under this provision.

Power to remove difficulties.

2010 Bill: The proviso to Clause 56(1) stated that an no order by Central Government, which may appear necessary to remove a difficulty in giving effect to the provisions of this Act, shall be made under this section after the expiry of two years from the commencement of this Act.

2016 Bill : The proviso to Clause 58(1) stated that an no order by Central Government, which may appear necessary to remove a difficulty in giving effect to the provisions of this Act, shall be made under this section after the expiry of three years from the commencement of this Act.

Savings

2010 Bill: Clause 57 provided that any action taken by the Central Government under the Resolution of the Government of India, Planning Commission bearing notification number A-43011/02/ 2009-Admin.I, dated the 28th January, 2009, shall be deemed to have been done or taken under the corresponding provisions of this Act.

2016 Bill : Clause 59 states that any action take by Central Government under the Resolution of the Government of India, Planning Commission bearing notification number A-43011/02/2009-Admin. I, dated the 28th January, 2009, or by the Department of Electronics and Information Technology under the Cabinet Secretariat Notification bearing notification number S.O. 2492(E), dated the 12th September, 2015, as the case may be, shall be deemed to have been validly done or taken under this Act.

Statement of Objects and Reasons

2010 Bill: The Bill stated that the Central Government decided to issues unique identification numbers to all residents in India, which involves collection of demographic, as well as biometric information. The Unique Identification Authority of India was constituted as an executive body by the Government, vide its notification dated the 28th January, 2009. The Bill addressed and enlisted several issues with the issuance of unique identification numbers which should be addressed by law and attract penalties, such as security and confidentiality of information, imposition of obligation of disclosure of information so collected in certain cases, impersonation at the time of enrolment, unauthorised access to the Central Identities Data Repository, manipulation of biometric information, investigation of certain acts constituting offence, and unauthorised disclosure of the information collected for the purposes of issuance of the numbers. To make the said Authority a statutory one, the National Identification Authority of India Bill, 2010 was proposed to establish the National Identification Authority of India to issue identification numbers and authenticate the Aadhaar number to facilitate access to benefits and services to such individuals to which they are entitled and for matters connected therewith or incidental thereto.Apart from the above mentioned purposes, The National Identification Authority of India Bill, 2010 also seeks to provide for the Authority to exercise powers and discharge functions so prescribed , ensure that the Authority does not require any individual to give information pertaining to his race, religion, caste, tribe, ethnicity, language, income or health, may engage entities to establish and maintain the Central Identities Data Repository and to perform any other functions as may be specified by regulations, constitute the Identity Review Committee and take measures to ensure that the information in the possession or control of the Authority is secured and protected against any loss, unauthorised access or use or unauthorised disclosure thereof.

2016 Bill: The Bill states that correct identification of targeted beneficiaries for delivery of subsidies, services, frants, benefits, etc has become a challenge for the Government and has proved to be a major hindrance for successful implementation of these programmes. In the absence of a credible system to authenticate identity of beneficiaries, it is difficult to ensure that the subsidies, benefits and services reach to intended beneficiaries. The Unique Identification Authority of India was established by a resolution of the Government of India, Planning Commission vide notification number A-43011/02/ 2009-Admin.I, dated the 28th January, 2009, to lay down policies and implement the Unique Identification Scheme of the Government, by which residents of India were to be provided unique identity number. Upon successful authentication, this number would serve as proof of identity for identification of beneficiaries for transfer of benefits, subsidies, services and other purposes. With increased use of the Aadhaar number, steps to ensure security of such information need to be taken and offences pertaining to certain unlawful actions, created. It has been felt that the processes of enrolment, authentication, security, confidentiality and use of Aadhaar related information must be made statutory. For this purpose, the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 seeks to provide for issuance of Aadhaar numbers to individuals on providing his demographic and biometric information to the Unique Identification Authority of India, requiring Aadhaar numbers for identifying an individual for delivery of benefits, subsidies, and services, authentication of the Aadhaar number, establishment of the Unique Identification Authority of India, maintenance and updating the information of individuals in the Central Identities Data Repository, state measures pertaining to security, privacy and confidentiality of information in possession or control of the Authority including information stored in the Central Identities Data Repository and identify offences and penalties for contravention of relevant statutory provisions.

For more details visit https://cis-india.org/internet-governance/blog/a-comparison-of-the-2016-aadhaar-bill-and-the-2010-nidai-bill

The 12-digit conundrum

praskrishna — 2017-03-14T13:50:05Z

Even as the Centre plans to link as many as 500 schemes to Aadhaar, concerns over data safety are rising. Richa Mishra reports.

The article by Richa Mishra was published in the Hindu Businessline on March 13, 2017. Sunil Abraham was quoted.

The developments of last few weeks seem to have made real some of the worst fears about Aadhaar. In February, UIDAI (Unique Identification Authority of India) filed a police complaint alleging attempts of unauthorised authentication and impersonation of data related to Aadhaar. Since then, each and every machinery within the government has been trying to convince otherwise, that Aadhaar database is safe and secure, and that the data is protected both by the best available advanced technology as well as by the stringent legal provisions in the Aadhaar Act.

Not everyone is convinced. Critics say, biometrics only make the citizen transparent to the State, it does not make the State transparent to citizens. “We warned the government six years ago, but they ignored us,” said Sunil Abraham, Executive Director of Bengaluru-based research organisation, Centre for Internet and Society. According to him, the legislation implementing Aadhaar has almost no data protection guarantees for citizens. He also believes that by opting for biometrics instead of smart cards the government is using surveillance technology instead of e-governance technology.

“Biometrics is remote, covert and non-consensual identification technology. It is totally inappropriate for authentication. This has only increased the fragility of Indian cyber security,” he stresses.

However, officials associated with UIDAI dismiss these arguments. Collecting biometrics does not pose any threat to the right to privacy because people have been giving their thumb impression for ages, they say. “The biometrics are encrypted at source and kept safe and secure. Unauthorised sharing and leakage of the data does not happen. Fears related to collection of biometrics are not justified,” an official at the helm of affairs said. He requested anonymity.

“However, as and when we find that some suspicious activity or misuse is happening, we will strike at the very beginning itself. UIDAI has full authentication regulation under the Aadhaar Act that has to be followed. It specifies in what manner authorities can use Aadhaar,” the official pointed out.

On the ground

Even as the debate over data security rages, the aam aadmi seem to be little perturbed about the alleged risks involved. For Padmini, who works as a domestic help in East Delhi and is the sole bread earner for her family of four, the Aadhaar card meant access to all government benefits.

“Koi farak nahi padta, kaun dekhta hai mera card. Mujhko LPG cylinder ka paisa bank mein mil jata hai,” (It doesn’t matter to me who sees my card. The subsidy for LPG gets transferred to my account) she says. “Baccho ke school admission mein bhi zaroorat pada,” (I needed it to get my children’s admission in school), she added. Sukh, a cab driver also uses it to get the LPG subsidy.

While everyone BusinessLine talked to were convinced that Aadhaar was not a citizenship card, the more aware ones saw it as a door that gave access to government schemes.

While they had a point, government officials are careful to make it clear that Aadhaar is not mandatory. But the popular perception increasingly points to the opposite view, especially after it emerged that Aadhaar might be made mandatory for children to receive midday meals at schools.

Another senior government official said, “Aadhaar is not mandatory under any welfare scheme of the government and no one is being deprived of a service or benefit for the want of Aadhaar…it’s required for availing a service/subsidy/benefit that accrues through the Consolidated Fund of India.” He added that those who do not have the 12-digit number would be provided with the facility to enrol by the Requiring Agency. “And till the time Aadhaar is assigned, alternative IDs would be allowed,” he said.

If a school which has to get Aadhaar enrolment done for its students puts the Aadhaar numbers of its students on its site and the same is used by someone, you can’t blame us, the official argues. Then, who is accountable?

Pushing for Aadhaar, the UIDAI officials cite the example of Kerala’s Department of General Education (DGE), which has integrated Aadhaar with the student databases and has thereby optimised the teacher-student ratio and identified the schools with excess teachers. In a single academic year, 3,892 excess teacher posts were identified.

“Due to this exercise, no new posts have been sanctioned for the last two years, resulting in notional savings of ₹540 crore per annum,” said a UIDAI official. After student enrolment in the state was linked to Aadhaar since 2012-2013, the head count of pupils have fallen by 5 lakh. Similar trends have been reported in Haryana. Critics have also pointed out the possible security risk in using AadhaarPay, the Andriod-based app. Merchants can download the app in their phone and install a fingerprint scanner linked to the phone. Customers with Aadhaar numbers can use their fingerprints (like the secret PIN in case of debit cards) to do a transaction. While doubts have been raised about the safety of fingerprint data, officials in the know blame the controversy on the “card lobbies.”

“Thirty crore Indians have no mobiles. They find it difficult to handle password, pin or card, this is where AadhaarPay will come handy,” the official added. “They don’t need a smart phone or feature phone. They don’t need a debit card.

“Today more than 112 crore people have the Aadhaar card. Approximately, 52.95 crore people have linked their Aadhaar numbers to their bank accounts. We already have a system of Aadhaar authentication in place,” the official added.

Government officials are at pain to point out the larger benefits of Aadhaar, including savings of more than ₹49,000 crore by plugging leakages in government schemes like PDS. Government plans to increase the number of welfare schemes linked to Aadhaar from 36 to over 500. While the intent is good, concerns remain.

For more details visit https://cis-india.org/internet-governance/news/richa-mishra-hindu-businessline-march-13-2017-the-12-digit-conundrum

No ID, no benefits: thousands could lose lifeline under India’s biometric scheme

praskrishna — 2017-03-22T14:27:25Z

Controversial Aadhaar card restricts fundamental rights, argue critics, limiting access to free school meals and exposing 1 billion people to privacy risks.

The article was published in the Guardian on March 21, 2017. Sumandro Chattapadhyay was quoted.

An Aadhaar biometric identity card, which will be mandatory for Indians to access many essential government services and benefits. Photograph: Bloomberg/Getty Images

Hundreds of thousands of people in India could be left without essential government services and benefits – including free school meals and uniforms, food subsidies and pensions – under new rules that make access to more than three dozen state-funded schemes conditional on showing identification.

Over the past month, citizens have been notified that they have to prove their identity with a biometric ID, known as an Aadhaar card, to be eligible to use various services. Booking railway tickets online, applying for some jobs, and getting fuel subsidies will also be dependent on showing the controversial card.

Aadhaar cards were introduced by the Indian government in 2009, and rolled out by prime minister Narendra Modi in 2014. They record personal biometric data, including fingerprints and eye scans, which the government says allows it to ensure that welfare services are being delivered to those who really need them, and saving billions of rupees by reducing welfare fraud.

The Unique Identification Authority of India (UIDAI), which oversees the Aadhaar programme, says that more than 1.13 billion people have been enrolled on an official database. But activists say that hundreds of thousands of Indians and migrants are still undocumented and could miss out on their fundamental rights because of the new rules.

“What if a Facebook account was necessary to log in to the internet, and what if Facebook was owned by the government of the US?” asked Sumandro Chattapadhyay, research director at the Centre for Internet and Society (CIS), a thinktank with offices in Bangalore and Delhi. “We are building a system that will decide whether a child will eat or not on an afternoon based on [the] quality of internet connectivity and cleanliness of the child’s thumbprint.”

Chattapadhyay argued that Aadhaar, which is effectively being forced upon Indians, and which is used increasingly by private companies, exposed more than a billion people to huge privacy risks.

“The Aadhaar ID is being connected to digital communications via sim card registration, it is being connected to financial transactions via bank accounts, and all Indian citizens are being forced to enrol for it against the threat of losing out from welfare services,” he said.

“The potential of unmonitored and unregulated use of such linked data by the private sector is massive. It does not matter if the Indian state will finally go ahead with implementing this system or not. The fact that [it] is considering such a system is scary enough.”

Nanu Bhasin, spokesperson at the ministry of women and child development, confirmed that the order to link Aadhaar to government schemes had come directly from the Modi government. “There are leakages in the system,” she said. “This will plug leakages.”

Bhasin said Aadhaar was now mandatory: “You have to take it, it is necessary. You cannot take the right to a benefit if you don’t have the Aadhaar card.”

She said she did not know if those who did not want to enrol in the scheme because of potential privacy risks would still be able to receive benefits. “You have bank accounts, there you give all your details, everything. Why make a fuss [about privacy] for Aadhaar?” she said.

One of the most contentious new rules introduced this month, and coming into force in July, requires children to show Aadhaar cards to get free school meals. The notice led to a media storm in India, where malnutrition rates are high and nearly 60 million children are underweight.

On 7 March the government said alternative forms of ID would be accepted for free school meals where people did not yet have Aadhaar cards, and urged schools and childcare centres to enrol all attendees.

Activists argue that setting any barriers to free school meals is unethical and unconstitutional. Ambarish Rai, national convenor of the Right to Education Forum, said: “This is a very insensitive decision of the government. How can you make it mandatory? It is a clear-cut violation of the Right to Education Act 2009.”

Compulsory identification could deter school attendance if children struggle to get free school meals or uniforms, said Swati Narayan, visiting research scholar from the LSE and food activist. “India’s school meal programme covers almost 100 million children – the largest in the world. Instead of creating unnecessary barriers, the focus should be on how to improve these modest meals by adding eggs, fruit and nutritious foods to the menu.”

Glitches in the Aadhaar system have already led to reports of people being unfairly denied government subsidies. In February, the news website Scroll recorded a number of people in the state of Jharkhand being denied rice subsidies because of problems with Aadhaar card machines.

The constitutional validity of the government’s new orders is currently being debated in court, with questions raised as to whether the Indian parliament can restrict fundamental rights enshrined in the constitution, and whether the government has the power to force citizens to enrol.

In 2015, a supreme court order had ruled that the scheme was purely voluntary, and that it could not become mandatory with a court ruling. But in 2016, parliament passed the Aadhaar Act, which allowed the government to require identification for government services.

Khagesh Jha, a lawyer and activist, argued that the act was fundamentally unconstitutional. “Rescued children, children who have been trafficked or those who have been forced into child labour – [you] can’t expect them to hold an Aadhaar card or documents like a birth certificate. Right to education is a fundamental right, and is protected by the core of the constitution. It cannot be challenged by any other document.”

UIDAI, the agency overseeing Aadhaar, issued a statement saying the government had made savings of more than 490bn rupees (£6bn) in the past two and a half years, thanks to schemes linking government benefits to Aadhaar. It added that during the past seven years, there had been no report of a breach or leak of residents’ data.

For more details visit https://cis-india.org/internet-governance/news/the-guardian-march-21-2017-no-id-no-benefits

Privacy concerns multiply for Aadhaar, India’s national biometric identity registry

praskrishna — 2017-03-22T14:38:52Z

The largest and most sophisticated biometric identity system of any country in the world, India’s Aadhaar, is sparking new fears that the personal data it stores on more than 1.1 billion people could be vulnerable to exploitation.

The article by Kaelyn Lowmaster was published by One World Identity on March 17, 2017, Sunil Abraham was quoted.

Aadhaar, which translates to “foundation” in Hindi, is a unique 12-digit code tied to citizens’ biometric data and personal information. The system was launched in 2009 in an effort to extend social services to India’s millions of unregistered citizens, and to cut down on welfare benefit “leakage” resulting from an opaque and often corrupt bureaucracy.

Constructing a centralized repository of biometric data on nearly a fifth of the world’s population has raised serious concerns among privacy advocates.

The government has also looked to Aadhaar data to underpin mobile payment transfer platforms, which have become crucial for cashless transactions during the country’s demonetization push over past year.

But constructing a centralized repository of biometric data on nearly a fifth of the world’s population has raised serious concerns among privacy advocates, who cite several vulnerabilities both with the Aadhaar system and the Modi administration’s planned expansion.

Despite this, recent metrics indicate that Aadhaar has been enormously successful in achieving those goals. Though the program is theoretically voluntary, more than 99% of Indian adults are now enrolled. Over three billion individual identity verifications have been conducted, and some reports indicate that the Indian government is saving a billion dollars per year now that welfare subsidies can be paid to citizens directly through Aadhaar-verified fund transfers.

Prime Minister Narendra Modi has ambitions to broaden the system even further, seeking to use Aadhaar as the gateway for accessing government programs ranging from public education to subsidized cooking gas, as well as partnering with private companies to offer services facilitated by the Aadhaar database.

Concerns, however, remain. One primary worry is that India’s legal framework for information security is still weak and fragmented, despite government assurances that Aadhaar biometrics have never been misused or stolen.

“There are no regulations in India on safeguards over and procedures for the collection, processing, storage, retention, access, disclosure, destruction, and anonymization of sensitive personal information by any service provider,” according to a 2016 World Bank report.

A patchwork of rules outlining “reasonable security practices and procedures” for personal data has accumulated since Aadhaar was launched, but there is no codified law outlining how data in the system must be secured, or what penalties exist for potential leaks, fraud or misuse.

“Imagine a situation where the police (are) secretly capturing the iris data of protesters and then identifying them through their biometric records” – Sunil Abraham, executive director of the Centre for Internet and Society in Bangalore

This regulatory gap poses a particularly acute risk now that the government has begun offering companies and app developers support for starting new businesses that use Aadhaar data. Through a new initiative called IndiaStack, the administration is providing open program interfaces for companies in fintech, healthcare, and other areas to integrate Aadhaar-based transactions into their business platforms. While IndiaStack’s terms of use explicitly state that user consent is required for any information sharing between service providers and the Aadhaar database, doubts remain about the integrity of the network infrastructure and the lack of clarity surrounding acceptable information sharing and storing protocols.

Another source of concern is the risk that Aadhaar information could be leveraged by the government itself for political purposes.

“Maintaining a central database is akin to getting the keys of every house in Delhi and storing them at a central police station,” Sunil Abraham, executive director of the Centre for Internet and Society in Bangalore, told Reuters. “It is very easy to capture iris data of any individual with the use of next generation cameras. Imagine a situation where the police (are) secretly capturing the iris data of protesters and then identifying them through their biometric records.”

Further stoking fears of federal overreach, the Modi administration has attempted to make Aadhaar registration mandatory in certain sectors, violating a Supreme Court ruling from October 2015 that enrollment must remain voluntary.

Still, the benefits of building on the Aadhaar identity system appear to be outweighing the risks for now, and the system is gathering momentum worldwide. The World Bank is helping market the Aadhaar model abroad, and Russia, Morocco, Tunisia, and Algeria have all expressed interest in instituting national biometric identity programs of their own. Microsoft is already on board, and Google is negotiating ways to get involved.

Aadhaar may indeed live up to is potential and become the global standard for universal legal identity, but until India can manage to create more robust mechanisms to protect citizens’ personal data, their security could remain uncertain.

For more details visit https://cis-india.org/internet-governance/news/one-world-indentity-kaelyn-lowmaster-march-17-2017-privacy-concerns-multiply-for-aadhaar-indias-national-biometric-identity-registry

India’s biometric ID scans make sci-fi a reality

praskrishna — 2017-03-28T02:45:28Z

I have been thinking about my fingerprints and the secrets that may lie within my eyes — and whether I want to share them with the Indian government. I may not however have a choice.

The article by Amy Kazmin was published in the Financial Times on March 27, 2017. Sunil Abraham was quoted.

India has the world’s largest domestic biometric identification system, known as Aadhaar. Since 2010, the government has collected fingerprints and iris scans from more than 1bn residents, and each has been assigned a 12-digit identification number.

The scheme is championed by Nandan Nilekani, the billionaire co-founder of IT company Infosys. It was initially conceived to ensure poor Indians received subsidised food entitlements and other welfare benefits that were previously siphoned off by unscrupulous intermediaries. It was also seen as offering poor Indians, many of whom lack birth certificates, with a portable ID that can be used anywhere in the country.

Until now, obtaining an Aadhaar number was voluntary, though most Indians enrolled without hesitation as they see its potential benefits. But New Delhi is now enlisting Aadhaar, which means “foundation” or “base” in Hindi, in more than just welfare schemes. This would mean sharing one’s biometric details isn’t really optional any more despite a Supreme Court ruling that it should be “purely voluntary”.

Last week, the government issued a rule requiring an Aadhaar number for filing tax returns, ostensibly to improve tax compliance. It has also decided that all cell phone numbers must be linked to an Aadhaar number by 2018. Even Indian Railways has plans to demand Aadhaar from those booking train tickets online.

What was once touted as an initiative to improve delivery of welfare suddenly now seems like the foundation of a surveillance state — and I admit the prospect of putting my own biometrics in the database leaves me uneasy.

As a US citizen, I’ve never had to give my biometric data to my government. Domestically, fingerprints are only taken from criminal suspects, or applicants for government jobs, though I know foreign citizens are fingerprinted on arrival.

To me, the idea of sharing eye scans evokes the dystopian Hollywood film, Minority Report, which depicts a near future in which optical-recognition cameras allow the authorities to identify anyone in any public place. The hero on the run, played by Tom Cruise, has an illegal eye transplant to avoid detection.

In recent days, many Indian academics and activists have raised concerns about Aadhaar data security, the lack of privacy rules and the absence of any accountability structure if data are misused.

"Biometrics is being weaponised," says Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society. "What you need to be worried about is that someone will clean out your bank account or frame you in a crime," he says.

Pratap Bhanu Mehta, director of the Centre for Policy Research, has written of the “conversion of Aadhaar from a tool of citizen empowerment to a tool of state surveillance and citizen vulnerability”.

I call Mr Nilekani, of whose honourable intentions I have no doubt. After leaving Infosys in 2009, he spent five years in government, working to get Aadhaar off the ground. He says he is “extremely offended” when his project is accused of being part of a surveillance society, a narrative he says is “completely misrepresenting” the project. “I can steal your fingerprint off your glass. I don’t need this fancy technology,” he says. “Surveillance is far better done by following my phone, or when I use a map to order a taxi: the map knows where I am. Our internet companies know where you are.”

But in a society known for ingenious means of bypassing rules, such as having multiple taxpayer ID cards to aid evasion, Mr Nilekani says biometric authentication of individuals can bring discipline and reduce cheating. “It’s like you are creating a rule-based society,” he says, “it’s the transition that is going on right now.” I hang up, hardly reassured. To me, it seems clear that in India, as in so many places these days, Big Brother is increasingly watching.

For more details visit https://cis-india.org/internet-governance/news/financial-times-march-27-2017-amy-kazmin-indias-biometric-id-scans-make-sci-fi-a-reality

क्‍या आधार पर जल्दबाज़ी में है सरकार?

praskrishna — 2017-03-29T03:52:08Z

Amber Sinha took part in a discussion on Aadhaar aired by NDTV on March 27, 2017.

एक जुलाई 2017 से आयकर रिटर्न भरने और पैन नंबर के लिए आधार नंबर देना अनिवार्य हो जाएगा. बिना आधार के अब आयकर रिटर्न नहीं भरा जा सकेगा. जिस किसी के पास पैन कार्ड है उसे एक जुलाई तक आधार नंबर देना होगा. अगर ऐसा नहीं करेंगे तो पैन कार्ड अवैध हो जाएगा. माना जाएगा कि आपके पास पैन कार्ड या पैन नंबर नहीं है. आयकर फार्म और पैन नंबर में आधार को अनिवार्य किये जाने से कई सवाल फिर से उठे हैं. 2009 से लेकर 2017 के बीच आधार के इस्तमाल को लेकर, इसके लीक होने से लेकर अनिवार्य किये जाने के ख़तरे को लेकर कई बहसें सुनी, पचासों लेख पढ़े. दूसरी तरफ हमने समाज में देखा कि आधार को लेकर ग़ज़ब का उत्साह है.

Watch the Video on NDTV

For more details visit https://cis-india.org/internet-governance/news/ndtv-march-27-2017-discussion-on-aadhaar

No such rule, but many vaccination centres are insisting on Aadhaar as proof

Sreedevi Jayarajan — 2021-06-26T04:43:13Z

Radhika Radhakrishnan saw three words swimming before her as she inched closer to the hospital lobby.

The blog post by Sreedevi Jayarajan was published in the News Minute on June 4, 2021. Pranesh Prakash was quoted.

The words were written on a white board inside the private hospital she had visited in Bengaluru on May 21, three weeks after the Union Government opened up COVID-19 vaccinations for the 18+ category after online registration. “I had booked a vaccine slot and visited the hospital and the words on the board read ‘Aadhaar is mandatory’, along with other dos and don’ts of the vaccination process that the hospital followed,” she tells TNM. On the morning of her vaccination date, Radhika had registered on the Union Health Ministry’s CoWin portal for a vaccine slot in the 18+ age group. She had given her PAN number when the portal asked for a government ID proof. The appointment slip on CoWin also showed her PAN, she says.

But on the day of vaccination, authorities at the private hospital refused to accept her PAN card. Radhika says that they insisted on her Aadhaar number in order to authenticate her vaccination appointment, despite her telling them that it is illegal to demand her Aadhar card. “The hospital authorities told me that they only used Aadhaar cards to register people for vaccination or authenticate CoWin appointments. They said that if I did not want to give my Aadhaar number, I would have to wait a few more hours for them to figure out a different process,” she tells TNM. By this time, Radhika had already waited three hours in the hospital queue.

Bengaluru-based journalist Biswak* too recounts a similar experience at a government run vaccination centre he had visited on May 5. The 25-year-old had registered on CoWin using his Driving License, one of five government ID proofs that the Health Ministry portal accepts for booking vaccination slots. But at the centre, Biswak says that the officials insisted on his Aadhaar number. “Thankfully I had the number despite not carrying my card. I got vaccinated and the vaccination certificate issued on my CoWin account showed the last four digits of my Aadhaar, and did not mention my driving license which was my ID proof of choice,” he says.

TNM got in touch with several people from Tamil Nadu and Karnataka among other states who confirmed that their vaccination centres refused to accept any other ID proof, and insisted on Aadhaar. This despite the Union government not making Aadhaar mandatory for CoWin registration, for on-the-spot registrations, and even for authentication of appointments at vaccination centres.

Co-Win does not insist on Aadhaar

A quick look at the CoWin portal will tell you that you can register with any of six government ID proofs other than your Aadhaar card. These are Driving License, PAN card, Passport, Pension Passbook, NPR Smart Card and Voter ID (EPIC). To the vaccine centres, registered citizens should carry the very same ID proof they have used to register on the Co-Win portal, along with a printout or screenshot of their appointment slip. This means, if a person has registered on the portal using an Aadhaar card, the vaccination centre will ask for the same for authentication.

Once vaccinated, citizens get a certificate with their vaccination status (one dose or fully vaccinated) on their phones. This certificate contains the person’s name, age, type of vaccine (Covishield or Covaxin) and the last four digits of the ID proof used for registration.

While Radhika and Biswak say that their appointment slips had their PAN and Driving License numbers respectively, after they were coerced to give their Aadhaar numbers, the vaccination certificate on the Co-Win portal showed their Aadhaar number. “This means that they have forced me to give my Aadhaar number and then used this, despite me giving a different ID proof,” Radhika says. Multiple private hospitals in Chennai too currently insist on Aadhaar card for vaccinations, while Tamil Nadu government maintains that Aadhaar is not mandatory.

TNM spoke to a senior official in the Revenue and Finance Department of the Greater Chennai Corporation who confirmed that centres, both private and government, did not have the right to demand Aadhaar for vaccination. “There is no such rule that Aadhaar has to be submitted by citizens. In fact, the Co-Win portal also has a section to register those who have no ID proof, i.e homeless persons or those from marginalised sections. The portal finds another way to register these people. So insisting on an Aadhaar number is out of the question,” he says. In the neighbouring state of Kerala, the government recently announced that persons who had to travel abroad for various reasons should register on the government portal only using their passports. This, so that their vaccination certificate would generate their passport number as ID proof.

A matter of convenience?

In the absence of a law which mandates Aadhaar to be used for the purpose of universal COVID-19 vaccination, there is no legal basis for hospitals and vaccination centres to insist on Aadhaar numbers to vaccinate people. “Unlike a law passed by the Union government which makes it compulsory for your PAN to be linked to your Aadhaar, there is no law which the government has passed to make Aadhaar compulsory for vaccination. The Union government does, however, have the legislative competence to pass such a law. Which means that if they want to make Aadhaar mandatory for vaccination, they can. So far they have not. And therefore, nobody has the right to demand Aadhaar to vaccinate people,” says Pranesh Prakash of the Centre for Internet and Society.

However, it could be a matter of convenience for hospitals to use one type of ID proof, to be able to streamline their data entry process. “As (I believe) Aadhaar is the most widespread ID card in the country right now, when compared to other ID proofs, it makes it simple for vaccination centres to ask for Aadhaar numbers and key this in," Pranesh adds.

To a query that TNM posted on Twitter, we got varied responses from people. While many said that the centres did not insist on a particular ID card, many others said they had to give their Aadhaar. The insistence for Aadhaar by vaccination centres, both private and government, seems to be random, with no proper pattern or rule in place.

System does not support other ID proofs?

From Radhika’s experience, the hospital she visited for vaccination could not support any other ID proof, as they, in their own words “followed a system of using just Aadhaar cards”. This indirectly coerces unwilling citizens to part with their Aadhaar details, and offers no choice for those who registered with other ID proofs.

“I had to finally give my Aadhaar number but it said that there was a mismatch. Later we found out that my name on my PAN was a bit different from the name on my Aadhaar card. Since I had used the PAN to register on Co-Win, the portal could not authenticate me with the Aadhaar number. Finally I had to re-register on the spot and give a different phone number as the phone number I had given was already linked to my Aadhaar and PAN,” she says, adding that all of this could have been avoided if the hospital had accepted her PAN in the first place.

However, a private hospital that has been doing vaccinations in many places across India told TNM that they had no instructions from the state or Union government to use only Aadhaar and claimed that they only asked for Aadhaar if the person had used it during registration. However, many people who responded to TNM named this private hospital and many others too as those insisting on Aadhaar as proof.

For more details visit https://cis-india.org/internet-governance/news/the-news-minute-june-4-2021-sreedevi-jayarajan-no-such-rule-but-many-vaccination-centres-are-insisting-on-aadhaar-as-proof

Advanced biometric technologies and new market entries tackle fraud, chase digital ID billions

Chris Burt — 2021-06-28T01:13:05Z

Amid forecasts of rapid growth and huge market potential, digital ID platforms launches by Techsign and Ping Identity, new services, features and even an investment fund have been launched.

The blog post by Chris Burt was published by Biometric Update on June 26, 2021.

A new camera solution for under-display 3D face biometrics from Infineon and partners, and IPO filings by Clear and SenseTime show parallel investment activity in biometrics, meanwhile, and experts from Veridium and Intellicheck provide insight into the shifting technology and fraud landscapes, among the most widely-read stories this week on Biometric Update.

Top biometrics news of the week

Several areas of the digital identity market continued to be very active, with a new investment fund launched to support startups in digital commerce and payments, Yoti joining a regulatory sandbox, Techsign launching a digital ID platform, and Mastercard and b.well reporting positive results from a recent pilot for their biometric healthcare platform. All this activity contributes to explaining Juniper Research’s forecast of rapid growth in the sector to $16.7 billion in 2026, driven largely by spending on remote onboarding.

Okta CEO Todd McKinnon, meanwhile, told Barron’s that the total addressable market for identity and access management providers like Okta is something like $80 billion, as well as that effective integration is the key to solving biometrics challenges in the space. Entrust and Yubico formed an integration partnership, LoginRadius launched a new feature, Jamf launched a biometric tool for enterprises, and a certification program for IAM professionals was launched.

A list of goods for sale on the dark web includes a listing for selfies holding an American ID credential, which in theory could be used in a biometric spoofing attack. Cybersecurity researcher Luana Pascu helps guide readers through the report, and shares insights such as on the status of faked vaccination certificates on dark web marketplaces.

Ensuring the validity of the ID document a biometric identity verification process is based on, without adding too much friction, often means adopting layered risk profiling, Intellicheck CEO Bryan Lewis tells Biometric Update in a sponsored post. The company has deep roots in detecting fraudulent documents and has found that even scanning the barcode on an identity document will not necessarily catch a fake if the unique security elements are not validated as part of the scan.

Fourthline Anti-Financial Crime Head Ro Paddock writes in a Biometric Update guest post about the ever-increasing sophistication of fraud attacks, which reached the level of computer-generated 3D masks and deepfakes during the pandemic,. In response, information-sharing between organizations will be necessary to understand the scope of these new threats, and how to defend against them.

Philippines’ election commission has launched an app to allow people to preregister for the voter roll online before enrolling their biometrics in person, as the country continues digitizing its public services. Governments in Pakistan, Haiti and Nigeria are also making moves to improve the accessibility and trustworthiness of their electoral processes.

A partnership between Research ICT Africa and the Centre for Internet and Society, supported by the Omidyar Network, to explore the development of digital ID systems for the African context is explained in a blog post. The project will be based on an adaptation of the Evaluation Framework for Digital Identities which the CIS used to assess India’s Aadhaar system, with rule of law, rights and risk-based tests, and presented in a series of posts.

Details of Clear’s IPO plans emerged, including its intention to raise up to $396 million on the NYSE. The $2.2 billion valuation aligns with some comparable companies, by revenue multiple, but the lower voting power of the shares on offer could be a restraining factor.

An even bigger IPO could be held by SenseTime later this year, with the Chinese AI firm looking to raise up to $2 billion on the Hong Kong exchange. The company has been talking about a public stock launch since before the company was hit with restrictions to U.S. trade, which it indicates have had little impact.

The latest major funding round in digital identity is the largest yet, with Transmit Security raising $543 million at a $2.2 billion valuation to expand the market reach of its passwordless biometric authentication technology. The company claims it is the highest ever Series A funding round in cybersecurity.

Bob Eckel, Aware CEO and International Biometrics + Identity Association (IBIA) Director and Board Member, discusses why people should own their own identity, identifying things and protecting supply chains, and his background in setting up air traffic control systems used all over the world with the Requis Supply Chain Next podcast. In the longer term Eckel sees biometric replacing passwords, and in the shorter term being used to make processes touchless.

Veridium CTO John Callahan guides Biometric Update through recent NIST guidance on the interoperable use of contactless fingerprints with contact-based back-end AFIS systems. The guidance, which changes definitions within the NIST ITL biometric container standard, but advises that the associated image quality metric does not apply to contactless prints, could spark further investment in the modality.

A new time-of-flight 3D imaging solution that could be used to implement facial authentication from under the display of mobile devices without notches or bezels has been developed by partners Infineon, pmdtechnologies and ArcSoft. Based on the REAL3 sensor and ArcSoft’s computer vision algorithms, the solution is expected to reach availability in Q3 2021.

Ping Identity has acquired SecuredTouch in a deal with undisclosed financial details to integrate its behavioral biometrics-based continuous user authentication with the PingOne enterprise cloud platform. Ping also launched a consumer application for reusable credentials and added unified management features to its cloud platform at its Identiverse 2021 event.

Notre Dame-IBM Technology Ethics Lab Founding Director Elizabeth Renieris joins the MIT Sloan Management Review’s Me, Myself and AI podcast to discuss the role of the lab, her path past and through some of the digital identity space’s key ethical developments, and the need to take the long view on technology to understand its ethical implications. Renieris makes a pitch for process-oriented regulations, based on the best understanding we have at the time.

ProctorU’s announcement that it will no longer sell fully-automated remote proctoring services is seen as a win in the battle against “the AI shell game” by the Electronic Frontier Foundation. The descriptions of the balance between the automated and human decision-making by AI proctoring providers amount to doublespeak, the EFF says, before panning their human review processes, accuracy rates, and use of facial recognition.

For more details visit https://cis-india.org/internet-governance/news/biometric-update-june-26-2021-chris-burt-advanced-biometric-technologies-and-new-market-entries-tackle-fraud-chase-digital-id-billions

UIDAI declining multiple requests by police to share Indian citizens’ biometrics

praskrishna — 2017-07-06T15:25:32Z

The Unique Identification Authority of India (UIDAI), the governing agency in charge of Aadhaar, has declined multiple requests from all law enforcement agencies, including the Delhi Police, for biometrics of citizens for criminal investigations, according to a report by The Indian Express.

The blog post by Justin Lee was published by Biometric Update on July 4, 2017.

Investigating agencies such as CBI and NIA have been repeatedly requesting the details of Aadhaar cardholders including their biometrics, UIDAI said.

UIDAI Deputy Director General Rajesh Kumar Singh has written to the heads of each agency, ordering them to stop asking for such details.

“This is regarding requests frequently received by the UIDAI from police and other law enforcement agencies, seeking demographic and biometric information of residents for facilitating identification of individuals in different cases,” Singh said in his letter. “In this regard, I would like to draw your kind attention to provisions under Sections 28 and 29 of the Aadhaar (Targeted delivery of financial and other subsidies, benefits and services) Act, 2016, which prohibits sharing of core biometric and identity related information with other authorities.”

Rather than asking forensic labs to match fingerprints, state police and investigating agencies are requesting biometrics data from UIDAI.

“Identity information cannot be shared by UIDAI,” Singh said. “The requests received from law enforcement agencies lead to avoidable delays in investigation by the police authorities and unnecessary increase in the workload of subordinate authorities.”

UIDAI is also concerned about data potentially leaking as the central government has confirmed that identities of individuals, including Aadhaar numbers and other private information, has been leaked to the public.

In May, the Centre for Internet and Society published a report that claimed between 130 to 135 million numbers in India’s Aadhaar biometric registry system, and around 100 million bank numbers of pensioners and rural jobs-for-work beneficiaries, have been leaked online by four key government programs.

For more details visit https://cis-india.org/internet-governance/news/biometric-update-july-4-2017-justin-lee-uidai-declining-multiple-requests-by-police-to-share-indian-citizens-biometrics

Supreme Court sets up constitution bench to hear Aadhaar privacy issues

praskrishna — 2017-07-14T10:55:04Z

The Supreme Court ‘s five-judge constitution bench will also decide if the Aadhaar privacy issue should be heard by a larger bench.

The article by Priyanka Mittal was published in Livemint on July 12, 2017. Sunil Abraham was quoted.

A five-judge constitution bench will hear arguments on 18-19 July as to whether Indian citizens have the right to privacy, and whether the Aadhaar unique identity project breaches the right.

Chief Justice of India (CJI) J.S. Khehar on Wednesday set the dates for the hearing by the constitution bench, which will decide whether the issue should be heard by a larger bench.

Should the five-judge bench decide to rule on the case itself and not refer it to a larger bench, it will decide the future of Aadhaar, which has become the backbone of government welfare programmes, the tax administration network and online financial transactions.

This will be based on whether the right to privacy is a fundamental right of Indian citizens.

Privacy rights activists argue that personal data gathered under the Aadhaar programme, aimed at giving a unique 12-digit identity number to every Indian, is vulnerable to abuse. Then attorney general Mukul Rohatgi told the Supreme Court in 2015 that Indian citizens don’t have a fundamental right to privacy under the Indian Constitution—an argument he repeated subsequently.

“In the two-day hearing, the court is not going to decide the full issue of privacy,” said Alok Prasanna Kumar, a lawyer and visiting fellow at think tank Vidhi Centre for Legal Policy, explaining how the Constitution bench is likely to proceed. “They are going to take a call on whether, in light of precedents, there is a need to refer the issue to a larger bench. There are past judgements and the court will have to look at the scope of privacy under each to decide the number of judges.”

He added: “If the five-judge bench agrees with the precedents, then it would continue to address the angle of privacy; if not, then it would be referred back to the CJI to constitute a larger bench of nine judges.”

All cases related to Aadhaar, including the right to privacy, will be heard by the constitution bench; the court decided to set up the constitution bench to hear the privacy case in August 2015.

The CJI’s decision came on a plea by advocate Shyam Divan, who has appeared in several cases opposing Aadhaar, and attorney general K.K. Venugopal seeking the speedy creation of a Constitution bench. It came a week after justice J. Chelameswar said that all matters related to Aadhaar should be addressed by a constitution bench.

“I see it as a step in the right direction. Personally, I hope that the privacy issue is heard by a five-judge bench as against a larger bench as that can bring more disagreement,” said Sunil Abraham, executive director of Bengaluru-based research think tank Centre for Internet and Society.

Last month, the Supreme Court court upheld the government’s decision to link Aadhaar with the permanent account number (PAN) for filing of income-tax returns but ruled that non-compliance with the law will carry no retrospective consequences.

Under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, the unique identity number is mandatory only to receive social welfare benefits.

For more details visit https://cis-india.org/internet-governance/news/livemint-priyanka-mittal-july-12-2017-supreme-court-sets-up-constitution-bench-to-hear-aadhaar-privacy-issues

Centre to form panel to 'encrypt' MGNREGA-DBT database and prevent leaks

praskrishna — 2017-07-14T10:46:45Z

Around 5 crore bank accounts of active MGNREGA workers yet to be seeded with Aadhaar.

The article by Sanjeeb Mukherjee was published in the Business Standard on July 14, 2017.

Alarmed over reports of ‘public disclosure’ of sensitive Aadhaar data through various portals and payment gateways, the Centre is in the process of appointing a high-powered panel of almost 20 experts to suggest ways and means through which data, particularly one which can be accessed through the MGNREGA-DBT platform can be encrypted.

Encryption, officials believe, would prevent the Aadhaar data and other related information from falling into wrong hands.

The need for proper encryption of Aadhaar data rose after the government made it mandatory for availing almost all benefits - be it school scholarships, payments of MGNREGA wages, identification of beneficiaries under mid-day meal scheme and even public distribution system along with others.

Ensuring cyber security has become all the more necessary as the Central government, in a notification issued last month, has made it mandatory for all bank accounts to be seeded with Aadhaar numbers by December 31, 2017, or else they would cease to be operational until the time the account holder furnishes his Aadhaar number.

This could seriously hamper payment of wages to MGNREGA workers because as per available information almost 5 crore active workers don’t have their bank accounts seeded with Aadhaar.

To complete the process before December 2017, the ministry of rural development has planned special Aadhaar camps to be held in villages from July 20 to September 2017.

Recently, a website published all confidential details of customers of a private telecom company including Aadhaar numbers and other information.

The breach was another instance of secure confidential information falling into public domain.

Officials of the panel, which would be headed by former NASSCOM head Kiran Karnik are expected to submit their report on the same within the next few months.

Other members of the panel include Director General of National Institute of Smart Governance (NISG), officials from Indian Computer Emergency Response Team (ICERT) and others.

However, cyber security experts believe that encrypting Aadhaar-DBT details mainly for those schemes and programmes which have a direct linkage with the public at this later stage has its own challenges as the entire ecosystem around Aadhaar has grown manifold ever since it was made mandatory for a variety of programmes.

Also, in the absence of a national encryption policy, such a move will have its own legal and regulatory challenges.

“Ever since the government made Aadhaar mandatory for many things, the entire ecosystem around it including the Central Identities Data Repository (the agency which stores Aadhaar data is exposed to leaks,” noted cyber law expert Pawan Duggal told Business Standard.

He said that without a proper national encryption law, it would be extremely challenging to provide legal and regulatory backing to encrypt all Aadhaar- DBT data details for MGNREGA. “Also now that the ‘cat is out of the bag,’ encryption of Aadhaar details will be hugely challenging,” Duggal said.

Already, civil society activists said that after some concern, the central government has removed all Aadhaar numbers and bank details from MGNREGA website, which has made tracking payments difficult.

A recent study by Amber Sinha and Srinivas Kodali from the Centre for Internet and Society (CIS) found that granular details about individuals including sensitive personally identifiable information such as Aadhaar number, caste, religion, address, photographs and financial information are only a few clicks away through government schemes dashboard and portals.

“While initiatives such as the government open data portals may be laudable for providing easy access to government data condensed for easy digestion, however in the absence of proper controls exercised by the government departments the results can be disastrous by divulging sensitive and adversely actionable information about the individuals who are responding units of such databases,” the report said.

It specifically studied two major schemes of the ministry of rural development; the National National Social Assistance Programme and MGNREGA along with some state schemes.

Pointers

a) Centre to form a panel to encrypt all MGNREGA-DBT database to prevent leaks.

b) The panel might also suggest ways and means in which such ‘encryption’ could be applied in other platforms.

c) The panel is expected to be headed by former NASSCOM head Kiran Karnik.

d) The encryption is essential as from January 2018 all non-Aadhaar seeded bank accounts will cease to be operational unless the holders seed them.

e) A recent study found that vivid details about individuals can be easily accessed from government platforms and databases.

f) The MGNREGA database was one such publicly available platform which formed part of the study.

For more details visit https://cis-india.org/internet-governance/news/business-standard-sanjeeb-mukherjee-july-14-2017-centre-to-form-panel-to-encrypt-mgnrega-dbt-database-and-prevent-leaks

Supreme Court provides partial relief for Aadhaar

praskrishna — 2015-10-18T05:01:49Z

In a small but significant win for the government, the Supreme Court on Thursday allowed the use of the Aadhaar number for the Mahatma Gandhi National Rural Employment Guarantee Scheme (MGNREGS), the Pradhan Mantri Jan Dhan Yojana, pensions by central and state governments, and the Employees’ Provident Fund Scheme, in addition to its current use in the public distribution system (PDS) and the distribution of cooking gas and kerosene.

The article by Apurva Vishwanath and Saurabh Kumar was published in Livemint on October 15, 2015. Sunil Abraham was quoted.

In an interim order on 11 August, the apex court had restricted the use of Aadhaar, the unique identity number, to the PDS and the distribution of cooking gas and kerosene.

Subsequently, several state governments, government departments and regulatory agencies put up a joint defence seeking a modification of the interim order. They included the Reserve Bank of India (RBI), the Securities and Exchange Board of India and the Telecom Regulatory Authority of India, the governments of Jharkhand, Maharashtra, Uttarakhand, Himachal Pradesh, Gujarat and Rajasthan, and industry body Indian Banks’ Association, along with the Unique Identification Authority of India (UIDAI), the issuer of Aadhaar.

A five-judge constitutional bench comprising Chief Justice H.L Dattu and justices M.Y Eqbal, C. Nagappan, Arun Mishra and Amitava Roy said in an order on Thursday: “We are of the opinion that in para 3 of the interim order, we can include schemes like MGNREGS, pensions by state and central government, Jan Dhan Yojana and Employees’ Provident Fund Scheme along with PDS and LPG (liquefied petroleum gas).”

Para 3 of the 11 August interim order had allowed the voluntary use of Aadhaar only for direct benefit transfer in foodgrain, kerosene and cooking gas schemes.

The court’s interim order threw an element of uncertainty around flagship government programmes such as biometric attendance for government employees; the Jan Dhan Yojana, the Prime Minister’s ambitious financial inclusion initiative; digital certificates, and pension payments.

It also threatened to derail India’s progress towards a cashless economy where payments banks are expected to play an important role.

All of these depend on linking accounts to individuals electronically, and are dependent on the Aadhaar number.

“The government was able to convince the court on the utility of Aadhaar which is critical to provide services to the most vulnerable section of the society,” said a government official who spoke on condition of anonymity.

The apex court, however, did not allow the use of Aadhaar for the e-know-your-customer (e-KYC) specifically, which would have helped banks, including payments banks, to enrol new customers and telecom operators for issuing SIM cards. However, it is noteworthy that while obtaining bank accounts under the Jan Dhan scheme, banks use e-KYC. The clarification that RBI sought from the court, on whether the Aadhaar number can be used as proof of identification to open a bank account, still remains uncertain.

This will affect banks, mutual funds and companies that have won in-principle payments bank licences such as Airtel M Commerce Services Ltd (from the stable of Bharti Airtel Ltd, which had a customer base of 231.6 million as of July) and Vodafone m-pesa Ltd (a part of Vodafone India Ltd, which had a customer base of 185.4 million as of July).

The licensees also include the department of posts, which has 155,015 post offices across the country, of which 139,144 are in rural areas. The sheer reach of these entities is unrivalled. These entities hope to ride on the technology platform to reach customers, and e-KYC is critical to the process.

“The reason why the court has allowed use of Aadhaar for Jan Dhan Yojana and not other banking services is perhaps because the government made a humanitarian argument that the poorest will be able to avail banking services. It is, however, a technologically flawed argument, deeply so,” said Sunil Abraham, executive director of Bengaluru-based research organization Centre for Internet and Society.

The bench ordered the Union government to follow all earlier interim orders issued by the Supreme Court starting September 2013. Some of these orders include restrain on sharing of biometrics and keeping Aadhaar voluntary.

As of now, 920 million Indian citizens have been allotted Aadhaar numbers. The interim stay was affecting beneficiaries of the MGNREGS (91.7 million), pensioners (27.1 million) and recipients of scholarships (25.7 million), among others, according to data from the Unique Identification Authority of India (UIDAI). Till now, 187 million bank accounts have been opened under the Pradhan Mantri Jan Dhan Yojana.

The apex court made the interim ruling in an ongoing hearing where several pleas related to Aadhaar were clubbed together. Some relate to Aadhaar numbers being made mandatory to enable people to avail of certain government benefits and services. Others deal with the number being a violation of privacy, especially in the absence of any backing regulation or oversight, and yet others deal with possible misuse of the information.

However, the constitution bench had clarified on Wednesday that only pleas seeking clarification and modification of the interim order will be decided, and the issue concerning the right to privacy will be heard subsequently by another constitution bench.

“I am very disappointed with the court’s order. The government claims that Aadhaar is voluntary, but actually it will not be till it is delinked from all government schemes. This way, people who do have Aadhaar are excluded and will have to run from pillar to post to receive benefits if they do not have the number,” said Kamayani Bali Mahabal, a Mumbai-based lawyer, human rights activist and a petitioner in the UIDAI case. She added that the order may increase the incidents of fake Aadhaar numbers as ineligible people choose to gain from all schemes, depriving the poor and aged of real benefits.

The attorney general, Mukul Rohatgi, on Wednesday assured the court that the government has issued advertisements in over 20 languages that Aadhaar is a voluntary scheme.

On 14 Wednesday, PTI reported that a Right to Information application has showed that the UIDAI has identified more than 25,000 duplicate Aadhaar numbers till August.

Mathew Thomas, one of the petitioners challenging the use and validity of the Aadhaar scheme, also expressed disappointment at the court’s ruling today. “Aadhaar is a case of great importance to the billion citizens of India. It is unfortunate that the constitution bench spent only a few hours in hearing the issues,” he said.

The Supreme Court will appoint a larger bench of at least nine judges to hear the privacy issue. The court in 1954, in the case of M.P. Sharma vs Satish Chandra, ruled that the right to privacy was not a fundamental right recognized by the Constitution. This case was decided by an eight-judge bench of the apex court, and only a bench of equal or larger strength will be able to override that decision.

The Chief Justice in the order on Thursday said that the larger bench, with nine or 11 judges, will be constituted at the earliest to hear the matter on Aadhaar potentially violating privacy and other intervening applications.

The petitioners have argued that UIDAI was approved only by an empowered group of ministers during the United Progressive Alliance tenure and has no statutory authority to collect biometrics of residents. Senior counsel for the petitioners, Shyam Divan, said: “The only law in India which allows the government to collect fingerprints is the Prisoner’s Act of 1920, which is a colonial enactment.”

The UIDAI does not have any legislative backing and was constituted by notification in 2009 by the erstwhile Planning Commission. Divan, however, said that the Planning Commission notification has no effect since the body itself has ceased to exist, and added that the centre is not introducing a legislation empowering the Aadhaar scheme as it realizes the vulnerability of the entire exercise.

The National Identification Authority of India Bill was introduced in the Rajya Sabha in 2010.

In 2012, the centre was mulling a privacy law that could be enacted to support the UIDAI scheme and, in connection, the Planning Commission then formed an expert committee on privacy under A.P Shah, a former chairperson of the Law Commission.

For more details visit https://cis-india.org/internet-governance/news/livemint-october-15-2015-apurva-vishwanath-saurabh-kumar-supreme-court-provides-partial-relief-for-aadhaar

Aadhaar by Numbers

praskrishna — 2016-09-11T16:36:58Z

Sunil Abraham will be addressing a public seminar at an event organized by National Institute of Public Finance and Policy (NIPFP) in New Delhi on Friday, April 29, 2016.

This talk will reflect on several aspects of the Aadhaar project from a technical perspective. First, there will be a reflection on biometrics as a unique, identification and authentication technology. Second, there will be a critique of open washing by the UIDAI through their adoption of free software and open standards and finally there will be an analysis of alternative technical solutions and architecture which will allow India to harvest the benefits of identity management without the harms and risks of centralized biometrics.

Sunil Abraham

Sunil Abraham (an Ashoka Fellow) is the executive director of the Centre for Internet and Society (CIS), Bangalore/New Delhi. CIS is a 7 year old policy and academic research organisation that focuses on accessibility, access to knowledge, internet governance and telecommunications. He is also the founder and director of Mahiti, a 17 year old social enterprise that aims to reduce the cost and complexity of ICTs for the voluntary sector by using free software. Starting 2004, for 3 years, Sunil also managed the International Open Source Network, a project of UNDP's APDIP, serving 42 countries in the Asia-Pacific region. Sunil currently serves on the advisory boards of OSF – Information Programme, Mahiti and Samvada.

The talk reflected on several aspects of the Aadhaar project from a technical perspective. First, there is a reflection on biometrics as a unique, identification and authentication technology. Second, there is a critique of open washing by the UIDAI through their adoption of free software and open standards and finally there is an analysis of alternative technical solutions and architecture which will allow India to harvest the benefits of identity management without the harms and risks of centralized biometrics.

Video

For more details visit https://cis-india.org/internet-governance/news/aadhaar-by-numbers

Centre for Internet and Society

India’s Digital ID Rollout Collides With Rickety Reality

Flaws in the UIDAI Process

A comparison of the 2016 Aadhaar Bill, and the 2010 NIDAI Bill

Title

Purpose/Object Clause

Definitions

Enrolment

Authentication

Unique Identification Authority Of India

Grants, Accounts and Audit and Annual Report

Identity Review Committee

Protection of Information

Offences and Penalties

Miscellaneous

Statement of Objects and Reasons