Centre for Internet and Society

Consultation on 'National Geospatial Policy' - Notes and Submission

sinha — 2016-03-29T17:03:31Z

The Department of Science and Technology, Government of India, has constituted a National Expert Committee for developing a draft National Geospatial Policy (NGP) to provide appropriate guidelines for collection, analysis, use, and distribution of geospatial information across India, and to assure data availability, accessibility and quality. A pre-drafting consultation meeting for the NGP was organised in Delhi on February 03, 2016. Ms. Anubha Sinha represented CIS at the meeting, and shares her notes.

National Geospatial Policy - Pre-Drafting Consultation Meeting

Keeping in mind the importance of geospatial data in the context of national development, the Department of Science and Technology, Government of India, has constituted a National Expert Committee for developing a draft National Geospatial Policy (NGP). The Committee is Chaired by Major General Dr. R Siva Kumar, former Head of Natural Resources Data Management System (NRDMS) and CEO of National Spatial Data Infrastructure (NSDI), and Dr. Bhoop Singh, Head of NRDMS and NSDI Division at Department of Science and Technology, as Member Secretary. The Policy aims at providing appropriate guidelines for collection, analysis, use, and distribution of geospatial information across India, and to assure data availability, accessibility and quality.

A pre-drafting consultation meeting for the NGP was organised in Delhi by Dr. Valli Manickam, Professor at the Academic Staff College of India, on February 03, 2016, and CIS was invited to take part in it as the only participant from the civil society. The other participants included representatives from the geospatial industry and industry associations (like FICCI and CII), and Ms. Ranjana Kaul, Partner at Dua Associates. Among the drafting committee members, Major General Dr. R Siva Kumar, Dr. Bhoop Singh, Dr. Sandeep Tripathi (IFS), and Wing Commander Satyam Kushwaha were present.

National Geospatial Policy - Concept Note

The purpose of the meeting was to hear the stakeholders' response to a Concept Note on the NGP, circulated prior to the meeting [1]. The Note sets out the principles and concerns of the proposed policy, which plans to guarantee geospatial data availability, accessibility, quality and in consonance with the imperatives of national security and intellectual property rights. The applicability of the policy is aimed at:

all geospatial data created, generated and collected using public funds provided by Central and State Governments and International donor organizations, directly or through authorized agencies.

The note suggests establishment of an "empowered body" to ensure proper creation, updates, management, dissemination, and sharing of the data, and management of an online portal for the same. The institutional mechanism to implement the policy will be composed of an Appellate authority / National High Power Implementation Committee, the NGP Implementation Committee, and the NGP Steering Committee.

Notes from the Meeting

The Welcome Address was delivered by Dr. Bhoop Singh (Head of NRDMS and NSDI Division, DST) who informed the participants that the Expert Committee had already met National Security Council and heard their concerns on the policy. The principles on which the proposed policy is to be based were also shared. The policy resulted from an exercise started two years ago to fix quality and accuracy of geospatial data, which was when it was realised that there were significant gaps that need urgent redressal. It was also identified that in previous initiatives to manage geospatial data at the national level, some data-generating organisations had been left behind. The chief concerns for the Expert Committee are 1) tailoring a policy suited to India's unique security issues, 2) avoiding a blanket open policy that may lead to misuse of low resolution data, 3) heeding restrictions on mapping, considering that 43% of landmass was not represented on maps presently (a probable solution was to do feature based mapping), and 4) clarifying government regulation of drone-based mapping. Security concerns were raised frequently throughout the meeting. The Committee also recognised that for development, data sharing should be made more open. The Committee was keen to have the private industry as a partner in generation of geospatial data.

Private industry representatives agreed with the objectives of the policy and were willing to contribute to geospatial data generation. The Expert Committee mulled over the possibility of creating a Public Private Partnership to cater to data generation. The private industry complained about the lack of efforts in popularising geospatial technologies and making the process of tenders more transparent.

There were suggestions to examine the policies of other jurisdictions facing similar internal security threats as India, and delineating the types of data that could be openly shared (for instance, geospatial data from border regions versus non-border regions). Segregation of restricted and open geospatial data can also be done on the basis of its end-application, such as for military and engineering purposes. Participants also requested the creation of a clear Do's and Don'ts guideline. CIS presented a written submission that raised seven key concerns. These are listed in the section below.

On the question of making an open data policy, it was suggested that the committee needs to decide the fundamental approach of the policy first - whether the policy should be based on prohibition and restriction, or focus on identifying and regulating open and free geospatial. The UN General Assembly document on Principles relating to remote sensing of the Earth from space provides an appropriate international point of reference [2].

After listening to the concerns and comments of the stakeholders, the core committee made the following concluding remarks:

Existing policies of government and defence should be mapped out to avoid conflict or overlap with the proposed NGP policy
The sharing of data vests with government agencies and other organisations recommended by them – there needs to be a transparent mechanism for such recommendation based sharing
Industry should come up with self-regulatory mechanisms, do's and don'ts, and code of conduct
Develop a secure mechanism for providing data on sensitive areas (in terms of national security;
Even the defence agencies sometimes cannot access maps due to policies of the National Remote Sensing Centre and other agencies – such inconsistencies need to be fixed

It was announced that the next consultation will occur in a couple of months, and will be open to the public at large, including representatives of industry, defence, and civil society.

Key Concerns about the NGP Concept Note

1. Complete lack of availability of open geospatial data from Indian government agencies: No government agency in India publish open geospatial data. While maps are often sold, both in printed and in digital form, they are not provided in a machine-readable open format and under an open license. The concept note towards NGP has made strong commitments towards changing this situation. There is an immediate need to participate in the NGP drafting process, with coordination among various civil society actors interested in open geospatial data, to ensure that these principles are carried into and operationalised in the actual NGP document.

2. Need for explicit and comprehensive set of criteria to determine if a set of geospatial data is sensitive for national security reasons: In formal and informal conversations with various agencies collecting and creating geospatial data in India, the role played by security agencies in blocking proactive and reactive public disclosure of geospatial data, and even intra-governmental sharing of such data, has been highlighted. Addressing this issue requires development of an explicit and comprehensive list of criteria that will establish a clear and rule-based system for identifying if a specific geospatial data set is to be categorised as “shareable” or “non-shareable.”

3. No clarity regarding legal status of citizen/crowd-sourced geospatial data, and initiatives to generate them: Open user-contributed geospatial data, especially through the OpenStreetMap platform, has emerged as a key driver of the global geospatial services industry. There is a legal ambiguity created by the National Mapping Policy regarding generation of such data in India, which came into focus when Survey of India filed a case against Google for organising a Mapathon contest, which invited Indian users to add metadata about physical and built features through Google Maps platform.1 The NGP needs to expressly provide legal sanction (and perhaps framework) for citizen/crowd-sourcing of geospatial data.

4. Fragmented institutional structure for collection, management, and distribution of different kinds of geospatial data: Survey of India, Indian Institute of Remote Sensing, and Indian Space Research Organisation are all key government agencies involved in creating and managing geospatial data. Further, Election Commission of India is involved in preparing geospatial data about electoral units and their boundaries. The National Spatial Data Infrastructure was conceptualised to harmonise and centralise the geospatial data management processes, but is yet to be implemented with the backing of a policy or an Act. The NSDI can be institutionalised via the NGP as the national archive, aggregator, and distributor of open geospatial data, being originally collected and created by a range of government agencies.

5. Integration of National Geospatial Policy with National Data Sharing and Accessibility Policy (NDSAP): The proactive disclosure of “shareable” geospatial data using open geospatial standards and under open licenses must be carried out under the purview of the NDSAP, and through the open government data platform established through NDSAP. The decisions regarding licensing of open government data, as being discussed by the a committee set up under NDSAP, must also be applicable to open geospatial data that will be published following the instructions of the NGP. Further, instead of multiple online sources of open geospatial data collected by various Indian government agencies, must be identified as the primary and necessary source for publication of open geospatial data.

6. Integration of National Geospatial Policy with Right to Information (RTI) Act: Geospatial data must be treated as a special category of information under the RTI Act, which necessitates that if an Indian citizen requests for geospatial data from a government agency under the purview of RTI Act, the agency must provide the data in a human-readable and machine-readable open geospatial standard, and not only in the printed format, as key qualities of digital geospatial data can be substantially lost when printed in paper.

7. Need for special infrastructure for management and publication of real-time geospatial (big) data, and governance of the same: With increasing number of government assets being geo-referenced for the purpose of more effective and real-time management, especially in the transportation sector, the corresponding agencies (which are often not mapping agencies) are acquiring a vast amount of high-velocity geospatial data, which needs to be analysed and (sometimes) published in the real-time. The need for special infrastructure for such data, as well as its governance, has not been discussed in the concept note for NGP, which is a major omission.

Endnotes

[1] See: https://github.com/cis-india/website/raw/master/docs/DST_National-Geospatial-Policy_Concept-Note_2016.01.21.pdf.

[2] UNGA 41/65. Principles Relating to Remote Sensing of the Earth from Space: http://www.unoosa.org/pdf/gares/ARES_41_65E.pdf.

For more details visit https://cis-india.org/openness/consultation-on-national-geospatial-policy-03022016

A Pathfinding Approach for Digital India

Shyam Ponappa — 2017-03-03T16:39:37Z

It's not only the installation of the OFC, but of ensuring quality and reliability.

The article was published in the Business Standard on January 31, 2017 and reproduced on Organizing India Blogspot on February 1, 2017.

Most people believe an optical fibre cable (OFC) connection is necessary for broadband. While largely true, this is often financially viable only in urban agglomerations. What is less known is that trading companies use wireless links between New York and Chicago for high-speed electronic trades.[1] For people outside urban clusters, wireless is a less expensive alternative to fibre. They get only a few megabits per second, but realistically, ubiquitous broadband at 2 Mbps would be great.

Three factors are driving internet access and usage in India. An overriding factor is the growth of wireless devices and traffic as a global phenomenon. Cisco estimated in June 2016 that in 2015, wired access comprised 52 per cent of IP traffic, but would reduce to one-third by 2020, while wireless access would increase to two-thirds. This trend is reinforced by another factor: Innovation that lowers costs and improves performance in mobile wireless (Chart 1).

Chart 1: Mobile Innovation Lowers Costs and Improves Performance

Sources: Cisco Visual Networking Index; International Telecommunication Union; IE Market Research; Motorola, Deutsche Bank; Qualcomm
Note: Data speed indicated the maximum downlink speed, not average observed speeds. The average observed speeds depend on many factors, including infra, subscriber density and device harware and software

The third factor is the combination of the geographic spread of our population, the concentration of broadband penetration (Chart 2), and the limited coverage of OFC networks. While major cities and their connecting links are covered by OFC, less populated and less commercially attractive areas between them are not. In hilly terrain, there is considerable difficulty in laying OFC, which extends far beyond cost. In urban areas, cost can be a deterrent because we lack reasonable, uniform charges for rights-of-way. Such procedures and practices are difficult to institute and enforce, but are essential for robust, viable OFC networks.

Chart 2: Broadband Penetration

Source: http://www.thehindu.com/sci-tech/technology/internet/The-India-wide-web/article14588938.ece

It's not only the installation of the OFC, but of ensuring quality and reliability. OFC networks in India apparently suffer from 12 to 14 cuts per km per month, whereas the international benchmark is 0.7 cuts per km km per month. Apart from more frequent repairs, the capital expenditure in India is nearly three times as high as in Australia or the US.[2]

Estimates for installing OFC using standard procedures vary from about Rs 1 lakh to Rs 4 lakh per km. However, there have been attempts at getting costs down by radical changes in approach. For example, Andhra Pradesh considered an OFC installation of 22,500 km estimated Rs 4,700 crore. By stringing fibre overhead along electric cables, however, the estimate was cut to Rs 333 crore, reducing costs from Rs 21 lakh to under Rs 1.5 lakh per km. It remains to be seen how this network will perform in terms of quality and reliability. Also, wireless technology is needed to extend connectivity from the fibre to villages, and cellular network costs rise with less bandwidth. For instance, one estimate is that excluding spectrum costs, a network using 5 MHz costs nearly 70 percent more than using 20 MHz.

For all these reasons, we need concerted action to redesign our approach to broadband, covering the fundamentals of infrastructure, spectrum and market design. The exponential growth in mobile services has reached a plateau, and is complicated by the taint of the 2G spectrum scams. This has resulted in a mindset combining witch-hunting and paranoia in the press, the public, government departments, and the judiciary. This is not conducive for the coordinated, collective strategy and action that is required to extricate ourselves. Several proven wireless technologies are not permitted in India, although the Telecom Regulatory Authority of India has recommended their use. Methods to increase connectivity like those listed below are urgently needed, with requisite environmental safeguards such as the use of renewable energy.

60 GHz (V band) wireless gigabit for short-haul;
70 and 80 GHz (E band) for multi-gigabit backhaul up to 5 km;
TV White Space for the middle mile from the fibre to users in villages up to 8-10 km away in a single hop;

Additional steps, e.g.:

Increasing unlicensed spectrum in the 5.8 GHz band from 50 MHz to 80 MHz to enable 866 Mbps per channel, or more for gigabit capacity;

Enabling secondary sharing of spectrum bands such as TV White Space, which has the possibility of existing Indian IPR establishing domestic manufacturing and dominating this niche;

It is evident that despite intense efforts by the people involved, our existing approach is simply not getting us to where we need to be. This has been repeated by government and private sector representatives many times. There’s no substitute for developing a sound approach, collectively and participatively, with professional facilitation, cutting across government, industry (operators and equipment providers), users, and the judiciary, to devise whatever solutions will deliver better results. We have to move away from adversarial deadlock.

A good way to begin is by accepting facts, and considering the evidence before dismissing points of view. For licensing, we know that government collections from revenue sharing far exceed the auction fees foregone (“Breakthroughs Needed for Digital India”). We have the experience of building other infrastructure such as roads and airports on revenue-sharing principles. We have to take a similar systematic, phased approach to designing and implementing broadband networks. Policies on infrastructure resource use including spectrum need to be rationalised, and the sector organised through participative path-finding and problem solving. We have to build national champions in manufacturing to keep costs affordable, for instance, using TV White Space. India could set the standard with its IPR and products where OFC is infeasible or unviable for connectivity to villages and rural clusters. Both the administrative and political leadership need to do this, working with all stakeholders, and not treating any of them as adversaries, or cronies.

[1]. ‘Information Transmission between Financial Markets in Chicago and New York’, Gregory Laughlin, Anthony Aguirre, and Joseph Grundfest, Cornell University Library, arXiv.org

[2]. Conference presentation, Sterlite, http://www.trai.gov.in/sites/default/files/Sterlite-Badri.pdf

For more details visit https://cis-india.org/telecom/blog/business-standard-january-31-2017-and-organizing-india-blogspot-february-1-2017-shyam-ponappa-a-pathfinding-approach-for-digital-india

NIPFP Seminar on Exploring Policy Issues in the Digital Technology Arena

Admin — 2019-10-20T07:40:16Z

Anubha Sinha participated in this seminar as a discussant on the "Regulating emerging technologies" panel. The event was held at Indian Institute of Advanced Study, Shimla on October 10 - 11, 2019.

Click to view the agenda here. The session briefs can be seen here.

For more details visit https://cis-india.org/internet-governance/news/nipfp-seminar-on-exploring-policy-issues-in-the-digital-technology-arena

Pratap Vikram Singh - Why Aadhaar is Baseless?

praskrishna — 2016-04-02T05:31:30Z

This article by Pratap Vikram Singh, Governance Now, discusses the problems emerging out of the UIDAI project due to its lack of mechanisms for informed and granular consent, and for seeking recourse in the case of denial of service. The article quotes Sumandro Chattapadhyay and mentions Hans Varghese Mathew's work on the biometric basis of UIDAI. It was written before the Aadhaar bill was passed in Lok Sabha.

Cross-posted from Governance Now.

It was no less than a roller-coaster ride for Aadhaar, a programme formulated by the UPA government to assign a 12-digit unique number to every Indian resident. From the time it came into being in 2009, Aadhaar drew a volley of criticism, thanks to the misgivings and apprehensions that various critics and civil society organisations had. It was criticised for lack of a clear purpose, degree of effectiveness and absence of a privacy law and was virtually thrown into the bin by a parliamentary panel headed by BJP’s Yashwant Sinha in December 2011.

When the finance minister Arun Jaitley, in his budget speech, announced that the government would introduce the Aadhaar bill during the budget session, expectations were already set high. The bill, giving statutory backing to the unique identification authority of India (UIDAI), the implementing authority, was passed by the Lok Sabha on March 11. While the privacy and voluntary versus mandatory provisions are under the consideration of the supreme court, the bill makes way for linking Aadhaar with all government subsidies, benefits and services. The law on Aadhaar, former UIIDAI chairman Nandan Nilekani wrote in the Indian Express, will help the government in going paperless, presence-less and cashless. The legislation, however, fails to deliver on several counts.

However, prior to evaluating the bill (yet to be passed by the Rajya Sabha at the time of this writing though it is a money bill), let us take a look at its major aspects. For those, who always wondered whether Aadhaar is mandatory or voluntary, the bill 2016 makes it mandatory to avail subsidy, benefit or a service from the government.

The bill has provisions related to information security and confidentiality (section 28) which not only extend to employees of the UIDAI but also consultants and external agencies working with the authority.

The proposed law restricts information sharing. It bars UIDAI from sharing core biometric information – the bill defines it as fingerprints and iris scan – with “anyone for any reason whatsoever” or “used for any purpose other than generation of Aadhaar numbers and authentication under this Act”. The section 32 of the bill entitles Aadhaar number holders to access her or his authentication record. It also bars the authority from collecting, keeping or maintaining information about the purpose of authentication.

Odd Drives the Bill

While the intent is clear and is aimed at streamlining welfare schemes to ensure it reaches the bottom of the pyramid, cutting through the long chain of pilferage and subversion, the bill, however, has several shortcomings. To begin with, the government should not have taken the money bill route to pass the legislation – tactfully avoiding any conclusive discussion and debate in the Rajya Sabha, where it is in minority.

The bill assumes that the technology and the biometric system used by the UIDAI are flawless and it doesn’t provide any recourse in case of denial of a service. “If your fingerprint is not matching and you lose out on service, then what is the alternative mechanism you have,” asks Sumandro Chattapadhyay, research director, centre for internet and society (CIS). The bill doesn’t provide for recourse. “What if the scanning machine fails? What if the identifiers of two people match?”

Based on experiments conducted in the initial days of the Aadhaar programme, Hans Verghese Mathews, another CIS researcher, did a study on the probability of matching of identifiers of two persons. “For the current population of 1.2 billion the expected proportion of duplicands (users whose identifiers match) is 1/121, a ratio which is far too high,” Mathews wrote in the Economic and Political Weekly in February.

“It is like putting the technology in a black box – which can’t be reviewed,” says Chattapadhyay. The bill doesn’t talk about setting up an independent body to review the logs and keep an eye on wrong and duplicate matches.

Who Defines National Security?

According to public policy experts, it is an attempt to seek “minimal legitimacy” from parliament and further adds to the unbridled power of the executive.

Although the bill restricts information sharing in section 29, sections 33 and 48 provide exemption in cases of national security and public emergency, respectively. The legislation, nevertheless, doesn’t elaborate on what constitutes national security and public emergency, leaving it to the executives. The section 33 reads: “Nothing contained in… shall apply in respect of any disclosure of information, including identity information or authentication records, made in the interest of national security….”

Similarly, section 48 states that if, at any time, the central government is of the opinion that a public emergency exists, “the central government may, by notification, supersede the Authority for such period, not exceeding six months, as may be specified in the notification and appoint a person or persons as the president may direct to exercise powers and discharge functions under this Act”.

Says Jayati Ghosh, professor, centre for economic studies and planning, Jawaharlal Nehru University, “National security is a very opaque term. Who decides what national security is? Today, the whole JNU is being projected as a threat to national security.” Swagato Sarkar, associate professor and executive director, Jindal school of government and public policy, OP Jindal Global University, says, “The bill has provisions for oversight on the use of Aadhaar, but then it suspends those provisions in case of emergency in the later sections, giving the state the power to use biometric information for whatever it deems fit.”

Sarkar adds, “It seems the bill is simply an instrument for seeking minimum legitimacy from parliament. The bill tries to address the concern of privacy minimally and it hardly serves any purpose.” He believes that there is a need to define the broader contours of democratic control of the state and reassess the changing state-citizen relationship, instead of rejecting the whole idea on the basis of surveillance and privacy. In other words, there is a need for strong parliamentary oversight, and that the Aadhaar related matters shouldn’t be completely delegated to the executive.

In its recommendations on formulating Privacy Act, the justice AP Shah committee in 2012 provided for establishing the office of privacy commissioner at the regional and central levels, defining the role of self-regulating organisations and co-regulation, and creating a system of complaints and redressal for aggrieved individuals. Since the country still doesn’t have any legislation on privacy, people are left on their own in case of an infringement or violation of privacy. Moreover, section 47 states, “No court shall take cognizance of any offence punishable under this Act, save on a complaint made by the Authority or any officer or person authorised by it.”

In its report, the parliamentary committee headed by Yashwant Sinha notes that “enactment of national data protection law… is a prerequisite for any law that deals with large scale collection of information from individuals and its linkages across separate databases”. The committee notes that in absence of data protection legislation, it would be difficult to deal with issues of access, misuse of personal information, surveillance, profiling, linking and matching of databases and securing confidentiality of information.

Subsidy-Aadhaar Linkage

The Sinha committee also takes a cautious view of the role of Aadhaar in curbing leakages in subsidy distribution, as beneficiary identification is done by states. It notes, “Even if the Aadhaar number links entitlements to targeted beneficiaries, it may not even ensure that beneficiaries have been correctly identified. Thus, the present problem of proper identification would persist.”

According to Ghosh, the biggest danger in using Aadhaar for social welfare programmes is that the fingerprints of the rural working class is not always in good shape and hence Aadhaar will not be the best way of identification. “If I am misidentified, I can go to so many places for recourse. But what if a labourer in a remote Jharkhand village is misidentified? Where and whether he would go?” the economist asks. Besides, the bill doesn’t limit the use of Aadhaar and defines areas where it can be used. Section 57 says that the law will not prevent the use of Aadhaar number for establishing the identity of an individual for any purpose, “whether by the state or anybody corporate or person, pursuant to any law, for the time being in force or any contract to this effect.”

According to a PRS Legislative review, since the bill also allows private persons to use Aadhaar as a proof of identity for any purpose, the provision will open a floodgate and enable private entities such as airlines, telecom, insurance and real estate companies to mandate Aadhaar as a proof of identity for availing their services.

Since the bill doesn’t restrict its application, people will not have a choice to identify themselves other than using Aadhaar when corporate organisations make it mandatory, says Chattapadhyay of the CIS. Adds Sarkar, “The bill should clearly mention sectors or services where Aadhaar will be potentially used (or made mandatory). Every time a new sector or service is added to the list, it is done after parliamentary approval.”

So far, 98 crore people have been assigned Aadhaar number. So far the project has costed Rs 8,000 crore.

For more details visit https://cis-india.org/internet-governance/news/gov-now-pratap-vikram-singh-17032016-why-aadhaar-is-baseless

FAQ on the Aadhaar Project and the Bill

Elonnai Hickok, Vanya Rakesh, and Vipul Kharbanda — 2016-04-13T14:06:43Z

This FAQ attempts to address the key questions regarding the Aadhaar/UIDAI project and the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 (henceforth, Bill). This is neither a comprehensive list of questions, nor does it contain fully developed answers. We will continue to add questions to this list, and edit/expand the answers, based on our ongoing research. We will be grateful to receive your comments, criticisms, evidences, edits, suggestions for new answers, and any other responses. These can either be shared as comments in the document hosted on Google Drive, or via tweets sent to the information policy team at @CIS_InfoPolicy.

To comment on and/or download the file, click here.

For more details visit https://cis-india.org/internet-governance/blog/aadhaar-project-and-bill-faq

Aadhaar Act and its Non-compliance with Data Protection Law in India

vanya — 2016-04-18T11:43:02Z

This post compares the provisions of the Aadhaar Act, 2016, with India's data protection regime as articulated in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

Download the file: PDF.

Amidst all the hue and cry, the Aadhaar Act 2016, which was introduced with the aim of providing statutory backing to the use of Aadhaar, was passed in the Lok Sabha in its original form on March 16, 2016, after rejecting the recommendations made by Rajya Sabha . Though the Act has been vehemently opposed on several grounds, one of the concerns that has been voiced is regarding privacy and protection of the demographic and biometric information collected for the purpose of issuing the Aadhaar number.

In India, for the purpose of data protection, a body corporate is subject to section 43A of the Information Technology Act, 2000 ("IT Act ") and subsequent Rules, i.e. -The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 ("IT Rules"). Section 43A of the IT Act, 2000 holds a body corporate, which is possessing, dealing or handling any sensitive personal data or information, and is negligent in implementing and maintaining reasonable security practices resulting in wrongful loss or wrongful gain to any person, liable to compensate the affected person and pay damages.

Rule 3 of the IT Rules enlists personal information that would amount to Sensitive personal data or information of a person and includes the biometric information. Even the Aadhaar Act states under section 30 that the biometric information collected shall be deemed as "sensitive personal data or information", which shall have the same meaning as assigned to it in clause (iii) of the Explanation to section 43A of the IT Act; this reflects that biometric data collected in the Aadhaar scheme will receive the same level of protection as is provided to other sensitive personal data under Indian law. This implies that, the agencies contracted by the UIDAI (and not the UIDAI itself) to perform functions like collection, authentication, etc. like the Registrars, Enrolling Agencies and Requesting Entities, which meet the criteria of being a 'body corporate' as defined in section 43A, could be held responsible under this provision, as well as the Rules, to ensure security of the data and information of Aadhaar holder and could potentially be held liable for breach of information that results in loss to an individual if it can be proven that they failed to implement reasonable security practices and procedures.

In light of the fact that some actors in the Aadhaar scheme could be held accountable and liable under section 43A and associated Rules, this article compares the regulations regarding data security as found in section 43A and IT Rules 2011 with the provisions of Aadhaar Act 2016, and discusses the implications of the differences, if any.

1. Compensation and Penalty

Section 43A: Section 43A of the IT Act, 2000 (Amended in 2008) provides for compensation for failure to protect data. It states that a body corporate, which is possessing, dealing or handling any sensitive personal data or information, and is negligent in implementing and maintaining reasonable security practices resulting in wrongful loss or wrongful gain to any person, is liable to compensate the affected person and pay damages not exceeding five crore rupees.

Aadhaar Act : Chapter VII of the Act provides for offences and penalties, but does not talk about damages to the affected party.

Section 37 states that intentional disclosure or dissemination of identity information, to any person not authorised under the Aadhaar Act, or in violation of any agreement entered into under the Act, will be punishable with imprisonment up to three years or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).
Section 38 prescribes penalty with imprisonment up to three years and a fine not less than ten lakh rupees in case any of the acts listed under the provision are performed without authorisation from the UIDAI.
Section 39 prescribes penalty with imprisonment for a term which may extend to three years and fine which may extend to ten thousand rupees for tampering with data in Central Identities Data Repository.
Section 40 holds a requesting entity liable for penalty for use of identity information in violation of Section 8 (3) with imprisonment up to three years and/or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).
Section 41 holds a requesting entity or enrolling agency liable for penalty for violation of Section 8 (3) or Section 3 (2) with imprisonment up to one year and/or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).
Section 42 provides general penalty for any offence against the Act or regulations made under it, for which no specific penalty is provided, with imprisonment up to one year and/or a fine up to twenty five thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).

Though the Aadhaar Act prescribes penalty in case of unauthorised access, use or any other act contravening the Regulations, it fails to guarantee protection to the information and does not provide for compensation in case of violation of the provisions.

2. Privacy Policy

IT Rules: Rule 4 requires a body corporate to provide a privacy policy on their website, which is easily accessible, provides for the type and purpose of personal, sensitive personal information collected and used, and Reasonable security practices and procedures.

Aadhaar Act: Though in practise the contracting agencies (the body corporates under the Aadhaar ecosystem) may maintain a privacy policy on their website, the Aadhaar Act does not require a privacy policy for the UIDAI or other actors.

Implications: Because contracting agencies will be covered by the IT Rules if they are 'body corporates', the requirement to maintain a privacy policy will be applicable to them.

3. Consent

IT Rules: Rule 5 requires that prior to the collection of sensitive personal data, the body corporate must obtain consent, either in writing or through fax regarding the purpose of usage before collection of such information.

Aadhaar Act: The Act is silent regarding consent being acquired in case of the enrolling agency or registrars. However, section 8 provides that any requesting entity will take consent from the individual before collecting his/her Aadhaar information for authentication purposes, though it does not specify the nature (written/through fax).

Implications: If the enrolling agency is a body corporate, they will also be required to take consent prior to collecting and processing biometrics. It is possible that since the Aadhaar Act envisages a scheme which is quasi-compulsory in nature, a consent provision was deliberately left out. This circumstance would give the enrolling agencies an argument against taking consent, by saying that the Aadhaar Act is a specific legislation which is also later in point of time than the IT Rules, and a deliberate omission of consent coupled with the compulsory nature of the Aadhaar scheme would mean that they are not required to take consent of the individuals before enrolment.

4. Collection Limitation

IT Rules: Rule 5 (2) requires that a body corporate should only collect sensitive personal data if it is connected to a lawful purpose and is considered necessary for that purpose.

Aadhaar Act: Section 3(1) of the Act states that every resident shall be entitled to obtain an aadhaar number by submitting his demographic information and biometric information by undergoing the process of enrolment.

5. Notice

IT Rules: Rule 5(3) requires that while collecting information directly from an individual, the body corporate must provide the following information:

The fact that information is being collected
The purpose for which the information is being collected
The intended recipients of the information
The name and address of the agency that is collecting the information
The name and address of the agency that will retain the information

Aadhaar Act: Section 3 of the Act states that at the time of enrolment and collection of information, the enrolling agency shall notify the individual as to how their information will be used; what type of entities the information will be shared with; and that they have a right to see their information and also tell them how they can see their information. However, the Act is silent regarding notice of name and address of the agency collecting and retaining the information.

6. Retention Limitation

IT Rules: Rule 5(4) requires that body corporate must retain sensitive personal data only for as long as it takes to fulfil the stated purpose or otherwise required under law.

Aadhaar Act: The Act is silent regarding this and does not mention the duration for which the personal information of an individual shall be retained by the bodies/organisations contracted by UIDAI.

7. Purpose Limitation

IT Rules: Rule 5(5) requires that information must be used for the purpose that it was collected for.

Aadhaar Act Section 57 contravenes this and states that the Act will not prevent use of Aadhaar number for other purposes under law by the State or other bodies. Section 8 of the Act states that for the purpose of authentication, a requesting entity is required to take consent before collection of Aadhaar information and use it only for authentication with the CIDR. Section 29 of the Act states that the core biometric information collected will not be shared with anyone for any reason, and must not be used for any purpose other than generation of Aadhaar numbers and authentication. Also, the Identity information available with a requesting entity will not be used for any purpose other than what is specified to the individual, nor will it be shared further without the individual's consent.

Act will not prevent use of Aadhaar number for other purposes under law by the State or other bodies.

8. Right to Access and Correct

IT Rules : Rule 5(6) requires a body corporate to provide individuals with the ability to review the information they have provided and access and correct their personal or sensitive personal information.

Aadhaar Act : The Act provides under section 3 that at the time of enrolment, the individual needs to be informed about the existence of a right to access information, the procedure for making requests for such access, and details of the person or department in-charge to whom such requests can be made. Section 28 of the Act provides that every aadhaar number holder may access his identity information except core biometric information. Section 32 provides that every Aadhaar number holder may obtain his authentication record. Also, if the demographic or biometric information about any Aadhaar number holder changes, is lost or is found to be incorrect, they may request the UIDAI to make changes to their record in the CIDR.

9. Right to 'Opt Out' and Withdraw Consent

IT Rules: Rule 5(7) requires that the individual must be provided with the option of 'opting out' of providing data or information sought by the body corporate. Also, they must have the right to withdraw consent at any point of time.

Aadhaar Act: The Aadhaar Act does not provide an opt- out provision and also does not provide an option to withdraw consent at any point of time. Section 7 of the Aadhaar Act actually implies that once the Central or State government makes aadhaar authentication mandatory for receiving a benefit then the individual has no other option but to apply for an Aadhaar number. The only concession that is made is that if an Aadhaar number is not assigned to an individual then s/he would be offered some alternative viable means of identification for receiving the benefit.

10. Grievance Officer

IT Rules: Rule 5(9) requires that body corporate must designate a grievance officer for redressal of grievances, details of which must be posted on the body corporate's website and grievances must be addressed within a month of receipt.

Aadhaar Act: The Aadhaar Act does not provide for any such mechanism for grievance redressal by the registrars, enrolling agencies or the requesting entities. However, since the contracting agencies will also get covered by the IT Rules if they are 'body corporates', the requirement to designate a grievance officer would be applicable to them as well due to the IT Rules.

11. Disclosure with Consent, Prohibition on Publishing and Further Disclosure

IT Rules: Rule 6 requires that body corporate must have consent before disclosing sensitive personal data to any third person or party, except in the case with Government agencies for the purpose of verification of identity, prevention, detection, investigation, on receipt of a written request. Also, the body corporate or any person on its behalf shall not publish the sensitive personal information and the third party receiving the sensitive personal information from body corporate or any person on its behalf shall not disclose it further.

Aadhaar Act: Regarding the requesting entities, the Act provides that they shall not disclose the identity information except with the prior consent of the individual to whom the information relates. The Act also states that the Authority shall take necessary measures to ensure confidentiality of information against disclosures. However, as an exception under section 33, the UIDAI may reveal identity information, authentication records or any information in the CIDR following a court order by a District Judge or higher. The Act also allows disclosure made in the interest of national security following directions by a Joint Secretary to the Government of India, or an officer of a higher rank, authorised for this purpose. The Act is silent on the issue of obtaining consent of the individual under these exceptions. Additionally, the Act also states that the Aadhaar number or any core biometric information collected or created regarding an individual under the Act shall not be published, displayed or posted publicly, except for the purposes specified by regulations.

12. Requirements for Transfer of Sensitive Personal Data

IT Rules : Rule 7 requires that body corporate may transfer sensitive personal data into another jurisdiction only if the country ensures the same level of protection and may be allowed only if it is necessary for the performance of the lawful contract between the body corporate or any person on its behalf and provider of information or where such person has consented to data transfer.

Aadhaar Act : The Act is silent regarding transfer of personal data into another jurisdiction by the any of the contracting bodies like the Registrar, Enrolling agencies or the requesting entities. However, if these agencies satisfy the requirement of being "body corporates" as defined under section 43A, then the above requirement regarding transfer of data to another jurisdiction under IT Rules would be applicable to them. However, considering the sensitive nature of the data involved, the lack of a prohibition of transferring data to another jurisdiction under the Aadhaar Act appears to be a serious lacuna.

13. Security of Information

IT Rules: Rule 8 requires that the body corporate must secure information in accordance with the ISO 27001 standard or any other best practices notified by Central Government. These practices must be audited annually or when the body corporate undertakes a significant up gradation of its process and computer resource.

Aadhaar Act: Section 28 of the Act states that the UIDAI must ensure the security and confidentiality of identity information and authentication records. It also states that the Authority shall adopt and implement appropriate technical and organisational security measures, and ensure the same are imposed through agreements/arrangements with its agents, consultants, advisors or other persons. However, it does not mention which standards/measures have to be adopted by all the actors in Aadhaar ecosystem for ensuring the security of information, though it can be argued that if the contractors employed by the UIDAI are body corporate then the standards prescribed under the IT Rules would be applicable to them.

Implications of the Differences for Body Corporates in Aadhaar Ecosystem

An analysis of the Rules in comparison to the data protection measures under the Aadhaar Act shows that the requirements regarding protection of personal or sensitive personal information differ and are not completely in line with each other.

Though the Aadhaar Act takes into account the provisions regarding consent of the individual, notice, restriction on sharing, etc., the Act is silent regarding many core measures like sharing of information across jurisdictions, taking consent before collection of information, adoption of security measures for protection of information, etc. which a body corporate in the Aadhaar ecosystem must adopt to be in compliance with section 43A of the IT Act. It is therefore important that the bodies collecting, handling, sharing the personal information and are governed by the Aadhaar Act, must adhere to section 43A and the IT Rules 2011. However, applicability of Aadhaar Act as well as section 43A and IT Rules 2011 would lead to ambiguity regarding interpretation and implementation of the Law. The differences must be duly taken into account and more clarity is required to make all the bodies under this Legislation like the enrolling agencies, Registrars and the Requesting Entities accountable under the correct provisions of Law. However, having two separate legislations governing the data protection standards in the Aadhaar scheme seems to have been overlooked. A harmonized and overarching privacy legislation is critical to avoid unclarity in the applicability of data protection standards and would also address many privacy concerns associated to the scheme.

Appendix I

The Rajya Sabha had proposed five amendments to the Aadhaar Act 2016, which are as follows:

i. Opt-out clause: A provision to allow a person to "opt out" of the Aadhaar system, even if already enrolled.

ii. Voluntary: To ensure that if a person chooses not to be part of the Aadhaar system, he/she would be provided "alternate and viable" means of identification for purposes of delivery of government subsidy, benefit or service.

iii. Amendment restricting the use of Aadhaar numbers only for targeting of government benefits or service and not for any other purpose.

iv. Amendment seeking change of the term "national security" to "public emergency or in the interest of public safety" in the provision specifying situations in which disclosure of identity information of an individual to certain law enforcement agencies can be allowed.

v. Oversight Committee: The oversight committee , which would oversee the possible disclosure of information, should include either the Central Vigilance Commissioner or the Comptroller and Auditor-General.

Sources:

Appendix II - Section 43A: Compensation for Failure to Protect Data

Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

For the purposes of this section:

"body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;
"reasonable security practices and procedures" means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit;
"sensitive personal data or information" means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.'.

The term 'body corporate' has been defined under section 43A as "any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities"

For more details visit https://cis-india.org/internet-governance/blog/aadhaar-act-and-its-non-compliance-with-data-protection-law-in-india

The Last Chance for a Welfare State Doesn’t Rest in the Aadhaar System

sumandro — 2016-04-19T13:18:42Z

Boosting welfare is the message, which is how Aadhaar is being presented in India. The Aadhaar system as a medium, however, is one that enables tracking, surveillance, and data monetisation. This piece by Sumandro Chattapadhyay was published in The Wire on April 19, 2016.

Originally published in and cross-posted from The Wire.

Once upon a time, a king desired that his parrot should be taught all the ancient knowledge of the kingdom. The priests started feeding the pages of the great books to the parrot with much enthusiasm. One day, the king asked the priests if the parrot’s education has completed. The priests poked the belly of the parrot but it made no sound. Only the rustle of undigested pages inside the belly could be heard. The priests declared that the parrot is indeed a learned one now.

The fate of the welfare system in our country is quite similar to this parrot from Tagore’s parable. It has been forcefully fed identification cards and other official documents (often four copies of the same) for years, and always with the same justification of making it more effective and fixing the leaks. These identification regimes are in effect killing off the welfare system. And some may say that that has been the actual plan in any case.

The Aadhaar number has been recently offered as the ‘last chance’ for the ailing welfare system – a last identification regime that it needs to gulp down to survive. This argument wilfully overlooks the acute problems with the Aadhaar project.

Firstly, the ‘last chance’ for a welfare state in India is not provided by implementing a new and improved identification regime (Aadhaar numbers or otherwise), but by enabling citizens to effectively track, monitor, and ensure delivery of welfare, services, and benefits. This ‘opening up’ of the welfare bureaucracy has been most effectively initiated by the Right to Information Act. Instead of a centralised biometrics-linked identity verification platform, which gives the privilege of tracking and monitoring welfare flows only to a few expert groups, an effective welfare state requires the devolution of such privilege and responsibility.

We should harness the tracking capabilities of electronic financial systems to disclose how money belonging to the Consolidated Fund of India travel around state agencies and departmental levels. Instead, the Aadhaar system effectively stacks up a range of entry barriers to accessing welfare – from malfunctioning biometric scanners, to connectivity problems, to the burden of keeping one’s fingerprint digitally legible under all labouring and algorithmic circumstances.

Secondly, authentication of welfare recipients by Aadhaar number neither make the welfare delivery process free of techno-bureaucratic hurdles, nor does it exorcise away corruption. Anumeha Yadav has recently documented the emerging ‘unrest at the ration shop’ across Rajasthan, as authentication processes face technical and connectivity delays, people get ‘locked out’ of public services for not having or having Aadhaar number with incorrect demographic details, and no mechanisms exist to provide rapid and definitive recourse.

RTI activists at the Satark Nagrik Sangathan have highlighted that the Delhi ration shops, using Aadhaar-based authentication, maintain only two columns of data to describe people who have come to the shop – those who received their ration, and those who did not (without any indication of the reason). This leads to erasure-by-design of evidence of the number of welfare-seekers who are excluded from welfare services when the Aadhaar-based authentication process fails (for valid reasons, or otherwise).

Reetika Khera has made it very clear that using Aadhaar Payments Bridge to directly transfer cash to a beneficiary’s account, in the best case scenario, may only take care of one form of corruption: deception (a different person claiming to be the beneficiary). But it does not address the other two common forms of public corruption: collusion (government officials approving undue benefits and creating false beneficiaries) and extortion (forceful rent seeking after the cash has been transferred to the beneficiary’s account). Evidently, going after only deception does not make much sense in an environment where collusion and extortion are commonplace.

Thirdly, the ‘relevant privacy question’ for Aadhaar is not limited to how UIDAI protects the data collected by it, but expands to usage of Aadhaar numbers across the public and private sectors. The privacy problem created by the Aadhaar numbers does begin but surely not end with internal data management procedures and responsibilities of the UIDAI.

On one hand, the Aadhaar Bill 2016 has reduced the personal data sharing restrictions of the NIAI Bill 2010, and has allowed for sharing of all data except core biometrics (fingerprints and iris scan) with all agencies involved in authentication of a person through her/his Aadhaar number. These agencies have been asked to seek consent from the person who is being authenticated, and to inform her/him of the ways in which the provided data (by the person, and by UIDAI) will be used by the agency. In careful wording, the Bill only asks the agencies to inform the person about “alternatives to submission of identity information to the requesting entity” (Section 8.3) but not to provide any such alternatives. This facilitates and legalises a much wider collection of personal demographic data for offering of services by public agencies “or any body corporate or person” (Section 57), which is way beyond the scope of data management practices of UIDAI.

On the other hand, the Aadhaar number is being seeded to all government databases – from lists of HIV patients, of rural citizens being offered 100 days of work, of students getting scholarships meant for specific social groups, of people with a bank account. Now in some sectors, such as banking, inter-agency sharing of data about clients is strictly regulated. But we increasingly have non-financial agencies playing crucial roles in the financial sector – from mobile wallets to peer-to-peer transaction to innovative credit ratings. Seeding of Aadhaar into all government and private databases would allow for easy and direct joining up of these databases by anyone who has access to them, and not at all by security agencies only.

When it becomes publicly acceptable that the money bill route was a ‘remedial’ instrument to put the Rajya Sabha ‘back on track’, one cannot not wonder about what was being remedied by avoiding a public debate about the draft bill before it was presented in Lok Sabha. The answer is simple: welfare is the message, surveillance is the medium.

Acceptance and adoption of all medium requires a message, a content. The users are interested in the message. The message, however, is not the business. Think of Free Basics. Facebook wants people with none or limited access to internet to enjoy parts of the internet at zero data cost. Facebook does not provide the content that the users consume on such internet. The content is created by the users themselves, and also provided by other companies. Facebook own and control the medium, and makes money out of all content, including interactions, passing through it.

The UIDAI has set up a biometric data bank and related infrastructure to offer authentication-as-a-service. As the Bill clarifies, almost all agencies (public or private, national or global) can use this service to verify the identity of Indian residents. Unlike Facebook, the content of these services do not flow through the Aadhaar system. Nonetheless, Aadhaar keeps track of all ‘authentication records’, that is records of whose identity was authenticated by whom, when, and where. This database is gold (data) mine for security agencies in India, and elsewhere. Further, as more agencies use authentication based on Aadhaar numbers, it becomes easier for them to combine and compare databases with other agencies doing the same, by linking each line of transaction across databases using Aadhaar numbers.

Welfare is the message that the Aadhaar system is riding on. The message is only useful for the medium as far as it ensures that the majority of the user population are subscribing to it. Once the users are enrolled, or on-boarded, the medium enables flow of all kinds of messages, and tracking and monetisation (perhaps not so much in the case of UIDAI) of all those flows. It does not matter if the Aadhaar system is being introduced to remedy the broken parliamentary process, or the broken welfare distribution system. What matters is that the UIDAI is establishing the infrastructure for a universal surveillance system in India, and without a formal acknowledgement and legal framework for the same.

For more details visit https://cis-india.org/internet-governance/blog/the-last-chance-for-a-welfare-state-doesnt-rest-in-the-aadhaar-system