The Centre for Internet and Society
https://cis-india.org
These are the search results for the query, showing results 31 to 45.
Card transactions with Aadhaar validation need more time: experts
https://cis-india.org/news/livemint-december-5-2013-kirthi-v-rao-moulishree-srivastava-card-transactions-with-aadhar-validation-need-more-time
<b>Cost and supply implications are seen by experts as the main hurdles in implementing the RBI directive. </b>
<hr />
<p style="text-align: justify; ">The article by Kirti V. Rao and Moulishree Srivastava was <a class="external-link" href="http://www.livemint.com/Politics/f0P6jklKaCVt5rP6RKBHbJ/Card-transactions-with-Aadhaar-validation-need-more-time-ex.html">published in Livemint</a> on December 5, 2013. Sunil Abraham is quoted.</p>
<hr />
<p style="text-align: justify; ">The Reserve Bank of India’s (RBI’s) move to introduce a new card payment infrastructure able to authenticate transactions using Aadhaar unique identity number-linked biometrics may take some time to implement as it has cost and supply implications.</p>
<p style="text-align: justify; ">“All new card present infrastructure has to be enabled for both EMV chip and PIN and Aadhaar (biometric validation) acceptance,” RBI said in a notification on 26 November.</p>
<p style="text-align: justify; ">Europay MasterCard Visa, or EMV, chip and PIN authentication involves card information stored in a chip that is accessible through a PIN or personal identification number, which replaces a cardholder’s signature.</p>
<p style="text-align: justify; ">Currently, all card infrastructure in India such as automated teller machines (ATMs) and point-of-sales (PoS) machines are moving towards full compliance with the global EMV standard that requires reading integrated circuit cards to authenticate credit and debit card transactions.</p>
<p style="text-align: justify; ">Although all transactions through debit cards are now required to be authenticated by PIN, validating financial transactions by using the biometric Aadhaar identity number database is yet to gain traction. Such a service is expected to begin in May.</p>
<p style="text-align: justify; ">Not all experts are in favour of the central bank’s move to use biometrics data to authenticate transactions.</p>
<p style="text-align: justify; ">“This is a terrible idea. Biometrics should never be used as authentication factor since it cannot be revoked when it is compromised,” said Sunil Abraham, executive director of Bangalore-based think-tank Centre for Internet and Society. “Digital signatures and its variations like the EMV chip are the right way to proceed.”</p>
<p style="text-align: justify; ">A banker did not fully agree with Abraham.</p>
<p style="text-align: justify; ">Pulak Sinha, general manager (payment solutions) at State Bank of India, said: “In our experience, there is a need for biometric authentication in certain geographical segments in the country. Our bank has used biometric authentication for financial inclusion initiatives and has found it very useful. Having said that, each bank is the best judge as to which technology is more relevant for their customers.”</p>
<p style="text-align: justify; ">Sinha added, “Also changing new infrastructure to accept all types of technologies has its own challenges as well as financial implications. Again, business cases need to be built and when people get additional services they may have to pay.”</p>
<p style="text-align: justify; ">There are cost implications if the RBI directive is to be implemented, according to Rajiv Kaul, chief executive of CMS Info Systems Pvt. Ltd, which runs two cash management companies and has recently received an order from SBI to deploy 8,000 cash machines across the country.</p>
<p style="text-align: justify; ">“Some of the ATM infrastructure currently installed have some of the capabilities for EMV chip cards, but even as they are hardware-equipped, software will need to be upgraded,” Kaul said. “For biometric compliance, both hardware and software will need to be installed, which will result in extra cost. So, for the short term, from the biometric perspective, the cost will go up.”<br />Some experts hold that the notification provides a chance to assess the as-yet-untested Aadhaar-linked biometrics model where the EMV model may be hard to implement.</p>
<p style="text-align: justify; ">“RBI has been pragmatic in mandating it incrementally as it is giving Aadhaar a runway to evolve in terms of operations, use cases, risk, technology standards, dispute resolution and get these things in order,” Uttam Nayak, group country manager, India and South Asia at Visa Consolidated Support Services (India) Pvt. Ltd, told Mint on 26 November. “Because Aadhaar is tokenless and doesn’t need a card, it has great potential for inclusion.”</p>
<p style="text-align: justify; ">Biometrics-enabled cash and PoS machines will require additional expenditure as they need high-speed Internet connectivity to transmit biometrics data, Rajeev Chandrasekhar, member of the upper house of Parliament, said in a letter to RBI governor Raghuram Rajan.</p>
<p style="text-align: justify; ">“The hardware and software cost of upgrading a single unit with biometrics hardware is not very much but changing the entire ecosystem would have costs,” acknowledged SBI’s Sinha. “When people get additional services they will have to pay.”</p>
<p style="text-align: justify; ">“A high percentage of the population is still unbanked. The opportunity (to reach people through biometric validation and Aadhaar) is too tempting for the acquirers (banks and others using PoS devices) to not take this up,” said Robin Roy, associate director of financial services at consultancy firm PricewaterhouseCoopers Pvt. Ltd.</p>
<p style="text-align: justify; ">Whether there would be enough suppliers of machines to implement the directive is also a concern, some experts said.</p>
<p>
For more details visit <a href='https://cis-india.org/news/livemint-december-5-2013-kirthi-v-rao-moulishree-srivastava-card-transactions-with-aadhar-validation-need-more-time'>https://cis-india.org/news/livemint-december-5-2013-kirthi-v-rao-moulishree-srivastava-card-transactions-with-aadhar-validation-need-more-time</a>
</p>
No publisherpraskrishnaUIDInternet Governance2013-12-26T06:25:04ZNews ItemUIDAI and Welfare Services: Exclusion and Countermeasures (Bangalore, August 27)
https://cis-india.org/internet-governance/events/uidai-and-welfare-services-exclusion-and-countermeasures-aug-27
<b>The Centre for Internet and Society (CIS) invites you to a one day workshop, on Saturday, August 27, 2016, to discuss, raise awareness of, and devise countermeasures to exclusion due to implementation of UID-based verification for and distribution of welfare services. We look forward to making this a forum for knowledge exchange and a learning opportunity for our friends and colleagues.</b>
<p> </p>
<h3>Invitation</h3>
<p><a href="http://cis-india.org/internet-governance/files/uidai-and-welfare-services-exclusion-and-countermeasures/at_download/file">Download</a> (PDF)</p>
<p> </p>
<h3>Venue</h3>
<p>Institution of Agricultural Technologists, No. 15, Queen’s Road, Bangalore, 560 052.</p>
<p>Location on Google Map: <a href="https://www.google.com/maps/place/Institution+of+Agricultural+Technologists/" target="_blank">https://www.google.com/maps/place/Institution+of+Agricultural+Technologists/</a>.</p>
<p> </p>
<h3>Agenda</h3>
<p><strong>10:00-10:30</strong> Tea and Coffee</p>
<p><strong>10:30-11:00</strong> Introductions and Updates from Delhi Workshop</p>
<p><strong>11:00-12:45</strong> Reconfiguration of Welfare Governance by UIDAI</p>
<p><strong>12:45-14:00</strong> Lunch</p>
<p><strong>14:00-15:00</strong> Updates on Ongoing Cases against UIDAI</p>
<p><strong>15:00-15:15</strong> Tea and Coffee</p>
<p><strong>15:15-16:45</strong> Open Discussion on Countering Welfare Exclusion</p>
<p><strong>16:45-17:00</strong> Tea and Coffee</p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/events/uidai-and-welfare-services-exclusion-and-countermeasures-aug-27'>https://cis-india.org/internet-governance/events/uidai-and-welfare-services-exclusion-and-countermeasures-aug-27</a>
</p>
No publishersumandroExclusionDigital GovernancePrivacyInternet GovernanceDigital IndiaAadhaarWelfare GovernanceUID2016-08-22T13:25:03ZEventReport on Understanding Aadhaar and its New Challenges
https://cis-india.org/internet-governance/blog/report-on-understanding-aadhaar-and-its-new-challenges
<b>The Trans-disciplinary Research Cluster on Sustainability Studies at Jawaharlal Nehru University collaborated with the Centre for Internet and Society, and other individuals and organisations to organise a two day workshop on “Understanding Aadhaar and its New Challenges” at the Centre for Studies in Science Policy, JNU on May 26 and 27, 2016. The objective of the workshop was to bring together experts from various fields, who have been rigorously following the developments in the Unique Identification (UID) Project and align their perspectives and develop a shared understanding of the status of the UID Project and its impact. Through this exercise, it was also sought to develop a plan of action to address the welfare exclusion issues that have arisen due to implementation of the UID Project.</b>
<p> </p>
<h4>Report: <a href="https://cis-india.org/internet-governance/files/report-on-understanding-aadhaar-and-its-new-challenges/at_download/file">Download</a> (PDF)</h4>
<hr />
<p style="text-align: justify;">This Report is a compilation of the observations made by participants at the workshop relating to myriad issues under the UID Project and various strategies that could be pursued to address these issues. In this Report we have classified the observations and discussions into following themes:</p>
<p><strong>1.</strong> <a href="#1">Brief Background of the UID Project</a></p>
<p><strong>2.</strong> <a href="#2">Legal Status of the UIDAI Project</a></p>
<ul>
<li><a href="#21">Procedural issues with passage of the Act</a></li>
<li><a href="#22">Status of related litigation</a></li></ul>
<p><strong>3.</strong> <a href="#3">National Identity Projects in Other Jurisdictions</a></p>
<ul>
<li><a href="#31">Pakistan</a></li>
<li><a href="#32">United Kingdom</a></li>
<li><a href="#33">Estonia</a></li>
<li><a href="#34">France</a></li>
<li><a href="#35">Argentina</a></li></ul>
<p><strong>4.</strong> <a href="#4">Technologies of Identification and Authentication</a></p>
<ul>
<li><a href="#41">Use of Biometric Information for Identification and Authentication</a></li>
<li><a href="#42">Architectures of Identification</a></li>
<li><a href="#43">Security Infrastructure of CIDR</a></li></ul>
<p><strong>5.</strong> <a href="#5">Aadhaar for Welfare?</a></p>
<ul>
<li><a href="#51">Social Welfare: Modes of Access and Exclusion</a></li>
<li><a href="#52">Financial Inclusion and Direct Benefits Transfer</a></li></ul>
<p><strong>6.</strong> <a href="#6">Surveillance and UIDAI</a></p>
<p><strong>7.</strong> <a href="#7">Strategies for Future Action</a></p>
<p><strong>Annexure A</strong> <a href="#AA">Workshop Agenda</a></p>
<p><strong>Annexure B</strong> <a href="#AB">Workshop Participants</a></p>
<hr />
<h3 id="1" style="text-align: justify;"><strong>1. Brief Background of the UID Project</strong></h3>
<p style="text-align: justify;">In the year 2009, the UIDAI was established and the UID project was conceived by the Planning Commission under the UPA government to provide unique identification for each resident in India and to be used for delivery of welfare government services in an efficient and transparent manner, along with using it as a tool to monitor government schemes. The objective of the scheme has been to issue a unique identification number by the Unique Identification Authority of India, which can be authenticated and verified online. It was conceptualized and implemented as a platform to facilitate identification and avoid fake identity issues and delivery of government benefits based on the demographic and biometric data available with the Authority.</p>
<p style="text-align: justify;">The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (the “<strong>Act</strong>”) was passed as a money bill on March 16, 2016 and was notified in the gazette March 25, 2016 upon receiving the assent of the President. However, the enforceability date has not been mentioned due to which the bill has not come into force.</p>
<p style="text-align: justify;">The Act provides that the Aadhaar number can be used to validate a person’s identity, but it cannot be used as a proof of citizenship. Also, the government can make it mandatory for a person to authenticate her/his identity using Aadhaar number before receiving any government subsidy, benefit, or service. At the time of enrolment, the enrolling agency is required to provide notice to the individual regarding how the information will be used, the type of entities the information will be shared with and their right to access their information. Consent of an individual would be obtained for using his/her identity information during enrolment as well as authentication, and would be informed of the nature of information that may be shared. The Act clearly lays that the identity information of a resident shall not be sued for any purpose other than specified at the time of authentication and disclosure of information can be made only pursuant to an order of a court not inferior to that of a District Judge and/or disclosure made in the interest of national security.</p>
<h3 id="2" style="text-align: justify;"><strong>2. Legal Status of the UIDAI Project</strong></h3>
<p style="text-align: justify;">In this section, we have summarised the discussions on the procedural issues with the passage of the Act. The participants had criticised the passage of the Act as a money bill in the Parliament. The participants also assessed the litigation pending in the Supreme Court of India that would be affected by this law. These discussions took place in the session titled, ‘Current Status of Aadhaar’ and have been summarised below.</p>
<h3 id="21" style="text-align: justify;">Procedural Issues with Passage of the Act</h3>
<p style="text-align: justify;">The participants contested the introduction of the Act in the form of a money bill. The rationale behind this was explained at the session and is briefly explained here. Article 110 (1) of the Constitution of India defines a money bill as one containing provisions only regarding the matters enumerated or any matters incidental to the following: a) imposition, regulation and abolition of any tax, b) borrowing or other financial obligations of the Government of India, c) custody, withdrawal from or payment into the Consolidated Fund of India (CFI) or Contingent Fund of India, d) appropriation of money out of CFI, e) expenditure charged on the CFI or f) receipt or custody or audit of money into CFI or public account of India. The Act makes references to benefits, subsidies and services which are funded by the Consolidated Fund of India (CFI), however the main objectives of the Act is to create a right to obtain a unique identification number and provide for a statutory mechanism to regulate this process. The Act only establishes an identification mechanism which facilitates distribution of benefits and subsidies funded by the CFI and this identification mechanism (Aadhaar number) does not give it the character of a money bill. Further, money bills can be introduced only in the Lok Sabha, and the Rajya Sabha cannot make amendments to such bills passed by the Lok Sabha. The Rajya Sabha can suggest amendments, but it is the Lok Sabha’s choice to accept or reject them. This leaves the Rajya Sabha with no effective role to play in the passage of the bill.</p>
<p style="text-align: justify;">The participants also briefly examined the writ petition that has been filed by former Union minister Jairam Ramesh challenging the constitutionality and legality of the treatment of this Act as a money bill which has raised the question of judiciary’s power to review the decisions of the speaker. Article 122 of the Constitution of India provides that this power of judicial review can be exercised to look into procedural irregularities. The question remains whether the Supreme Court will rule that it can determine the constitutionality of the decision made by the speaker relating to the manner in which the Act was introduced in the Lok Sabha. A few participants mentioned that similar circumstances had arisen in the case of Mohd. Saeed Siddiqui v. State of U.P. <a href="#ftn1">[1]</a>.</p>
<p style="text-align: justify;">where the Supreme Court refused to interfere with the decision of the Uttar Pradesh legislative assembly speaker certifying an amendment bill to increase the tenure of the Lokayukta as a money bill, despite the fact that the bill amended the Uttar Pradesh Lokayukta and Up-Lokayuktas Act, 1975, which was passed as an ordinary bill by both houses. The Court in this case held that the decision of the speaker was final and that the proceedings of the legislature being important legislative privilege could not be inquired into by courts. The Court added, “the question whether a bill is a money bill or not can be raised only in the state legislative assembly by a member thereof when the bill is pending in the state legislature and before it becomes an Act.”</p>
<p style="text-align: justify;">However, it is necessary to carve a distinction between Rajya Sabha and State Legislature. Unlike the State Legislature, constitution of Rajya Sabha is not optional therefore significance of the two bodies in the parliamentary process cannot be considered the same. Participants also made another significant observation about a similar bill on the UID project (National Identification Authority of India (NIDAI) Bill) that was introduced before by the UPA government in 2010 and was deemed unacceptable by the standing committee on finance, headed by Yashwant Sinha. This bill was subsequently withdrawn.</p>
<h3 id="22" style="text-align: justify;">Status of Related Litigation</h3>
<p style="text-align: justify;">A panellist in this session briefly summarised all the litigation that was related to or would be affected by the Act. The panellist also highlighted several Supreme Court orders in the case of <em>KS Puttuswamy v. Union of India</em> <a href="#ftn2">[2]</a> which limited the use of Aadhaar. We have reproduced the presentation below.</p>
<ul>
<li style="text-align: justify;"><em>KS Puttuswamy v. Union of India</em> - This petition was filed in 2012 with primary concern about providing Aadhaar numbers to illegal immigrants in India. It was contended that this could not be done without a law establishing the UIDAI and amendment to the Citizenship laws. The petitioner raised concerns about privacy and fallibility of biometrics.</li>
<li style="text-align: justify;"> Sudhir Vombatkere & Bezwada Wilson <a href="#ftn3">[3]</a> - This petition was filed in 2013 on grounds of infringement of right to privacy guaranteed under Article 21 of the Constitution of India and the security threat on account of data convergence.</li>
<li style="text-align: justify;">Aruna Roy & Nikhil Dey <a href="#ftn4">[4]</a> - This petition was filed in 2013 on the grounds of large scale exclusion of people from access to basic welfare services caused by UID. After their petition, no. of intervention applications were filed. These were the following:</li>
<li style="text-align: justify;">Col. Mathew Thomas <a href="#ftn5">[5]</a> - This petition was filed on the grounds of threat to national security posed by the UID project particularly in relation to arrangements for data sharing with foreign companies (with links to foreign intelligence agencies).</li>
<li style="text-align: justify;">Nagrik Chetna Manch <a href="#ftn6">[6]</a> - This petition was filed in 2013 and led by Dr. Anupam Saraph on the grounds that the UID project was detrimental to financial service regulation and financial <em>inclusion.</em></li>
<li style="text-align: justify;">S. Raju <a href="#ftn7">[7] </a> - This petition was filed on the grounds that the UID project had implications on the federal structure of the State and was detrimental to financial inclusion.</li>
<li style="text-align: justify;"><em>Beghar Foundation</em> - This petition was filed in 2013 in the Delhi High Court on the grounds invasion of privacy and exclusion specifically in relation to the homeless. It subsequently joined the petition filed by Aruna Roy and Nikhil Dey as an intervener.</li>
<li style="text-align: justify;">Vickram Crishna – This petition was originally filed in the Bombay High Court in 2013 on the grounds of surveillance and invasion of privacy. It was later transferred to the Supreme Court.</li>
<li style="text-align: justify;">Somasekhar – This petition was filed on the grounds of procedural unreasonableness of the UID project and also exclusion & privacy. The petitioner later intervened in the petition filed by Aruna Roy and Nikhil Dey in 2013.</li>
<li style="text-align: justify;">Rajeev Chandrashekhar– This petition was filed on the ground of lack of legal sanction for the UID project. He later intervened in the petition filed by Aruna Roy and Nikhil Dey in 2013. His position has changed now.</li>
<li style="text-align: justify;">Further, a petition was filed by Mr. Jairam Ramesh initially challenging the passage of the Act as a money bill but subsequently, it has been amended to include issues of violation of right to privacy and exclusion of the poor and has advocated for five amendments that were suggested to the Aadhaar Bill by the Rajya Sabha.</li></ul>
<h3 id="23" style="text-align: justify;">Relevant Orders of the Supreme Court</h3>
<p>There are six orders of the Supreme Court which are noteworthy.</p>
<ul>
<li style="text-align: justify;">Order of Sept. 23, 2013 - The Supreme court directed that: 1) no person shall suffer for not having an aadhaar number despite the fact that a circular by an authority makes it mandatory; 2) it should be checked if a person applying for aadhaar number voluntarily is entitled to it under the law; and 3) precaution should be taken that it is not be issued to illegal immigrants.</li>
<li style="text-align: justify;">Order of 26th November, 2013 – Applications were filed by UIDAI, Ministry of Petroleum & Natural Gas, Govt of India, Indian Oil Corporation, BPCL and HPCL for modifying the September 23rd order and sought permission from the Supreme Court to make aadhaar number mandatory. The Supreme Court held that the order of September 23rd would continue to be effective.</li>
<li style="text-align: justify;">Order of 24th March, 2014 – This order was passed by the Supreme Court in a special leave petition filed in the case of <em>UIDAI v CBI</em> <a href="#ftn8">[8] </a> wherein UIDAI was asked to UIDAI to share biometric information of all residents of a particular place in Goa to facilitate a criminal investigation involving charges of rape and sexual assault. The Supreme Court restrained UIDAI from transferring any biometric information of an individual without to any other agency without his consent in writing. The Supreme Court also directed all the authorities to modify their forms/circulars/likes so as to not make aadhaar number mandatory.</li>
<li style="text-align: justify;">Order of 16th March, 2015 - The SC took notice of widespread violations of the order passed on September 23rd, 2013 and directed the Centre and the states to adhere to these orders to not make aadhaar compulsory.</li>
<li style="text-align: justify;">Orders of August 11, 2015 – In the first order, the Central Government was directed to publicise the fact that aadhaar was voluntary. The Supreme Court further held that provision of benefits due to a citizen of India would not be made conditional upon obtaining an aadhaar number and restricted the use of aadhaar to the PDS Scheme and in particular for the purpose of distribution of foodgrains, etc. and cooking fuel, such as kerosene and the LPG Distribution Scheme. The Supreme Court also held that information of an individual that was collected in order to issue an aadhaar number would not be used for any purpose except when directed by the Court for criminal investigations. Separately, the status of fundamental right to privacy was contested and accordingly the Supreme Court directed that the issue be taken up before the Chief Justice of India.</li>
<li style="text-align: justify;">Orders of October 16, 2015 – The Union of India, the states of Gujarat, Maharashtra, Himachal Pradesh and Rajasthan, and authorities including SEBI, TRAI, CBDT, IRDA , RBI applied for a hearing before the Constitution Bench for modification of the order passed by the Supreme Court on August 11 and allow use of aadhaar number schemes like The Mahatma Gandhi National Rural Employment Guarantee Scheme MGNREGS), National Social Assistance Programme (Old Age Pensions, Widow Pensions, Disability Pensions) Prime Minister's Jan Dhan Yojana (PMJDY) and Employees' Providend Fund Organisation (EPFO). The Bench allowed the use of aadhaar number for these schemes but stressed upon the need to keep aadhaar scheme voluntary until the matter was finally decided.</li></ul>
<p style="text-align: justify;">Status of these orders<br />The participants discussed the possible impact of the law on the operation of these orders. A participant pointed out that matters in the Supreme Court had not become infructuous because fundamental issues that were being heard in the Supreme Court had not been resolved by the passage of the Act. Several participants believed that the aforementioned orders were effective because the law had not come into force. Therefore, aadhaar number could only be used for purposes specified by the Supreme Court and it could not be made mandatory. Participants also highlighted that when the Act was implemented, it would not nullify the orders of the Supreme Court unless Union of India asked the Supreme Court for it specifically and the Supreme Court sanctioned that.</p>
<h3 id="3" style="text-align: justify;"><strong>3. National Identity Projects in Other Jurisdictions</strong></h3>
<p style="text-align: justify;">A panellist had provided a brief overview of similar programs on identification that have been launched in other jurisdictions including Pakistan, United Kingdom, France, Estonia and Argentina in the recent past in the session titled ‘Aadhaar - International Dimensions’. This presentation mainly sought to assess the incentives that drove the governments in these jurisdictions to formulate these projects, mandatory nature of their adoption and their popularity. The Report has reproduced the presentation here.</p>
<h3 id="31" style="text-align: justify;">Pakistan</h3>
<p style="text-align: justify;">The Second Amendment to the Constitution of Pakistan in 2000 established the National Database and Regulation Authority in the country, which regulates government databases and statistically manages the sensitive registration database of the citizens of Pakistan. It is also responsible for issuing national identity cards to the citizens of Pakistan. Although the card is not legally compulsory for a Pakistani citizen, it is mandatory for:</p>
<ul>
<li>Voting</li>
<li>Obtaining a passport</li>
<li>Purchasing vehicles and land</li>
<li>Obtaining a driver licence</li>
<li>Purchasing a plane or train ticket</li>
<li>Obtaining a mobile phone SIM card</li>
<li>Obtaining electricity, gas, and water</li>
<li>Securing admission to college and other post-graduate institutes</li>
<li>Conducting major financial transactions</li></ul>
<p style="text-align: justify;">Therefore, it is pretty much necessary for basic civic life in the country. In 2012, NADRA introduced the Smart National Identity Card, an electronic identity card, which implements 36 security features. The following information can be found on the card and subsequently the central database: Legal Name, Gender (male, female, or transgender), Father's name (Husband's name for married females), Identification Mark, Date of Birth, National Identity Card Number, Family Tree ID Number, Current Address, Permanent Address, Date of Issue, Date of Expiry, Signature, Photo, and Fingerprint (Thumbprint). NADRA also records the applicant's religion, but this is not noted on the card itself. (This system has not been removed yet and is still operational in Pakistan.)</p>
<h3 id="32" style="text-align: justify;">United Kingdom</h3>
<p style="text-align: justify;">The Identity Cards Act was introduced in the wake of the terrorist attacks on 11th September, 2001, amidst rising concerns about identity theft and the misuse of public services. The card was to be used to obtain social security services, but the ability to properly identify a person to their true identity was central to the proposal, with wider implications for prevention of crime and terrorism. The cards were linked to a central database (the National Identity Register), which would store information about all of the holders of the cards. The concerns raised by human rights lawyers, activists, security professionals and IT experts, as well as politicians were not to do with the cards as much as with the NIR. The Act specified 50 categories of information that the NIR could hold, including up to 10 fingerprints, digitised facial scan and iris scan, current and past UK and overseas places of residence of all residents of the UK throughout their lives. The central database was purported to be a prime target for cyber attacks, and was also said to be a violation of the right to privacy of UK citizens. The Act was passed by the Labour Government in 2006, and repealed by the Conservative-Liberal Democrat Coalition Government as part of their measures to “reverse the substantial erosion of civil liberties under the Labour Government and roll back state intrusion.”</p>
<h3 id="33" style="text-align: justify;">Estonia</h3>
<p style="text-align: justify;">The Estonian i-card is a smart card issued to Estonian citizens by the Police and Border Guard Board. All Estonian citizens and permanent residents are legally obliged to possess this card from the age of 15. The card stores data such as the user's full name, gender, national identification number, and cryptographic keys and public key certificates. The cryptographic signature in the card is legally equivalent to a manual signature, since 15 December 2000. The following are a few examples of what the card is used for:</p>
<ul>
<li>As a national ID card for legal travel within the EU for Estonian citizens</li>
<li>As the national health insurance card</li>
<li>As proof of identification when logging into bank accounts from a home computer</li>
<li>For digital signatures</li>
<li>For i-voting</li>
<li>For accessing government databases to check one’s medical records, file taxes, etc.</li>
<li>For picking up e-Prescriptions</li>
<li>(This system is also operational in the country and has not been removed)</li></ul>
<h3 id="34" style="text-align: justify;">France</h3>
<p style="text-align: justify;">The biometric ID card was to include a compulsory chip containing personal information, such as fingerprints, a photograph, home address, height, and eye colour. A second, optional chip was to be implemented for online authentication and electronic signatures, to be used for e-government services and e-commerce. The law was passed with the purpose of combating “identity fraud”. It was referred to the Constitutional Council by more than 200 members of the French Parliament, who challenged the compatibility of the bill with the citizens’ fundamental rights, including the right to privacy and the presumption of innocence. The Council struck down the law, citing the issue of proportionality. “Regarding the nature of the recorded data, the range of the treatment, the technical characteristics and conditions of the consultation, the provisions of article 5 touch the right to privacy in a way that cannot be considered as proportional to the meant purpose”.</p>
<h3 id="35" style="text-align: justify;">Argentina</h3>
<p style="text-align: justify;">Documento Nacional de Identidad or DNI (which means National Identity Document) is the main identity document for Argentine citizens, as well as temporary or permanent resident aliens. It is issued at a person's birth, and updated at 8 and 14 years of age simultaneously in one format: a card (DNI tarjeta); it's valid if identification is required, and is required for voting. The front side of the card states the name, sex, nationality, specimen issue, date of birth, date of issue, date of expiry, and transaction number along with the DNI number and portrait and signature of the card's bearer. The back side of the card shows the address of the card's bearer along with their right thumb fingerprint. The front side of the DNI also shows a barcode while the back shows machine-readable information. The DNI is a valid travel document for entering Argentina, Bolivia, Brazil, Chile, Colombia, Ecuador, Paraguay, Peru, Uruguay, and Venezuela. (System still operational in the country)</p>
<h3 id="4" style="text-align: justify;"><strong>4. Technologies of Identification and Authentication</strong></h3>
<p style="text-align: justify;">The panel in the session titled ‘Aadhaar: Science, Technology, and Security’ explained the technical aspects of use of biometrics and privacy concerns, technology architecture for identification and inadequacy of infrastructure for information security. In this section, we have summarised the presentation and the ensuing discussions on these issues.</p>
<h3 id="41" style="text-align: justify;">Use of Biometric Information for Identification and Authentication</h3>
<p style="text-align: justify;">The panelists explained with examples that identification and authentication were different things. Identity provides an answer to the question “who are you?” while authentication is a challenge-response process that provides a proof of the claim of identity. Common examples of identity are User ID (Login ID), cryptographic public keys and ATM or Smart cards while common authenticators are passwords (including OTPs), PINs and cryptographic private keys. Identity is public information but an authenticator must be private and known only to the user. Authentication must necessarily be a conscious process and active participation by the user is a must. It should also always be possible to revoke an authenticator. After providing this understanding of the two processes the panellist then explained if biometric information could be used for identification or authentication under the UID Project. Biometric information is clearly public information and it is questionable if it can be revoked. Therefore it should never be used for authentication, but only for identity verification. There is a possibility of authentication by fingerprints under the UID Project, without conscious participation of the user. One could trace the fingerprints of an individual from any place the individual has been in contact with. Therefore, authentication must certainly be done by other means. The panellist pointed out that there were five kinds of authentication under the UID Project, out of which two-factor authentication and one time password were considered suitable but use of biometric information and demographic information was extremely threatening and must be withdrawn.</p>
<h3 id="42" style="text-align: justify;">Architectures of Identification</h3>
<p style="text-align: justify;">The panelists explained the architecture of the UID Project that has been designed for identification purposes, highlighted its limitations and suggested alternatives. His explanations are reproduced below.</p>
<p style="text-align: justify;">Under the UID Project, there is a centralised means of identification i.e. the aadhaar number and biometric information stored in one place, Central Identification Data Repository (CIDR). It is better to have multiple means of identification than one (as contemplated under the UID Project) for preservation of our civil liberties. The question is what the available alternatives are. Web of trust is a way for operationalizing distributed identification but the challenge is how one brings people from all social levels to participate in it. There is a need for registrars who will sign keys and public databases for this purpose.</p>
<p style="text-align: justify;">The aadhaar number functions as a common index and facilitates correlation of data across Government databases. While this is tremendously attractive it raises several privacy concerns as more and more information relating to an individual is available to others and is likely to be abused.</p>
<p style="text-align: justify;">The aadhaar number is available in human readable form. This raises the risk of identification without consent and unauthorised profiling. It cannot be revoked. Potential for damage in case of identity theft increases manifold.</p>
<p style="text-align: justify;">Under the UID Project, for the purpose of information security, Authentication User Agencies (“<strong>AUA</strong>”) are required to use local identifiers instead of aadhaar numbers but they are also required to map these local identifiers to the aadhaar numbers. Aadhaar numbers are not cryptographically secured; in fact they are publicly available. Hence this exercise for securing information is useless. An alternative would be to issue different identifiers for different domains and cryptographically embed a “master identifier” (in this case, equivalent of aadhaar number) into each local identifier.</p>
<p style="text-align: justify;">All field devices (for example POS machines) should be registered and must communicate directly with UIDAI. In fact, UIDAI must verify the authenticity (tamper proof) of the field device during run time and a UIDAI approved authenticity certificate must be issued for field devices. This certificate must be made available to users on demand. Further, the security and privacy frameworks within which AUAs work must be appropriately defined by legal and technical means.</p>
<h3 id="43" style="text-align: justify;">Security Infrastructure of CIDR</h3>
<p style="text-align: justify;">The panelists also enumerated the security features of the UID Project and highlighted the flaws in these features. These have been summarised below.</p>
<p>The security and privacy infrastructure of UIDAI has the following main features:</p>
<ul>
<li>2048 bit PKI encryption of biometric data in transit</li>
<li>End-to-end encryption from enrolment/POS to CIDR</li>
<li>HMAC based tamper detection of PID blocks</li>
<li>Registration and authentication of AUAs</li>
<li>Within CIDR only a SHA 1 Hash of Aadhaar number is stored</li>
<li>Audit trails are stored SHA 1 encrypted. Tamper detection?</li>
<li>Only hashes of passwords and PINs are stored. (biometric data stored in original form though!)</li>
<li>Authentication requests have unique session keys and HMAC</li>
<li>Resident data stored using 100 way sharding (vertical partitioning). First two digits of Aadhaar number as shard keys</li>
<li>All enrolment and update requests link to partitioned databases using Ref IDs (coded indices)</li>
<li>All accesses through a hardware security module</li>
<li>All analytics carried out on anonymised data</li></ul>
<p style="text-align: justify;">The panellists pointed out the concerns about information security on account of design flaws, lack of procedural safeguards, openness of the system and too much trust imposed on multiple players. All symmetric and private keys and hashes are stored somewhere within UIDAI. This indicates that trust is implicitly assumed which is a glaring design flaw. There is no well-defined approval procedure for data inspection, whether it is for the purpose of investigation or for data analytics. There is a likelihood of system hacks, insider leaks, and tampering of authentication records and audit trails. The ensuing discussions highlighted that the UIDAI had admitted to these security risks. The enrolment agencies and the enrolment devices cannot be trusted. AUAs cannot be trusted with biometric and demographic data; neither can they be trusted with sensitive user data of private nature. There is a need for an independent third party auditor for distributed key management, auditing and approving UIDAI programs, including those for data inspection and analytics, whitebox cryptographic compilation of critical parts of the UIDAI programs, issue of cryptographic keys to UIDAI programs for functional encryption, challenge-response for run-time authentication and certification of UIDAI programs. The panellist recommended that there was a need to to put a suitable legal framework to execute this.</p>
<p style="text-align: justify;">The participants also discussed that information infrastructure must not be made of proprietary software (possibility for backdoors for US) and there must be a third party audit with a non-negotiable clause for public audit.</p>
<h3 id="5" style="text-align: justify;"><strong>5. Aadhaar for Welfare?</strong></h3>
<p style="text-align: justify;">The Report has summarised the discussions that took place in the sessions on ‘Direct Benefits Transfers’ and ‘Aadhaar: Broad Issues - II’ where the panellists critically analysed the claims of benefits and inclusion of Aadhaar made by the government in light of the ground realities in states where Aadhaar has been adopted for social welfare schemes.</p>
<h3 id="51" style="text-align: justify;">Social Welfare: Modes of Access and Exclusion</h3>
<p style="text-align: justify;">Under the Act, a person may be required to authenticate or give proof of the aadhaar number in order to receive subsidy from the government (Section 7). A person is required to punch their fingerprints on POS machines in order to receive their entitlement under the social welfare schemes such as LPG and PDS. It was pointed out in the discussions that various states including Rajasthan and Delhi had witnessed fingerprint errors while doling out benefits at ration shops under the PDS scheme. People have failed to receive their entitled benefits because of these fingerprint errors thus resulting in exclusion of beneficiaries <a href="#ftn9">[9]</a>. A panellist pointed out that in Rajasthan, dysfunctional biometrics had led to further corruption in ration shops. Ration shop owners often lied to the beneficiaries about functioning of the biometric machines (POS Machines) and kept the ration for sale in the market therefore making a lot of money at the expense of uninformed beneficiaries and depriving them of their entitlements.</p>
<p style="text-align: justify;">Another participant organisation also pointed out similar circumstances in the ration shops in Patparganj and New Delhi constituencies. Here, the dealers had maintained the records of beneficiaries who had been categorized as follows: beneficiaries whose biometrics did not match, beneficiaries whose biometrics matched and entitlements were provided, beneficiaries who never visited the ration shop. It had been observed that there were no entries in the category of beneficiaries whose biometrics did not match however, the beneficiaries had a different story to tell. They complained that their biometrics did not match despite trying several times and there was no mechanism for a manual override. Consequently, they had not been able to receive any entitlements for months. The discussions also pointed out that the food authorities had placed complete reliance on authenticity of the POS machines and claim that this system would weed out families who were not entitled to the benefits. The MIS was also running technical glitches as a result there was a problem with registering information about these transactions hence, no records had been created with the State authority about these problems. A participant also discussed the plight of 30,000 widows in Delhi, who were entitled to pension and used to collect their entitlement from post offices, faced exclusion due to transition problems under the Jan Dhan Yojana (after the Jandhan was launched the money was transferred to their bank accounts in order to resolve the problem of misappropriation of money at the hands of post office officials). These widows were asked to open bank accounts to receive their entitlements and those who did not open these accounts and did not inform the post office were considered bogus.</p>
<p style="text-align: justify;">In the discussions, the participants also noted that this unreliability of fingerprints as a means of authentication of an individual’s identity was highlighted at the meeting of Empowered Group of Ministers in 2011 by J Dsouza, a biometrics scientist. He used his wife’s fingerprints to demonstrate that fingerprints may change overtime and in such an event, one would not be able to use the POS machine anymore as the machine would continue to identify the impressions collected initially.</p>
<p style="text-align: justify;">The participants who had been working in the field had contributed to the discussions by busting the myth that the UID Project helped to identify who was poor and resolve the problem of exclusion due to leakages in the social welfare programs. These discussions have been summarised below.</p>
<ul>
<li style="text-align: justify;">It is important to understand that the UID Project is merely an identification and authentication system. It only helps in verifying if an individual is entitled to benefits under a social security scheme. It does not ensure plugging of leakages and reducing corruption in social security schemes as has been claimed by the Government. The reduction in leakage of PDS, for instance, should be attributed to digitization and not UID. The Government claims, that it has saved INR 15000 crore in provision of LPG on identification of 3.34 crore inactive accounts on account of the UID Project. This is untrue because the accounts were weeded by using mechanisms completely unrelated to the UID Project. Consequently, the savings on account of UID are only of INR 120 crore and not 15000 crore.</li>
<li style="text-align: justify;">The UID Project has resulted in exclusion of people either because they do not have an aadhaar number, or they have a wrong identification, or there are errors of classification or wilful misclassification. About 99.7% people who were given aadhaar numbers already had an identification document. In fact, during enrolment a person is required to produce one of 14 identification documents listed under the law in order to get an aadhaar number which makes it very difficult for a person with no identity to become entitled to a social welfare scheme.</li></ul>
<p style="text-align: justify;">A participant condemned the Government’s claim that the UID Project had helped in removing fake, bogus and duplicate cards and said that these terms could not be used synonymously and the authorities had no clarity about the difference between the meanings of these terms. The UID Project had only helped in removal of duplicate cards but had not helped in combating the use of fake and bogus cards.</p>
<h3 id="52" style="text-align: justify;">Financial Inclusion and Direct Benefits Transfer</h3>
<p style="text-align: justify;">The participants also engaged in the discussions about the impact of the UID project on financial inclusion in India in the sessions titled ‘Aadhaar: Broad Issues - I & II’. We have summarised these discussions below.</p>
<p style="text-align: justify;">The UID Project seeks to directly transfer money to a bank account in order to combat corruption. The discussions highlighted that this was nothing but introducing a neo liberal thrust in social policy and that it was not feasible for various reasons. First, 95% of rural India did not have functioning banks and banks are quite far away. Second, in order to combat this dearth of banks the idea of business correspondents, who handled banking transactions and helped in opening of bank accounts, had been introduced which had created various problems. The Reserve Bank of India reported that there was dearth of business correspondents as there was very little incentive to become one; their salary is merely INR 4000. Third, there were concerns about how an aadhaar number was considered a valid document for Know Your Customer (KYC) checks. There was a requirement for scrutiny and auditing of documents submitted during the time of enrolment which, in the present scheme of things, could not be verified. Fourth, there were no restrictions on number of bank accounts that could be opened with a single aadhaar number which gave rise to a possibility of opening multiple and shell accounts on a single aadhaar number. Therefore, records only showed transactions when money was transferred from an aadhaar number to another aadhaar number as opposed to an account-to-account transfer. The discussion relied on NPCI data which shows which bank an aadhaar number is associated with but does not show if a transaction by an aadhaar number is overwritten by another bank account belonging to the same aadhaar number.</p>
<h3 id="6" style="text-align: justify;"><strong>6. Surveillance and UIDAI</strong></h3>
<p style="text-align: justify;">The participants had discussed the possibility of an alternative purpose for enrolling Aadhaar in the session titled ‘Privacy, Surveillance, and Ethical Dimensions of Aadhaar’. The discussion traced the history of this project to gain insight on this issue. We have summarised below the key take aways from this discussion.</p>
<p style="text-align: justify;">There are claims that the main objective of launching the UID Project is not to facilitate implementation of social security schemes but to collect personal (financial and non-financial) information of the citizens and residents of the country to build a data monopoly. For this purpose, PDS was chosen as a suitable social security scheme as it has the largest coverage. Several participants suggested that numerous reports authored by FICCI, KPMG and ASSOCHAM contained proposals for establishing a national identity authority which threw some light on the commercial intentions behind information collection under the UID Project.</p>
<p style="text-align: justify;">It was also pointed out that there was documented proof that information collected under the UID Project might have been shared with foreign companies. There are suggestions about links established between proponents of the UID Project and companies backed by CIA or the French Government which run security projects and deal in data sharing in several jurisdictions.</p>
<h3 id="7" style="text-align: justify;"><strong>7. Strategies for Future Action</strong></h3>
<p>The participants laid down a list of measures that must be taken to take the discussions forward. We have enumerated these recommendations below.</p>
<ul>
<li>Prepare and compile an anthology of articles as an output of this workshop. </li>
<li>Prepare position papers on specific issues related to the UID Project </li>
<li>Prepare pamphlets/brochures on issues with the UID Project for public consumption </li>
<li>Prepare counter-advertisements for Aadhaar</li>
<li>Publish existing empirical evidence on the flaws in Aadhaar.</li>
<li>Set up an online portal dedicated to providing updates on the UID Project and allows discussions on specific issues related to Aadhaar.</li>
<li>Use Social Media to reach out to the public. Regularly track and comment on social media pages of relevant departments of the government.</li>
<li>Create groups dedicated to research and advocacy of specific aspects of the UID Project. </li>
<li>Create a Coordination Committee preferably based in Delhi which would be responsible for regularly holding meetings and for preparing a coordinated plan of action. Employ permanent to staff to run the Committee.</li>
<li>Organise an advocacy campaign against use of Aadhaar in collaboration with other organisations and build public domain acceptance. </li>
<li>The campaign must specifically focus on the unfettered scope of UID and expanse, misrepresentation of the success of Aadhaar by highlighting real savings, technological flaws, status of pilot programs and increasing corruption on account of the UID Project</li>
<li>Prepare a statement of public concern regarding the UID Project and collect signatures from eminent persons including academics, technical experts, civil society groups and members of parliament.</li>
<li>Organise events and discussions on issues relating to Aadhaar and invite members og government departments to speak and discuss the issues. </li>
<li style="text-align: justify;">Write to Members of Parliament and Members of Legislative Assemblies raising questions on their or their parties’ support for Aadhaar and silence on the problems created by the UID Project. </li>
<li style="text-align: justify;">Organise public hearings in states like Rajasthan to observe and document ground realities of the UID Project and share these outcomes with the state government and media. </li>
<li>Plan a national social audit and public hearing on the working of UID Project in the country. </li>
<li style="text-align: justify;">File Contempt Petitions in the Supreme Court and High Courts against mandatory use of Aadhaar number for services not allowed by the Supreme Court. </li>
<li style="text-align: justify;">Reach out to and engage with various foreign citizens and organisations that have been fighting on similar issues. The organisations and individuals who could be approached would include EPIC, Electronic Frontier foundation, David Moss, UK, Roger Clarke, Australia, Prof. Ian Angel, Snowden, Assange and Chomsky.</li>
<li style="text-align: justify;">Work towards increasing awareness about the UID Project and gaining support from the student and research community, student organisations, trade unions, and other associations and networks in the unorganised sector.</li></ul>
<h3 id="AA" style="text-align: justify;"><strong>Annexure A – Workshop Agenda</strong></h3>
<h4>May 26, 2016</h4>
<table>
<tbody>
<tr>
<td>
<p>9:00-9:30</p>
</td>
<td>
<p><strong>Registration</strong></p>
</td>
</tr>
<tr>
<td>
<p>9:30-10:00</p>
</td>
<td>
<p>Prof. Dinesh Abrol - <em>Welcome</em><br />
<em>Self-introduction and expectations of participants</em><br />
Dr. Usha Ramanathan - <em>Overview of the Workshop</em></p>
</td>
</tr>
<tr>
<td>
<p>10:00-11:00</p>
</td>
<td>
<p><strong>Session 1: Current Status of Aadhaar</strong><br />
Dr. Usha Ramanathan, Legal Researcher, New Delhi - <em>What the 2016 Law Says, and How it Came into Being</em><br />
S. Prasanna, Advocate, New Delhi - <em>Status and Force of Supreme Court Orders on Aadhaar</em><br /> <em>Discussion</em></p>
</td>
</tr>
<tr>
<td>
<p>11:00-11:30</p>
</td>
<td>
<p><strong>Tea Break</strong></p>
</td>
</tr>
<tr>
<td>
<p>11:30-13:30</p>
</td>
<td>
<p><strong>Session 2: Direct Benefits Transfers</strong><br />
Prof. Reetika Khera, Indian Institute of Technology, Delhi - <em>Welfare Needs Aadhaar like a Fish Needs a Bicycle</em><br />
Prof. R. Ramakumar, Tata Institute of Social Sciences, Mumbai - <em>Aadhaar and the Social Sector: A critical analysis of the claims of benefits and inclusion</em><br />
Ashok Rao, Delhi Science Forum - <em>Cash Transfers Study</em><br />
<em>Discussion</em></p>
</td>
</tr>
<tr>
<td>
<p>13:30-14:30</p>
</td>
<td>
<p><strong>Lunch</strong></p>
</td>
</tr>
<tr>
<td>
<p>14:30-16:00</p>
</td>
<td>
<p><strong>Session 3: Aadhaar: Science, Technology, and Security</strong><br />
Prof. Subashis Banerjee, Dept of Computer Science & Engineering, IIT, Delhi - <em>Privacy and Security Issues Related to the Aadhaar Act</em><br />
Pukhraj Singh, Former National Cyber Security Manager, Aadhaar, New Delhi - <em>Aadhaar: Security and Surveillance Dimensions</em><br />
<em>Discussion</em></p>
</td>
</tr>
<tr>
<td>
<p>16:00-16:30</p>
</td>
<td>
<p><strong>Tea Break</strong></p>
</td>
</tr>
<tr>
<td>
<p>16:30-17:30</p>
</td>
<td>
<p><strong>Session 4: Aadhaar - International Dimensions</strong><br />
Joshita Pai, Center for Communication Governance, National Law University, Delhi - <em>Biometrics and Mandatory IDs in Other Parts of the World</em><br />
Dr. Gopal Krishna, Citizens Forum for Civil Liberties - <em>International Dimensions of Aadhaar</em><br />
<em>Discussion</em></p>
</td>
</tr>
<tr>
<td>
<p>17:30-18:00</p>
</td>
<td>
<p><strong>High Tea</strong></p>
</td>
</tr>
</tbody>
</table>
<h4>May 27, 2016</h4>
<table>
<tbody>
<tr>
<td>
<p>9:30-11:00</p>
</td>
<td>
<p><strong>Session 5: Privacy, Surveillance and Ethical Dimensions of Aadhaar</strong><br />
Prabir Purkayastha, Free Software Movement of India, New Delhi - <em>Surveillance Capitalism and the Commodification of Personal Data</em><br />
Arjun Jayakumar, SFLC - <em>Surveillance Projects Amalgamated</em><br />
Col Mathew Thomas, Bengaluru - <em>The Deceit of Aadhaar<em></em><br />
<em>Discussion</em></em></p>
<em>
</em></td>
</tr>
<tr>
<td>
<p>11:00-11:30</p>
</td>
<td>
<p><strong>Tea Break</strong></p>
</td>
</tr>
<tr>
<td>
<p><em>11:30-13:00</em></p>
</td>
<td>
<p><strong>Session 6: Aadhaar - Broad Issues I</strong><br />
Prof. G Nagarjuna, Homi Bhabha Center for Science Education, Tata Institute of Fundamental Research, Mumbai - <em>How to prevent linked data in the context of Aadhaar</em><br />
Dr. Anupam Saraph, Pune - <em>Aadhaar and Moneylaundering</em><br />
<em>Discussion</em></p>
</td>
</tr>
<tr>
<td>
<p>13:00-14:00</p>
</td>
<td>
<p><strong>Lunch</strong></p>
</td>
</tr>
<tr>
<td>
<p>14:00-15:30</p>
</td>
<td>
<p><strong>Session 7: Aadhaar - Broad Issues II</strong><br />
Prof. MS Sriram, Visiting Faculty, Indian Institute of Management, Bangalore - <em>Financial lnclusion</em><br />
Nikhil Dey, MKSS, Rajasthan - <em>Field witness: Technology on the Ground</em><br />
Prof. Himanshu, Centre for Economic Studies & Planning, JNU - <em>UID Process and Financial Inclusion</em><br />
<em>Discussion</em></p>
</td>
</tr>
<tr>
<td>
<p>15:30-16:00</p>
</td>
<td>
<p><strong>Session 8: Conclusion</strong></p>
</td>
</tr>
<tr>
<td>
<p>16:00-18:00</p>
</td>
<td>
<p><strong>Informal Meetings</strong></p>
</td>
</tr>
</tbody>
</table>
<h3 id="AB" style="text-align: justify;"><strong>Annexure B – Workshop Participants</strong></h3>
<p>Anjali Bhardwaj, Satark Nagrik Sangathan</p>
<p>Dr. Anupam Saraph</p>
<p>Arjun Jayakumar, Software Freedom Law Centre</p>
<p>Ashok Rao, Delhi Science Forum</p>
<p>Prof. Chinmayi Arun, National Law University, Delhi</p>
<p>Prof. Dinesh Abrol, Jawaharlal Nehru University</p>
<p>Prof. G Nagarjuna, Homi Bhabha Center for Science Education, Tata Institute of Fundamental Research, Mumbai</p>
<p>Dr. Gopal Krishna, Citizens Forum for Civil Liberties</p>
<p>Prof. Himanshu, Jawaharlal Nehru University</p>
<p>Japreet Grewal, the Centre for Internet and Society</p>
<p>Joshita Pai, National Law University, Delhi</p>
<p>Malini Chakravarty, Centre for Budget and Governance Accountability</p>
<p>Col. Mathew Thomas</p>
<p>Prof. MS Sriram, Indian Institute of Management, Bangalore</p>
<p>Nikhil Dey, Mazdoor Kisan Shakti Sangathan</p>
<p>Prabir Purkayastha, Knowledge Commons and Free Software Movement of India</p>
<p>Pukhraj Singh, Bhujang</p>
<p>Rajiv Mishra, Jawaharlal Nehru University</p>
<p>Prof. R Ramakumar, Tata Institute of Social Sciences, Mumbai</p>
<p>Dr. Reetika Khera, Indian Institute of Technology, Delhi</p>
<p>Dr. Ritajyoti Bandyopadhyay, Indian Institute of Science Education and Research, Mohali</p>
<p>S. Prasanna, Advocate</p>
<p>Sanjay Kumar, Science Journalist</p>
<p>Sharath, Software Freedom Law Centre</p>
<p>Shivangi Narayan, Jawaharlal Nehru University</p>
<p>Prof. Subhashis Banerjee, Indian Institute of Technology, Delhi</p>
<p>Sumandro Chattapadhyay, the Centre for Internet and Society</p>
<p>Dr. Usha Ramanathan, Legal Researcher</p>
<p><em>Note: This list is only indicative, and not exhaustive.</em></p>
<hr />
<p><a name="ftn1"><strong>[1]</strong></a> Civil Appeal No. 4853 of 2014</p>
<p><a name="ftn2"><strong>[2]</strong></a> WP(C) 494/2012</p>
<p><a name="ftn3"><strong>[3]</strong> </a>. WP(C) 829/2013</p>
<p><a name="ftn4"><strong>[4]</strong></a> WP(C) 833/2013</p>
<p><a name="ftn5"><strong>[5]</strong></a> WP (C) 37/2015; (Earlier intervened in the Aruna Roy petition in 2013)</p>
<p><a name="ftn6"><strong>[6]</strong></a> WP (C) 932/2015</p>
<p><a name="ftn7"><strong>[7]</strong></a> Transferred from Madras HC 2013.</p>
<p style="text-align: justify;"><a name="ftn8"><strong>[8]</strong></a> SLP (Crl) 2524/2014 filed against the order of the Goa Bench of the Bombay HC in CRLWP 10/2014 wherein the High Court had directed UIDAI to share biometric information held by them of all residents of a particular place in Goa to help with a criminal investigation in a case involving charges of rape and sexual assault.</p>
<p><a name="ftn9"><strong>[9]</strong></a> See :http://scroll.in/article/806243/rajasthan-presses-on-with-aadhaar-after-fingerprint-readers-fail-well-buy-iris-scanners</p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/report-on-understanding-aadhaar-and-its-new-challenges'>https://cis-india.org/internet-governance/blog/report-on-understanding-aadhaar-and-its-new-challenges</a>
</p>
No publisherJapreet Grewal, Vanya Rakesh, Sumandro Chattapadhyay, and Elonnai HickockBig DataData SystemsPrivacyResearchers at WorkInternet GovernanceAadhaarWelfare GovernanceBiometricsBig Data for DevelopmentUID2019-03-16T04:42:52ZBlog EntryNo party's got a clear stand, Aadhaar's fate hangs in balance
https://cis-india.org/news/governance-now-april-13-2014-pratap-vikram-singh-no-party-has-got-clear-stand-aadhaar-fate-hangs-in-balance
<b>A non-UPA government for sure will review the multi-crore UID programme, but none of the parties have yet talked about scrapping it.</b>
<p style="text-align: justify; ">The article by Pratap Vikram Singh was <a class="external-link" href="http://www.governancenow.com/news/regular-story/no-partys-got-clear-stand-aadhaars-fate-hangs-balance">published in GovernanceNow.com</a> on April 13, 2014. Sunil Abraham is quoted.</p>
<hr />
<p style="text-align: justify; ">Since inception, Aadhaar’s foundation has been shaky. The Unique Identification Authority of India (UIDAI) has been functioning on an executive fiat, without parliamentary ratification. When the government first came up with a bill on the UID programme, it was rejected by the parliamentary standing committee, which questioned the purpose of the programme.</p>
<p style="text-align: justify; ">Aadhaar’s acceptability as proof of residence and its issuance to the illegal immigrants too has courted controversy. The opposition and the ministry of home affairs have repeatedly flagged the issue. Recently, the supreme court (SC) instructed the government to withdraw all orders mandating Aadhaar number for service delivery. In September last year too the apex court had ruled that no one should be denied a service for want of Aadhaar.</p>
<p style="text-align: justify; ">While the Congress hasn’t changed its position on Aadhaar and wishes to continue with Aadhaar-linked benefits transfer, the BJP hasn’t mentioned it even once in its 52-page manifesto. On April 8, Narendra Modi, BJP’s prime ministerial candidate, in an election rally near Bangalore was quoted as saying, “I asked several questions on the Aadhaar project. I asked them questions relating to illegal migrants and national security. They (the government) did not have any answer.”</p>
<p style="text-align: justify; ">Rajendra Pratap Gupta, member of BJP’s core committee on manifesto, told Governance Now: “If we come to power we will review this in totality. There is scepticism around the whole project and even the SC has ruled against mandating it.” He called Aadhaar one of the ‘biggest scams’ of the UPA. “We have found people owning multiple Aadhaar cards. It (Aadhaar) is not a very secure system,” he added.</p>
<p style="text-align: justify; ">On the other hand, Aam Aadmi Party doesn’t oppose the idea of Aadhaar, though it is critical of its linkage to delivering food and other subsidies. Atishi Marlena, the party’s manifesto committee chief, said, “In principle, we don’t oppose the Aadhaar programme. If it’s about providing an identification proof to the poor who don’t have other documents, we certainly welcome it. But Aadhaar’s linkage with benefits-transfer needs to be questioned. Who gets what and who doesn’t should be determined by gram sabhas and mohalla sabhas. It should be done via people participation.”</p>
<p style="text-align: justify; ">The CPI(M), in its manifesto, called for halting the project unless it gets parliamentary approval. It also underlined the need for a privacy and data protection law prior to the rollout of the UID programme. “The moment Aadhaar is linked with service delivery, the scope for exclusion widens. You need to have universal coverage of Aadhaar and banking before you roll out the benefits transfer programme,” CPI(M) Rajya Sabha member Tapan Sen said.</p>
<p style="text-align: justify; ">In its manifesto, the party has talked about ‘constituting an independent high-level expert panel for an appraisal of the technology of biometrics used in the project’.</p>
<p style="text-align: justify; ">Sunil Abraham of the Centre for Internet and Society said, “The centralised online authentication automatically raises issues of privacy infringement. The authentication, in a decentralised fashion, with help of smart cards, is less intrusive, as the logs are stored in a local fashion and not centralised as in the case of Aadhaar. It will be a welcome move if the next government selects resident ID (smart) card, issued by the home ministry, as proof for identification and service delivery.”</p>
<p>
For more details visit <a href='https://cis-india.org/news/governance-now-april-13-2014-pratap-vikram-singh-no-party-has-got-clear-stand-aadhaar-fate-hangs-in-balance'>https://cis-india.org/news/governance-now-april-13-2014-pratap-vikram-singh-no-party-has-got-clear-stand-aadhaar-fate-hangs-in-balance</a>
</p>
No publisherpraskrishnaUIDInternet GovernancePrivacy2014-05-05T06:01:08ZNews ItemBiometrics or Bust? Implications of the UID for Participation and Inclusion
https://cis-india.org/events/biometrics-or-bust-implications-of-uid-for-participation-and-inclusion
<b>Malavika Jayaram will give a talk on biometrics and the implications of UID for participation and inclusion at the office of the Centre for Internet and Society in Bangalore on January 10, 2014 at 6.00 p.m.</b>
<h2>Abstract</h2>
<p style="text-align: justify; ">Privacy is often portrayed as a luxury, as the intellectual preoccupation of nerdy privileged liberals, and an issue of salience only to the elite. This ignores the reality of the most marginalized sections of a society being disproportionately impacted by privacy intrusive technologies. The collusion of public and private agendas towards implementing large welfare projects is generally seen as progressive and neutral, yet the consequences of even well-intentioned efforts that trade privacy for convenience, welfare, security or a host of other compelling goals is troubling. The use of biometric technologies further complicates matters: the assumption that bodies can be rendered into infallible verifiers, as repositories of unchanging truth, is not without its catalogue of failures. This talk will examine the notion of biometric representations as a kind of capital, the possibility that failures are endemic to their functioning, and the implications of systemic errors on equality, participation and democracy.</p>
<h2 style="text-align: justify; ">Malavika Jayaram</h2>
<p style="text-align: justify; ">Malavika is a Fellow at the Berkman Center for Internet and Society at Harvard University, focusing on privacy, identity and free expression. She is also a Fellow at the Centre for Internet and Society, Bangalore, and the author of the India chapter for the Data Protection & Privacy volume in the Getting the Deal Done series. Malavika is one of 10 Indian lawyers in The International Who's Who of Internet e-Commerce & Data Protection Lawyers directory. In August 2013, she was voted one of India’s leading lawyers and one of only 8 women to be featured in the “40 under 45” survey conducted by Law Business Research, London. In a different life, she spent 8 years in London, practicing law with global firm Allen & Overy in the Communications, Media & Technology group, and as VP and Technology Counsel at Citigroup. During 2012-2013, she was a Visiting Scholar at the Annenberg School for Communication, University of Pennsylvania. She is working on completing her PhD at the National Law School.</p>
<p>
For more details visit <a href='https://cis-india.org/events/biometrics-or-bust-implications-of-uid-for-participation-and-inclusion'>https://cis-india.org/events/biometrics-or-bust-implications-of-uid-for-participation-and-inclusion</a>
</p>
No publisherpraskrishnaUIDEventInternet GovernancePrivacy2014-01-06T08:56:51ZEventCyberscholars Working Group at MIT
https://cis-india.org/news/cyberscholars-working-group-mit
<b>Malavika Jayaram is giving a talk on Biometrics or Bust - India’s Identity Crisis at this event organised by Berkman Center for Internet & Society on December 12 at 6.00 p.m.</b>
<hr />
<p style="text-align: justify; ">Read the original <a class="external-link" href="https://cyber.law.harvard.edu/events/cyberscholars/12/mit">published by Harvard University here</a>.</p>
<hr />
<p style="text-align: justify; ">The Cyberscholar Working Group is a forum for fellows and affiliates of MIT, Yale Law School Information Society Project, Columbia University, and the Berkman Center for Internet & Society at Harvard University to discuss their ongoing research. Each session is focused on the peer review and discussion of current projects submitted by a presenter. Meeting alternatively at Harvard, MIT, Yale, the working group aims to expand the shared knowledge of young scholars by bringing together these preeminent centers of thought on issues confronting the information age. Discussion sessions are designed to facilitate advancements in the individual research of presenters and in turn encourage exposure among the participants to the multi-disciplinary features of the issues addressed by their own work.</p>
<p style="text-align: justify; ">This month's presentations include:<br /> <b>(1) "Lines of Control: Networks of Imperialism and Independence in India (1840-1947)"</b><br />Abstract: This paper examines the history of communications networks in India and the relationship between communications and second-order networks. It draws attention to the wave of colonial network development that took place in India between 1840 and 1948. During these years, Britain constructed a series shipping, rail and telegraph networks to achieve a set of military and commercial goals. This paper studies how first- and second-order networks developed, and the intended and unintended effects of these networks on Indiaʼs economics, politics, and identity. The paper draws on economic and social studies of colonial communications networks in India, original reports by British officials and the Colonial Office, and the literature focusing on the role of technology in British imperialism. It shows how Indiaʼs colonial communication networks, built to augment and extend British control over the subcontinent, became conduits for Indian resistance and nationalism.<br />Keywords: shipping, telegraph, railroads, imperialism, nationalism, network theory, India</p>
<p style="text-align: justify; "><b>Colin Agur </b>is a PhD candidate at Columbia University and Visiting Fellow at Yale Law School's Information Society Project. His research examines India's telecommunications, focusing on mobile network formation and second-order effects of network growth. He spent the 2012-13 academic year in Delhi and Chennai, conducting document analysis, interviews with industry figures and participant observation related to mobile phone usage. He has published articles about Indian media and culture in Harvard's Nieman Lab, the Journal of Asian and African Studies and Journalism (forthcoming), and about telecommunications history in Information and Culture.</p>
<p style="text-align: justify; "><b>(2) Big Data Dramas in the 1960s and 1970s</b><br />Abstract: The recent frenzy in discussing NSA activities and the collecting of Big Data show a widespread critical concern for the current practice of gathering and using personal data. These concerns have their history. In my presentation, I track the beginnings of a growing public awareness and sensitivity towards the societal handling of personal data. I argue that the early computerization phase during the 1960s and 1970s played a crucial role in discussing these issues. Media reports, popular books, scientific publications, and political hearings all of a sudden began – often in quite different ways – to address and question contemporary practices of collecting, sharing, and storing of personal data. Their authors explored and negotiated all kind of societal settings where personal data played a significant role at that time. There have been concerns about these issues with personal data before, but – as I will show in my presentation – not on this broad societal level and to this extent as in the late 1960s and early 1970s. I argue that during that time, the usage of personal data became a highly controversial matter not only of public, but also of private interest.My inquiry examines how the term “data“ and in particular the collection of personal data became loaded with cultural and emotional significance in scientific and media discussions in the 1960s and 1970s in the United States and in Germany. Furthermore, it explores how the early computerization affected our societal handling of data long before the personal computer entered our private lives.</p>
<p style="text-align: justify; "><b>Julia Fleischhack</b> is a visiting postdoctoral research fellow in the program in Science, Technology, and Society at the Massachusetts Institute of Technology. She holds a PhD in anthropology from Zürich University. Her current research is on data centers from the private sector and funded by the Fritz Thyssen foundation.</p>
<p style="text-align: justify; "><b>(3) Biometrics or Bust - India’s Identity Crisis</b><br />Abstract: India's identity juggernaut - the Unique Identity (UID) project that has registered around 500 million people and is yet to be fully realized - is already the world's largest ever biometrics identity scheme. Grounded in the premise that centralized de-duplication and authentication will uniquely identify people and eliminate fraud, it is hailed as a game changer and a silver bullet that will solve myriad socio-economic problems, yet its conception and architecture raise significant concerns. Its implementation as a techno-utopian project in a legal vacuum, despite the potential for abuse and exclusion, give pause to the much-vaunted claims of transforming welfare delivery and galvanizing financial inclusion. I will provide an overview of the identity project and highlight some of the key implications for privacy and free speech, and more broadly, democracy and openness. I will also unpack some of the narratives being constructed, describe the current public discourse and legal developments, and locate the project within the broader surveillance state and database nation that India is morphing into.</p>
<p style="text-align: justify; "><b>Malavika Jayaram</b> is a Fellow at the Berkman Center for Internet and Society at Harvard, focusing on privacy, identity and free expression. A Fellow at the Centre for Internet and Society, Bangalore, she is one of 10 Indian lawyers in The International Who's Who of Internet e-Commerce & Data Protection directory. In August 2013, she was voted one of India's leading lawyers - one of only 8 women to be featured in the "40 under 45" survey conducted by Law Business Research, London.</p>
<p>
For more details visit <a href='https://cis-india.org/news/cyberscholars-working-group-mit'>https://cis-india.org/news/cyberscholars-working-group-mit</a>
</p>
No publisherpraskrishnaUIDInternet Governance2014-01-09T06:41:31ZNews ItemDespite apex court order, IOC proceeds with Aadhaar-linked DBT
https://cis-india.org/news/hindu-january-6-2014-deepa-kurup-despite-apex-court-order-ioc-proceeds-with-aadhar-linked-dbt
<b>Once DBT starts, there is no other method to avail of subsidy: IOC official.</b>
<p style="text-align: justify; ">The article by Deepa Kurup was <a class="external-link" href="http://www.thehindu.com/news/cities/bangalore/despite-apex-court-order-ioc-proceeds-with-aadhaar-seeding/article5542193.ece">published in the Hindu</a> on January 6, 2014. Sunil Abraham is quoted.</p>
<hr />
<p style="text-align: justify; ">Despite an interim order by the Supreme Court disallowing the government from making the Aadhaar number mandatory for accessing State subsidies and benefits, Indian Oil Corporation (IOC) Ltd. continues to inform consumers that they will not get their LPG subsidy if they do not seed their Aadhaar-linked bank accounts to the IOC database.</p>
<p style="text-align: justify; ">SMSes and publicity material released by IOC in the past week indicate that the company is going ahead with the Union government’s deadlines for the Direct Benefit Transfer scheme for LPG. While the deadline for Udupi and Dharwad districts has been extended till January-end, the “grace period” for Bangalore Urban will expire on March 1.</p>
<p style="text-align: justify; ">Over the past week, LPG consumers have been receiving frequent SMSes requesting them to submit their Aadhaar number to their LPG distributor and their bank, with “no further delay”. Though the SMS does not state whether or not this is mandatory, frequent messages have been instilling a sense of urgency and panic among consumers. Further, several consumers told <i>The Hindu</i> that, upon enquiry, distributors had been telling them that they would have to forego their subsidy amount (for nine cylinders a year) if they failed to register their details with the IOC database. Once the DBT scheme is enforced, the IOC will migrate customers entirely to the new system — that is, consumers will have to pay the market price, and the subsidy amount will be credited to their bank accounts.</p>
<p style="text-align: justify; ">‘<b>No other method’</b></p>
<p style="text-align: justify; ">Senior IOC officials said that while the oil manufacturing company was desisting from making statements on whether or not this was mandatory, in effect those whose details would not be seeded to the database would not be able to avail of the benefit. “Basically, once the DBT scheme starts there is no other method to receive or avail of the subsidy. As of now, there is no alternative method,” said R.K. Arora, executive director, Karnataka State office. He pointed out that in rural areas several other subsidies were already linked to Aadhaar, and the DBT scheme was at 100 per cent in Tumkur and Mysore districts.</p>
<p style="text-align: justify; ">As of January 1, an IOC official said, only 30 per cent of LPG consumers in the Bangalore Circle had ‘seeded’ their accounts to the IOC database, while in Udupi and Dharwad it was roughly around 50 per cent.</p>
<p style="text-align: justify; ">“We are not claiming it’s mandatory, and currently all companies have submitted an affidavit seeking the order be reconsidered. Meanwhile, we have just asked people to submit the details to the distributor as soon as they can,” the official said. He added that IOC was likely to keep extending the deadline to “be on the safe side”.</p>
<p style="text-align: justify; ">Meanwhile, there is confusion among consumers on the issue. Krishnan Pillai, a resident of R.T. Nagar here, said Aadhaar numbers were being delayed, and there was huge anxiety among people. “Last week, I saw an advertisement that implied that I will lose subsidy if I don’t submit my number. Is the Supreme Court verdict not applicable?” he said. Sumitra Gupta, a charted accountant from Majestic, said distributors were telling them to “ignore news report on the Supreme Court verdict”.</p>
<p style="text-align: justify; ">“This is arm twisting,” she said.</p>
<p style="text-align: justify; ">‘<b>So-called voluntary’</b></p>
<p style="text-align: justify; ">Sunil Abraham of the Centre for Internet and Society, a Bangalore-based NGO that has been part of the anti-Aadhaar campaign, said IOC was “pushing the boundary”. “From the very beginning, people have been objecting to the so-called voluntary nature of the scheme. It’s unfortunate that the will of the Supreme Court in its interim order on such as a critical component of our citizenship is also being ignored,” he said.</p>
<p>
For more details visit <a href='https://cis-india.org/news/hindu-january-6-2014-deepa-kurup-despite-apex-court-order-ioc-proceeds-with-aadhar-linked-dbt'>https://cis-india.org/news/hindu-january-6-2014-deepa-kurup-despite-apex-court-order-ioc-proceeds-with-aadhar-linked-dbt</a>
</p>
No publisherpraskrishnaUIDInternet GovernancePrivacy2014-01-31T06:50:33ZNews ItemThe Aadhaar Case
https://cis-india.org/internet-governance/blog/the-aadhaar-case
<b>In 2012 a writ petition was filed by Justice K.S. Puttaswamy in the Supreme Court of India challenging the policy of the government in making an Aadhaar card for every person in India and its later plans to link various government benefit schemes to the same.</b>
<p style="text-align: justify; ">Over time a number of other cases have been filed in the Supreme Court challenging the Aadhaar mechanism and/or its procedure most of which have now been linked to the main petition filed by Justice Puttaswamy.<a href="#_ftn1" name="_ftnref1">[1]</a> This means that the Supreme Court now hears all these cases together (i.e. at the same time) since they throw up similar questions and involve the same or similar issues. The court while hearing the case made an interim order on September 23, 2013 whereby it ordered that no person should suffer on account of not having an Aadhaar card and that Aadhaar cards should not be issued to any illegal immigrants. The relevant extract from the Order of the court is reproduced below:</p>
<p style="text-align: justify; ">"No person should suffer for not getting the Aadhaar card in spite of the fact that some authority had issued a circular making it mandatory and when any person applies to get the Aadhaar card voluntarily, it may be checked whether that person is entitled for it under the law and it should not be given to any illegal immigrant."<a href="#_ftn2" name="_ftnref2">[2]</a></p>
<p style="text-align: justify; ">It must be noted that the above order was only an interim measure taken by the Supreme Court till the time it finally decided all the issues involved in the case, which is still pending in the Supreme Court.</p>
<p style="text-align: justify; ">In November 2013 during one of the hearings of the matter, the Supreme Court came to the conclusion that it was an important enough matter for all the states and union territories to be impleaded as parties to the case and passed an order to this effect.<a href="#_ftn3" name="_ftnref3">[3]</a> This was probably because the Aadhaar cards will be issued in the entire country and this is a national issue and therefore it is possible that the court thought that if any of the states have any concerns regarding the issue they should have the opportunity to present their case.</p>
<p style="text-align: justify; ">In another petition filed by the Unique Identification Authority of India (UIDAI), the Supreme Court on March 24, 2014 reiterated its earlier order and held that no person shall be deprived of any service just because such person lacked an aadhaar number if he/she was otherwise eligible for the service. A direction was issued to all government authorities and departments to modify their forms/circulars, etc., so as to not compulsorily require an aadhaar number. In the same order the Supreme Court also restrained the UIDAI from transferring any biometric data to any agency without the consent of the person in writing as an interim measure.<a href="#_ftn4" name="_ftnref4">[4]</a> After passing these orders the Supreme Court linked this case as well to the petition filed by Justice Puttaswamy on which final arguments were being heard in February 2014 which so far do not seem to have concluded.</p>
<p style="text-align: justify; "><b>Note</b> : Please note that the case is still being heard by the Supreme Court and the orders given so far and explained in this blog are all interim measures till the case is finally disposed off. The status of the cases can be seen on the following link:</p>
<p style="text-align: justify; "><a href="http://courtnic.nic.in/supremecourt/casestatus_new/caseno_new_alt.asp">http://courtnic.nic.in/supremecourt/casestatus_new/caseno_new_alt.asp</a></p>
<p style="text-align: justify; ">The names and number of the cases that have been covered in this blog are given below:</p>
<ul>
<li>W.P(C) No. 439 of 2012 titled <i>S. Raju </i>v. <i>Govt. of India and Others </i> pending before the D.B. of the High Court of Judicature at Madras.</li>
<li>PIL No. 10 of 2012 titled <i>Vickram Crishna and Others</i> v. <i>UIDAI and Others</i> pending before the High Court of Judicature at Bombay.</li>
<li>W.P. No. 833 of 2013 titled <i>Aruna Roy & Anr</i> v. <i>Union of India & Ors</i>.</li>
<li>W.P. No. 829 of 2013 titled <i>S.G. Vombatkere & Anr</i> v. <i>Union of India & Ors.</i></li>
<li>Petition(s) for Special Leave to Appeal (Crl) No(s).2524/2014 titled <i>Unique Identification Authority of India & another</i> v. <i>Central Bureau of Investigation</i>. </li>
</ul>
<p style="text-align: justify; ">All the above cases have now been linked with the ongoing Supreme Court case of <i>K. Puttaswamy</i> v. <i>Union of India</i>.</p>
<div style="text-align: justify; ">
<hr />
<div id="ftn1">
<p><a href="#_ftnref1" name="_ftn1">[1]</a> W.P(C) No. 439 of 2012 titled <i>S. Raju </i>v. <i>Govt. of India and Others </i> pending before the D.B. of the High Court of Judicature at Madras and PIL No. 10 of 2012 titled <i>Vickram Crishna and Others</i> v. <i>UIDAI and Others</i> pending before the High Court of Judicature at Bombay were transferred to the Supreme Court vide Order dated September 23, 2013. Also W.P. No. 833 of 2013 titled Aruna Roy & Anr Vs Union of India & Ors, W.P. No. 829 of 2013 titled S G Vombatkere & Anr Vs Union of India & Ors and Petition(s) for Special Leave to Appeal (Crl) No(s).2524/2014 titled <i>Unique Identification Authority of India & another</i> v. <i>Central Bureau of Investigation</i>.</p>
</div>
<div id="ftn2">
<p><a href="#_ftnref2" name="_ftn2">[2]</a> <a href="http://judis.nic.in/temp/494201232392013p.txt">http://judis.nic.in/temp/494201232392013p.txt</a></p>
</div>
<div id="ftn3">
<p><a href="#_ftnref3" name="_ftn3">[3]</a> <a href="http://judis.nic.in/temp/4942012326112013p.txt">http://judis.nic.in/temp/4942012326112013p.txt</a></p>
</div>
<div id="ftn4">
<p><a href="#_ftnref4" name="_ftn4">[4]</a> <a href="http://courtnic.nic.in/supremecourt/temp/sr%20252414p.txt">http://courtnic.nic.in/supremecourt/temp/sr%20252414p.txt</a></p>
</div>
</div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/the-aadhaar-case'>https://cis-india.org/internet-governance/blog/the-aadhaar-case</a>
</p>
No publishervipulUIDInternet GovernancePrivacy2014-09-05T09:12:21ZBlog EntryUID: A Data Subject's Registration Tale
https://cis-india.org/internet-governance/blog/uid-a-data-subjects-registration-tale
<b>A person who registered for UIDAI shares their experience of registering for the UID Number, on the condition of anonymity.</b>
<p style="text-align: justify; ">The registration process begins with filling a form, which has a verification clause at the end. This is a statement that the data, including biometric data, is correct and is that of the registrant. The presence of the word ‘biometric’ in relation to the verification creates tacit consent in the collection of biometric data.</p>
<p style="text-align: justify; ">The data subject registered for the UID number as several utilities were being linked to the UID number at that time.</p>
<p style="text-align: justify; ">The data subject pointed out three areas for concern: (i) optional data was being collected under protest; (ii) the subjects documents were being taken out of their sight for scanning; (iii) the ownership of data.</p>
<p style="text-align: justify; ">While registering for the UID number, data subjects have a choice not to link their bank numbers to bank accounts and to utilities such as gas connections. This data subject noticed that the data operator linked these by default and the data subject had to specifically request the de-linking. The data operator did not inform the data subject of the choice not to link the UID with these services. If this is the state of affairs for the conscious registrant, it is unlikely that those who cannot read will be informed of their right to choice. Their information will then be inadvertently linked and they will be denied the right to opt out of the linkage.</p>
<p style="text-align: justify; ">This data subject additionally noted that their right to refuse to provide optional data on the registration form was blatantly disregarded by the enrolling agency. Despite protests against providing this information, the enroller forcibly entered information such as ‘ward number’, which was optional. The enroller justified these actions - stating: the company will cut our salary. Unfortunately, registrants do not know who the data collection company is.</p>
<p style="text-align: justify; ">Where the data subjects do not know who collects their data and where it is going, there can be no accountability.</p>
<p style="text-align: justify; ">This incident seems to show that the rules on personal information are being violated. The right to know: the identity and address of the entity collecting the data,<a href="#_ftn1" name="_ftnref1">[1]</a> the purpose of data collection,<a href="#_ftn2" name="_ftnref2">[2]</a> the restrictions on data use<a href="#_ftn3" name="_ftnref3">[3]</a> and the right not to disclose sensitive personal data <a href="#_ftn4" name="_ftnref4">[4]</a> are all granted by the Information Technology Rules. Data subjects also have the right to be informed about the intended recipients<a href="#_ftn5" name="_ftnref5">[5]</a> and the entities that will retain the data. <a href="#_ftn6" name="_ftnref6">[6]</a> The data collector has failed to perform its corresponding duty to make such disclosures and has arguably limited the control of data subjects over their privacy.</p>
<p style="text-align: justify; ">If this is what other UID registrations are like, then perhaps it is time to modify the process of data handling and processing. The law should be implemented better and amended to enable better implementation either through greater state intervention or severe liability when personal information is improperly handled.</p>
<div style="text-align: justify; ">
<hr align="left" size="1" width="100%" />
<div id="ftn1">
<p><a href="#_ftnref1" name="_ftn1">[1]</a> R.4(3)(d) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.</p>
</div>
<div id="ftn2">
<p><a href="#_ftnref2" name="_ftn2">[2]</a> R. 4(3)(b) Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.</p>
</div>
<div id="ftn3">
<p><a href="#_ftnref3" name="_ftn3">[3]</a> R. 4(7) Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.</p>
</div>
<div id="ftn4">
<p><a href="#_ftnref4" name="_ftn4">[4]</a> R. 4 (7) Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.</p>
</div>
<div id="ftn5">
<p><a href="#_ftnref5" name="_ftn5">[5]</a> R. 4 (3) (c) Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.</p>
</div>
<div id="ftn6">
<p><a href="#_ftnref6" name="_ftn6">[6]</a> R.4(3)(d) Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.</p>
</div>
</div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/uid-a-data-subjects-registration-tale'>https://cis-india.org/internet-governance/blog/uid-a-data-subjects-registration-tale</a>
</p>
No publisherMukta BatraUIDInternet GovernancePrivacy2014-09-11T09:05:07ZBlog EntryBiometrics: An ‘Angootha Chaap’ nation?
https://cis-india.org/internet-governance/blog/biometrics-an-angootha-chaap-nation
<b>This blog post throws light on the inconsistencies in biometric collection under the UID and NPR Schemes. </b>
<h2 style="text-align: justify; ">Introduction</h2>
<p style="text-align: justify; ">Fingerprints and iris scans. The Unique Identification (UID) Number aims to serve as a proof of identity that can be easily verified and linked to subsidies and to bank accounts. Four years into its implementation, the UID Scheme seems to have the vote of confidence of the public. More than 65 Crore Indians have been granted UID Numbers,<a href="#_ftn1" name="_ftnref1">[1]</a> and only a few have been concerned enough to seek clarity through Right to Information Requests to the UIDAI about the finances and legal authority backing the scheme.<a href="#_ftn2" name="_ftnref2">[2]</a> Parallel to the UID scheme, the National Population Register scheme is also under way, with enrolment in some areas, such as Srinagar, Shimla and Panchkula, having reached 100% of the estimated population.<a href="#_ftn3" name="_ftnref3">[3]</a></p>
<p style="text-align: justify; ">The NPR scheme is an offshoot of the census. It began in census cycle 2010-11, pursuant to the amendment of the Citizenship Act in 2004, under which national identity cards are to be issued. The desired outcome of the NPR scheme is an NPR card with a chip embedded with three bits of information built into a card: (i) biometric information, (ii) demographic information and (iii) UID Number.</p>
<p style="text-align: justify; ">Both the UID and NPR schemes aspire to be conduits that subsidies, utilities, and other benefits are routed through. While the UID and NPR schemes are distinct in terms of their legal sanctity, purpose and form, the harmonization of these two schemes is one of the UIDAI’s functions.</p>
<p style="text-align: justify; ">There are substantial overlaps in the information collected and the purpose they serve leading to the argument that having two schemes is redundant. The compatibility of the two schemes was questioned and it was initially thought that a merger would be unreasonable. While there has been speculation that the UID scheme may terminate, or that it would be taken over by the Home Ministry, it has been reported that the new government has directed expedited enrolments through the UID scheme. <a href="#_ftn4" name="_ftnref4">[4]</a></p>
<p style="text-align: justify; ">Both schemes are incomplete and suffer from vagaries, including, but not limited to: their legality, safeguards against misuse of the data, the implementation of the schemes – including the collection and storage of biometric information and their convergence or divergence.</p>
<p style="text-align: justify; ">This blog will focus on understanding the process of collecting biometric data in each scheme – calling out similarities and differences – as well as areas in which data collected under one scheme is incompatible with the other scheme. It will look at existing and missing safeguards in the collection of biometrics, overlap in the collection of biometrics by the two schemes, and existing practice in the collection of biometrics. In doing so the blog will highlight the lack of privacy safeguards for the biometric information and conclude that since the policies for data collection and use policy are unclear, the data subjects do not know how their data is being collected, used, and shared between the UID and the NPR schemes.</p>
<h2 style="text-align: justify; ">Unreliability of Biometric Data</h2>
<p style="text-align: justify; ">Biometric data has been qualified as being unreliable.<a href="#_ftn5" name="_ftnref5">[5]</a> It cannot always be successfully used to identify a person, especially in India, where manual labour degrades the fingerprint<a href="#_ftn6" name="_ftnref6">[6]</a> and nutritional deficiencies mar the iris. Even experts working with the UIDAI<a href="#_ftn7" name="_ftnref7">[7]</a> admit that fingerprints are not always good indicators of identity. If the very identification of a person fails, which is what the UID seeks to do, then the purpose of the UID is defeated.</p>
<h2 style="text-align: justify; ">Biometric Data Collection under the UID Scheme</h2>
<p style="text-align: justify; ">In the current structure of the scheme, collected biometric information is stored by, and vests with the UIDAI for an undefined period. The data if used only for identification and authentication purposes, as originally intended, could very well fail to serve its intended purpose. But amassing the personal data of the entire country is lucrative, particularly to the service providers who collect the information and are mandated with the task to manually collect the data before it is fed into the UID system and encrypted. Most of the service providers that collect information, including biometric data, for the UID are engaged in information services such as IT or online marketing service providers.<a href="#_ftn8" name="_ftnref8">[8]</a></p>
<p style="text-align: justify; ">The below chart delineates the process followed for the collection of biometrics under the UID Scheme:</p>
<table class="listing" style="text-align: justify; ">
<tbody>
<tr>
<th><img src="https://cis-india.org/home-images/copy3_of_c1.png" alt="c1" class="image-inline" title="c1" /></th>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">Under the NIAI Bill, all data collected or authenticated by the UIDAI, until the Bill is enacted and the National Identification Authority of India is created, vests with the UIDAI. In practice this means that the UIDAI owns the biometric data of the data-subject, without clear safeguards against misuse of the data.</p>
<p style="text-align: justify; ">In the UID scheme, the collection of biometrics at the time of enrollment by the UIDAI is severely flawed for a number of reasons:</p>
<p style="text-align: justify; "><b>1. Lack of clear legal authority and procedure for collection of biometrics:</b> The only legal authority the UIDAI has to collect biometric information is via the notification of its constitution. Even then, the powers of the UIDAI are vague and broad. Importantly, the notification tells us nothing of how biometric data is to be collected and how it is to be used. These standards have only been developed by the UIDAI in an <i>ad-hoc manner </i>when the need arises or after a problem is spotted. The lack of purpose-specification is in violation of the law<a href="#_ftn9" name="_ftnref9">[9]</a> and prevents the data subject from giving informed consent to data collection. This is discussed at a later stage.</p>
<p style="text-align: justify; "><b>2. The collection of Biometrics is regulated through only a Bill, which delegates the development of safeguards to Rules:</b> The National Identification Authority of India (NIAI) Bill<a href="#_ftn10" name="_ftnref10">[10]</a> confers the National Information Authority of India (NOT THE UIDAI) with the power to pass rules to collect biometric data and to prescribe standards for collection.<a href="#_ftn11" name="_ftnref11">[11]</a> This is a rule-making power, which is conferred under a Bill. Neither has the Bill been enacted, nor have rules for the collection of biometrics been framed and notified.</p>
<p style="text-align: justify; "><b>3. Collection</b> <b>of</b> <b>biometric</b> <b>data only with implied consent:</b> Though collection of biometrics is mentioned in the enrolment form, explicit consent for the collection of biometrics is not collected and only implied consent may be inferred. The last line in the enrollment form is titled ‘CONSENT’ and is a declaration that all data, including biometric information, is true.<a href="#_ftn12" name="_ftnref12">[12]</a></p>
<p style="text-align: justify; "><b>4. Collection of biometric data outsourced to third party:</b> Collection of biometric information in the UID scheme is outsourced to third parties through tenders. For instance, Accenture has been declared a biometric service provider under a contract with the UID.<a href="#_ftn13" name="_ftnref13">[13]</a> The third party may be a company, firm, educational institution or an accreditation agency. The eligibility criteria are quite straightforward, they relate to the entity’s structure and previous experiences with small projects.<a href="#_ftn14" name="_ftnref14">[14]</a> Since the ability to protect privacy of the data subject is entirely absent from the eligibility criteria, a successful bidder may not have adequate procedure in place or sufficient experience in managing confidential data, to ensure the privacy of the data subject. By outsourcing the data collection, the UIDAI has arguably delegated a function it never had the legal authority to perform. Thus, the agency of the data collection is equally defective. To heighten the irregularity, these contract agents can sub-contract the job of physical data collection.<a href="#_ftn15" name="_ftnref15">[15]</a> This means that the data operator and the ground supervisors, who come into direct contact with the raw data, including biometric data, are not appointed by the government, or the UIDAI, but by a private agency, who is further removed from the chain. The data operator scans the documents submitted for verification and has physical access to the document.<a href="#_ftn16" name="_ftnref16">[16]</a></p>
<p style="text-align: justify; "><b>5. Biometric data is admittedly vulnerable to sale and leakage: </b>In an ongoing case in the Supreme Court of India, the national Capital Territory of Delhi has, in its counter-affidavit, admitted that data collected under the UID is vulnerable to sale and leakage.<a href="#_ftn17" name="_ftnref17">[17]</a> To quote from the counter-affidavit ‘<i>..in any exercise of gathering identities whether it is by census authority… or through the present process… there is always a possibility of leakage. Enumerators can scan and keep copies of all the forms and sell them for a price.- this (sic) it can never be said that the data gathered… is safe.’<a href="#_ftn18" name="_ftnref18"><b>[18]</b></a></i> Anyone who has registered for either UID is therefore a candidate for identity theft or unsolicited commercial information. This is also true for the NPR, as census data is the basis for the NPR.</p>
<h2 style="text-align: justify; ">Data collection under the NPR Scheme</h2>
<p style="text-align: justify; ">The declaration of courts that it is unnecessary to link the UID number for public utilities and the admission by Delhi in the case that a data subject cannot be compelled to provide biometrics or to obtain a UID Number under the Aadhaar scheme<a href="#_ftn19" name="_ftnref19">[19]</a> are steps forward in ensuring the voluntariness of UID. However, the UID Number is mandatory by implication. It is a pre-requisite for registration under the National Population Register, which is compulsory, pursuant to S. 14-A of the Citizenship Act. The below diagram delineates the collection of biometric information under the NPR scheme:</p>
<p style="text-align: justify; "><b>DATA FLOW PROCESS</b></p>
<table class="listing" style="text-align: justify; ">
<tbody>
<tr>
<th><img src="https://cis-india.org/home-images/copy4_of_c2.png" alt="c2" class="image-inline" title="c2" /><br /></th>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; ">Flaws in the collection of biometric data under the NPR scheme<b> </b></h2>
<ol style="text-align: justify; ">
<li><b>Compulsion:</b> Registration in the NPR is legally mandated and individuals who fail to do so can face penalty. As a note, arguably, the compulsion to register for the NPR is untenable, as the Rules prescribe penalty, whereas the Act does not. <a href="#_ftn20" name="_ftnref20">[20]</a> A word of caution is appropriate here. The penalty under the Rules stands till it is deleted by the legislature or declared void by courts and one may be held liable for refusing to register for the NPR, though the above argument may be a good defense.</li>
<li><b>Duplicity: </b>Duplicity is a problem under the NPR Scheme. Biometric data is collected twice before the NPR exercise is completed. Even if one has registered under the UID scheme, they have to give their biometric information again under the NPR scheme. The first instance of collection of biometric information is for the UID number and the second, under the NPR scheme. The latter is necessary even if the data has already been collected for the UID number. Since the parties collecting biometric information for NPR are empanelled by the UIDAI and the eligibility is the same, the data is subject to the same or similar threats of data leakage that may arise when registering for the UID. The multi-level data collection only amplifies the admitted vulnerability of data as unauthorized actors can unlawfully access the data at any stage. This, coupled with the fact that UIDAI has to harmonize the NPR and UID schemes, and that the data comes to the UIDAI for de-duplication, means that the NPR data could be used by the UIDAI, but it may not result in a UID Number. There is no data that disproves this potential. This is a matter of concern, as one who wishes not to register for a UID number, in protection of their privacy, is at peril for their data falls into the hands of the UIDAI.</li>
<li><b>Biometric data collectors under the NPR scheme empanelled by the UIDAI:</b> The service providers collecting biometric data under the NPR are selected through bids and need to be empanelled with the UIDAI.<a href="#_ftn21" name="_ftnref21">[21]</a> Most enrolment agencies that are empanelled with the UIDAI are either IT or online marketing companies<a href="#_ftn22" name="_ftnref22">[22]</a>, making the fear of targeted marketing even more likely.</li>
<li><b>Public display and verification: </b>Under the NPR scheme, the biometric and demographic information and UID number of registrants is publicly displayed in their local area for verification.<a href="#_ftn23" name="_ftnref23">[23]</a> However, it is a violation of privacy to have sensitive personal data, such as biometrics put up publicly. Not only will the demographic information be readily accessible, nothing will prohibit the creation of a mailing list or collection of data for either data theft or for sending unsolicited commercial communication. The publicly available information is the kind of information that can be used for verification (Know Your Customer) and to authorize financial transactions. Since the personal information is displayed in the data subject’s local area, it is arguably a more invasive violation of privacy, since the members of the local area can make complex connections between the data subject and the data.</li>
<li><b>Smart Card: </b>The desired outcome of the NPR scheme is an NPR card. This card is to contain a chip, which is embedded with information such as the UID Number, biometrics and the demographic information. It is still unclear as to whether this information will be machine-readable. If so, this information may be just a swipe away. However, this cannot be confirmed without information on the level encryption and how the data will be stored on the chip.</li>
</ol><ol style="text-align: justify; " type="1"> </ol>
<h2 style="text-align: justify; ">‘Privacy safeguards available under the UID and NPR schemes are ad-hoc and incomplete</h2>
<p style="text-align: justify; ">The safeguards under both the UID and NPR schemes are quite similar, since the UIDAI and its empanelled biometric service providers are involved in collecting biometric information for both the UID and the NPR.</p>
<p style="text-align: justify; ">Pilot studies for the UID scheme, including the use of biometrics, were not conducted in advance to implementation. In line with this, the enactment of a legislation governing the UID and the implementation of policies with respect to data handling and use will be made as and when the need arises. The development of safeguards in relation to the NPR will also be ad-hoc.</p>
<p style="text-align: justify; ">Also, the data standards for one will potentially influence that of the other scheme. For instance, the change in privacy standards for handling biometrics under the UID may affect the empanelment of biometric service providers. This will automatically affect the data security level the NPR can seek to achieve.</p>
<p style="text-align: justify; ">Being developed ad-hoc and after the fact, there is a risk that these regulations may unreasonably curtail the rights of data subjects.</p>
<p style="text-align: justify; ">The existing Indian laws on data protection and privacy are not comprehensive. Certain laws protect privacy only in specific situations. For instance, the IT Act and related rules protect privacy in relation to digital information.</p>
<p style="text-align: justify; ">Any body that collects sensitive personal data such as biometric data, or any other data for processing and storage has a legal mandate under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules, 2011 to make certain disclosures BEFORE OR WHILE THE DATA IS COLLECTED. This includes, <i>inter-alia,</i> disclosures of (i) the purpose of information collection, (ii) the intended recipients of the information and (iii) name and addresses of the collector and of the party retaining the data.<a href="#_ftn24" name="_ftnref24">[24]</a></p>
<p style="text-align: justify; ">Under the Rules, the data collector has a duty to give the data subject an option to withhold personal sensitive information.<a href="#_ftn25" name="_ftnref25">[25]</a> A conversation with a data subject shows that this safeguard has not been upheld. The subject also conveyed a lack of knowledge of who the collection agency was. This is a problem of lack of accountability, as the data path cannot be traced and the party responsible for misuse or breach of security cannot be held liable.</p>
<h2 style="text-align: justify; ">Conclusion</h2>
<p style="text-align: justify; ">The data collection under the NPR and UID schemes shows several vulnerabilities. Apart from the vulnerabilities with biometric information, there is a real risk of misuse of the data and documents submitted for enrolment under these schemes. Since the data collectors are primarily online marketing or IT service providers, there is likelihood that they will use this data for marketing.</p>
<p style="text-align: justify; ">We can only hope that in time, data subjects will be able to withdraw their personal data from the UID database and surrender their UID number. We can only wait and watch to see whether (i) the UID Number is a legal prerequisite for the NPR Card and (ii) whether the compulsion to register for NPR is done away with.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; "><a href="#_ftnref1" name="_ftn1">[1]</a> <a href="https://portal.uidai.gov.in/uidwebportal/dashboard.do">https://portal.uidai.gov.in/uidwebportal/dashboard.do</a> accesed: 21 August, 2014</p>
<p style="text-align: justify; "><a href="#_ftnref2" name="_ftn2">[2]</a> As of January 2013, only 25 RTI requests were made to the UIDAI <a href="http://uidai.gov.in/rti/rti-requests.html">http://uidai.gov.in/rti/rti-requests.html</a> accessed: 21 August, 2014</p>
<p style="text-align: justify; "><a href="#_ftnref3" name="_ftn3">[3]</a> DIT-NPR Management Information System accessed: 22 August, 2014 <a href="http://nprmis.nic.in/NPRR33_DlyDigitPrgGraph.aspx">http://nprmis.nic.in/NPRR33_DlyDigitPrgGraph.aspx</a></p>
<p style="text-align: justify; "><a href="#_ftnref4" name="_ftn4">[4]</a> Cloud Still Hangs Over Aadhaar’s Future, Business Standard, accessed 28 August, 2014. <a href="http://www.business-standard.com/article/current-affairs/cloud-still-hangs-over-aadhaar-s-future-114081401131_1.html">http://www.business-standard.com/article/current-affairs/cloud-still-hangs-over-aadhaar-s-future-114081401131_1.html</a></p>
<p style="text-align: justify; "><a href="#_ftnref5" name="_ftn5">[5]</a> Frost & Sullivan, Best Practices Guide to Biometrics, accessed: 13 August, 2014 <a class="external-link" href="http://www.google.co.in/url?sa=t&amp;rct=j&amp;q=&amp;esrc=s&amp;source=web&amp;cd=5&amp;cad=rja&amp;uact=8&amp;ved=0CD8QFjAE&amp;url=http%3A%2F%2Fwww.frost.com%2Fprod%2Fservlet%2Fcpo%2F240303611&amp;ei=6VbsU4m8HcK58gWx64DYDQ&amp;usg=AFQjCNGqan81fX6qtG0S4VV6oh_B5R_QYg&amp;sig2=cOOPm1JJ79AcJq2Gfq1_3Q&amp;bvm=bv.73231344,d.dGc">http://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&cad=rja&uact=8&ved=0CD8QFjAE&url=http%3A%2F%2Fwww.frost.com%2Fprod%2Fservlet%2Fcpo%2F240303611&ei=6VbsU4m8HcK58gWx64DYDQ&usg=AFQjCNGqan81fX6qtG0S4VV6oh_B5R_QYg&sig2=cOOPm1JJ79AcJq2Gfq1_3Q&bvm=bv.73231344,d.dGc</a></p>
<p style="text-align: justify; "><a href="#_ftnref6" name="_ftn6">[6]</a> Malavika Jayaram, “India’s Identity Crisis”, Internet Monitor 2013, reflections of a digital world, accessed: 13 August, 2014 <a href="http://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID2366840_code727672.pdf?abstractid=2366840&mirid=1">http://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID2366840_code727672.pdf?abstractid=2366840&mirid=1</a></p>
<p style="text-align: justify; "><a href="#_ftnref7" name="_ftn7">[7]</a>M. Vatsa, et.al, “Analyzing Fingerprints of Indian Population Using Image Quality: A UIDAI Case Study” , accessed: 13 August, 2014 <a href="https://research.iiitd.edu.in/groups/iab/ICPR2010-Fingerprint.pdf">https://research.iiitd.edu.in/groups/iab/ICPR2010-Fingerprint.pdf</a></p>
<p style="text-align: justify; "><a href="#_ftnref8" name="_ftn8">[8]</a> Prakash Chandra Sao, The Unique ID Project in India: An Exploratory Study, accessed: 21 August, 2014 <a href="http://subversions.tiss.edu/the-unique-id-project-in-india-an-exploratory-study/">http://subversions.tiss.edu/the-unique-id-project-in-india-an-exploratory-study/</a></p>
<p style="text-align: justify; "><a href="#_ftnref9" name="_ftn9">[9]</a> R. 5(3) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules, 2011, accessed: 20 August, 2013 <a href="http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf">http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf</a></p>
<p style="text-align: justify; "><a href="#_ftnref10" name="_ftn10">[10]</a> National Identification Authority of India Bill, 2010 (Bill No. LXXV of 2010), accessed: 26 August,2014 http://164.100.24.219/BillsTexts/RSBillTexts/asintroduced/national%20ident.pdf</p>
<p style="text-align: justify; "><a href="#_ftnref11" name="_ftn11">[11]</a> Clause 23 of the NIAI Bill, 2010</p>
<p style="text-align: justify; "><a href="#_ftnref12" name="_ftn12">[12]</a>The UID Enrollment form, accessed: 26 August, 2014 <a href="http://uidai.gov.in/images/uid_download/enrolment_form.pdf">http://uidai.gov.in/images/uid_download/enrolment_form.pdf</a></p>
<p style="text-align: justify; "><a href="#_ftnref13" name="_ftn13">[13]</a> Documents filed and relied on in Puttuswamy v Union of India</p>
<p style="text-align: justify; "><a href="#_ftnref14" name="_ftn14">[14]</a> Request for empanelment, accessed: 28 August, 2014. <a href="http://uidai.gov.in/images/tenders/rfe_for_concurrent_evaluation_of_processoperation_at_enrolment_centers_13082014.pdf">http://uidai.gov.in/images/tenders/rfe_for_concurrent_evaluation_of_processoperation_at_enrolment_centers_13082014.pdf</a></p>
<p style="text-align: justify; "><a href="#_ftnref15" name="_ftn15">[15]</a> This information is available from the documents filed and relied on in Puttuswamy v Union Of India, which is being heard in the Supreme Court of India</p>
<p style="text-align: justify; "><a href="#_ftnref16" name="_ftn16">[16]</a> An anonymous registrant observes that the data was scanned behind a screen and was not visible from the registered counter. The registrant is concerned that, in addition to collection of information for the UID, photocopies or digital copies could be taken for other uses and the registrant would not know.</p>
<p style="text-align: justify; "><a href="#_ftnref17" name="_ftn17">[17]</a> Counter Affidavit filed in the Supreme Court of India on behalf on New Delhi in K. Puttuswamy v Union of India</p>
<p style="text-align: justify; ">It is also admitted that the census is equally vulnerable. The information collected through census is used for the NPR exercise.</p>
<p style="text-align: justify; "><a href="#_ftnref18" name="_ftn18">[18]</a> Para. 48 in the Counter Affidavit filed by NCR Delhi.</p>
<p style="text-align: justify; "><a href="#_ftnref19" name="_ftn19">[19]</a> Affidavit in K. Puttuswamy v Union of India.</p>
<p style="text-align: justify; "><i>See also: </i>FAQs: Enrollment Agencies, accessed 22 August, 2014 <a href="http://uidai.gov.in/faq.html?catid=37">http://uidai.gov.in/faq.html?catid=37</a></p>
<p style="text-align: justify; "><a href="#_ftnref20" name="_ftn20">[20]</a> Usha Ramanathan, A Tale of Two Turfs, The Statesman, accessed: 20 August, 2014 <a href="http://www.thestatesman.net/news/10497-a-tale-of-two-turfs-npr-and-uid.html?page=3">http://www.thestatesman.net/news/10497-a-tale-of-two-turfs-npr-and-uid.html?page=3</a></p>
<p style="text-align: justify; "><a href="#_ftnref21" name="_ftn21">[21]</a> RFQ for Engaging MSP for Biometric Enrolment for the Creation of NPR, accessed: 26 August, 2014 http://ditnpr.nic.in/pdf/120102_RFQBiometricUrban_rebidding-Draft.pdf</p>
<p style="text-align: justify; "><a href="#_ftnref22" name="_ftn22">[22]</a> Prakash Chandra Sao, The Unique ID Project in India: An Exploratory Study, accessed: 21 August, 2014 <a href="http://subversions.tiss.edu/the-unique-id-project-in-india-an-exploratory-study/">http://subversions.tiss.edu/the-unique-id-project-in-india-an-exploratory-study/</a></p>
<p style="text-align: justify; "><a href="#_ftnref23" name="_ftn23">[23]</a> <a href="http://censusindia.gov.in/2011-Common/IntroductionToNpr.html">http://censusindia.gov.in/2011-Common/IntroductionToNpr.html</a>, accessed: 26 August, 2014</p>
<p style="text-align: justify; "><a href="#_ftnref24" name="_ftn24">[24]</a> R. 5(3) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules, 2011, accessed: 20 August, 2013 <a href="http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf">http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf</a></p>
<p style="text-align: justify; "><a href="#_ftnref25" name="_ftn25">[25]</a> R. 5(7) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules, 2011.</p>
<table style="text-align: justify; ">
</table>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/biometrics-an-angootha-chaap-nation'>https://cis-india.org/internet-governance/blog/biometrics-an-angootha-chaap-nation</a>
</p>
No publisherMukta BatraUIDAadhaarInternet GovernancePrivacy2014-09-19T06:12:17ZBlog EntryUID and NPR: Towards Common Ground
https://cis-india.org/internet-governance/blog/uid-npr-towards-common-ground
<b>The UID (Unique Identification) and NPR (National Population Register) are both government identity schemes that aggregate personal data, including biometric data for the provision of an identification factor, and aim to link them with the delivery of public utility services.</b>
<p style="text-align: justify; ">The differences between the two exist in terms of collection of data, the type of identification factor issued, authorities involved and the outcome.</p>
<p style="text-align: justify; ">Despite the differences, there has been talk of combining the two schemes because of the overlap.<a href="#_ftn1" name="_ftnref1">[1]</a> In the same breath, it has been argued that the two schemes are incompatible. <a href="#_ftn2" name="_ftnref2">[2]</a></p>
<p style="text-align: justify; ">One of the UIDAI’s (Unique Identification Authority of India) functions is to harmonize the two schemes. <a href="#_ftn3" name="_ftnref3">[3]</a></p>
<p style="text-align: justify; ">As it stands, the schemes are distinct. Enrolment for a UID does not lead to automatic enrolment in the NPR. The NPR website expressly states that even if a data subject has undergone census or has been granted a UID Number, it is necessary to visit a data collection centre to provide biometric data for the NPR.<a href="#_ftn4" name="_ftnref4">[4]</a></p>
<h2 style="text-align: justify; ">UID and NPR: The Differences</h2>
<h3 style="text-align: justify; ">The Basis of identity/ Unit of Survey</h3>
<p style="text-align: justify; ">The most striking difference between the UID and NPR Schemes is their notion of identity. The UID is individual based, whereas the NPR scheme focuses on the household or the family as a composite unit. Thus, the UID seeks to enroll individuals while the NPR seeks to gather data of the members of a household or family as a composite unit during the census and later register each person for an NPR Card, on the basis of the census data. To this extent, analysis of the data gathered from the two schemes will be different and will require differing analytical tools. The definition of the data subject and the population is different. In one scheme, the unit is an individual; in the other it is the household/family. Though the family is the composite unit in the NPR, the data is finally extracted it is unpaired to provide individuals NPR cards, but the family based association is not lost and it is argued that this household association of NPR should be used to calculate and provide subsidies. Some states have put on hold transfer of cooking gas subsidy, which is calculated for each household, through Aadhar-linked bank accounts.<a href="#_ftn5" name="_ftnref5">[5]</a> If both schemes were merged, the basis for determining entitlement to subsidies would be non-uniform.</p>
<h3 style="text-align: justify; ">Differences in Information Collection</h3>
<p style="text-align: justify; ">The UID and NPR have different procedures for collection of information. In the UID scheme, all data is collected in data collection centres whereas NPR data is collected door to door in part and in collection centres for the other part.</p>
<p style="text-align: justify; ">UID data is collected by the UIDAI themselves or by private parties, under contract. These contractors are private parties: often, online marketing service providers.<a href="#_ftn6" name="_ftnref6">[6]</a> The data subjects were initially allowed registration through an introducer and without any documentation. This was replaced with the verification system where documents were to be produced for registration for UID.</p>
<p style="text-align: justify; ">The NPR involves a dual collection process- the first stage is the door-to-door collection of data as part of the Census. This information is collected through questionnaire. No supporting documents/ proof is produced to verify this data. The verification happens at a later stage, through public display of the information. This data is digitized. The data subjects are then to give their biometric data at the data collection centres, on the production of the census slip. The biometric data collectors are parties who are empanelled by the UIDAI and are eligible to collect data under the UID Scheme. A subject’ s data is aggregated and then de-duplicated by the UIDAI. <a href="#_ftn7" name="_ftnref7">[7]</a></p>
<p style="text-align: justify; ">This shows two points of merger. It can be suggested that when data is collected for the UID number, then the subject should not have to give their biometrics for the NPR Scheme again. The sharing of biometrics across the schemes will reduce cost and redundancy. While sharing of UID data with NPR is feasible, the reverse is not true, since UID is optional and NPR is not. If NPR data is to be shared with UID, then the subject has the right to refuse. However, the consent for using NPR data for the UID is a default YES in the UID form. <a href="#_ftn8" name="_ftnref8">[8]</a> Prohibiting the information sharing is no option.</p>
<h3 style="text-align: justify; ">Differences in Stated Purposes</h3>
<p style="text-align: justify; ">The NPR is linked to citizenship status. The NPR exercise is being conducted to create a national citizen register and to assist in identifying and preventing illegal immigration. The NPR card, a desired outcome, is aimed to be a conduit for transactions relating to subsidies and public utilities.<a href="#_ftn9" name="_ftnref9">[9]</a> So is the UID Number, which was created to provide the residents of India an identity. The linkage and provision of subsidies through the NPR and UID cards have not taken off on a large scale and there is a debate as to which will be more appropriate for direct benefit transfer, with some leaders proclaiming that the NPR scheme is more suited to direct benefit transfer.<a href="#_ftn10" name="_ftnref10">[10]</a> Since the UID Number is linked to direct benefit transfer, but not to citizenship, benefits such as those under the MNREGA scheme, may be availed by non-citizens as well, though only citizens are eligible for the scheme.<a href="#_ftn11" name="_ftnref11">[11]</a></p>
<p style="text-align: justify; ">C. Chandramouli, the Registrar General and Census Commissioner of India, states that the conflict between the two schemes is only perceived, and results from a poor understanding of the differences in objective. The NPR, he states is created to provide national security through the creation of a citizen register, starting with a register of residents after authentication and verification of the residence of the subjects. On the other hand, the UID exercise is to provide a number that will be used to correctly identify a person.<a href="#_ftn12" name="_ftnref12">[12]</a></p>
<h3 style="text-align: justify; ">Difference in Legal Sanctity</h3>
<p style="text-align: justify; ">The UIDAI was set up through an executive notification, which dictates a few of its responsibility, including: assigning a UID number, collating the UID and NPR schemes, laying down standards for interlinking with partner databases and so on. However, the UIDAI has not expressed responsibility to collect, or authorize collection of data under this scheme. The power to authorize the collection of biometrics is vested with the National Identification Authority of India (NIAI), which will be set up under the National Identification Authority of India Bill, (NIAI Bill, which is at times referred to as the UID Bill).</p>
<p style="text-align: justify; ">The NPR Scheme has been created pursuant to the 2004 Amendment of the Citizenship Act. Under S. 14A of the Citizenship Act, the central government has the power to compulsorily register citizens for an Identity Card. This gives the NPR exercise sanctity. However, no authority to collect biometric information has been given either under this Act or Rules framed under it.</p>
<h2 style="text-align: justify; ">Future of Aadhaar</h2>
<p style="text-align: justify; ">The existence of both the UID and NPR Schemes leads to redundancy. Therefore, many have advocated for their merger. This seems impractical, as the standards in collection and management of data are not the same.</p>
<p style="text-align: justify; ">For some time, it was thought that the Aadhaar Scheme would be scrapped. This belief was based on the present government’s opposition to the scheme during and before the election. This was further strengthened by the fact that they did not expressly mention the continuance of the scheme in their manifesto. The Cabinet Committee on UIDAI was disbanded and the enrolment for the UID Number was stopped, only to be resumed a short while later.<a href="#_ftn13" name="_ftnref13">[13]</a></p>
<p style="text-align: justify; ">However, recent events show that the Aadhaar scheme will continue. First, the new government has stated that the UID scheme will continue. In support of the UID Scheme, the government has made budgetary allocation for the scheme to enable, <i>inter-alia,</i> it being sped-up. The Government even intends to enact a law to give the scheme sanctity. <a href="#_ftn14" name="_ftnref14">[14]</a></p>
<p style="text-align: justify; ">Second, the Government is assigning the UID Number new uses. To track attendance of government employees, the Government shall use a biometric attendance system, which is linked to the employees UID Number. <a href="#_ftn15" name="_ftnref15">[15]</a> The attendance will be uploaded onto a website, to boost transparency.</p>
<p style="text-align: justify; ">Third, direct benefit transfers under the UID will become more vigorous.</p>
<p style="text-align: justify; ">The UID is already necessary for registration under the NPR, which is compulsory.</p>
<p style="text-align: justify; ">Providing one’s UID Number for utilities such as cooking gas is also compulsory in several areas, despite the Courts diktat that it should not be so.<a href="#_ftn16" name="_ftnref16">[16]</a></p>
<h2 style="text-align: justify; ">Conclusion</h2>
<p style="text-align: justify; ">The government is in favour of continuing both the schemes. Therefore, it is unlikely that either scheme will be scrapped or that the two schemes will be combined. The registration for UID is becoming compulsory by implication as it is required for direct benefit transfers and for utilities. Data collected under NPR is being shared with the UIDAI by default, when one registers for a UID number. However, the reverse is unlikely, as the UID collects secondary data, whereas NPR requires primary data, which it collects through physical survey and authentication. Perhaps the sharing of data could be incorporated when one goes to the data collection centre to submit biometrics for the NPR. The subject could fill in the UID form and submit verification documents at this stage, completing both exercises in one go. This will drastically reduce the combined costs of the two exercises.</p>
<hr style="text-align: justify; " />
<p><a href="#_ftnref1" name="_ftn1">[1]</a> Rajesh Aggarwal, Merging UID and NPR???, Igovernment, accessed 5 September, 2014 <a href="http://www.igovernment.in/igov/opinion/41631/merging-npr-uid">http://www.igovernment.in/igov/opinion/41631/merging-npr-uid</a>; Bharti Jain, Rajnath Hints at Merger of NPR and Aadhar, Times of India, accessed 5 September, 2014 <a href="http://timesofindia.indiatimes.com/india/Rajnath-hints-at-merger-of-NPR-and-Aadhaar/articleshow/35740480.cms">http://timesofindia.indiatimes.com/india/Rajnath-hints-at-merger-of-NPR-and-Aadhaar/articleshow/35740480.cms</a></p>
<p style="text-align: justify; "><a href="#_ftnref2" name="_ftn2">[2]</a> Raju Rajagopal, The Aadhar-NPR Conundrum, Mint, accessed 5 September, 2014 <a href="http://www.livemint.com/Opinion/tvpoCYeHxrs2Z7EkAAu7bP/The-AadhaarNPR-conundrum.html">http://www.livemint.com/Opinion/tvpoCYeHxrs2Z7EkAAu7bP/The-AadhaarNPR-conundrum.html</a> .</p>
<p style="text-align: justify; "><a href="#_ftnref3" name="_ftn3">[3]</a> Cl, 4 of the Notification on the creation o fthe UIDAI, No. A-43011/02/2009-Admin.1 of the Planning Commission of India, dated 28 January, 2009</p>
<p style="text-align: justify; "><a href="#_ftnref4" name="_ftn4">[4]</a> FAQ for NPR, accessed: 3 September, 2014. <a href="http://censusindia.gov.in/2011-Common/FAQs.html">http://censusindia.gov.in/2011-Common/FAQs.html</a></p>
<p style="text-align: justify; "><a href="#_ftnref5" name="_ftn5">[5]</a> A Jolt for Aadhar: UPA Shouldn’t Have to Put on Hold its Only Good Idea,Business Standard, accessed 5 September, 2014 <a href="http://www.business-standard.com/article/opinion/a-jolt-for-aadhaar-114020301243_1.html">http://www.business-standard.com/article/opinion/a-jolt-for-aadhaar-114020301243_1.html</a></p>
<p style="text-align: justify; "><a href="#_ftnref6" name="_ftn6">[6]</a> Prakash Chandra Sao, The Unique ID Project in India: An Exploratory Study, accessed: 21 August, 2014 <a href="http://subversions.tiss.edu/the-unique-id-project-in-india-an-exploratory-study/">http://subversions.tiss.edu/the-unique-id-project-in-india-an-exploratory-study/</a></p>
<p style="text-align: justify; "><a href="#_ftnref7" name="_ftn7">[7]</a> NPR Activities, accessed 5 September, 2014, <a class="external-link" href="http://ditnpr.nic.in/NPR_Activities.aspx">http://ditnpr.nic.in/NPR_Activities.aspx</a></p>
<p style="text-align: justify; "><a href="#_ftnref8" name="_ftn8">[8]</a> R. Dinakaran, NPR and Aadhar- A Confused Process, The Hindu BusinessLine, accessed: 4 September, 2014 <a href="http://www.thehindubusinessline.com/blogs/blog-rdinakaran/npr-and-aadhaar-a-confused-process/article4940976.ece">http://www.thehindubusinessline.com/blogs/blog-rdinakaran/npr-and-aadhaar-a-confused-process/article4940976.ece</a></p>
<p style="text-align: justify; "><a href="#_ftnref9" name="_ftn9">[9]</a> More than sixty-five thousand NPR cards have been issued and biometric data of more than twenty-five lakh people has been captured, as on 28 August, 2014 <a href="http://censusindia.gov.in">http://censusindia.gov.in</a></p>
<p style="text-align: justify; "><a href="#_ftnref10" name="_ftn10">[10]</a> NPR, not Aadhaar, best tool for cash transfer: BJP's Sinha, accessed: 3 September, <a class="external-link" href="http://www.moneycontrol.com/master_your_money/stocks_news_consumption.php?autono=1035033">http://www.moneycontrol.com/master_your_money/stocks_news_consumption.php?autono=1035033</a></p>
<p style="text-align: justify; "><a href="#_ftnref11" name="_ftn11">[11]</a> Bharati Jain, NDA's national ID cards may kill UPA's Aadhaar, accessed 3 September, 2014 <a href="http://timesofindia.indiatimes.com/india/NDAs-national-ID-cards-may-kill-UPAs-Aadhaar/articleshow/36791858.cms">http://timesofindia.indiatimes.com/india/NDAs-national-ID-cards-may-kill-UPAs-Aadhaar/articleshow/36791858.cms</a></p>
<p style="text-align: justify; "><a href="#_ftnref12" name="_ftn12">[12]</a> <i>Id.</i></p>
<p style="text-align: justify; "><a href="#_ftnref13" name="_ftn13">[13]</a> Aadhar Enrolment Drive Begins Again, accessed 3 Spetember, 2014 <a href="http://timesofindia.indiatimes.com/city/gurgaon/Aadhaar-enrolment-drive-begins-again/articleshow/38280932.cms">http://timesofindia.indiatimes.com/city/gurgaon/Aadhaar-enrolment-drive-begins-again/articleshow/38280932.cms</a></p>
<p style="text-align: justify; "><a href="#_ftnref14" name="_ftn14">[14]</a> Mahendra Singh, Modi govt to give legal backing to Aadhaar, Times of India, <a href="http://timesofindia.indiatimes.com/india/Modi-govt-to-give-legal-backing-to-Aadhaar/articleshow/38336812.cms">http://timesofindia.indiatimes.com/india/Modi-govt-to-give-legal-backing-to-Aadhaar/articleshow/38336812.cms</a></p>
<p style="text-align: justify; "><a href="#_ftnref15" name="_ftn15">[15]</a> Narendra Modi Government to Launch Website to Track Attendance of Central Government Employees, DNA, accessed: 4 September, 2014 <a href="http://www.dnaindia.com/india/report-narendra-modi-government-to-launch-website-to-track-attendance-of-central-government-employees-2014684">http://www.dnaindia.com/india/report-narendra-modi-government-to-launch-website-to-track-attendance-of-central-government-employees-2014684</a></p>
<p style="text-align: justify; "><a href="#_ftnref16" name="_ftn16">[16]</a> No gas supply without Aadhaar card, Deccan Chronicle, accessed: 4 September, 2014, <a href="http://www.deccanchronicle.com/140829/nation-current-affairs/article/no-gas-supply-without-aadhaar-card">http://www.deccanchronicle.com/140829/nation-current-affairs/article/no-gas-supply-without-aadhaar-card</a></p>
<hr />
<p>Note: This is an anonymous post.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/uid-npr-towards-common-ground'>https://cis-india.org/internet-governance/blog/uid-npr-towards-common-ground</a>
</p>
No publisherMukta BatraUIDAadhaarInternet GovernancePrivacy2014-10-15T13:06:40ZBlog EntryPratap Vikram Singh - Why Aadhaar is Baseless?
https://cis-india.org/internet-governance/news/gov-now-pratap-vikram-singh-17032016-why-aadhaar-is-baseless
<b>This article by Pratap Vikram Singh, Governance Now, discusses the problems emerging out of the UIDAI project due to its lack of mechanisms for informed and granular consent, and for seeking recourse in the case of denial of service. The article quotes Sumandro Chattapadhyay and mentions Hans Varghese Mathew's work on the biometric basis of UIDAI. It was written before the Aadhaar bill was passed in Lok Sabha.</b>
<p> </p>
<p><em>Cross-posted from <a class="external-link" href="http://www.governancenow.com/news/regular-story/baseless-aadhaar">Governance Now</a>.</em></p>
<hr />
<p style="text-align: justify;">It was no less than a roller-coaster ride for Aadhaar, a programme formulated by the UPA government to assign a 12-digit unique number to every Indian resident. From the time it came into being in 2009, Aadhaar drew a volley of criticism, thanks to the misgivings and apprehensions that various critics and civil society organisations had. It was criticised for lack of a clear purpose, degree of effectiveness and absence of a privacy law and was virtually thrown into the bin by a parliamentary panel headed by BJP’s Yashwant Sinha in December 2011.</p>
<p style="text-align: justify;">When the finance minister Arun Jaitley, in his budget speech, announced that the government would introduce the Aadhaar bill during the budget session, expectations were already set high. The bill, giving statutory backing to the unique identification authority of India (UIDAI), the implementing authority, was passed by the Lok Sabha on March 11. While the privacy and voluntary versus mandatory provisions are under the consideration of the supreme court, the bill makes way for linking Aadhaar with all government subsidies, benefits and services. The law on Aadhaar, former UIIDAI chairman Nandan Nilekani wrote in the Indian Express, will help the government in going paperless, presence-less and cashless. The legislation, however, fails to deliver on several counts.</p>
<p style="text-align: justify;">However, prior to evaluating the bill (yet to be passed by the Rajya Sabha at the time of this writing though it is a money bill), let us take a look at its major aspects. For those, who always wondered whether Aadhaar is mandatory or voluntary, the bill 2016 makes it mandatory to avail subsidy, benefit or a service from the government.</p>
<p style="text-align: justify;">The bill has provisions related to information security and confidentiality (section 28) which not only extend to employees of the UIDAI but also consultants and external agencies working with the authority.</p>
<p style="text-align: justify;">The proposed law restricts information sharing. It bars UIDAI from sharing core biometric information – the bill defines it as fingerprints and iris scan – with “anyone for any reason whatsoever” or “used for any purpose other than generation of Aadhaar numbers and authentication under this Act”. The section 32 of the bill entitles Aadhaar number holders to access her or his authentication record. It also bars the authority from collecting, keeping or maintaining information about the purpose of authentication.</p>
<h3>Odd Drives the Bill</h3>
<p style="text-align: justify;">While the intent is clear and is aimed at streamlining welfare schemes to ensure it reaches the bottom of the pyramid, cutting through the long chain of pilferage and subversion, the bill, however, has several shortcomings. To begin with, the government should not have taken the money bill route to pass the legislation – tactfully avoiding any conclusive discussion and debate in the Rajya Sabha, where it is in minority.</p>
<p style="text-align: justify;">The bill assumes that the technology and the biometric system used by the UIDAI are flawless and it doesn’t provide any recourse in case of denial of a service. “If your fingerprint is not matching and you lose out on service, then what is the alternative mechanism you have,” asks Sumandro Chattapadhyay, research director, centre for internet and society (CIS). The bill doesn’t provide for recourse. “What if the scanning machine fails? What if the identifiers of two people match?”</p>
<p style="text-align: justify;">Based on experiments conducted in the initial days of the Aadhaar programme, Hans Verghese Mathews, another CIS researcher, did a study on the probability of matching of identifiers of two persons. “For the current population of 1.2 billion the expected proportion of duplicands (users whose identifiers match) is 1/121, a ratio which is far too high,” Mathews wrote in the Economic and Political Weekly in February.</p>
<p style="text-align: justify;">“It is like putting the technology in a black box – which can’t be reviewed,” says Chattapadhyay. The bill doesn’t talk about setting up an independent body to review the logs and keep an eye on wrong and duplicate matches.</p>
<h3>Who Defines National Security?</h3>
<p style="text-align: justify;">According to public policy experts, it is an attempt to seek “minimal legitimacy” from parliament and further adds to the unbridled power of the executive.</p>
<p style="text-align: justify;">Although the bill restricts information sharing in section 29, sections 33 and 48 provide exemption in cases of national security and public emergency, respectively. The legislation, nevertheless, doesn’t elaborate on what constitutes national security and public emergency, leaving it to the executives. The section 33 reads: “Nothing contained in… shall apply in respect of any disclosure of information, including identity information or authentication records, made in the interest of national security….”</p>
<p style="text-align: justify;">Similarly, section 48 states that if, at any time, the central government is of the opinion that a public emergency exists, “the central government may, by notification, supersede the Authority for such period, not exceeding six months, as may be specified in the notification and appoint a person or persons as the president may direct to exercise powers and discharge functions under this Act”.</p>
<p style="text-align: justify;">Says Jayati Ghosh, professor, centre for economic studies and planning, Jawaharlal Nehru University, “National security is a very opaque term. Who decides what national security is? Today, the whole JNU is being projected as a threat to national security.” Swagato Sarkar, associate professor and executive director, Jindal school of government and public policy, OP Jindal Global University, says, “The bill has provisions for oversight on the use of Aadhaar, but then it suspends those provisions in case of emergency in the later sections, giving the state the power to use biometric information for whatever it deems fit.”</p>
<p style="text-align: justify;">Sarkar adds, “It seems the bill is simply an instrument for seeking minimum legitimacy from parliament. The bill tries to address the concern of privacy minimally and it hardly serves any purpose.” He believes that there is a need to define the broader contours of democratic control of the state and reassess the changing state-citizen relationship, instead of rejecting the whole idea on the basis of surveillance and privacy. In other words, there is a need for strong parliamentary oversight, and that the Aadhaar related matters shouldn’t be completely delegated to the executive.</p>
<p style="text-align: justify;">In its recommendations on formulating Privacy Act, the justice AP Shah committee in 2012 provided for establishing the office of privacy commissioner at the regional and central levels, defining the role of self-regulating organisations and co-regulation, and creating a system of complaints and redressal for aggrieved individuals. Since the country still doesn’t have any legislation on privacy, people are left on their own in case of an infringement or violation of privacy. Moreover, section 47 states, “No court shall take cognizance of any offence punishable under this Act, save on a complaint made by the Authority or any officer or person authorised by it.”</p>
<p style="text-align: justify;">In its report, the parliamentary committee headed by Yashwant Sinha notes that “enactment of national data protection law… is a prerequisite for any law that deals with large scale collection of information from individuals and its linkages across separate databases”. The committee notes that in absence of data protection legislation, it would be difficult to deal with issues of access, misuse of personal information, surveillance, profiling, linking and matching of databases and securing confidentiality of information.</p>
<h3>Subsidy-Aadhaar Linkage</h3>
<p style="text-align: justify;">The Sinha committee also takes a cautious view of the role of Aadhaar in curbing leakages in subsidy distribution, as beneficiary identification is done by states. It notes, “Even if the Aadhaar number links entitlements to targeted beneficiaries, it may not even ensure that beneficiaries have been correctly identified. Thus, the present problem of proper identification would persist.”</p>
<p style="text-align: justify;">According to Ghosh, the biggest danger in using Aadhaar for social welfare programmes is that the fingerprints of the rural working class is not always in good shape and hence Aadhaar will not be the best way of identification. “If I am misidentified, I can go to so many places for recourse. But what if a labourer in a remote Jharkhand village is misidentified? Where and whether he would go?” the economist asks. Besides, the bill doesn’t limit the use of Aadhaar and defines areas where it can be used. Section 57 says that the law will not prevent the use of Aadhaar number for establishing the identity of an individual for any purpose, “whether by the state or anybody corporate or person, pursuant to any law, for the time being in force or any contract to this effect.”</p>
<p style="text-align: justify;">According to a PRS Legislative review, since the bill also allows private persons to use Aadhaar as a proof of identity for any purpose, the provision will open a floodgate and enable private entities such as airlines, telecom, insurance and real estate companies to mandate Aadhaar as a proof of identity for availing their services.</p>
<p style="text-align: justify;">Since the bill doesn’t restrict its application, people will not have a choice to identify themselves other than using Aadhaar when corporate organisations make it mandatory, says Chattapadhyay of the CIS. Adds Sarkar, “The bill should clearly mention sectors or services where Aadhaar will be potentially used (or made mandatory). Every time a new sector or service is added to the list, it is done after parliamentary approval.”</p>
<p style="text-align: justify;">So far, 98 crore people have been assigned Aadhaar number. So far the project has costed Rs 8,000 crore.</p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/gov-now-pratap-vikram-singh-17032016-why-aadhaar-is-baseless'>https://cis-india.org/internet-governance/news/gov-now-pratap-vikram-singh-17032016-why-aadhaar-is-baseless</a>
</p>
No publisherpraskrishnaUIDPrivacyInternet GovernanceDigital IndiaAadhaarBiometrics2016-04-02T05:31:30ZNews ItemFAQ on the Aadhaar Project and the Bill
https://cis-india.org/internet-governance/blog/aadhaar-project-and-bill-faq
<b>This FAQ attempts to address the key questions regarding the Aadhaar/UIDAI project and the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 (henceforth, Bill). This is neither a comprehensive list of questions, nor does it contain fully developed answers. We will continue to add questions to this list, and edit/expand the answers, based on our ongoing research. We will be grateful to receive your comments, criticisms, evidences, edits, suggestions for new answers, and any other responses. These can either be shared as comments in the document hosted on Google Drive, or via tweets sent to the information policy team at @CIS_InfoPolicy. </b>
<p> </p>
<h4>To comment on and/or download the file, click <a href="https://docs.google.com/document/d/1ib5bQUgZZ7PABurMHlzmfwZK6932DFQI6hUlad-vwfI/edit?usp=sharing" target="_blank">here</a>.</h4>
<hr />
<iframe src="https://docs.google.com/document/d/1ib5bQUgZZ7PABurMHlzmfwZK6932DFQI6hUlad-vwfI/pub?embedded=true" height="500" width="100%"></iframe>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/aadhaar-project-and-bill-faq'>https://cis-india.org/internet-governance/blog/aadhaar-project-and-bill-faq</a>
</p>
No publisherElonnai Hickok, Vanya Rakesh, and Vipul KharbandaUIDPrivacyInternet GovernanceFeaturedDigital IndiaAadhaarBiometricsHomepage2016-04-13T14:06:43ZBlog EntryMongoDB startup hired by Aadhaar got funds from CIA VC arm
https://cis-india.org/news/economic-times-december-30-2013-lison-joseph-mongo-db-startup-hired-by-aadhar-got-funds-from-cia-vc-arm
<b>Two weeks ago, Max Schireson, chief executive of MongoDB, a New York-based technology startup, was in New Delhi to sew up a very important contract for his company — with the Unique Identification Authority of India (UIDAI).</b>
<p>The article by Lison Joseph was <a class="external-link" href="http://articles.economictimes.indiatimes.com/2013-12-03/news/44710564_1_uidai-chairman-nandan-nilekani-uid-data-in-q-tel">published in the Economic Times</a> on December 3, 2013. Sunil Abraham is quoted.</p>
<hr />
<p style="text-align: justify; ">The contract is yet to be announced but what could raise eyebrows is the fact that <a href="http://economictimes.indiatimes.com/topic/MongoDB">MongoDB</a> is part-funded by the US' <a href="http://economictimes.indiatimes.com/topic/Central%20Intelligence%20Agency">Central Intelligence Agency</a>.</p>
<p style="text-align: justify; ">The company is expected to help in capturing and analysing data related to the ambitious plan to issue a unique identity number — Aadhaar — to over a billion citizens.</p>
<p style="text-align: justify; ">MongoDB, which makes software that helps manage large databases, especially unstructured data, has raised $231 million (Rs1,400 crore) since being founded in 2007. Some of its funding is from In-Q-Tel, the not-for-profit venture capital arm of CIA.</p>
<p style="text-align: justify; ">While MongoDB lists In-Q-Tel as one of its investors on its website, the company has not disclosed the quantum of funding received from it. The fund's stated mission is to identify, adapt and deliver innovative technology solutions to support the missions of CIA and the broader US intelligence community.</p>
<p style="text-align: justify; ">Besides CIA, In-Q-Tel works with National Geospatial-Intelligence Agency, Defense Intelligence Agency and Department of Homeland Security Science and Technology Directorate.</p>
<table class="plain" style="text-align: justify; ">
<tbody>
<tr>
<th><img src="https://cis-india.org/home-images/copy_of_crunchingdata.png" alt="crunching data" class="image-inline" title="crunching data" /></th>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">"Once an investment is made, IQT (the fund) works with the company and the intelligence community partner agency to complete a work program and facilitate solution delivery," the fund's website said. The quote describes IQT's relationship with any company in which it invests in and is not specific to MongoDB.</p>
<p style="text-align: justify; ">Neither <a href="http://economictimes.indiatimes.com/topic/UIDAI">UIDAI</a> nor MongoDB responded to queries from ET on whether the CIA link was considered before entering into a partnership. UIDAI Chairman <a href="http://economictimes.indiatimes.com/topic/Nandan%20Nilekani">Nandan Nilekani</a> did not respond to emails, messages and phone calls.</p>
<p style="text-align: justify; ">A senior UIDAI official confirmed the agency has entered into an agreement with MongoDB and that the company's database software is already being used for analysing the pace at which registration of new beneficiaries is taking place.</p>
<p style="text-align: justify; ">It is not clear if MongoDB's vendor relationship would be with UID directly or with one of the system integrators that UID works with. Schireson, the CEO, was also one of the national co-chairs for Technology for Obama, an interest group that campaigned for the reelection of President <a href="http://economictimes.indiatimes.com/topic/Barack%20Obama">Barack Obama</a> after his first term.</p>
<p style="text-align: justify; ">There is no evidence in the public domain that the firm is controlled or significantly influenced by the CIA in any manner.</p>
<p style="text-align: justify; ">But the revelations of <a href="http://economictimes.indiatimes.com/topic/Edward%20Snowden">Edward Snowden</a>, a former NSA contractor-turned-whistleblower that US intelligence agencies routinely intercepted communication in Europe and Asia, including in India has raised concerns. Experts said the UID's centralised design could pose a risk, where even a single mistake can make the whole system disproportionately vulnerable.</p>
<p style="text-align: justify; ">"The risk exposure because of CIA involvement (could be that) if MongoDB is a data controller, then secret courts and secret court orders could be used to get access to the UID data," said Sunil Abraham, executive director at the Centre for Internet and Society.</p>
<p style="text-align: justify; ">He added that even if UIDAI is only using the source code without getting into a commercial relationship with MongoDB, they should audit the source code to check if CIA has introduced any back doors. "This is because Snowden has told us that the army of mathematicians working for the US government has compromised some standards even though they were developed in an open, participatory and transparent fashion." MongoDB, whose name is a play on the word humongous, competes with Oracle, IBM and Microsoft. It has around 320 employees and some 600 customers. At its latest round of $150 million in fund-raising in October, the company was valued at about $1.2 billion, according to Bloomberg. Other investors include Intel Capital, Salesforce-.com, Red Hat and Sequoia.</p>
<p>
For more details visit <a href='https://cis-india.org/news/economic-times-december-30-2013-lison-joseph-mongo-db-startup-hired-by-aadhar-got-funds-from-cia-vc-arm'>https://cis-india.org/news/economic-times-december-30-2013-lison-joseph-mongo-db-startup-hired-by-aadhar-got-funds-from-cia-vc-arm</a>
</p>
No publisherpraskrishnaUIDInternet Governance2013-12-13T11:53:32ZNews ItemAadhaar Act and its Non-compliance with Data Protection Law in India
https://cis-india.org/internet-governance/blog/aadhaar-act-and-its-non-compliance-with-data-protection-law-in-india
<b>This post compares the provisions of the Aadhaar Act, 2016, with India's data protection regime as articulated in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.</b>
<p> </p>
<h4>Download the file: <a href="https://cis-india.org/internet-governance/blog/aadhaar-act-43a-it-rules" class="internal-link">PDF</a>.</h4>
<hr />
<p style="text-align: justify;">Amidst all the hue and cry, the Aadhaar Act 2016, which was introduced with the aim of providing statutory backing to the use of Aadhaar, was passed in the Lok Sabha in its original form on March 16, 2016, after rejecting the recommendations made by Rajya Sabha <a name="_ftnref1"></a> . Though the Act has been vehemently opposed on several grounds, one of the concerns that has been voiced is regarding privacy and protection of the demographic and biometric information collected for the purpose of issuing the Aadhaar number.</p>
<p style="text-align: justify;">In India, for the purpose of data protection, a body corporate is subject to section 43A of the Information Technology Act, 2000 ("<strong>IT Act</strong> ") and subsequent Rules, i.e. -The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 ("<strong>IT Rules</strong>"). Section 43A of the IT Act, 2000 <a name="_ftnref2"></a> holds a body corporate, which is possessing, dealing or handling any sensitive personal data or information, and is negligent in implementing and maintaining reasonable security practices resulting in wrongful loss or wrongful gain to any person, liable to compensate the affected person and pay damages.</p>
<p style="text-align: justify;">Rule 3 of the IT Rules enlists personal information that would amount to Sensitive personal data or information of a person and includes the biometric information. Even the Aadhaar Act states under section 30 that the biometric information collected shall be deemed as "sensitive personal data or information", which shall have the same meaning as assigned to it in clause (iii) of the Explanation to section 43A of the IT Act; this reflects that biometric data collected in the Aadhaar scheme will receive the same level of protection as is provided to other sensitive personal data under Indian law. This implies that, the agencies contracted by the UIDAI (and not the UIDAI itself) to perform functions like collection, authentication, etc. like the Registrars, Enrolling Agencies and Requesting Entities, which meet the criteria of being a 'body corporate' as defined in section 43A, <a name="_ftnref3"></a> could be held responsible under this provision, as well as the Rules, to ensure security of the data and information of Aadhaar holder and could potentially be held liable for breach of information that results in loss to an individual if it can be proven that they failed to implement reasonable security practices and procedures.</p>
<p style="text-align: justify;">In light of the fact that some actors in the Aadhaar scheme could be held accountable and liable under section 43A and associated Rules, this article compares the regulations regarding data security as found in section 43A and IT Rules 2011 with the provisions of Aadhaar Act 2016, and discusses the implications of the differences, if any.</p>
<h3>1. Compensation and Penalty</h3>
<p style="text-align: justify;"><strong>Section 43A:</strong> Section 43A of the IT Act, 2000 (Amended in 2008) provides for compensation for failure to protect data. It states that a body corporate, which is possessing, dealing or handling any sensitive personal data or information, and is negligent in implementing and maintaining reasonable security practices resulting in wrongful loss or wrongful gain to any person, is liable to compensate the affected person and pay damages not exceeding five crore rupees.</p>
<p style="text-align: justify;"><strong>Aadhaar</strong> <strong>Act :</strong> Chapter VII of the Act provides for offences and penalties, but does not talk about damages to the affected party.</p>
<ul style="text-align: justify;">
<li>Section 37 states that intentional disclosure or dissemination of identity information, to any person not authorised under the Aadhaar Act, or in violation of any agreement entered into under the Act, will be punishable with imprisonment up to three years or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company). </li>
<li>Section 38 prescribes penalty with imprisonment up to three years and a fine not less than ten lakh rupees in case any of the acts listed under the provision are performed without authorisation from the UIDAI. </li>
<li>Section 39 prescribes penalty with imprisonment for a term which may extend to three years and fine which may extend to ten thousand rupees for tampering with data in Central Identities Data Repository. </li>
<li>Section 40 holds a requesting entity liable for penalty for use of identity information in violation of Section 8 (3) with imprisonment up to three years and/or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company). </li>
<li>Section 41 holds a requesting entity or enrolling agency liable for penalty for violation of Section 8 (3) or Section 3 (2) with imprisonment up to one year and/or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company). </li>
<li>Section 42 provides general penalty for any offence against the Act or regulations made under it, for which no specific penalty is provided, with imprisonment up to one year and/or a fine up to twenty five thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company). </li></ul>
<p style="text-align: justify;">Though the Aadhaar Act prescribes penalty in case of unauthorised access, use or any other act contravening the Regulations, it fails to guarantee protection to the information and does not provide for compensation in case of violation of the provisions.</p>
<h3>2. Privacy Policy</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 4 requires a body corporate to provide a privacy policy on their website, which is easily accessible, provides for the type and purpose of personal, sensitive personal information collected and used, and Reasonable security practices and procedures.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> Though in practise the contracting agencies (the body corporates under the Aadhaar ecosystem) may maintain a privacy policy on their website, the Aadhaar Act does not require a privacy policy for the UIDAI or other actors.</p>
<p style="text-align: justify;"><strong>Implications:</strong> Because contracting agencies will be covered by the IT Rules if they are 'body corporates', the requirement to maintain a privacy policy will be applicable to them.</p>
<h3>3. Consent</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 5 requires that prior to the collection of sensitive personal data, the body corporate must obtain consent, either in writing or through fax regarding the purpose of usage before collection of such information.</p>
<p style="text-align: justify;"><strong>Aadhaar Act: </strong> The Act is silent regarding consent being acquired in case of the enrolling agency or registrars. However, section 8 provides that any requesting entity will take consent from the individual before collecting his/her Aadhaar information for authentication purposes, though it does not specify the nature (written/through fax).</p>
<p style="text-align: justify;"><strong>Implications:</strong> If the enrolling agency is a body corporate, they will also be required to take consent prior to collecting and processing biometrics. It is possible that since the Aadhaar Act envisages a scheme which is quasi-compulsory in nature, a consent provision was deliberately left out. This circumstance would give the enrolling agencies an argument against taking consent, by saying that the Aadhaar Act is a specific legislation which is also later in point of time than the IT Rules, and a deliberate omission of consent coupled with the compulsory nature of the Aadhaar scheme would mean that they are not required to take consent of the individuals before enrolment.</p>
<h3>4. Collection Limitation</h3>
<p style="text-align: justify;"><strong>IT Rules: </strong> Rule 5 (2) requires that a body corporate should only collect sensitive personal data if it is connected to a lawful purpose and is considered necessary for that purpose.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> Section 3(1) of the Act states that every resident shall be entitled to obtain an aadhaar number by submitting his demographic information and biometric information by undergoing the process of enrolment.</p>
<h3>5. Notice</h3>
<p style="text-align: justify;"><strong>IT Rules: </strong> Rule 5(3) requires that while collecting information directly from an individual, the body corporate must provide the following information:</p>
<ul style="text-align: justify;">
<li>The fact that information is being collected</li>
<li>The purpose for which the information is being collected</li>
<li>The intended recipients of the information</li>
<li>The name and address of the agency that is collecting the information</li>
<li>The name and address of the agency that will retain the information</li></ul>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> Section 3 of the Act states that at the time of enrolment and collection of information, the enrolling agency shall notify the individual as to how their information will be used; what type of entities the information will be shared with; and that they have a right to see their information and also tell them how they can see their information. However, the Act is silent regarding notice of name and address of the agency collecting and retaining the information.</p>
<h3>6. Retention Limitation</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 5(4) requires that body corporate must retain sensitive personal data only for as long as it takes to fulfil the stated purpose or otherwise required under law.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> The Act is silent regarding this and does not mention the duration for which the personal information of an individual shall be retained by the bodies/organisations contracted by UIDAI.</p>
<h3>7. Purpose Limitation</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 5(5) requires that information must be used for the purpose that it was collected for.</p>
<p style="text-align: justify;"><strong>Aadhaar Act<a name="move447203643"></a></strong> Section 57 contravenes this and states that the Act will not prevent use of Aadhaar number for other purposes under law by the State or other bodies. Section 8 of the Act states that for the purpose of authentication, a requesting entity is required to take consent before collection of Aadhaar information and use it only for authentication with the CIDR. Section 29 of the Act states that the core biometric information collected will not be shared with anyone for any reason, and must not be used for any purpose other than generation of Aadhaar numbers and authentication. Also, the Identity information available with a requesting entity will not be used for any purpose other than what is specified to the individual, nor will it be shared further without the individual's consent.</p>
<p style="text-align: justify;"><a name="move4472036436"></a> Act will not prevent use of Aadhaar number for other purposes under law by the State or other bodies.</p>
<h3>8. Right to Access and Correct</h3>
<p style="text-align: justify;"><strong>IT Rules :</strong> Rule 5(6) requires a body corporate to provide individuals with the ability to review the information they have provided and access and correct their personal or sensitive personal information.</p>
<p style="text-align: justify;"><strong>Aadhaar Act :</strong> The Act provides under section 3 that at the time of enrolment, the individual needs to be informed about the existence of a right to access information, the procedure for making requests for such access, and details of the person or department in-charge to whom such requests can be made. Section 28 of the Act provides that every aadhaar number holder may access his identity information except core biometric information. Section 32 provides that every Aadhaar number holder may obtain his authentication record. Also, if the demographic or biometric information about any Aadhaar number holder changes, is lost or is found to be incorrect, they may request the UIDAI to make changes to their record in the CIDR.</p>
<h3>9. Right to 'Opt Out' and Withdraw Consent</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 5(7) requires that the individual must be provided with the option of 'opting out' of providing data or information sought by the body corporate. Also, they must have the right to withdraw consent at any point of time.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> The Aadhaar Act does not provide an opt- out provision and also does not provide an option to withdraw consent at any point of time. Section 7 of the Aadhaar Act actually implies that once the Central or State government makes aadhaar authentication mandatory for receiving a benefit then the individual has no other option but to apply for an Aadhaar number. The only concession that is made is that if an Aadhaar number is not assigned to an individual then s/he would be offered some alternative viable means of identification for receiving the benefit.</p>
<h3>10. Grievance Officer</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 5(9) requires that body corporate must designate a grievance officer for redressal of grievances, details of which must be posted on the body corporate's website and grievances must be addressed within a month of receipt.</p>
<p style="text-align: justify;"><strong>Aadhaar Act</strong>: The Aadhaar Act does not provide for any such mechanism for grievance redressal by the registrars, enrolling agencies or the requesting entities. However, since the contracting agencies will also get covered by the IT Rules if they are 'body corporates', the requirement to designate a grievance officer would be applicable to them as well due to the IT Rules.</p>
<h3>11. Disclosure with Consent, Prohibition on Publishing and Further Disclosure</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 6 requires that body corporate must have consent before disclosing sensitive personal data to any third person or party, except in the case with Government agencies for the purpose of verification of identity, prevention, detection, investigation, on receipt of a written request. Also, the body corporate or any person on its behalf shall not publish the sensitive personal information and the third party receiving the sensitive personal information from body corporate or any person on its behalf shall not disclose it further.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> Regarding the requesting entities, the Act provides that they shall not disclose the identity information except with the prior consent of the individual to whom the information relates. The Act also states that the Authority shall take necessary measures to ensure confidentiality of information against disclosures. However, as an exception under section 33, the UIDAI may reveal identity information, authentication records or any information in the CIDR following a court order by a District Judge or higher. The Act also allows disclosure made in the interest of national security following directions by a Joint Secretary to the Government of India, or an officer of a higher rank, authorised for this purpose. The Act is silent on the issue of obtaining consent of the individual under these exceptions. Additionally, the Act also states that the Aadhaar number or any core biometric information collected or created regarding an individual under the Act shall not be published, displayed or posted publicly, except for the purposes specified by regulations.</p>
<h3>12. Requirements for Transfer of Sensitive Personal Data</h3>
<p style="text-align: justify;"><strong>IT Rules :</strong> Rule 7 requires that body corporate may transfer sensitive personal data into another jurisdiction only if the country ensures the same level of protection and may be allowed only if it is necessary for the performance of the lawful contract between the body corporate or any person on its behalf and provider of information or where such person has consented to data transfer.</p>
<p style="text-align: justify;"><strong>Aadhaar Act :</strong> The Act is silent regarding transfer of personal data into another jurisdiction by the any of the contracting bodies like the Registrar, Enrolling agencies or the requesting entities. However, if these agencies satisfy the requirement of being "body corporates" as defined under section 43A, then the above requirement regarding transfer of data to another jurisdiction under IT Rules would be applicable to them. However, considering the sensitive nature of the data involved, the lack of a prohibition of transferring data to another jurisdiction under the Aadhaar Act appears to be a serious lacuna.</p>
<h3>13. Security of Information</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 8 requires that the body corporate must secure information in accordance with the ISO 27001 standard or any other best practices notified by Central Government. These practices must be audited annually or when the body corporate undertakes a significant up gradation of its process and computer resource.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> Section 28 of the Act states that the UIDAI must ensure the security and confidentiality of identity information and authentication records. It also states that the Authority shall adopt and implement appropriate technical and organisational security measures, and ensure the same are imposed through agreements/arrangements with its agents, consultants, advisors or other persons. However, it does not mention which standards/measures have to be adopted by all the actors in Aadhaar ecosystem for ensuring the security of information, though it can be argued that if the contractors employed by the UIDAI are body corporate then the standards prescribed under the IT Rules would be applicable to them.</p>
<h3>Implications of the Differences for Body Corporates in Aadhaar Ecosystem</h3>
<p style="text-align: justify;">An analysis of the Rules in comparison to the data protection measures under the Aadhaar Act shows that the requirements regarding protection of personal or sensitive personal information differ and are not completely in line with each other. <a name="move446519928"></a></p>
<p style="text-align: justify;">Though the Aadhaar Act takes into account the provisions regarding consent of the individual, notice, restriction on sharing, etc., the Act is silent regarding many core measures like sharing of information across jurisdictions, taking consent before collection of information, adoption of security measures for protection of information, etc. which a body corporate in the Aadhaar ecosystem must adopt to be in compliance with section 43A of the IT Act. It is therefore important that the bodies collecting, handling, sharing the personal information and are governed by the Aadhaar Act, must adhere to section 43A and the IT Rules 2011. However, applicability of Aadhaar Act as well as section 43A and IT Rules 2011 would lead to ambiguity regarding interpretation and implementation of the Law. The differences must be duly taken into account and more clarity is required to make all the bodies under this Legislation like the enrolling agencies, Registrars and the Requesting Entities accountable under the correct provisions of Law. However, having two separate legislations governing the data protection standards in the Aadhaar scheme seems to have been overlooked. A harmonized and overarching privacy legislation is critical to avoid unclarity in the applicability of data protection standards and would also address many privacy concerns associated to the scheme.</p>
<h3>Appendix I</h3>
<p style="text-align: justify;">The Rajya Sabha had proposed five amendments to the Aadhaar Act 2016, which are as follows:</p>
<p style="text-align: justify;"><strong>i. Opt-out clause:</strong> A provision to allow a person to "opt out" of the Aadhaar system, even if already enrolled.</p>
<p style="text-align: justify;"><strong>ii. Voluntary:</strong> To ensure that if a person chooses not to be part of the Aadhaar system, he/she would be provided "alternate and viable" means of identification for purposes of delivery of government subsidy, benefit or service.</p>
<p style="text-align: justify;"><strong>iii.</strong> Amendment restricting the use of Aadhaar numbers only for targeting of government benefits or service and not for any other purpose.</p>
<p style="text-align: justify;"><strong>iv.</strong> Amendment seeking change of the term "national security" to "public emergency or in the interest of public safety" in the provision specifying situations in which disclosure of identity information of an individual to certain law enforcement agencies can be allowed.</p>
<p style="text-align: justify;"><strong>v. Oversight Committee:</strong> The oversight committee , which would oversee the possible disclosure of information, should include either the Central Vigilance Commissioner or the Comptroller and Auditor-General.</p>
<p><strong>Sources:</strong></p>
<ul>
<li> <a href="http://indianexpress.com/article/india/india-news-india/rajya-sabha-returns-aadhar-bill-to-lok-sabha-with-oppn-amendments/"> http://indianexpress.com/article/india/india-news-india/rajya-sabha-returns-aadhar-act-to-lok-sabha-with-oppn-amendments/ </a> </li>
<li> <a href="http://thewire.in/2016/03/16/three-rajya-sabha-amendments-that-will-shape-the-aadhaar-debate-24993/"> http://thewire.in/2016/03/16/three-rajya-sabha-amendments-that-will-shape-the-aadhaar-debate-24993/</a><br /><br /></li></ul>
<h3>Appendix II - Section 43A: Compensation for Failure to Protect Data</h3>
<p style="text-align: justify;">Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.</p>
<p style="text-align: justify;">For the purposes of this section:</p>
<ul>
<li>"body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;</li>
<li>"reasonable security practices and procedures" means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit;</li>
<li>"sensitive personal data or information" means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.'.<br /><br /></li></ul>
<p style="text-align: justify;">The term 'body corporate' has been defined under section 43A as "any company and includes a firm, sole proprietorship or other association of individuals <em>engaged in commercial or professional activities</em>"</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/aadhaar-act-and-its-non-compliance-with-data-protection-law-in-india'>https://cis-india.org/internet-governance/blog/aadhaar-act-and-its-non-compliance-with-data-protection-law-in-india</a>
</p>
No publishervanyaUIDPrivacyInternet GovernanceDigital IndiaAadhaarBiometrics2016-04-18T11:43:02ZBlog Entry