The Centre for Internet and Society
https://cis-india.org
Cyberscholars Working Group at MIT
https://cis-india.org/news/cyberscholars-working-group-mit
<b>Malavika Jayaram is giving a talk on Biometrics or Bust - India’s Identity Crisis at this event organised by Berkman Center for Internet & Society on December 12 at 6.00 p.m.</b>
<hr />
<p style="text-align: justify; ">Read the original <a class="external-link" href="https://cyber.law.harvard.edu/events/cyberscholars/12/mit">published by Harvard University here</a>.</p>
<hr />
<p style="text-align: justify; ">The Cyberscholar Working Group is a forum for fellows and affiliates of MIT, Yale Law School Information Society Project, Columbia University, and the Berkman Center for Internet & Society at Harvard University to discuss their ongoing research. Each session is focused on the peer review and discussion of current projects submitted by a presenter. Meeting alternatively at Harvard, MIT, Yale, the working group aims to expand the shared knowledge of young scholars by bringing together these preeminent centers of thought on issues confronting the information age. Discussion sessions are designed to facilitate advancements in the individual research of presenters and in turn encourage exposure among the participants to the multi-disciplinary features of the issues addressed by their own work.</p>
<p style="text-align: justify; ">This month's presentations include:<br /> <b>(1) "Lines of Control: Networks of Imperialism and Independence in India (1840-1947)"</b><br />Abstract: This paper examines the history of communications networks in India and the relationship between communications and second-order networks. It draws attention to the wave of colonial network development that took place in India between 1840 and 1948. During these years, Britain constructed a series of shipping, rail and telegraph networks to achieve a set of military and commercial goals. This paper studies how first- and second-order networks developed, and the intended and unintended effects of these networks on India's economics, politics, and identity. The paper draws on economic and social studies of colonial communications networks in India, original reports by British officials and the Colonial Office, and the literature focusing on the role of technology in British imperialism. It shows how India's colonial communication networks, built to augment and extend British control over the subcontinent, became conduits for Indian resistance and nationalism.<br />Keywords: shipping, telegraph, railroads, imperialism, nationalism, network theory, India</p>
<p style="text-align: justify; "><b>Colin Agur </b>is a PhD candidate at Columbia University and Visiting Fellow at Yale Law School's Information Society Project. His research examines India's telecommunications, focusing on mobile network formation and second-order effects of network growth. He spent the 2012-13 academic year in Delhi and Chennai, conducting document analysis, interviews with industry figures and participant observation related to mobile phone usage. He has published articles about Indian media and culture in Harvard's Nieman Lab, the Journal of Asian and African Studies and Journalism (forthcoming), and about telecommunications history in Information and Culture.</p>
<p style="text-align: justify; "><b>(2) Big Data Dramas in the 1960s and 1970s</b><br />Abstract: The recent frenzy in discussing NSA activities and the collecting of Big Data show a widespread critical concern for the current practice of gathering and using personal data. These concerns have their history. In my presentation, I track the beginnings of a growing public awareness and sensitivity towards the societal handling of personal data. I argue that the early computerization phase during the 1960s and 1970s played a crucial role in discussing these issues. Media reports, popular books, scientific publications, and political hearings all of a sudden began – often in quite different ways – to address and question contemporary practices of collecting, sharing, and storing of personal data. Their authors explored and negotiated all kinds of societal settings where personal data played a significant role at that time. There have been concerns about these issues with personal data before, but – as I will show in my presentation – not on this broad societal level and to this extent as in the late 1960s and early 1970s. I argue that during that time, the usage of personal data became a highly controversial matter not only of public, but also of private interest. My inquiry examines how the term “data” and in particular the collection of personal data became loaded with cultural and emotional significance in scientific and media discussions in the 1960s and 1970s in the United States and in Germany. Furthermore, it explores how the early computerization affected our societal handling of data long before the personal computer entered our private lives.</p>
<p style="text-align: justify; "><b>Julia Fleischhack</b> is a visiting postdoctoral research fellow in the program in Science, Technology, and Society at the Massachusetts Institute of Technology. She holds a PhD in anthropology from Zürich University. Her current research is on data centers from the private sector and funded by the Fritz Thyssen foundation.</p>
<p style="text-align: justify; "><b>(3) Biometrics or Bust - India’s Identity Crisis</b><br />Abstract: India's identity juggernaut - the Unique Identity (UID) project that has registered around 500 million people and is yet to be fully realized - is already the world's largest ever biometrics identity scheme. Grounded in the premise that centralized de-duplication and authentication will uniquely identify people and eliminate fraud, it is hailed as a game changer and a silver bullet that will solve myriad socio-economic problems, yet its conception and architecture raise significant concerns. Its implementation as a techno-utopian project in a legal vacuum, despite the potential for abuse and exclusion, gives pause to the much-vaunted claims of transforming welfare delivery and galvanizing financial inclusion. I will provide an overview of the identity project and highlight some of the key implications for privacy and free speech, and more broadly, democracy and openness. I will also unpack some of the narratives being constructed, describe the current public discourse and legal developments, and locate the project within the broader surveillance state and database nation that India is morphing into.</p>
<p style="text-align: justify; "><b>Malavika Jayaram</b> is a Fellow at the Berkman Center for Internet and Society at Harvard, focusing on privacy, identity and free expression. A Fellow at the Centre for Internet and Society, Bangalore, she is one of 10 Indian lawyers in The International Who's Who of Internet e-Commerce & Data Protection directory. In August 2013, she was voted one of India's leading lawyers - one of only 8 women to be featured in the "40 under 45" survey conducted by Law Business Research, London.</p>
No publisher | praskrishna | UID, Internet Governance | 2014-01-09T06:41:31Z | News Item
Comments on the Report of the Committee on Digital Payments (December 2016)
https://cis-india.org/internet-governance/blog/comments-on-the-report-of-the-committee-on-digital-payments-dec-2016
<b>The Committee on Digital Payments constituted by the Ministry of Finance and chaired by Ratan P. Watal, Principal Advisor, NITI Aayog, submitted its report on the "Medium Term Recommendations to Strengthen Digital Payments Ecosystem" on December 09, 2016. The report was made public on December 27, and comments were sought from the general public. Here are the comments submitted by the Centre for Internet and Society.</b>
<h3><strong>1. Preliminary</strong></h3>
<p><strong>1.1.</strong> This submission presents comments by the Centre for Internet and Society (“CIS”) <strong>[1]</strong> in response to the report of the Committee on Digital Payments, chaired by Mr. Ratan P. Watal, Principal Advisor, NITI Aayog, and constituted by the Ministry of Finance, Government of India (“the report”) <strong>[2]</strong>.</p>
<h3><strong>2. The Centre for Internet and Society</strong></h3>
<p><strong>2.1.</strong> The Centre for Internet and Society, CIS, is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with diverse abilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, and open access), internet governance, telecommunication reform, digital privacy, and cyber-security.</p>
<p><strong>2.2.</strong> CIS is not an expert organisation in the domain of banking in general and payments in particular. Our expertise is in matters of internet and communication governance, data privacy and security, and technology regulation. We deeply appreciate and are most inspired by the Ministry of Finance’s decision to invite entities from both the sectors of finance and information technology. This submission is consistent with CIS’ commitment to safeguarding general public interest, and the interests and rights of various stakeholders involved, especially the citizens and the users. CIS is thankful to the Ministry of Finance for this opportunity to provide a general response on the report.</p>
<h3><strong>3. Comments</strong></h3>
<p><strong>3.1.</strong> CIS observes that the decision by the Government of India to withdraw the legal tender character of the old high denomination banknotes (that is, Rs. 500 and Rs. 1,000 notes), declared on November 08, 2016 <strong>[3]</strong>, has generated <strong>unprecedented data about the user base and transaction patterns of digital payments systems in India, when pushed to their extreme use due to the circumstances</strong>. The majority of this data is available with the National Payments Corporation of India and the Reserve Bank of India. CIS requests the authorities concerned to consider <strong>opening up this data for analysis and discussion by the public at large and experts in particular, before any specific policy and regulatory decisions are taken</strong> towards advancing digital payments proliferation in India. This is a crucial opportunity for the Ministry of Finance to embrace (open) data-driven regulation and policy-making.</p>
<p><strong>3.2.</strong> While the report makes a reference to the European General Data Protection Directive, it does not make a reference to any substantive provisions in the Directive which may be relevant to digital payments. Aside from the recommendation that privacy protections around the purpose limitation principle be relaxed to ensure that payment service providers be allowed to process data to improve fraud monitoring and anti-money laundering services, the report is silent on significant privacy and data protection concerns posed by digital payments services. <strong>CIS strongly warns that the existing data protection and security regulations under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules are woefully inadequate in their scope and application to effectively deal with potential privacy concerns posed by digital payments applications and services.</strong> Some key privacy issues that must be addressed either under a comprehensive data protection legislation or a sector-specific financial regulation are listed below. The process of obtaining consent must be specific, informed and unambiguous, and must proceed through a clear affirmative action by the data subject based upon a genuine choice, provided along with an option to opt out at any stage. The data subjects should have a clear and easily enforceable right to access and correct their data. Further, data subjects should have the right to restrict the usage of their data in circumstances such as inaccuracy of data, unlawful purpose, and data no longer being required in order to fulfill the original purpose.</p>
<p><strong>3.3.</strong> The initial recommendation of the report is to “[m]ake regulation of payments independent from the function of central banking” (page 22). This involves a fundamental transformation of the payment and settlement system in India and its regulation. <strong>We submit that a decision regarding transformation of such scale and implications be taken after a more comprehensive policy discussion, especially involving a wider range of stakeholders</strong>. The report itself notes that “[d]igital payments also have the potential of becoming a gateway to other financial services such as credit facilities for small businesses and low-income households” (page 32). Thus, a clear functional, and hence regulatory, separation between the (digital) payments industry and the lending/borrowing industry may be neither effective nor desirable. Global experience tells us that digital transactions data, along with other alternative data, are fast becoming the basis of provision of financial and other services, by both banking and non-banking (payments) companies. We appeal to the Ministry of Finance to adopt a comprehensive and concerted approach to regulating, enabling competition, and upholding consumers’ rights in the banking sector at large.</p>
<p><strong>3.4.</strong> The report recognises “banking as an activity is separate from payments, which is more of a technology business” (page 154). Contemporary banking and payment businesses are both primarily technology businesses where information technology in particular is deployed intimately to extract, process, and drive asset management decisions using financial transaction data. Further, with payment businesses (such as pre-paid instruments) offering return on deposited money via other means (such as cashbacks), and potentially competing and/or collaborating with established banks to use financial transaction data to drive lending decisions, including but not limited to micro-loans, it appears unproductive to create a separation between banking as an activity and payments as an activity merely in terms of the respective technology intensity of these sectors. <strong>CIS firmly recommends that regulation of these financial services and activities be undertaken in a technology-agnostic manner, and similar regulatory regimes be deployed on those entities offering similar services irrespective of their technology intensity or choice</strong>.</p>
<p><strong>3.5.</strong> The report highlights two major shortcomings of the current regulatory regime for payments. Firstly, “the law does not impose any obligation on the regulator to promote competition and innovation in the payments market” (page 153). It appears to us that the regulator’s role should not be to promote market expansion and innovation but to ensure and oversee competition. <strong>We believe that the current regulator should focus on regulating the existing market, and the work of the expansion of the digital payments market in particular and the digital financial services market in general be carried out by another government agency, as it creates a conflict of interest for the regulator otherwise.</strong> Secondly, the report mentions that the Payment and Settlement Systems Act does not “focus the regulatory attention on the need for consumer protection in digital payments” and then it notes that a “provision was inserted to protect funds collected from customers” in 2015 (page 153). <strong>This indicates that the regulator already has the responsibility to ensure consumer protection in digital payments. The purview and modalities of this function of course need discussion and changes with the growth in digital payments</strong>.</p>
<p><strong>3.6.</strong> The report identifies the high cost of cash as a key reason for the government’s policy push towards digital payments. Further, it mentions that a “sample survey conducted in 2014 across urban and rural neighbourhoods in Delhi and Meerut, shows that despite being keenly aware of the costs associated with transacting in cash, most consumers see three main benefits of cash, viz. freedom of negotiations, faster settlements, and ensuring exact payments” (page 30). It further notes that “[d]igital payments have significant dependencies upon power and telecommunications infrastructure. Therefore, the roll out of robust and user friendly digital payments solutions to unelectrified areas/areas without telecommunications network coverage, remains a challenge.” <strong>CIS much appreciates the discussion of the barriers to universal adoption and rollout of digital payments in the report, and appeals to the Ministry of Finance to undertake a more comprehensive study of the key investments required by the Government of India to ensure that digital payments become ubiquitously viable as well as satisfy the demands of a vast range of consumers that India has</strong>. The estimates about investment required to create a robust digital payment infrastructure, cited in the report, provide a great basis for undertaking studies such as these.</p>
<p><strong>3.7.</strong> CIS is very encouraged to see the report highlighting that “[w]ith the rising number of users of digital payment services, it is absolutely necessary to develop consumer confidence on digital payments. Therefore, it is essential to have legislative safeguards to protect such consumers in-built into the primary law.” <strong>We second this recommendation and would like to add further that financial transaction data be governed under a common data protection and privacy regime, without making any differences between data collected by banking and non-banking entities</strong>.</p>
<p><strong>3.8.</strong> We are, however, very discouraged to see the overtly incorrect use of the term “Open Access” in this report in the context of a payment system disallowing service when the client wants to transact money with a specific entity <strong>[4]</strong>. This is not an uncommon anti-competitive measure adopted by various platform players and service providers so as to disallow users from using competing products (such as not allowing competing apps in the app store controlled by one software company). <strong>The term “Open Access” is not only inappropriate for describing the negation of such anti-competitive behaviour, its usage in this context also undermines its accepted meaning and creates confusion regarding the recommendation being proposed by the report.</strong> The closest analogy to the recommendation of the report would perhaps be with the principle of “network neutrality” that stands for the network provider not discriminating between data packets being processed by them, either in terms of price or speed.</p>
<p><strong>3.9.</strong> A major recommendation by the report involves creation of “a fund from savings generated from cash-less transactions … by the Central Government,” which will use “the trinity of JAM (Jan Dhan, Adhaar, Mobile) [to] link financial inclusion with social protection, contributing to improved Social and Financial Security and Inclusion of vulnerable groups/ communities” (page 160-161). <strong>This amounts to making Aadhaar a mandatory ID for financial inclusion of citizens, especially the marginal and vulnerable ones, and is in direct contradiction to the government’s statements regarding the optional nature of the Aadhaar ID, as well as the orders by the Supreme Court on this topic</strong>.</p>
<p><strong>3.10.</strong> The report recommends that “Aadhaar should be made the primary identification for KYC with the option of using other IDs for people who have not yet obtained Aadhaar” (page 163) and further that “Aadhaar eKYC and eSign should be a replacement for paper based, costly, and shared central KYC registries” (page 162). <strong>Not only would these measures imply making Aadhaar a mandatory ID for undertaking any legal activity in the country, they also assume that the UIDAI has verified and audited the personal documents submitted by Aadhaar number holders during enrollment.</strong> A mandate for <em>replacement</em> of the paper-based central KYC agencies will only remove a much needed redundancy in the identity verification infrastructure of the government.</p>
<p><strong>3.11.</strong> The report suggests that “[t]ransactions which are permitted in cash without KYC should also be permitted on prepaid wallets without KYC” (page 164-165). This seems to negate the reality that physical verification of a person remains one of the most authoritative identity verification processes for a natural person, apart from DNA testing perhaps. <strong>Thus, establishing full equivalency of procedure between a presence-less transaction and one involving a physically present person making the payment will only amount to removal of relatively greater security precautions for the former, and will lead to possibilities of fraud</strong>.</p>
<p><strong>3.12.</strong> In continuation with the previous point, the report recommends promotion of “Aadhaar based KYC where PAN has not been obtained” and making of “quoting Aadhaar compulsory in income tax return for natural persons” (page 163). Both these measures imply a replacement of the PAN by Aadhaar in the long term, and a sharp reduction in growth of new PAN holders in the short term. <strong>We appeal for this recommendation to be reconsidered as integration of all functionally separate national critical information infrastructures (such as PAN and Aadhaar) into a single unified and centralised system (such as Aadhaar) engenders massive national and personal security threats</strong>.</p>
<p><strong>3.13.</strong> The report suggests the establishment of “a ranking and reward framework” to recognise and encourage the best performing state/district/agency in the proliferation of digital payments. <strong>It appears to us that creation of such a framework will only lead to an environment of competition among the entities concerned, which apart from its benefits may also have its costs. For example, the incentivisation of quick rollout of digital payment avenues by state governments and various government agencies may lead to implementation without sufficient planning, coordination with stakeholders, and precautions regarding data security and privacy</strong>. The provision of central support for digital payments should be carried out in an environment of cooperation and not competition.</p>
<p><strong>3.14.</strong> CIS welcomes the recommendation by the report to generate greater awareness about cost of cash, including by ensuring that “large merchants including government agencies should account and disclose the cost of cash collection and cash payments incurred by them periodically” (page 164). It, however, is not clear to whom such periodic disclosures should be made. <strong>We would like to add here that the awareness building must simultaneously focus on making public how different entities shoulder these costs. Further, for reasons of comparison and evidence-driven policy making, it is necessary that data for equivalent variables are also made open for digital payments - the total and disaggregate cost, and what proportion of these costs are shouldered by which entities</strong>.</p>
<p><strong>3.15.</strong> The report acknowledges that “[t]oday, most merchants do not accept digital payments” and it goes on to recommend “that the Government should seize the initiative and require all government agencies and merchants where contracts are awarded by the government to provide at-least one suitable digital payment option to its consumers and vendors” (page 165). This requirement for offering digital payment option will only introduce an additional economic barrier for merchants bidding for government contracts. <strong>We appeal to the Ministry of Finance to reconsider this approach of raising the costs of non-digital payments to incentivise proliferation of digital payments, and instead lower the existing economic and other barriers to digital payments that keep the merchants away</strong>. The adoption of digital payments must not lead to increasing costs for merchants and end-users, but must decrease the same instead.</p>
<p><strong>3.16.</strong> As the report was submitted on December 09, 2016, and was made public only on December 27, 2016, <strong>it would have been much appreciated if at least a month-long window was provided to study and comment on the report, instead of fifteen days</strong>. This is especially crucial as the recently implemented demonetisation and the subsequent banking and fiscal policy decisions taken by the government have rapidly transformed the state and dynamics of the payments system landscape in India in general, and digital payments in particular.</p>
<h3><strong>Endnotes</strong></h3>
<p><strong>[1]</strong> See: <a href="http://cis-india.org/">http://cis-india.org/</a>.</p>
<p><strong>[2]</strong> See: <a href="http://finmin.nic.in/reports/Note-watal-report.pdf">http://finmin.nic.in/reports/Note-watal-report.pdf</a> and <a href="http://finmin.nic.in/reports/watal_report271216.pdf">http://finmin.nic.in/reports/watal_report271216.pdf</a>.</p>
<p><strong>[3]</strong> See: <a href="http://finmin.nic.in/cancellation_high_denomination_notes.pdf">http://finmin.nic.in/cancellation_high_denomination_notes.pdf</a>.</p>
<p><strong>[4]</strong> Open Access refers to “free and unrestricted online availability” of scientific and non-scientific literature. See: <a href="http://www.budapestopenaccessinitiative.org/read">http://www.budapestopenaccessinitiative.org/read</a>.</p>
No publisher | Sumandro Chattapadhyay and Amber Sinha | UID, Digital ID, Big Data, Digital Economy, Digital Access, Privacy, Digital Security, Data Revolution, Digital Payment, Internet Governance, Digital India, Data Protection, Demonetisation, Homepage, Featured, Aadhaar | 2017-01-12T12:32:22Z | Blog Entry
CIS Submission to TRAI Consultation Note on Model for Nation-wide Interoperable and Scalable Public Wi-Fi Networks
https://cis-india.org/telecom/blog/cis-submission-trai-note-on-interoperable-scalable-public-wifi
<b>This submission presents responses by the CIS on the Consultation Note on Model for Nation-wide Interoperable and Scalable Public Wi-Fi Networks published by the TRAI on November 15, 2016. Our analysis of the solution proposed in the Note, in brief, is that there is no need for a solution to a non-existent interoperability problem for authentication and payment services for accessing public Wi-Fi networks. The proposed solution in this Note only adds to over-regulation in this sector, and does not incentivise new investment in the sector, but only establishes UIDAI and NPCI as the monopoly service providers for authentication and payment services.</b>
<p>The comments were authored by Japreet Grewal, Pranesh Prakash, Sharath Chandra, Sumandro Chattapadhyay, Sunil Abraham, and Udbhav Tiwari, with expert comments from Amelia Andersdotter.</p>
<hr />
<h2>1. Preliminary</h2>
<p><strong>1.1.</strong> This submission presents responses by the Centre for Internet and Society (“CIS”) <strong>[1]</strong> on the <em>Consultation Note on Model for Nation-wide Interoperable and Scalable Public Wi-Fi Networks</em> (“the Note”) published by the Telecom Regulatory Authority of India (“TRAI”) on November 15, 2016 <strong>[2]</strong>.</p>
<p><strong>1.2.</strong> The CIS welcomes the effort undertaken by TRAI to map regulatory and other barriers to deployment of public Wi-Fi in India. We especially appreciate that TRAI has recognised <strong>[3]</strong> two key barriers to provision of public Wi-Fi networks identified and highlighted in our earlier response to the <em>Consultation Paper on Proliferation of Broadband through Public WiFi</em> <strong>[4]</strong>: 1) over-regulation (including licensing requirements, data retention, and Know Your Customer policy), and 2) paucity of spectrum <strong>[5]</strong>.</p>
<h2>2. General Responses</h2>
<p><strong>2.1.</strong> Before responding to the specific questions posed by the Note, we would like to make the following observations.</p>
<p><strong>2.2.</strong> There is no need for a solution to a non-existent interoperability problem for authentication and payment services for accessing public Wi-Fi networks. The proposed solution in this Note only adds to over-regulation in this sector. The proposed solution does not incentivise new investment in the sector, but only establishes UIDAI and NPCI as the monopoly service providers for authentication and payment services.</p>
<p><strong>2.3.</strong> As the TRAI has consulted widely with industry and other stakeholders before it settled on the list of priority issues contained in Section C.6 of the Note, we are surprised to find that this Note aims to address only the problem of lack of “seamless interoperable payment system for Wi-Fi networks” (Section C.6.d. of the Note), and does not discuss and propose solutions for any other key barriers identified by the Note.</p>
<p><strong>2.4.</strong> The Note fails to clarify the “interoperability” problem in the payment system for usage of public Wi-Fi networks that it is attempting to solve. The Note identifies the lack of a “single standard” for “authentication and payment mechanisms” for accessing public Wi-Fi networks as a key impediment to providing scalable and interoperable public Wi-Fi networks across the country <strong>[6]</strong>. By conceptualising the problem in this manner, TRAI has bundled together two completely different concerns - authentication and payment - into one, and this is at the root of the problems emanating from the proposed solution in this Note.</p>
<p><strong>2.5.</strong> The lack of a standard process for authentication is created by over-regulation via Know Your Customer (“KYC”) policies, and the selection of the eKYC service provided by UIDAI as the only acceptable authentication mechanism for all users of public Wi-Fi networks across India, creating further economic and legal challenges for smaller would-be providers of public Wi-Fi networks as they assess their liabilities and start-up costs. Additionally, since this would amount to making UID/Aadhaar enrolment mandatory for any user of public Wi-Fi networks, it seems to create a contradiction with previously communicated policy from the UIDAI and the Government that no such obligation should arise. The Supreme Court has also mandated over successive Orders that enrolment for UID/Aadhaar number should remain optional for the citizens and residents.</p>
<p><strong>2.6.</strong> As was observed by the respondents to the TRAI Consultation concluded earlier this year, there is no interoperability problem that needs to be solved regarding payments for accessing public Wi-Fi networks. Payment services continue to evolve, and payment aggregator services provided by existing companies may be expected to resolve many of the outstanding issues of service proliferation in the upcoming years, at least in the absence of additional mandatory technical measures imposed by the government. Bundling of payment with authentication will only undermine the already existing independent market for payment aggregators, and further enforce mandatoriness of UID/Aadhaar number.</p>
<p><strong>2.7.</strong> Further, the payment mechanism proposed would seem to worsen difficulties for tourists and foreigners in accessing public Wi-Fi in India, as well adds an additional layer of authentication in a system already identified (even in the Note itself) to be overburdened by regulations regarding KYC and data retention. Section C.6.b of the Note highlights the problems faced by foreigners and tourists when the authentication mechanism is premised upon use of One Time Password (OTP) that requires a functioning local mobile phone number. It contradicts itself later by proposing an authentication method that requires the user to not only download an application onto their mobile/desktop device, but also to enrol for UID/Aadhaar number and/or to use their existing UID/Aadhaar number. Instead of reducing the existing barriers to provision of and access to public Wi-Fi, which the Note is supposed to achieve, it creates significant new barriers.</p>
<p><strong>2.8.</strong> The technological architecture advanced by the Note upholds support of governance and surveillance projects that, in addition to being costly in their implementation and thereby slowing down the objective of getting India connected, are also of questionable value to the security of the Indian polity. UID, UPI, and related projects risk undermining cyber-security through their reliance on centralised architectures and interfere with healthy competitive market dynamics between commercial and non-commercial actors.</p>
<p><strong>2.9.</strong> The Note continues to only consider and enable commercial models for the provision of public Wi-Fi networks. We have identified this as a problematic assumption in our last submission <strong>[7]</strong>. It is most crucial that TRAI does not ignore and fail to promote and facilitate the possibility of not-for-profit models that involve grassroot communities, academia, and civil society.</p>
<p><strong>2.10.</strong> Last but not the least, the term “Wi-Fi” refers to a particular technology for establishing wireless local area networks. Further, the term is a trademark of the Wi-Fi Alliance <strong>[8]</strong>. It is thus not a neutral term, and it must not be used as a general and universal synonym for wireless local area networks. We recommend that TRAI may consider using a technology-neutral term, say “public wireless services” or “public networking services”, to describe the sector. Following the terminology used in the Note, we have decided to continue using the term “Wi-Fi” in this response. This does not reflect our agreement about the appropriateness of this term. Important: The recommendation for technology-neutral regulation also comes with the qualification that safeguards like regulations on Listen Before Talk and Cycle Time are required to prevent technologies like LTE-U from squatting on spectrum and interfering with connections based on other standards.</p>
<h2>3. Specific Responses</h2>
<h4>Q1. Is the architecture suggested in the consultation note for creating unified authentication and payment infrastructure will enable nationwide standard for authentication and payment interoperability?</h4>
<p><strong>3.1.</strong> No. The proposed infrastructure is likely to be costly for a large number of actors to implement and undermine some of the ongoing innovation in the Indian digital payment services industry. Rather than being helpful, it risks introducing additional requirements on an industry that TRAI has already identified as facing a number of large challenges.</p>
<p><strong>3.2.</strong> There is no need for a unified architecture that provides nationwide standard for authentication and payment interoperability. It does not offer any incentive towards provision of public Wi-Fi networks. Neither is there an interoperability problem at the physical or data link layers that has been pointed out, nor is government mandated interoperability required at the payment or ID layer since there are private entities that provide such interoperability (like, payment aggregators). Additionally, we believe it is inappropriate that the TRAI is trying to predict the most suitable business/technological model for digital payments to be used for accessing commercial Wi-Fi networks. India has a booming online payments industry, and it must be allowed to evolve in an enabling regulatory environment that allow for competition and ensures responsible practices.</p>
<p><strong>3.3.</strong> The Note identifies several structural impediments to expansion of public Wi-Fi networks in India, namely paucity of backhaul connectivity infrastructure (Section C.6.a), inadequate associated infrastructure to offer carrier grade Wi-Fi network (Section C.6.c), dependency of authentication mechanism on pre-existing (Indian) mobile phone connection (Section C.6.b), and limited availability of spectrum to be used for public Wi-Fi networks (Section C.6.e). All these are crucial concerns and none of them have been addressed by the architecture suggested in the Note.</p>
<h4>Q2. Would you like to suggest any alternate model?</h4>
<p><strong>3.4.</strong> Yes. The model proposed in the Note is likely to exclude several types of potential users (say, foreigners and tourists), and impose a single authentication and payment service provider for accessing public Wi-Fi networks, which may undermine both competition and security in the market for these services.</p>
<p><strong>3.5.</strong> Internationally, there are cities and regions (say, the city of Barcelona and the Catalonia region in Spain) where public Wi-Fi networks have been provided in a pervasive and efficient manner by taking a light regulatory approach that enables opportunities for potential providers to set up their own infrastructures and additionally have access to backhaul. Further, reducing legal requirements on authentication should be considered in place of government mandated technical architectures for authentication and payment. In particular, allowing for anonymous access to Public Wi-Fi or wireless connectivity would reduce both the administrative and the technical burden on potential providers at the hyper-local level, especially for providers whose main activity it is not, and cannot be, to provide internet services (say, event venues, malls, and shops).</p>
<p><strong>3.6.</strong> The CIS suggests the following steps towards conceptualising an “alternative model”:</p>
<ol><li>remove existing regulatory disincentives,<br /><br /></li>
<li>urgently explore policies to promote deployment of wired infrastructures in general, and to enable a larger range of actors, including local authorities, to invest in and deploy local infrastructures by reducing licensing requirements in particular,<br /><br /></li>
<li>examine spectrum requirements for provision of public Wi-Fi, and<br /><br /></li>
<li>provide incentives, such as allowing telecom service providers to share backhaul traffic over public Wi-Fi, and ways for telecom service providers to lower their costs if they also make Internet access available for free.</li></ol>
<h4>Q3. Can Public Wi-Fi access providers resell capacity and bandwidth to retail users? Is “light touch regulation” using methods such as “registration” instead of “licensing” preferred for them?</h4>
<p><strong>3.7.</strong> CIS holds that capacity and bandwidth are neither comparable to tangible goods nor to digital currency. They are a utility, and the provider of the utility has to accept that their customers use the utility in the way they see fit, even if that use entails sharing said capacity and bandwidth with downstream private persons or customers. Wi-Fi capabilities are currently a built-in standardised feature of all consumer routers. Any individual, community, or store with access to an internet connection and a consumer router could become a public Wi-Fi access provider at no additional cost to themselves, furthering the goals of the Indian government in its Digital India strategy to ensure public and universal access to the internet.</p>
<p><strong>3.8.</strong> In order to exploit the opportunities afforded by a large number of entities in the Indian society potentially becoming Public Wi-Fi providers, TRAI should require neither registration nor licensing of these actors. Imposing administrative burdens on potential public Wi-Fi access providers creates legal uncertainty and will cause a lot of actors, who may otherwise contribute to the goals of Digital India, not to do so. This is particularly true for community organisers and citizens, who may not have access to legal assistance and therefore may avoid contributing to the goals of the government.</p>
<p><strong>3.9.</strong> Light touch regulation, both in granting licenses to public Wi-Fi access providers and in authenticating retail users, is however needed not only as an exceptional practice for such instances but as a general practice in case of entities offering public Wi-Fi services, either commercially or otherwise. Further, additional laxity in administrative responsibilities is needed to incentivise provision of free, that is non-commercial, public Wi-Fi networks.</p>
<h4>Q4. What should be the regulatory guidelines on “unbundling” Wi-Fi at access and backhaul level?</h4>
<p><strong>3.10.</strong> The Note refers to unbundling of activities related to provision of Wi-Fi but it does not define the term. Nor is it explained which specific activities at access and backhaul levels must be considered for unbundling.</p>
<p><strong>3.11.</strong> While unbundling should clearly be allowed and any regulatory hurdles to unbundling should be removed, any such decision must be taken with a focus on urgently addressing the stagnated growth in landline and backhaul, as identified in Section C.6.a of the Note. Relying only on spectrum intensive infrastructures, such as mobile base stations, for providing connectivity, creates a heavy regulatory burden for the TRAI, while simultaneously not ensuring optimal connectivity for business and private users. The CIS is concerned that the focus of the Note on standardising a government-mediated authentication and payment mechanism detracts attention from this urgent obstacle to the fulfillment of the Digital India plans of accelerated provision of broadband highways, universal access, and public, especially free, access to internet services.</p>
<p><strong>3.12.</strong> From the example of European telecommunications legislations, implementation of policy measures to ensure that vertical integration between infrastructure (say, cables, switches, and hubs) providers and service (say, providing a subscriber with a household modem or a SIM card) providers in the telecommunications sector does not become a barrier to new market entrants has yielded much success in countries that have pursued it, like Sweden and Great Britain.</p>
<p><strong>3.13.</strong> Further, there should be no default assumption of bundling by the TRAI. In particular, the TRAI should consider reviewing all regulations that may cause bundling to occur when this is not necessary, and put in place a monitoring mechanism for ensuring that bundled practices (especially in electronic networks, base station infrastructures, backhaul and similar) do not cause competitive problems or raise market entry barriers <strong>[9]</strong>. In most EU countries, especially where the corporate structure of incumbent(s) is not highly vertically integrated, interconnection requirements for electronic network providers of wired networks in the backhaul or backbone (effectively price regulated interconnection), and a conscious effort to ensure that new market players can enter the field, have ensured a competitive telecommunications environment. TRAI may consider reviewing the European regulation on local loop unbundling (1999) and discussions on functional separation (especially by the British regulatory authority Ofcom), within an Indian context.</p>
<h4>Q5. Whether reselling of bandwidth should be allowed to venue owners such as shop keepers through Wi-Fi at premise? In such a scenario please suggest the mechanism for security compliance.</h4>
<p><strong>3.14.</strong> Yes. Venue owners should be allowed to provide public Wi-Fi service both on a commercial and non-commercial basis.</p>
<p><strong>3.15.</strong> It is not clear from the Note and the question what type of security concerns the TRAI is seeking to address. In terms of payment security, the payment industry already has a large range of verification and testing mechanisms. The CIS objects to the mandatory introduction of the proposed payment system so as to ensure greater security for Wi-Fi access providers and the users.</p>
<p><strong>3.16.</strong> As far as hardware-related security issues are concerned, it is again unclear why consumer equipment compliant with existing Wi-Fi standards would not be sufficiently secure in the Indian context. Wi-Fi has proven to be a sturdy technical standard, its adoption is high in multiple jurisdictions around the world, and it also enjoys great technical stability. Similar security assessments could easily be made for alternative wireless technologies, such as WiMaX.</p>
<p><strong>3.17.</strong> The CIS foresees problems in the allocation of risk and liability by law. The already existing legal obligation to verify the identity of each user, for instance, is likely to introduce a large administrative burden on potential Public Wi-Fi providers, which may lead to such potential providers abstaining from entering the market. Should the identification requirement be removed, however, other concerns pertaining to legal obligations may arise. These include liability for user activities on the web or on the internet (cf. copyright infringement, libel, hate speech). We propose a “safe harbour” mechanism in these cases, limiting the liability of the potential public Wi-Fi provider.</p>
<h4>Q6. What should be the guidelines regarding sharing of costs and revenue across all entities in the public Wi-Fi value chain? Is regulatory intervention required or it should be left to forbearance and individual contracting?</h4>
<p><strong>3.18.</strong> The market segments identified by the TRAI in Section F.18 of the Note should normally all be competitive markets themselves, and so do not require regulatory assistance in sharing of costs and revenues. The more elaborate the requirements imposed on each actor of each market segment identified by the TRAI in Section F.18, the more costly the roll-out of public Wi-Fi is going to be for the market actors. Such a cost is not avoided by price regulation.</p>
<p><strong>3.19.</strong> The TRAI may instead consider introducing public funding for backhaul roll-out in remote areas, where the market is unlikely to engage in such roll-out on its own. Presently, some Indian states (such as Karnataka) are committing to public funding for wireless access in remote areas. The Union Government can assist such endeavours.</p>
<h2>Endnotes</h2>
<p><strong>[1]</strong> See: <a href="http://cis-india.org/">http://cis-india.org/</a>.</p>
<p><strong>[2]</strong> See: <a href="http://trai.gov.in/Content/ConDis/20801_0.aspx">http://trai.gov.in/Content/ConDis/20801_0.aspx</a>.</p>
<p><strong>[3]</strong> See Section C.6 of the Note.</p>
<p><strong>[4]</strong> See: <a href="http://trai.gov.in/Content/ConDis/20782_0.aspx">http://trai.gov.in/Content/ConDis/20782_0.aspx</a>.</p>
<p><strong>[5]</strong> See: <a href="http://cis-india.org/telecom/blog/cis-submission-to-trai-consultation-on-proliferation-of-broadband-through-public-wifi-networks">http://cis-india.org/telecom/blog/cis-submission-to-trai-consultation-on-proliferation-of-broadband-through-public-wifi-networks</a>.</p>
<p><strong>[6]</strong> See Section E.11. of the Note.</p>
<p><strong>[7]</strong> See: <a href="http://cis-india.org/telecom/blog/cis-submission-to-trai-consultation-on-proliferation-of-broadband-through-public-wifi-networks">http://cis-india.org/telecom/blog/cis-submission-to-trai-consultation-on-proliferation-of-broadband-through-public-wifi-networks</a>.</p>
<p><strong>[8]</strong> See: <a href="https://www.wi-fi.org/">https://www.wi-fi.org/</a>.</p>
<p><strong>[9]</strong> See: Monitoring bundled products in the telecommunications sector is also recommended by the OECD: <a href="http://oecdinsights.org/2015/06/22/triple-and-quadruple-play-bundles-of-communication-services-towards-all-in-one-packages/">http://oecdinsights.org/2015/06/22/triple-and-quadruple-play-bundles-of-communication-services-towards-all-in-one-packages/</a>.</p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/telecom/blog/cis-submission-trai-note-on-interoperable-scalable-public-wifi'>https://cis-india.org/telecom/blog/cis-submission-trai-note-on-interoperable-scalable-public-wifi</a>
</p>
No publisher | Japreet Grewal, Pranesh Prakash, Sharath Chandra, Sumandro Chattapadhyay, Sunil Abraham, and Udbhav Tiwari, with expert comments from Amelia Andersdotter | Digital Payment, Public Wireless Network, TRAI, Internet Governance, Telecom, Featured, Aadhaar, Homepage, UID | 2016-12-12T13:59:00Z | Blog Entry
Card transactions with Aadhaar validation need more time: experts
https://cis-india.org/news/livemint-december-5-2013-kirthi-v-rao-moulishree-srivastava-card-transactions-with-aadhar-validation-need-more-time
<b>Cost and supply implications are seen by experts as the main hurdles in implementing the RBI directive. </b>
<hr />
<p style="text-align: justify; ">The article by Kirti V. Rao and Moulishree Srivastava was <a class="external-link" href="http://www.livemint.com/Politics/f0P6jklKaCVt5rP6RKBHbJ/Card-transactions-with-Aadhaar-validation-need-more-time-ex.html">published in Livemint</a> on December 5, 2013. Sunil Abraham is quoted.</p>
<hr />
<p style="text-align: justify; ">The Reserve Bank of India’s (RBI’s) move to introduce a new card payment infrastructure able to authenticate transactions using Aadhaar unique identity number-linked biometrics may take some time to implement as it has cost and supply implications.</p>
<p style="text-align: justify; ">“All new card present infrastructure has to be enabled for both EMV chip and PIN and Aadhaar (biometric validation) acceptance,” RBI said in a notification on 26 November.</p>
<p style="text-align: justify; ">Europay MasterCard Visa, or EMV, chip and PIN authentication involves card information stored in a chip that is accessible through a PIN or personal identification number, which replaces a cardholder’s signature.</p>
<p style="text-align: justify; ">Currently, all card infrastructure in India such as automated teller machines (ATMs) and point-of-sales (PoS) machines are moving towards full compliance with the global EMV standard that requires reading integrated circuit cards to authenticate credit and debit card transactions.</p>
<p style="text-align: justify; ">Although all transactions through debit cards are now required to be authenticated by PIN, validating financial transactions by using the biometric Aadhaar identity number database is yet to gain traction. Such a service is expected to begin in May.</p>
<p style="text-align: justify; ">Not all experts are in favour of the central bank’s move to use biometrics data to authenticate transactions.</p>
<p style="text-align: justify; ">“This is a terrible idea. Biometrics should never be used as authentication factor since it cannot be revoked when it is compromised,” said Sunil Abraham, executive director of Bangalore-based think-tank Centre for Internet and Society. “Digital signatures and its variations like the EMV chip are the right way to proceed.”</p>
<p style="text-align: justify; ">A banker did not fully agree with Abraham.</p>
<p style="text-align: justify; ">Pulak Sinha, general manager (payment solutions) at State Bank of India, said: “In our experience, there is a need for biometric authentication in certain geographical segments in the country. Our bank has used biometric authentication for financial inclusion initiatives and has found it very useful. Having said that, each bank is the best judge as to which technology is more relevant for their customers.”</p>
<p style="text-align: justify; ">Sinha added, “Also changing new infrastructure to accept all types of technologies has its own challenges as well as financial implications. Again, business cases need to be built and when people get additional services they may have to pay.”</p>
<p style="text-align: justify; ">There are cost implications if the RBI directive is to be implemented, according to Rajiv Kaul, chief executive of CMS Info Systems Pvt. Ltd, which runs two cash management companies and has recently received an order from SBI to deploy 8,000 cash machines across the country.</p>
<p style="text-align: justify; ">“Some of the ATM infrastructure currently installed have some of the capabilities for EMV chip cards, but even as they are hardware-equipped, software will need to be upgraded,” Kaul said. “For biometric compliance, both hardware and software will need to be installed, which will result in extra cost. So, for the short term, from the biometric perspective, the cost will go up.”</p>
<p style="text-align: justify; ">Some experts hold that the notification provides a chance to assess the as-yet-untested Aadhaar-linked biometrics model where the EMV model may be hard to implement.</p>
<p style="text-align: justify; ">“RBI has been pragmatic in mandating it incrementally as it is giving Aadhaar a runway to evolve in terms of operations, use cases, risk, technology standards, dispute resolution and get these things in order,” Uttam Nayak, group country manager, India and South Asia at Visa Consolidated Support Services (India) Pvt. Ltd, told Mint on 26 November. “Because Aadhaar is tokenless and doesn’t need a card, it has great potential for inclusion.”</p>
<p style="text-align: justify; ">Biometrics-enabled cash and PoS machines will require additional expenditure as they need high-speed Internet connectivity to transmit biometrics data, Rajeev Chandrasekhar, member of the upper house of Parliament, said in a letter to RBI governor Raghuram Rajan.</p>
<p style="text-align: justify; ">“The hardware and software cost of upgrading a single unit with biometrics hardware is not very much but changing the entire ecosystem would have costs,” acknowledged SBI’s Sinha. “When people get additional services they will have to pay.”</p>
<p style="text-align: justify; ">“A high percentage of the population is still unbanked. The opportunity (to reach people through biometric validation and Aadhaar) is too tempting for the acquirers (banks and others using PoS devices) to not take this up,” said Robin Roy, associate director of financial services at consultancy firm PricewaterhouseCoopers Pvt. Ltd.</p>
<p style="text-align: justify; ">Whether there would be enough suppliers of machines to implement the directive is also a concern, some experts said.</p>
<p>
For more details visit <a href='https://cis-india.org/news/livemint-december-5-2013-kirthi-v-rao-moulishree-srivastava-card-transactions-with-aadhar-validation-need-more-time'>https://cis-india.org/news/livemint-december-5-2013-kirthi-v-rao-moulishree-srivastava-card-transactions-with-aadhar-validation-need-more-time</a>
</p>
No publisher | praskrishna | UID, Internet Governance | 2013-12-26T06:25:04Z | News Item
Can the Matters Dealt with in the Aadhaar Act be the Objects of a Money Bill?
https://cis-india.org/internet-governance/blog/can-matters-dealt-with-in-aadhaar-act-be-objects-of-money-bill
<b>In this infographic, we highlight the matters dealt with in the Aadhaar Act 2016, recently tabled in and passed by the Lok Sabha as a money bill, and consider if these can be objects of a money bill. The infographic is designed by Pooja Saxena, based on information compiled by Sumandro Chattapadhyay and Amber Sinha. </b>
<p> </p>
<h4>Download the infographic: <a href="https://github.com/cis-india/website/raw/master/infographics/CIS_NotAMoneyBill_ObjectsOfMoneyBill.pdf">PDF</a> and <a href="https://github.com/cis-india/website/raw/master/infographics/CIS_NotAMoneyBill_ObjectsOfMoneyBill.jpg">JPG</a>.</h4>
<p> </p>
<p><strong>License:</strong> It is shared under Creative Commons <a href="https://creativecommons.org/licenses/by/4.0/">Attribution 4.0 International</a> License.</p>
<p> </p>
<img src="https://github.com/cis-india/website/raw/master/infographics/CIS_NotAMoneyBill_ObjectsOfMoneyBill.jpg" alt="Can the matters dealt with in the Aadhaar Act be the objects of a money bill?" />
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/can-matters-dealt-with-in-aadhaar-act-be-objects-of-money-bill'>https://cis-india.org/internet-governance/blog/can-matters-dealt-with-in-aadhaar-act-be-objects-of-money-bill</a>
</p>
No publisher | Pooja Saxena | UID, Privacy, Internet Governance, Digital India, Aadhaar | 2016-04-24T14:15:06Z | Blog Entry
Can the Aadhaar Act 2016 be Classified as a Money Bill?
https://cis-india.org/internet-governance/blog/can-the-aadhaar-act-2016-be-classified-as-a-money-bill
<b>In this infographic, we show if the Aadhaar Act 2016, recently tabled in and passed by the Lok Sabha as a money bill, can be classified as a money bill. The infographic is designed by Pooja Saxena, based on information compiled by Amber Sinha and Sumandro Chattapadhyay. </b>
<p> </p>
<h4>Download the infographic: <a href="https://github.com/cis-india/website/raw/master/infographics/CIS_NotAMoneyBill_DoesAadharSatisfy.pdf">PDF</a> and <a href="https://github.com/cis-india/website/raw/master/infographics/CIS_NotAMoneyBill_DoesAadharSatisfy.jpg">JPG</a>.</h4>
<p> </p>
<p><strong>License:</strong> It is shared under Creative Commons <a href="https://creativecommons.org/licenses/by/4.0/">Attribution 4.0 International</a> License.</p>
<p> </p>
<img src="https://github.com/cis-india/website/raw/master/infographics/CIS_NotAMoneyBill_DoesAadharSatisfy.jpg" alt="Does Aadhaar Act satisfy the conditions for a money bill?" />
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/can-the-aadhaar-act-2016-be-classified-as-a-money-bill'>https://cis-india.org/internet-governance/blog/can-the-aadhaar-act-2016-be-classified-as-a-money-bill</a>
</p>
No publisher | Pooja Saxena | UID, Privacy, Internet Governance, Digital India, Aadhaar | 2016-04-25T13:48:41Z | Blog Entry
Biometrics: An ‘Angootha Chaap’ nation?
https://cis-india.org/internet-governance/blog/biometrics-an-angootha-chaap-nation
<b>This blog post throws light on the inconsistencies in biometric collection under the UID and NPR Schemes. </b>
<h2 style="text-align: justify; ">Introduction</h2>
<p style="text-align: justify; ">Fingerprints and iris scans. The Unique Identification (UID) Number aims to serve as a proof of identity that can be easily verified and linked to subsidies and to bank accounts. Four years into its implementation, the UID Scheme seems to have the vote of confidence of the public. More than 65 Crore Indians have been granted UID Numbers,<a href="#_ftn1" name="_ftnref1">[1]</a> and only a few have been concerned enough to seek clarity through Right to Information Requests to the UIDAI about the finances and legal authority backing the scheme.<a href="#_ftn2" name="_ftnref2">[2]</a> Parallel to the UID scheme, the National Population Register scheme is also under way, with enrolment in some areas, such as Srinagar, Shimla and Panchkula, having reached 100% of the estimated population.<a href="#_ftn3" name="_ftnref3">[3]</a></p>
<p style="text-align: justify; ">The NPR scheme is an offshoot of the census. It began in census cycle 2010-11, pursuant to the amendment of the Citizenship Act in 2004, under which national identity cards are to be issued. The desired outcome of the NPR scheme is an NPR card with a chip embedded with three bits of information built into a card: (i) biometric information, (ii) demographic information and (iii) UID Number.</p>
<p style="text-align: justify; ">Both the UID and NPR schemes aspire to be conduits that subsidies, utilities, and other benefits are routed through. While the UID and NPR schemes are distinct in terms of their legal sanctity, purpose and form, the harmonization of these two schemes is one of the UIDAI’s functions.</p>
<p style="text-align: justify; ">There are substantial overlaps in the information collected and the purpose they serve leading to the argument that having two schemes is redundant. The compatibility of the two schemes was questioned and it was initially thought that a merger would be unreasonable. While there has been speculation that the UID scheme may terminate, or that it would be taken over by the Home Ministry, it has been reported that the new government has directed expedited enrolments through the UID scheme. <a href="#_ftn4" name="_ftnref4">[4]</a></p>
<p style="text-align: justify; ">Both schemes are incomplete and suffer from vagaries, including, but not limited to: their legality, safeguards against misuse of the data, the implementation of the schemes – including the collection and storage of biometric information and their convergence or divergence.</p>
<p style="text-align: justify; ">This blog will focus on understanding the process of collecting biometric data in each scheme – calling out similarities and differences – as well as areas in which data collected under one scheme is incompatible with the other scheme. It will look at existing and missing safeguards in the collection of biometrics, overlap in the collection of biometrics by the two schemes, and existing practice in the collection of biometrics. In doing so the blog will highlight the lack of privacy safeguards for the biometric information and conclude that since the policies for data collection and use are unclear, the data subjects do not know how their data is being collected, used, and shared between the UID and the NPR schemes.</p>
<h2 style="text-align: justify; ">Unreliability of Biometric Data</h2>
<p style="text-align: justify; ">Biometric data has been qualified as being unreliable.<a href="#_ftn5" name="_ftnref5">[5]</a> It cannot always be successfully used to identify a person, especially in India, where manual labour degrades the fingerprint<a href="#_ftn6" name="_ftnref6">[6]</a> and nutritional deficiencies mar the iris. Even experts working with the UIDAI<a href="#_ftn7" name="_ftnref7">[7]</a> admit that fingerprints are not always good indicators of identity. If the very identification of a person fails, which is what the UID seeks to do, then the purpose of the UID is defeated.</p>
<h2 style="text-align: justify; ">Biometric Data Collection under the UID Scheme</h2>
<p style="text-align: justify; ">In the current structure of the scheme, collected biometric information is stored by, and vests with, the UIDAI for an undefined period. The data, if used only for identification and authentication purposes, as originally intended, could very well fail to serve its intended purpose. But amassing the personal data of the entire country is lucrative, particularly to the service providers who collect the information and are mandated with the task to manually collect the data before it is fed into the UID system and encrypted. Most of the service providers that collect information, including biometric data, for the UID are engaged in information services such as IT or online marketing service providers.<a href="#_ftn8" name="_ftnref8">[8]</a></p>
<p style="text-align: justify; ">The chart below delineates the process followed for the collection of biometrics under the UID Scheme:</p>
<table class="listing" style="text-align: justify; ">
<tbody>
<tr>
<th><img src="https://cis-india.org/home-images/copy3_of_c1.png" alt="c1" class="image-inline" title="c1" /></th>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">Under the NIAI Bill, all data collected or authenticated by the UIDAI, until the Bill is enacted and the National Identification Authority of India is created, vests with the UIDAI. In practice this means that the UIDAI owns the biometric data of the data-subject, without clear safeguards against misuse of the data.</p>
<p style="text-align: justify; ">In the UID scheme, the collection of biometrics at the time of enrollment by the UIDAI is severely flawed for a number of reasons:</p>
<p style="text-align: justify; "><b>1. Lack of clear legal authority and procedure for collection of biometrics:</b> The only legal authority the UIDAI has to collect biometric information is via the notification of its constitution. Even then, the powers of the UIDAI are vague and broad. Importantly, the notification tells us nothing of how biometric data is to be collected and how it is to be used. These standards have only been developed by the UIDAI in an <i>ad-hoc manner </i>when the need arises or after a problem is spotted. The lack of purpose-specification is in violation of the law<a href="#_ftn9" name="_ftnref9">[9]</a> and prevents the data subject from giving informed consent to data collection. This is discussed at a later stage.</p>
<p style="text-align: justify; "><b>2. The collection of Biometrics is regulated through only a Bill, which delegates the development of safeguards to Rules:</b> The National Identification Authority of India (NIAI) Bill<a href="#_ftn10" name="_ftnref10">[10]</a> confers on the National Identification Authority of India (NOT THE UIDAI) the power to pass rules to collect biometric data and to prescribe standards for collection.<a href="#_ftn11" name="_ftnref11">[11]</a> This is a rule-making power, which is conferred under a Bill. Neither has the Bill been enacted, nor have rules for the collection of biometrics been framed and notified.</p>
<p style="text-align: justify; "><b>3. Collection of biometric data only with implied consent:</b> Though collection of biometrics is mentioned in the enrolment form, explicit consent for the collection of biometrics is not collected and only implied consent may be inferred. The last line in the enrollment form is titled ‘CONSENT’ and is a declaration that all data, including biometric information, is true.<a href="#_ftn12" name="_ftnref12">[12]</a></p>
<p style="text-align: justify; "><b>4. Collection of biometric data outsourced to third party:</b> Collection of biometric information in the UID scheme is outsourced to third parties through tenders. For instance, Accenture has been declared a biometric service provider under a contract with the UID.<a href="#_ftn13" name="_ftnref13">[13]</a> The third party may be a company, firm, educational institution or an accreditation agency. The eligibility criteria are quite straightforward: they relate to the entity’s structure and previous experiences with small projects.<a href="#_ftn14" name="_ftnref14">[14]</a> Since the ability to protect privacy of the data subject is entirely absent from the eligibility criteria, a successful bidder may not have adequate procedures in place, or sufficient experience in managing confidential data, to ensure the privacy of the data subject. By outsourcing the data collection, the UIDAI has arguably delegated a function it never had the legal authority to perform. Thus, the agency of the data collection is equally defective. To heighten the irregularity, these contract agents can sub-contract the job of physical data collection.<a href="#_ftn15" name="_ftnref15">[15]</a> This means that the data operator and the ground supervisors, who come into direct contact with the raw data, including biometric data, are not appointed by the government, or the UIDAI, but by a private agency, which is further removed from the chain. The data operator scans the documents submitted for verification and has physical access to the documents.<a href="#_ftn16" name="_ftnref16">[16]</a></p>
<p style="text-align: justify; "><b>5. Biometric data is admittedly vulnerable to sale and leakage: </b>In an ongoing case in the Supreme Court of India, the National Capital Territory of Delhi has, in its counter-affidavit, admitted that data collected under the UID is vulnerable to sale and leakage.<a href="#_ftn17" name="_ftnref17">[17]</a> To quote from the counter-affidavit: ‘<i>..in any exercise of gathering identities whether it is by census authority… or through the present process… there is always a possibility of leakage. Enumerators can scan and keep copies of all the forms and sell them for a price.- this (sic) it can never be said that the data gathered… is safe.’<a href="#_ftn18" name="_ftnref18"><b>[18]</b></a></i> Anyone who has registered for the UID is therefore a candidate for identity theft or unsolicited commercial information. This is also true for the NPR, as census data is the basis for the NPR.</p>
<h2 style="text-align: justify; ">Data collection under the NPR Scheme</h2>
<p style="text-align: justify; ">The declaration of courts that it is unnecessary to link the UID number for public utilities and the admission by Delhi in the case that a data subject cannot be compelled to provide biometrics or to obtain a UID Number under the Aadhaar scheme<a href="#_ftn19" name="_ftnref19">[19]</a> are steps forward in ensuring the voluntariness of UID. However, the UID Number is mandatory by implication. It is a pre-requisite for registration under the National Population Register, which is compulsory, pursuant to S. 14-A of the Citizenship Act. The below diagram delineates the collection of biometric information under the NPR scheme:</p>
<p style="text-align: justify; "><b>DATA FLOW PROCESS</b></p>
<table class="listing" style="text-align: justify; ">
<tbody>
<tr>
<th><img src="https://cis-india.org/home-images/copy4_of_c2.png" alt="c2" class="image-inline" title="c2" /><br /></th>
</tr>
</tbody>
</table>
<h2 style="text-align: justify; ">Flaws in the collection of biometric data under the NPR scheme</h2>
<ol style="text-align: justify; ">
<li><b>Compulsion:</b> Registration in the NPR is legally mandated and individuals who fail to register can face a penalty. Arguably, the compulsion to register for the NPR is untenable, as the Rules prescribe a penalty, whereas the Act does not.<a href="#_ftn20" name="_ftnref20">[20]</a> A word of caution is appropriate here. The penalty under the Rules stands till it is deleted by the legislature or declared void by courts, and one may be held liable for refusing to register for the NPR, though the above argument may be a good defense.</li>
<li><b>Duplication: </b>Duplication is a problem under the NPR Scheme. Biometric data is collected twice before the NPR exercise is completed. Even if one has registered under the UID scheme, they have to give their biometric information again under the NPR scheme. The first instance of collection of biometric information is for the UID number and the second is under the NPR scheme. The latter is necessary even if the data has already been collected for the UID number. Since the parties collecting biometric information for the NPR are empanelled by the UIDAI and the eligibility is the same, the data is subject to the same or similar threats of data leakage that may arise when registering for the UID. The multi-level data collection only amplifies the admitted vulnerability of data, as unauthorized actors can unlawfully access the data at any stage. This, coupled with the fact that the UIDAI has to harmonize the NPR and UID schemes, and that the data comes to the UIDAI for de-duplication, means that the NPR data could be used by the UIDAI, but it may not result in a UID Number. There is no data that disproves this potential. This is a matter of concern, as one who wishes not to register for a UID number, in protection of their privacy, is at peril, for their data falls into the hands of the UIDAI.</li>
<li><b>Biometric data collectors under the NPR scheme empanelled by the UIDAI:</b> The service providers collecting biometric data under the NPR are selected through bids and need to be empanelled with the UIDAI.<a href="#_ftn21" name="_ftnref21">[21]</a> Most enrolment agencies that are empanelled with the UIDAI are either IT or online marketing companies<a href="#_ftn22" name="_ftnref22">[22]</a>, making the fear of targeted marketing even more likely.</li>
<li><b>Public display and verification: </b>Under the NPR scheme, the biometric and demographic information and UID number of registrants are publicly displayed in their local area for verification.<a href="#_ftn23" name="_ftnref23">[23]</a> However, it is a violation of privacy to have sensitive personal data, such as biometrics, put up publicly. Not only will the demographic information be readily accessible, nothing will prohibit the creation of a mailing list or collection of data for either data theft or for sending unsolicited commercial communication. The publicly available information is the kind of information that can be used for verification (Know Your Customer) and to authorize financial transactions. Since the personal information is displayed in the data subject’s local area, it is arguably a more invasive violation of privacy, since the members of the local area can make complex connections between the data subject and the data.</li>
<li><b>Smart Card: </b>The desired outcome of the NPR scheme is an NPR card. This card is to contain a chip, which is embedded with information such as the UID Number, biometrics and the demographic information. It is still unclear whether this information will be machine-readable. If so, this information may be just a swipe away. However, this cannot be confirmed without information on the level of encryption and how the data will be stored on the chip.</li>
</ol>
<h2 style="text-align: justify; ">Privacy safeguards available under the UID and NPR schemes are ad-hoc and incomplete</h2>
<p style="text-align: justify; ">The safeguards under both the UID and NPR schemes are quite similar, since the UIDAI and its empanelled biometric service providers are involved in collecting biometric information for both the UID and the NPR.</p>
<p style="text-align: justify; ">Pilot studies for the UID scheme, including the use of biometrics, were not conducted in advance of implementation. In line with this, the enactment of legislation governing the UID and the implementation of policies with respect to data handling and use will be made as and when the need arises. The development of safeguards in relation to the NPR will also be ad-hoc.</p>
<p style="text-align: justify; ">Also, the data standards for one will potentially influence that of the other scheme. For instance, the change in privacy standards for handling biometrics under the UID may affect the empanelment of biometric service providers. This will automatically affect the data security level the NPR can seek to achieve.</p>
<p style="text-align: justify; ">Being developed ad-hoc and after the fact, there is a risk that these regulations may unreasonably curtail the rights of data subjects.</p>
<p style="text-align: justify; ">The existing Indian laws on data protection and privacy are not comprehensive. Certain laws protect privacy only in specific situations. For instance, the IT Act and related rules protect privacy in relation to digital information.</p>
<p style="text-align: justify; ">Any body that collects sensitive personal data such as biometric data, or any other data for processing and storage has a legal mandate under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules, 2011 to make certain disclosures BEFORE OR WHILE THE DATA IS COLLECTED. This includes, <i>inter-alia,</i> disclosures of (i) the purpose of information collection, (ii) the intended recipients of the information and (iii) name and addresses of the collector and of the party retaining the data.<a href="#_ftn24" name="_ftnref24">[24]</a></p>
<p style="text-align: justify; ">Under the Rules, the data collector has a duty to give the data subject an option to withhold personal sensitive information.<a href="#_ftn25" name="_ftnref25">[25]</a> A conversation with a data subject shows that this safeguard has not been upheld. The subject also conveyed a lack of knowledge of who the collection agency was. This is a problem of lack of accountability, as the data path cannot be traced and the party responsible for misuse or breach of security cannot be held liable.</p>
<h2 style="text-align: justify; ">Conclusion</h2>
<p style="text-align: justify; ">The data collection under the NPR and UID schemes shows several vulnerabilities. Apart from the vulnerabilities with biometric information, there is a real risk of misuse of the data and documents submitted for enrolment under these schemes. Since the data collectors are primarily online marketing or IT service providers, there is a likelihood that they will use this data for marketing.</p>
<p style="text-align: justify; ">We can only hope that in time, data subjects will be able to withdraw their personal data from the UID database and surrender their UID number. We can only wait and watch to see whether (i) the UID Number is a legal prerequisite for the NPR Card and (ii) whether the compulsion to register for NPR is done away with.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; "><a href="#_ftnref1" name="_ftn1">[1]</a> <a href="https://portal.uidai.gov.in/uidwebportal/dashboard.do">https://portal.uidai.gov.in/uidwebportal/dashboard.do</a> accessed: 21 August, 2014</p>
<p style="text-align: justify; "><a href="#_ftnref2" name="_ftn2">[2]</a> As of January 2013, only 25 RTI requests were made to the UIDAI <a href="http://uidai.gov.in/rti/rti-requests.html">http://uidai.gov.in/rti/rti-requests.html</a> accessed: 21 August, 2014</p>
<p style="text-align: justify; "><a href="#_ftnref3" name="_ftn3">[3]</a> DIT-NPR Management Information System accessed: 22 August, 2014 <a href="http://nprmis.nic.in/NPRR33_DlyDigitPrgGraph.aspx">http://nprmis.nic.in/NPRR33_DlyDigitPrgGraph.aspx</a></p>
<p style="text-align: justify; "><a href="#_ftnref4" name="_ftn4">[4]</a> Cloud Still Hangs Over Aadhaar’s Future, Business Standard, accessed 28 August, 2014. <a href="http://www.business-standard.com/article/current-affairs/cloud-still-hangs-over-aadhaar-s-future-114081401131_1.html">http://www.business-standard.com/article/current-affairs/cloud-still-hangs-over-aadhaar-s-future-114081401131_1.html</a></p>
<p style="text-align: justify; "><a href="#_ftnref5" name="_ftn5">[5]</a> Frost & Sullivan, Best Practices Guide to Biometrics, accessed: 13 August, 2014 <a class="external-link" href="http://www.google.co.in/url?sa=t&amp;rct=j&amp;q=&amp;esrc=s&amp;source=web&amp;cd=5&amp;cad=rja&amp;uact=8&amp;ved=0CD8QFjAE&amp;url=http%3A%2F%2Fwww.frost.com%2Fprod%2Fservlet%2Fcpo%2F240303611&amp;ei=6VbsU4m8HcK58gWx64DYDQ&amp;usg=AFQjCNGqan81fX6qtG0S4VV6oh_B5R_QYg&amp;sig2=cOOPm1JJ79AcJq2Gfq1_3Q&amp;bvm=bv.73231344,d.dGc">http://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&cad=rja&uact=8&ved=0CD8QFjAE&url=http%3A%2F%2Fwww.frost.com%2Fprod%2Fservlet%2Fcpo%2F240303611&ei=6VbsU4m8HcK58gWx64DYDQ&usg=AFQjCNGqan81fX6qtG0S4VV6oh_B5R_QYg&sig2=cOOPm1JJ79AcJq2Gfq1_3Q&bvm=bv.73231344,d.dGc</a></p>
<p style="text-align: justify; "><a href="#_ftnref6" name="_ftn6">[6]</a> Malavika Jayaram, “India’s Identity Crisis”, Internet Monitor 2013, reflections of a digital world, accessed: 13 August, 2014 <a href="http://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID2366840_code727672.pdf?abstractid=2366840&mirid=1">http://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID2366840_code727672.pdf?abstractid=2366840&mirid=1</a></p>
<p style="text-align: justify; "><a href="#_ftnref7" name="_ftn7">[7]</a> M. Vatsa, et al., “Analyzing Fingerprints of Indian Population Using Image Quality: A UIDAI Case Study”, accessed: 13 August, 2014 <a href="https://research.iiitd.edu.in/groups/iab/ICPR2010-Fingerprint.pdf">https://research.iiitd.edu.in/groups/iab/ICPR2010-Fingerprint.pdf</a></p>
<p style="text-align: justify; "><a href="#_ftnref8" name="_ftn8">[8]</a> Prakash Chandra Sao, The Unique ID Project in India: An Exploratory Study, accessed: 21 August, 2014 <a href="http://subversions.tiss.edu/the-unique-id-project-in-india-an-exploratory-study/">http://subversions.tiss.edu/the-unique-id-project-in-india-an-exploratory-study/</a></p>
<p style="text-align: justify; "><a href="#_ftnref9" name="_ftn9">[9]</a> R. 5(3) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules, 2011, accessed: 20 August, 2013 <a href="http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf">http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf</a></p>
<p style="text-align: justify; "><a href="#_ftnref10" name="_ftn10">[10]</a> National Identification Authority of India Bill, 2010 (Bill No. LXXV of 2010), accessed: 26 August,2014 http://164.100.24.219/BillsTexts/RSBillTexts/asintroduced/national%20ident.pdf</p>
<p style="text-align: justify; "><a href="#_ftnref11" name="_ftn11">[11]</a> Clause 23 of the NIAI Bill, 2010</p>
<p style="text-align: justify; "><a href="#_ftnref12" name="_ftn12">[12]</a> The UID Enrollment form, accessed: 26 August, 2014 <a href="http://uidai.gov.in/images/uid_download/enrolment_form.pdf">http://uidai.gov.in/images/uid_download/enrolment_form.pdf</a></p>
<p style="text-align: justify; "><a href="#_ftnref13" name="_ftn13">[13]</a> Documents filed and relied on in Puttuswamy v Union of India</p>
<p style="text-align: justify; "><a href="#_ftnref14" name="_ftn14">[14]</a> Request for empanelment, accessed: 28 August, 2014. <a href="http://uidai.gov.in/images/tenders/rfe_for_concurrent_evaluation_of_processoperation_at_enrolment_centers_13082014.pdf">http://uidai.gov.in/images/tenders/rfe_for_concurrent_evaluation_of_processoperation_at_enrolment_centers_13082014.pdf</a></p>
<p style="text-align: justify; "><a href="#_ftnref15" name="_ftn15">[15]</a> This information is available from the documents filed and relied on in Puttuswamy v Union Of India, which is being heard in the Supreme Court of India</p>
<p style="text-align: justify; "><a href="#_ftnref16" name="_ftn16">[16]</a> An anonymous registrant observes that the data was scanned behind a screen and was not visible from the registered counter. The registrant is concerned that, in addition to collection of information for the UID, photocopies or digital copies could be taken for other uses and the registrant would not know.</p>
<p style="text-align: justify; "><a href="#_ftnref17" name="_ftn17">[17]</a> Counter Affidavit filed in the Supreme Court of India on behalf of New Delhi in K. Puttuswamy v Union of India</p>
<p style="text-align: justify; ">It is also admitted that the census is equally vulnerable. The information collected through census is used for the NPR exercise.</p>
<p style="text-align: justify; "><a href="#_ftnref18" name="_ftn18">[18]</a> Para. 48 in the Counter Affidavit filed by NCR Delhi.</p>
<p style="text-align: justify; "><a href="#_ftnref19" name="_ftn19">[19]</a> Affidavit in K. Puttuswamy v Union of India.</p>
<p style="text-align: justify; "><i>See also: </i>FAQs: Enrollment Agencies, accessed 22 August, 2014 <a href="http://uidai.gov.in/faq.html?catid=37">http://uidai.gov.in/faq.html?catid=37</a></p>
<p style="text-align: justify; "><a href="#_ftnref20" name="_ftn20">[20]</a> Usha Ramanathan, A Tale of Two Turfs, The Statesman, accessed: 20 August, 2014 <a href="http://www.thestatesman.net/news/10497-a-tale-of-two-turfs-npr-and-uid.html?page=3">http://www.thestatesman.net/news/10497-a-tale-of-two-turfs-npr-and-uid.html?page=3</a></p>
<p style="text-align: justify; "><a href="#_ftnref21" name="_ftn21">[21]</a> RFQ for Engaging MSP for Biometric Enrolment for the Creation of NPR, accessed: 26 August, 2014 http://ditnpr.nic.in/pdf/120102_RFQBiometricUrban_rebidding-Draft.pdf</p>
<p style="text-align: justify; "><a href="#_ftnref22" name="_ftn22">[22]</a> Prakash Chandra Sao, The Unique ID Project in India: An Exploratory Study, accessed: 21 August, 2014 <a href="http://subversions.tiss.edu/the-unique-id-project-in-india-an-exploratory-study/">http://subversions.tiss.edu/the-unique-id-project-in-india-an-exploratory-study/</a></p>
<p style="text-align: justify; "><a href="#_ftnref23" name="_ftn23">[23]</a> <a href="http://censusindia.gov.in/2011-Common/IntroductionToNpr.html">http://censusindia.gov.in/2011-Common/IntroductionToNpr.html</a>, accessed: 26 August, 2014</p>
<p style="text-align: justify; "><a href="#_ftnref24" name="_ftn24">[24]</a> R. 5(3) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules, 2011, accessed: 20 August, 2013 <a href="http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf">http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf</a></p>
<p style="text-align: justify; "><a href="#_ftnref25" name="_ftn25">[25]</a> R. 5(7) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information) Rules, 2011.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/biometrics-an-angootha-chaap-nation'>https://cis-india.org/internet-governance/blog/biometrics-an-angootha-chaap-nation</a>
</p>
No publisher | Mukta Batra | UID, Aadhaar, Internet Governance, Privacy | 2014-09-19T06:12:17Z | Blog Entry
Biometrics or Bust? Implications of the UID for Participation and Inclusion
https://cis-india.org/events/biometrics-or-bust-implications-of-uid-for-participation-and-inclusion
<b>Malavika Jayaram will give a talk on biometrics and the implications of UID for participation and inclusion at the office of the Centre for Internet and Society in Bangalore on January 10, 2014 at 6.00 p.m.</b>
<h2>Abstract</h2>
<p style="text-align: justify; ">Privacy is often portrayed as a luxury, as the intellectual preoccupation of nerdy privileged liberals, and an issue of salience only to the elite. This ignores the reality of the most marginalized sections of a society being disproportionately impacted by privacy intrusive technologies. The collusion of public and private agendas towards implementing large welfare projects is generally seen as progressive and neutral, yet the consequences of even well-intentioned efforts that trade privacy for convenience, welfare, security or a host of other compelling goals is troubling. The use of biometric technologies further complicates matters: the assumption that bodies can be rendered into infallible verifiers, as repositories of unchanging truth, is not without its catalogue of failures. This talk will examine the notion of biometric representations as a kind of capital, the possibility that failures are endemic to their functioning, and the implications of systemic errors on equality, participation and democracy.</p>
<h2 style="text-align: justify; ">Malavika Jayaram</h2>
<p style="text-align: justify; ">Malavika is a Fellow at the Berkman Center for Internet and Society at Harvard University, focusing on privacy, identity and free expression. She is also a Fellow at the Centre for Internet and Society, Bangalore, and the author of the India chapter for the Data Protection & Privacy volume in the Getting the Deal Done series. Malavika is one of 10 Indian lawyers in The International Who's Who of Internet e-Commerce & Data Protection Lawyers directory. In August 2013, she was voted one of India’s leading lawyers and one of only 8 women to be featured in the “40 under 45” survey conducted by Law Business Research, London. In a different life, she spent 8 years in London, practicing law with global firm Allen & Overy in the Communications, Media & Technology group, and as VP and Technology Counsel at Citigroup. During 2012-2013, she was a Visiting Scholar at the Annenberg School for Communication, University of Pennsylvania. She is working on completing her PhD at the National Law School.</p>
<p>
For more details visit <a href='https://cis-india.org/events/biometrics-or-bust-implications-of-uid-for-participation-and-inclusion'>https://cis-india.org/events/biometrics-or-bust-implications-of-uid-for-participation-and-inclusion</a>
</p>
No publisher | praskrishna | UID, Event, Internet Governance, Privacy | 2014-01-06T08:56:51Z | Event
Big Data in India: Benefits, Harms, and Human Rights - Workshop Report
https://cis-india.org/internet-governance/big-data-in-india-benefits-harms-and-human-rights-a-report
<b>The Centre for Internet and Society held a one-day workshop on “Big Data in India: Benefits, Harms and Human Rights” at India Habitat Centre, New Delhi on the 1st of October, 2016. This report is a compilation of the issues discussed, ideas exchanged and challenges recognized during the workshop. The objective of the workshop was to discuss aspects of big data technologies in terms of harms, opportunities and human rights. The discussion was designed around an extensive study of current and potential future uses of big data for governance in India that CIS has undertaken over the last year with support from the MacArthur Foundation.</b>
<p><strong>Contents</strong></p>
<p><a href="#1"><strong>Big Data: Definitions and Global South Perspectives</strong></a></p>
<p><a href="#2"><strong>Aadhaar as Big Data</strong></a></p>
<p><a href="#3"><strong>Seeding</strong></a></p>
<p><a href="#4"><strong>Aadhaar and Data Security</strong></a></p>
<p><a href="#5"><strong>Aadhaar’s Relational Arrangement with Big Data Scheme</strong></a></p>
<p><a href="#6"><strong>The Myths surrounding Aadhaar</strong></a></p>
<p><a href="#7"><strong>IndiaStack and FinTech Apps</strong></a></p>
<p><a href="#8"><strong>Problems with UID</strong></a></p>
<hr />
<h2 id="1">Big Data: Definitions and Global South Perspectives</h2>
<p style="text-align: justify;" dir="ltr">“Big Data” has been defined by multiple scholars to date. The first consideration at the workshop was to discuss various definitions of big data, and also to understand what could be considered Big Data in terms of governance, especially in the absence of academic consensus. One of the most basic ways to define it, as given by the National Institute of Standards and Technology, USA, is to take it to be the data that is beyond the computational capacity of current systems. This definition has been accepted by the UIDAI of India. Another participant pointed out that Big Data is not only indicative of size, but rather the nature of data which is unstructured, and continuously flowing. The Gartner definition of Big Data relies on the three Vs i.e. Volume (size), Velocity (infinite number of ways in which data is being continuously collected) and Variety (the number of ways in which data can be collected in rows and columns).</p>
<p style="text-align: justify;" dir="ltr">The presentation also looked at ways in which Big Data is different from traditional data. It was pointed out that it can accommodate diverse unstructured datasets, and it is ‘relational’ i.e. it needs the presence of common field(s) across datasets which allows these fields to be conjoined. For example, the UID in India is being linked to many different datasets, and they don’t constitute Big Data separately, but do so together. An increasingly popular approach is to define data as “Big Data” based on what can be achieved through it. It has been described by authors as the ability to harness new kinds of insight which can inform decision making. It was pointed out that CIS does not subscribe to any particular definition, and is still in the process of coming up with a comprehensive definition of Big Data.</p>
<p style="text-align: justify;" dir="ltr">Further, discussion touched upon the approach to Big Data in the Global South. It was pointed out that most discussions about Big Data in the Global South are about the kind of value that it can have, the ways in which it can change our society. The Global North, on the other hand, has moved on to discussing the ethics and privacy issues associated with Big Data.</p>
<p style="text-align: justify;" dir="ltr">After this, the presentation focussed on case studies surrounding key Central Government initiatives and projects like Aadhaar, Predictive Policing, and Financial Technology (FinTech).</p>
<h2 id="2">Aadhaar as Big Data</h2>
<p style="text-align: justify;" dir="ltr">In presenting CIS’ case study on Aadhaar, it was pointed out that initially, Aadhaar, with its enrollment dataset was by itself being seen as Big Data. However, upon careful consideration in light of definitions discussed above, it can be seen as something that enables Big Data. The different e-governance projects within Digital India, along with Aadhaar, constitute Big Data. The case study discussed the Big Data implications of Aadhaar, and in particular looked at a ‘cradle to grave’ identity mapping through various e-government projects and the datafication of various transaction generated data.</p>
<h2 id="3">Seeding</h2>
<p style="text-align: justify;" dir="ltr">Any digital identity like Aadhaar typically has three features: 1. Identification i.e. a number or card used to identify yourself; 2. Authentication, which is based on your number or card and any other digital attributes that you might have; 3. Authorisation: As bearers of the digital identity, we can authorise the service providers to take some steps on our behalf. The case study discussed ‘seeding’, which enables the Big Data aspects of Digital India. In the process of seeding, different government databases can be seeded with the UID number using a platform called Ginger. Due to this, other databases can be connected to UIDAI, and through it, data from other databases can be queried by using your Aadhaar identity itself. This is an example of relationality, where fractured data is being brought together. At the moment, it is not clear whether this access by UIDAI means that an actual physical copy of such data from various sources will be transferred to UIDAI’s servers, or whether UIDAI will just access it through the internet while the data remains on the host government agency’s server. An example of even private parties becoming a part of this infrastructure was raised by a participant when it was pointed out that Reliance Jio is now asking for fingerprints. This can then be connected to the relational infrastructure being created by UIDAI. The discussion then focused on how such a structure will function, where it was mentioned that as of now, it cannot be said with certainty that UIDAI will be the agency managing this relational infrastructure in the long run, even though it is the one building it.</p>
<h2 id="4">Aadhaar and Data Security</h2>
<p style="text-align: justify;" dir="ltr">This case study also dealt with the sheer lack of data protection legislation in India except for S.43A of the IT Act. The section does not provide adequate protection as the constitutionality of the rules and regulations under S.43A is ambivalent. More importantly, it only refers to private bodies. Hence, any seeding which is being done by the government is outside the scope of data protection legislation. Thus, at the moment, no legal framework covers the processes and the structures being used for datasets. Due to the inapplicability of S.43A to public bodies, questions were raised as to the existence of a comprehensive data protection policy for government institutions. Participants answered the question in the negative. They pointed out that if any government department starts collecting data, they develop their own privacy policy. There are no set guidelines for such policies and they do not address concerns related to consent, data minimisation and purpose limitation at all. Questions were also raised about the access and control over Big Data with government institutions. A tentative answer from a participant was that such data will remain under the control of the domain specific government ministry or department, e.g. MNREGA data with the Ministry of Rural Development, because the focus is not on data centralisation but rather on data linking. As long as such fractured data is linked and there is an agency that is responsible to link them, this data can be brought together. Such data is primarily for government agencies. But the government is opening up certain aspects of the data present with it for public consumption for research and entrepreneurial purposes. The UIDAI provides you access to your own data after paying a minimal fee. The procedure for such access is still developing.</p>
<h2 id="5">Aadhaar’s Relational Arrangement with Big Data Scheme</h2>
<p style="text-align: justify;" dir="ltr">The various Digital India schemes brought in by the government were elucidated during the workshop. It was pointed out that these schemes extend to myriad aspects of a citizen’s daily life and cover all the essential public services like health, education etc. This makes Aadhaar imperative even though the Supreme Court has observed that it is not mandatory for every citizen to have a unique identity number. The benefits of such identity mapping and the ecosystem being generated by it were also enumerated during the discourse. But the complete absence of any data ethics or data confidentiality principles makes us unaware of the costs at which these benefits are being conferred on us. Apart from surveillance concerns, the knowledge gap being created between the citizens and the government was also flagged. Three main benefits touted to be provided by Aadhaar were then analysed. The first is the efficient delivery of services. This appears to be an overblown claim as the Aadhaar specific digitisation and automation does not affect the way in which employment will be provided to citizens through MNREGA or how wage payment delays will be overcome. These are administrative problems that Aadhaar and associated technologies cannot solve. The second is convenience to the citizens. The fallacies in this assertion were also brought out and identified. Before the Aadhaar scheme was rolled in, ration cards were issued based on certain exclusion and inclusion criteria. The exclusion and inclusion criteria remain the same while another hurdle in the form of Aadhaar has been created. As India is still lacking in supporting infrastructure such as electricity, server connectivity among other things, Aadhaar is acting as a barrier rather than making it convenient for citizens to enroll in such schemes. The third benefit is fraud management. Here, a participant pointed out that this benefit was due to digitisation in the form of GPS chips in food delivery trucks and electronic payment and not the relational nature of Aadhaar. Aadhaar is only concerned with the linking up or relational part. About deduplication, it was pointed out how various government agencies have tackled it quite successfully by using technology different from biometrics which is unreliable at the best of times.</p>
<h2 id="6">The Myths surrounding Aadhaar</h2>
<p style="text-align: justify;" dir="ltr">The discussion also reflected on the fact that Aadhaar is often considered to be a panacea that subsumes all kinds of technologies to tackle leakages. However, this does not take into account the fact that leakages happen in many ways. A system should have been built to tackle those specific kinds of leakages, but the focus is solely on Aadhaar as the cure for all. Notably, participants who have been a part of the government pointed out how this myth is misleading and should instead be seen as the first step towards a more digitally enhanced country which is combining different technologies through one medium.</p>
<h2 id="7">IndiaStack and FinTech Apps</h2>
<h3 id="71">What is India Stack?</h3>
<p style="text-align: justify;" dir="ltr">The focus then shifted to another extremely important Big Data project, India Stack, being conceptualised and developed by a team of private developers called iStack, for the NPCI. It builds on the UID project, Jan Dhan Yojana and mobile services trinity to propagate and develop a cashless, presence-less, paperless and granular consent layer based on UID infrastructure to digitise India.</p>
<p style="text-align: justify;" dir="ltr">A participant pointed out that the idea of India Stack is to use UID as a platform and keep stacking things on it, such that more and more applications are developed. This in turn will help us to move from being a ‘data poor’ country to a ‘data rich’ one. The economic benefits of this data though as evidenced from the TAGUP report - a report about the creation of National Information Utilities to manage the data that is present with the government - is for the corporations and not the common man. The TAGUP report openly talks about privatisation of data.</p>
<h3 id="72">Problems with India Stack</h3>
<p style="text-align: justify;" dir="ltr">The granular consent layer of India Stack hasn’t been developed yet but they have proposed to base it on MIT Media Lab’s OpenPDS system. The idea is that, on the basis of the choices made by the concerned person, access to a person’s personal information may be granted to an agency like a bank. What is more revolutionary is that India Stack might even revoke this access if the concerned person expresses a wish to do so or the surrounding circumstances signal to India Stack that it will be prudent to do so. It should be pointed out that the technology required for OpenPDS is extremely complex and is not available in India. Moreover, it’s not clear how this system would work. Apart from this, even the paperless layer has its faults and has been criticised by many since its inception, because an actual government signed and stamped paper has been the basis of a claim. In the paperless system, you are provided a Digilocker in which all your papers are stored electronically, on the basis of your UID number. However, it was brought to light that this doesn’t take into account those who either do not want a Digilocker or UID number or cases where they do not have access to their digital records. How in such cases will people make claims?</p>
<h3 id="73">A Digital Post-Dated Cheque: Its Ramifications</h3>
<p style="text-align: justify;" dir="ltr">A key change that FinTech apps and the surrounding ecosystem want to make is to create a digital post-dated cheque so as to allow individuals to get loans from their mobiles especially in remote areas. This will potentially cut out the need to construct new banks, thus reducing the capital expenditure, while at the same time allowing the credit services to grow. The direct transfer of money between UID numbers without the involvement of banks is a step to further help this ecosystem grow. Once an individual consents to such a system, however, automatic transfer of money from one’s bank accounts will be effected, regardless of the reason for payment. This is different from auto debt deductions done by banks presently, as in the present system banks have other forms of collateral as well. The automatic deduction now is only effected if these other forms are defaulted upon. There is no knowledge as to whether this consent will be reversible or irreversible. As Jan Dhan Yojana accounts are zero balance accounts, the account holder will be bled dry. The implications of schemes such as “Loan in under 8 minutes” were also discussed. The advantage of such schemes is that transaction costs are reduced. The financial institution can thus grant loans for the minimum amount without any additional enquiries. It was pointed out that this new system is based on living on future income much like the US housing bubble crash. Interestingly, in Public Distribution Systems, biometrics are insisted upon even though it disrupts the system. This can be seen as a part of the larger infrastructure to ensure that digital post-dated cheques become a success.</p>
<h3 id="74">The Role of FinTech Apps</h3>
<p style="text-align: justify;" dir="ltr">FinTech ‘apps’ are being presented with the aim of propagating financial inclusion. The Technology Advisory Group for Unique Projects report stated that as managing such information sources is a big task, just like electricity utilities, National Information Utilities (NIUs) should be set up for data sources. These NIUs as per the report will follow a fee based model where they will be charging for their services for government schemes. The report identified two key NIUs, namely the National Payments Corporation of India (NPCI) and the Goods and Services Tax Network (GSTN). The key usage that FinTech applications will serve is credit scoring. The traditional credit scoring data sources only comprised a thin file of records for an individual, but the data that FinTech apps collect - a person’s UID number, mobile number and bank account number, all linked up - allows for a far more comprehensive credit rating. Government departments are willing to share this data with FinTech apps as they are getting analysis in return. Thus, by using UID and the varied data sources that have been linked together by UID, a ‘thick file’ is now being created by FinTech apps. Banking apps have not yet gone down the route of FinTech apps to utilise Big Data for credit scoring purposes.</p>
<p style="text-align: justify;" dir="ltr"> </p>
<p style="text-align: justify;" dir="ltr">There are two main problems with such apps. The first is that there is no uniform way of credit scoring, which distorts the rate at which a person has to pay interest. The second is that the consent layer adds another layer of complication, as refusal to share mobile data with a FinTech app may lead to the app declaring one to be a risky investment, thus subjecting that individual to a higher rate of interest.</p>
<div style="text-align: justify;" dir="ltr"> </div>
<h3 id="75">Regulation of FinTech Apps and the UID Infrastructure</h3>
<p style="text-align: justify;" dir="ltr">India Stack and the applications that are being built on it generate a lot of transaction metadata that is very intimate in nature. The privacy aspects of the UID legislation do not cover such data. The granular consent layer which has been touted to cover this still has to come into existence. Also, Big Data is based on sharing and linking of data. Here, privacy concerns and Big Data objectives clash. Big Data by its very nature challenges privacy principles like data minimisation and purpose limitation. The need for regulation to cover the various new apps and infrastructure which are being developed was pointed out.</p>
<h2 id="8">Problems with UID</h2>
<p style="text-align: justify;" dir="ltr">It has been observed that any problem present with Aadhaar is usually labelled as a teething problem, and it is claimed that it will be solved in the next 10 years. But this raises the question: why is the system online right now?</p>
<div style="text-align: justify;" dir="ltr"> </div>
<p style="text-align: justify;" dir="ltr">Aadhaar is essentially a new data condition and a new exclusion or inclusion criterion. Data exclusion, as observed in Rajasthan after the introduction of biometric Point of Service (POS) machines at ration shops, was found to affect 45% of the population availing PDS services. This number also includes those who were excluded from the database by being included in the wrong dataset. There is no information present to tell us how many actual duplicates and how many genuine ration card holders were weeded out/excluded by POS.</p>
<div style="text-align: justify;" dir="ltr"> </div>
<p style="text-align: justify;" dir="ltr">It was also mentioned that any attempt to question Aadhaar is considered to be an attempt to go back to the manual system and this binary thinking needs to change. Big Data has the potential to benefit people, as has been evidenced by the scholarship and pension portals. However, Big Data’s problems arise in systems like PDS, where there is centralised exclusion at the level of the cloud. Moreover, the quantity problem present in the PDS and MNREGA systems persists. There is still the possibility of getting lesser grains and salary even with analysis of biometrics, hence proving that there are better technologies to tackle these problems. Presently, the accountability mechanisms are being weakened as the poor don’t know where to go to for redressal. Moreover, the mechanisms to check whether the people excluded are duplicates or not is not there. At the time of UID enrollment, out of 90 crores, 9 crore were rejected. There was no feedback or follow-up mechanism to figure out why are people being rejected. It was just assumed that they might have been duplicates.</p>
<div style="text-align: justify;" dir="ltr"> </div>
<p style="text-align: justify;" dir="ltr">Another problem is the rolling out of software without checking for inefficiencies or problems at a beta testing phase. The control of developers over this software is so massive that it can be changed easily without any accountability. The decision making components of the software are all proprietary, like the de-duplication algorithm being used by the UIDAI. This leads to a loss of accountability because the system itself is in flux, none of it is present in the public domain and there are no means to analyse it in a transparent fashion.</p>
<div style="text-align: justify;" dir="ltr"> </div>
<p style="text-align: justify;" dir="ltr">These schemes are also being pushed through due to database politics. On a field study of NPR of citizens, another Big Data scheme, it was found that you are assumed to be an alien if you did not have the documents to prove that you are a citizen. Hence, unless you fulfill certain conditions of a database, you are excluded and are not eligible for the benefits that being on the database afford you.</p>
<div style="text-align: justify;" dir="ltr"> </div>
<p style="text-align: justify;" dir="ltr">Why is the private sector pushing for UIDAI and the surrounding ecosystem?</p>
<p style="text-align: justify;" dir="ltr">Financial institutions stand to gain from encouraging the UID as it encourages the credit culture and reduces transaction costs. Another advantage for the private sector is perhaps the more obvious one, that it allows for efficient marketing of products and services.</p>
<div style="text-align: justify;" dir="ltr"> </div>
<p style="text-align: justify;" dir="ltr">The above mentioned fears and challenges were actually observed on the ground and the same was shown through the medium of a case study in West Bengal on the smart meters being installed there by the state electricity utility. While the data coming in from these smart meters is being used to ensure that a more efficient system is developed, it is also being used as a surrogate for income mapping on the basis of electricity bills being paid. This helps companies profile neighbourhoods. The technical officer who first receives that data has complete control over it and he can easily misuse the data. This case study again shows that instruments like Aadhaar and India Stack are limited in their application and aren’t the panacea that they are portrayed to be.</p>
<div style="text-align: justify;" dir="ltr"> </div>
<p style="text-align: justify;" dir="ltr">A participant pointed out that in the light of the above discussions, the aim appears to be to get all kinds of data, through any source, and once you have gotten the UID, you link all of this data to the UID number, and then use it in all the corporate schemes that are being started. Most of the problems associated with Big Data are being described as teething problems. The India Stack and FinTech scheme is coming in when we already know about the problems being faced by UID. The same problems will be faced by India Stack as well.</p>
<div style="text-align: justify;" dir="ltr"> </div>
<p style="text-align: justify;" dir="ltr">Can you opt out of the Aadhaar system and the surrounding ecosystem?</p>
<div style="text-align: justify;" dir="ltr"> </div>
<p style="text-align: justify;" dir="ltr">The discussion then turned towards whether there can be voluntary opting out from Aadhaar. It was pointed out that the government has stated that you cannot opt out of Aadhaar. Further, the privacy principles in the UIDAI bill are ambiguously worded, and individuals only have recourse for basic things like correction of their personal information. The enforcement mechanism present in the UIDAI Act is also severely deficient. There is no notification procedure if a data breach occurs. The appellate body ‘Cyber Appellate Tribunal’ has not been set up in three years.</p>
<div style="text-align: justify;" dir="ltr"> </div>
<p style="text-align: justify;" dir="ltr">CCTNS: Big Data and its Predictive Uses</p>
<div style="text-align: justify;" dir="ltr"> </div>
<p style="text-align: justify;" dir="ltr">What is Predictive Policing?</p>
<p style="text-align: justify;" dir="ltr">The next big Big Data case study was on the Crime and Criminal Tracking Network & Systems (CCTNS). Originally it was supposed to be a digitisation and interconnection scheme where police records would be digitised and police stations across the length and breadth of the country would be interconnected. But, in the last few years some police departments of states like Chandigarh, Delhi and Jharkhand have mooted the idea of moving on to predictive policing techniques. It envisages the use of existing statistical and actuarial techniques along with many other tropes of data to do so. It works in four ways: 1. By predicting the place and time where crimes might occur; 2. To predict potential future offenders; 3. To create profiles of past crimes in order to predict future crimes; 4. Predicting groups of individuals who are likely to be victims of future crimes.</p>
<div style="text-align: justify;" dir="ltr"> </div>
<p style="text-align: justify;" dir="ltr">How is Predictive Policing done?</p>
<p style="text-align: justify;" dir="ltr">To achieve this, the following process is followed: 1. Data collection from various sources which includes structured data like FIRs and unstructured data like call detail records, neighbourhood data, crime seasonal patterns etc. 2. Analysis by using theories like the near repeat theory, regression models on the basis of risk factors etc. 3. Intervention</p>
<div style="text-align: justify;" dir="ltr"> </div>
<div style="text-align: justify;" dir="ltr"> </div>
<p style="text-align: justify;" dir="ltr">Flaws in Predictive Policing and questions of bias</p>
<p style="text-align: justify;" dir="ltr">An obvious weak point in the system is that if the initial data going into the system is wrong or biased, the analysis will also be wrong. Efforts are being made to detect such biases. An important way to do so will be by building data collection practices into the system that protect its accuracy. The historical data being entered into the system is carrying on the prejudices inherited from the British Raj and biases based on religion, caste, socio-economic background etc.</p>
<div style="text-align: justify;" dir="ltr"> </div>
<p style="text-align: justify;" dir="ltr">One participant brought up the issue of data digitization in police stations, and the impact of this haphazard, unreliable data on a Big Data system. This coupled with paucity of data is bound to lead to arbitrary results. An effective example was that of black neighbourhoods in the USA. These are considered problematic and thus they are policed more, leading to a higher crime rate as residents are arrested for doing things that white people in an affluent neighbourhood get away with. This in turn further perpetuates the crime rate and it becomes a self-fulfilling prophecy. In India, such a phenomenon might easily develop in the case of migrants, de-notified tribes, Muslims etc. A counter-view on bias and discrimination was offered here. One participant pointed out that haphazard or poor quality data is not a colossal issue as private companies are willing to fill this void and are actually doing so in exchange for access to this raw data. It was also pointed out how bias by itself is being used as an all encompassing term. There are multiplicities of biases and while analysing the data, care should be taken to keep in mind that one person’s bias and analysis might, and usually does, differ from another’s. Even after a computer has analysed the data, the data still falls into human hands for implementation.</p>
<p style="text-align: justify;" dir="ltr">The issue of such databases being used to target particular communities on the basis of religion, race, caste, ethnicity among other parameters was raised. Questions about control and analysis of data were also discussed, i.e. whether it will be top-down with data analysis being done in state capitals or whether this analysis will be done at village and thana levels as well. It was pointed out how this could play a major role in the success and possible persecutory treatment of citizens, as the policemen at both these levels will have different perceptions of what the data is saying. It was further pointed out that at the moment, there’s no clarity on the mode of implementation of Big Data policing systems. Police in the USA have been seen to rely on Big Data so much that they have been seen to become ‘data myopic’. For those who are on the bad side of Big Data, in the Indian context, laws like preventive detention can be heavily misused. There’s a very high chance that predictive policing, due to the inherent biases in the system and the prejudices and inefficiency of the legal system, will further suppress the already targeted sections of the society. A counterpoint was raised and it was suggested that contrary to our fears, CCTNS might lead to changes in our understanding and help us to overcome longstanding biases.</p>
<p style="text-align: justify;" dir="ltr">Open Knowledge Architecture as a solution to Big Data biases?</p>
<p style="text-align: justify;" dir="ltr">The conference then mulled over the use of ‘Open Knowledge’ architecture to see whether it can provide the solution to rid Big Data of its biases and inaccuracies if enough eyes are there. It was pointed out that Open Knowledge itself can’t provide foolproof protection against these biases as the people who make up the eyes themselves are predominantly male belonging to the affluent sections of the society and they themselves suffer from these biases.</p>
<p style="text-align: justify;" dir="ltr">Who exactly is Big Data supposed to serve?</p>
<p style="text-align: justify;" dir="ltr">The discussion also looked at questions such as who is this data for? Janata Information System (JIS) is a concept developed by MKSS where the data collected and generated by the government is taken to be for the common citizens. For e.g. MNREGA data should be used to serve the purposes of the labourers. The raw data as is available at the moment usually cannot be used by the common man as it is so vast and full of information that is not useful for them at all. It was pointed out that while using Big Data for policy planning purposes, the actual string of information that turned out to be needed was very little but the task of unravelling this data for civil society purposes is humongous. By presenting the data in the right manner, the individual can be empowered. The importance of data presentation was also flagged. It was agreed upon that the content of the data should be for the labourer and not an MNC, as the MNC has the capability to utilise the raw data on its own regardless.</p>
<p style="text-align: justify;" dir="ltr">Concerns about Big Data usage</p>
<ol><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">Participants pointed out that privacy concerns are usually brushed under the table due to a belief that the law is sufficient or that the privacy battle has already been lost. </p>
</li><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">In the absence of knowledge of domain and context, Big Data analysis is quite limited. Big Data’s accuracy and potential to solve problems needs to be factually backed.</p>
</li><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">The narrative of Big Data often rests on the assumption that descriptive statistics take over inferential statistics, thus eliminating the need for domain specific knowledge. It is claimed that the data is so big that it will describe everything that we need to know.</p>
</li><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">Big Data is creating a shift from a deductive model of scientific rigour to an inductive one. In response to this, a participant offered the idea that troves of good data allow us to make informed questions on the basis of which the deductive model will be formed. A hybrid approach combining both deductive and inductive might serve us best.</p>
</li><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">The need to collect the right data in the correct format, in the right place was also expressed.</p>
</li></ol>
<div style="text-align: justify;" dir="ltr"> </div>
<p style="text-align: justify;" dir="ltr">Potential Research Questions & Participants’ Areas of Research</p>
<p style="text-align: justify;" dir="ltr">Following this discussion, participants brainstormed to come up with potential areas of research and research questions. They have been captured below:</p>
<div style="text-align: justify;" dir="ltr"> </div>
<p style="text-align: justify;" dir="ltr">Big Data, Aadhaar and India Stack:</p>
<div style="text-align: justify;" dir="ltr"> </div>
<ol><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">Has Aadhaar been able to tackle illegal ways of claiming services or are local negotiations and other methods still prevalent?</p>
</li><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">Is the consent layer of India Stack being developed in a way that provides an opportunity to the UID user to give informed consent? The OpenPDS and its counterpart in the EU i.e. the My Data Structure were designed for countries with strong privacy laws. Importantly, they were meant for information shared on social media and not for an individual’s health or credit history. India is using it in a completely different sphere without strong data protection laws. What were the granular consent layer structures present in the West designed for and what were they supposed to protect?</p>
</li><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">The question of ownership of data needs to be studied especially in context of a globalised world where MNCs are collecting copious amounts of data of Indian citizens. What is the interaction of private parties in this regard?</p>
</li></ol>
<div style="text-align: justify;" dir="ltr"> </div>
<p style="text-align: justify;" dir="ltr">Big Data and Predictive Policing:</p>
<div style="text-align: justify;" dir="ltr"> </div>
<ol><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">How are inequalities being created through the Big Data systems? Lessons should be taken from the Western experience with the advent of predictive policing and other big data techniques - they tend to lead to perpetuation of the current biases which are already ingrained in the system.</p>
</li><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">It was also pointed out how while studying these topics and anything related to technology generally, we become aware of a divide that is present between the computational sciences and social sciences. This divide needs to be erased if Big Data or any kind of data is to be used efficiently. There should be a cross-pollination between different groups of academics. An example of this can be seen to be the ‘computational social sciences departments’ that have been coming up in the last 3-4 years.</p>
</li><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">Why are so many interim promises made by Big Data failing? A study of this phenomenon needs to be done from a social science perspective. This will allow one to look at it from a different angle.</p>
</li></ol>
<div style="text-align: justify;" dir="ltr"> </div>
<p style="text-align: justify;" dir="ltr">Studying Big Data:</p>
<div style="text-align: justify;" dir="ltr"> </div>
<ol><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">What is the historical context of the terms of reference being used for Big Data? The current Big Data debate in India is based on parameters set by the West. For better understanding of Big Data, it was suggested that P.C. Mahalanobis’ experience while conducting the Indian census, (which was the Big Data of that time) can be looked at to get a historical perspective on Big Data. This comparison might allow us to discover questions that are important in the Indian context. It was also suggested that rather than using ‘Big Data’ as a catchphrase to describe these new technological innovations, we need to be more discerning.</p>
</li><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">What are the ideological aspects that must be considered while studying Big Data? What does the dialectical promise of technology mean? It was contended that every time there is a shift in technology, the zeitgeist of that period is extremely excited and there are claims that it will solve everything. There’s a need to study this dialectical promise and the social promise surrounding it.</p>
</li><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">Apart from the legitimate fears that Big Data might lead to exclusion, what are the possibilities in which it can improve inclusion too?</p>
</li><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">The diminishing barrier between the public and private self, which is a tangent to the larger public-private debate was mentioned.</p>
</li><li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">How does one distinguish between technology failure and process failure while studying Big Data? </p>
</li></ol>
<div style="text-align: justify;" dir="ltr"> </div>
<div style="text-align: justify;" dir="ltr"> </div>
<div style="text-align: justify;" dir="ltr"> </div>
<p style="text-align: justify;" dir="ltr">Big Data: A Friend?</p>
<p style="text-align: justify;" dir="ltr">In the concluding session, the fact that the Big Data moment cannot be wished away was acknowledged. The use of analytics and predictive modelling by the private sector is now commonplace and India has made a move towards a database state through UID and Digital India. The need for a nuanced debate, that does away with the false equivalence of being either a Big Data enthusiast or a luddite is crucial.</p>
<div style="text-align: justify;" dir="ltr"> </div>
<p style="text-align: justify;" dir="ltr">A participant offered two approaches to solving a Big Data problem. The first was the Big Data due process framework which states that if a decision has been taken that impacts the rights of a citizen, it needs to be cross examined. The efficacy and practicality of such an approach is still not clear. The second, slightly paternalistic in nature, was the approach where Big Data problems would be solved at the data science level itself. This is much like the affirmative algorithmic approach which says that if in a particular dataset, the data for the minority community is not available then it should be artificially introduced in the dataset. It was also suggested that carefully calibrated free market competition can be used to regulate Big Data. For e.g. a private personal wallet company that charges higher, but does not share your data at all can be an example of such competition. </p>
<div style="text-align: justify;" dir="ltr"> </div>
<p style="text-align: justify;" dir="ltr">Another important observation was the need to understand Big Data in a Global South context and account for unique challenges that arise. While the convenience of Big Data is promising, its actual manifestation depends on externalities like connectivity, accurate and adequate data etc that must be studied in the Global South.</p>
<div style="text-align: justify;" dir="ltr"> </div>
<p style="text-align: justify;" dir="ltr">While the promises of Big Data are encouraging, it is also important to examine its impacts and its interaction with people's rights. Regulatory solutions to mitigate the harms of big data while also reaping its benefits need to evolve.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/big-data-in-india-benefits-harms-and-human-rights-a-report'>https://cis-india.org/internet-governance/big-data-in-india-benefits-harms-and-human-rights-a-report</a>
</p>
No publisher; Vidushi Marda, Akash Deep Singh and Geethanjali Jujjavarapu; Human Rights, UID, Big Data, Privacy, Artificial Intelligence, Internet Governance, Machine Learning, Featured, Digital India, Aadhaar, Information Technology, E-Governance; 2016-11-18T12:58:19Z; Blog Entry
Analysis of Key Provisions of the Aadhaar Act Regulations
https://cis-india.org/internet-governance/blog/analysis-of-key-provisions-of-aadhaar-act-regulations
<b>In exercise of the powers conferred by the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act), the UIDAI came out with a set of five regulations in late 2016. In this policy brief, we look at the five regulations and their key provisions, and point out the issues left unresolved, unaddressed, or created as a result of these regulations.</b>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">This blog post was edited by Elonnai Hickok</p>
<hr style="text-align: justify; " />
<h3 style="text-align: justify; ">Introduction</h3>
<p style="text-align: justify; ">At the outset it is important to note that a concerning feature of these regulations is that they intend to govern the processes of a body which has been in existence for over six years, and has engaged in all the activities sought to be governed by these policies at a massive scale, considering the claims of over one billion Aadhaar number holders. However, the regulations do not acknowledge this fact, let alone address past processes, practices, enrolments, authentications, use of technology etc., and there are no provisions that effectively address the past operations of the UIDAI. Below is an analysis of the five regulations issued thus far by the UIDAI.</p>
<h3 style="text-align: justify; ">Unique Identification Authority of India (Transactions of Business at Meetings of the Authority) Regulations<a href="#_ftn1" name="_ftnref1"><sup><sup>[1]</sup></sup></a></h3>
<p style="text-align: justify; ">These regulations framed under clause (h) of sub-section (2) of section 54 read with sub-section (1) of section 19 of the Aadhaar Act, deal with the meetings of the UIDAI, the process following up to each meeting, and the manner in which all meetings are to be conducted.</p>
<h4 style="text-align: justify; ">Provision: Sub-Regulation 3.</h4>
<p style="text-align: justify; ">Meetings of the Authority– (1) There shall be no less than three meetings of the Authority in a financial year on such dates and at such places as the Chairperson may direct and the interval between any two meetings shall not in any case, be longer than five months</p>
<h5 style="text-align: justify; ">Observations:</h5>
<p style="text-align: justify; ">The number of times that UIDAI would meet in a year is far too low, taking into account the significance of the responsibilities of UIDAI as the sole body for policy making for all issues related to Aadhaar. In contrast, the Telecom Regulatory Authority of India is required to meet at least once a month. Other bodies such as SEBI and IRDAI are also required to meet at least four times<a href="#_ftn2" name="_ftnref2"><sup><sup>[2]</sup></sup></a> and six times<a href="#_ftn3" name="_ftnref3"><sup><sup>[3]</sup></sup></a> in a year respectively.</p>
<h4 style="text-align: justify; ">Provision: Sub-Regulation 8 (5)</h4>
<p style="text-align: justify; ">Decisions taken at every meeting of the Authority shall be published on the website of Authority unless the Chairperson determines otherwise on grounds of ensuring confidentiality.</p>
<h5 style="text-align: justify; ">Observations:</h5>
<p style="text-align: justify; ">The Chairperson has the power to determine withholding publication of the decisions of the meeting on the broad grounds of ‘confidentiality’. Given the fact that the decisions taken by UIDAI as a public body can have very real implications for the rights of residents, the ground of confidentiality is not sufficient to warrant withholding publication. It is curious that instead of referring to the clearly defined exceptions laid down in other similar provisions such as the exceptions in Section 8 of the Right to Information Act, 2005, the rules merely refer to vague and undefined criteria of ‘confidentiality’.</p>
<h4 style="text-align: justify; ">Provision: Sub-Regulation 14 (4)</h4>
<p style="text-align: justify; ">Members of the Authority and invitees shall sign an initial Declaration at the first meeting of the Authority for maintaining the confidentiality of the business transacted at meetings of the Authority in Schedule II.</p>
<h5 style="text-align: justify; ">Observations:</h5>
<p style="text-align: justify; ">The above provision, combined with the fact that there is no provision regarding publication of the minutes of the meetings of UIDAI, raises serious questions about the transparency of its functioning.</p>
<h3 style="text-align: justify; ">Unique Identification Authority of India (Enrolment and Update) Regulations<a href="#_ftn4" name="_ftnref4"><sup><sup>[4]</sup></sup></a></h3>
<p style="text-align: justify; ">These regulations, framed under sub-section (1), and sub-clauses (a), (b), (d), (e), (j), (k), (l), (n), (r), (s), and (v) of sub-section (2), of Section 54 of the Aadhaar Act, deal with the enrolment process, the generation of an Aadhaar number and updation of information, and govern the conduct of enrolment agencies and associated third parties.</p>
<h4 style="text-align: justify; ">Provisions:</h4>
<p style="text-align: justify; ">Sub-Regulation 8 (2), (3) and (4)</p>
<p style="text-align: justify; ">The standard enrolment/update software shall have the security features as may be specified by the Authority for this purpose.</p>
<p style="text-align: justify; ">All equipment used in enrolment, such as computers, printers, biometric devices and other accessories shall be as per the specifications issued by the Authority for this purpose.</p>
<p style="text-align: justify; ">The biometric devices used for enrolment shall meet the specifications, and shall be certified as per the procedure, as may be specified by the Authority for this purpose.</p>
<p style="text-align: justify; ">Sub-Regulation 3 (2)</p>
<p style="text-align: justify; ">The standards for collecting the biometric information shall be as specified by the Authority for this purpose.</p>
<p style="text-align: justify; ">Sub-Regulation 4 (5)</p>
<p style="text-align: justify; ">The standards of the above demographic information shall be as may be specified by the Authority for this purpose.</p>
<p style="text-align: justify; ">Sub-Regulation 6 (2)</p>
<p style="text-align: justify; ">For residents who are unable to provide any biometric information contemplated by these regulations, the Authority shall provide for handling of such exceptions in the enrolment and update software, and such enrolment shall be carried out as per the procedure as may be specified by the Authority for this purpose.</p>
<p style="text-align: justify; ">Sub-Regulation 14 (2)</p>
<p style="text-align: justify; ">In case of rejection due to duplicate enrolment, resident may be informed about the enrolment against which his Aadhaar number has been generated in the manner as may be specified by the Authority.</p>
<h5 style="text-align: justify; ">Observations:</h5>
<p style="text-align: justify; ">Though in February 2017, the UIDAI published technical specifications for registered devices<a href="#_ftn5" name="_ftnref5"><sup><sup>[5]</sup></sup></a>, the regulations leave unaddressed issues such as lack of appropriately defined security safeguards in the Aadhaar. There is a general trend of continued deferrals in the regulations by stating that matters would be specified later on important aspects such as rejection of applications, uploading of the enrolment packet to the CIDR, the procedure for enrolling residents with biometric exceptions, the procedure for informing residents about acceptance/rejection of enrolment application, specifying the convenience fee for updation of residents’ information, the procedure for authenticating individuals across services etc. There is a clear failure to exercise the mandate delegated to UIDAI, leaving key matters to be determined at a future unspecified date. The delay and ambiguity around when regulations will be defined is all the more problematic in light of the fact that the project has been implemented since 2010 and the Aadhaar number is now mandatory for availing a number of services.</p>
<p style="text-align: justify; ">Further, it is important to note that a number of policies put out by the UIDAI predate these regulations, on which the regulations are completely silent, thus neither endorsing previous policies nor suggesting that they may be revisited. Further, the regulations choose not to engage with the question of operation of the Aadhaar project, enrolment and storage of data etc. prior to the notification of these regulations, or the policies which these regulations may regularise. For instance, the regulations do not specify any measures to deal with issues arising out of enrolment devices used prior to the development of the February 2017 specifications.</p>
<h4 style="text-align: justify; ">Provision: Sub-Regulation 32</h4>
<p style="text-align: justify; ">The Authority shall set up a contact centre to act as a central point of contact for resolution of queries and grievances of residents, accessible to residents through toll free number(s) and/ or e-mail, as may be specified by the Authority for this purpose.</p>
<p style="text-align: justify; ">(2) The contact centre shall:</p>
<ol style="text-align: justify; ">
<li>Provide a mechanism to log queries or grievances and provide residents with a unique reference number for further tracking till closure of the matter;</li>
<li>Provide regional language support to the extent possible;</li>
<li>Ensure safety of any information received from residents in relation to their identity information;</li>
<li>Comply with the procedures and processes as may be specified by the Authority for this purpose.</li>
</ol>
<p style="text-align: justify; ">(3) Residents may also raise grievances by visiting the regional offices of the Authority or through any other officers or channels as may be specified by the Authority.</p>
<h5 style="text-align: justify; ">Observations:</h5>
<p style="text-align: justify; ">While the setting up of a grievance redressal mechanism under the regulations is a welcome move, there is little clarity about the procedure to be followed, nor is a timeline for it specified. The chapter on grievance redressal is in fact one of the shortest chapters in the regulations. The only provision in this chapter deals with the setting up of a contact centre, a curious choice of term for what is supposed to be the primary quasi-judicial grievance redressal body for the Aadhaar project. In line with the indifferent and insouciant terminology of ‘contact centre’, the chapter is restricted to the logging of queries and grievances by the contact centre, and does not address procedure or timelines, or even substantive provisions about the nature of redress available. Furthermore, the obligation on the contact centre to protect information received is limited to ‘ensuring safety’, an ambiguous standard that does not speak to any other standards in Indian law.</p>
<h3 style="text-align: justify; ">Aadhaar (Authentication) Regulations, 2016<a href="#_ftn6" name="_ftnref6"><sup><sup>[6]</sup></sup></a></h3>
<p style="text-align: justify; ">These regulations, framed under sub-section (1), and sub-clauses (f) and (w) of sub-section (2) of Section 54 of the Aadhaar Act, deal with the authentication framework for Aadhaar numbers, the governance of authentication agencies and the procedure for collection and storage of authentication data and records.</p>
<h4 style="text-align: justify; ">Provisions:</h4>
<p style="text-align: justify; ">Sub-Regulation 5 (1)</p>
<p style="text-align: justify; ">At the time of authentication, a requesting entity shall inform the Aadhaar number holder of the following details:—</p>
<p style="text-align: justify; ">(a) the nature of information that will be shared by the Authority upon authentication;</p>
<p style="text-align: justify; ">(b) the uses to which the information received during authentication may be put; and</p>
<p style="text-align: justify; ">(c) alternatives to submission of identity information</p>
<p style="text-align: justify; ">Sub-Regulation 6 (2)</p>
<p style="text-align: justify; ">A requesting entity shall obtain the consent referred to in sub-regulation (1) above in physical or preferably in electronic form and maintain logs or records of the consent obtained in the manner and form as may be specified by the Authority for this purpose.</p>
<h5 style="text-align: justify; ">Observations:</h5>
<p style="text-align: justify; ">Sub-regulation 5 mentions that at the time of authentication, requesting entities shall inform the Aadhaar number holder of alternatives to submission of identity information for the purpose of authentication. Similarly, sub-regulation 6 mentions that a requesting entity shall obtain the consent of the Aadhaar number holder for the authentication. However, in neither of the above circumstances do the regulations specify the clearly defined options that must be made available to Aadhaar number holders in case they do not wish to submit identity information, nor do the regulations specify the procedure to be followed in case the Aadhaar number holder does not provide consent.</p>
<p style="text-align: justify; ">Most significantly, this provision does little by way of allaying the fears raised by the language in Section 8 (4) of the Aadhaar Act which states that UIDAI “shall respond to an authentication query with a positive, negative or any other appropriate response sharing such identity information.” This section gives a very wide discretion to UIDAI to share personal identity information with third parties, and the regulations do not temper or qualify this power in any way.</p>
<h4 style="text-align: justify; ">Sub-Regulation 11 (1) and (4)</h4>
<p style="text-align: justify; ">The Authority may enable an Aadhaar number holder to permanently lock his biometrics and temporarily unlock it when needed for biometric authentication.</p>
<p style="text-align: justify; ">The Authority may make provisions for Aadhaar number holders to remove such permanent locks at any point in a secure manner.</p>
<h5 style="text-align: justify; ">Observations:</h5>
<p style="text-align: justify; ">A welcome provision in the regulation is that of biometric locking, which allows Aadhaar number holders to permanently lock their biometrics and temporarily unlock them only when needed for biometric authentication. However, in the same breath, the regulation also provides for the UIDAI to make provisions to remove such locking without any specified grounds for doing so.</p>
<h4 style="text-align: justify; ">Provision: Sub-Regulation 18 (2), (3) and (4)</h4>
<p style="text-align: justify; ">The logs of authentication transactions shall be maintained by the requesting entity for a period of 2 (two) years, during which period an Aadhaar number holder shall have the right to access such logs, in accordance with the procedure as may be specified.</p>
<p style="text-align: justify; ">Upon expiry of the period specified in sub-regulation (2), the logs shall be archived for a period of five years or the number of years as required by the laws or regulations governing the entity, whichever is later, and upon expiry of the said period, the logs shall be deleted except those records required to be retained by a court or required to be retained for any pending disputes.</p>
<p style="text-align: justify; ">The requesting entity shall not share the authentication logs with any person other than the concerned Aadhaar number holder upon his request or for grievance redressal and resolution of disputes or with the Authority for audit purposes. The authentication logs shall not be used for any purpose other than stated in this sub-regulation.</p>
<h5 style="text-align: justify; ">Observations:</h5>
<p style="text-align: justify; ">While it is specified that the authentication logs collected by the requesting entities shall not be shared with any person other than the concerned Aadhaar number holder upon their request or for grievance redressal and resolution of disputes or with the Authority for audit purposes, and that the authentication logs may not be used for any other purpose, the maintenance of the logs for a period of seven years seems excessive. Similarly, the UIDAI is also supposed to store authentication transaction data for over five years. This is in violation of the widely recognized data minimisation principles, which require that data collectors and data processors delete personal data records when the purpose for which they were collected is fulfilled. While retention of data for audit and dispute-resolution purposes is legitimate, the lack of specification of security standards, the overall lack of transparency and the inadequate grievance redressal mechanism greatly exacerbate the risks associated with data retention.</p>
<h3 style="text-align: justify; ">Aadhaar (Sharing of Information) Regulations, 2016 and Aadhaar (Data security) Regulations, 2016<a href="#_ftn7" name="_ftnref7"><sup><sup>[7]</sup></sup></a></h3>
<p style="text-align: justify; ">Framed under the powers conferred by sub-section (1), and sub-clause (o) of sub-section (2), of Section 54 read with sub-clause (k) of sub-section (2) of Section 23, and sub-sections (2) and (4) of Section 29, of the Aadhaar Act, the Sharing of Information regulations look at the restrictions on sharing of identity information collected by the UIDAI and requesting entities. The Data Security regulation, framed under powers conferred by clause (p) of sub-section (2) of section 54 of the Aadhaar Act, looks at security obligations of all service providers engaged by the UIDAI.</p>
<h4 style="text-align: justify; ">Provision: Sub-Regulation 6 (1)</h4>
<p style="text-align: justify; ">All agencies, consultants, advisors and other service providers engaged by the Authority, and ecosystem partners such as registrars, requesting entities, Authentication User Agencies and Authentication Service Agencies shall get their operations audited by an information systems auditor certified by a recognised body under the Information Technology Act, 2000 and furnish certified audit reports to the Authority, upon request or at time periods specified by the Authority.</p>
<h5 style="text-align: justify; ">Observations:</h5>
<p style="text-align: justify; ">The regulation states that audits shall be conducted by an information systems auditor certified by a recognised body under the Information Technology Act, 2000. However, there is no such certifying body under the Information Technology Act. This suggests a lack of diligence in framing the rules, and will inevitably lead to inordinate delays, or alternatively, a lack of a clear procedure in the appointment of an auditor. Further, instead of prescribing a regular and proactive process of audits, the regulation limits audits to when requested or as deemed appropriate by UIDAI. This is another in a line of many provisions whose implication is power being concentrated in the hands of UIDAI, with little scope for accountability and transparency.</p>
<h3 style="text-align: justify; ">Conclusion</h3>
<p style="text-align: justify; ">In conclusion, it must be stated that the regulations promulgated by the UIDAI leave a lot to be desired. Some of the most important issues raised against the Aadhaar Act, which were delegated to the UIDAI’s rule making powers, have not been addressed at all. Some of the most important issues such as data security policies, right to access records of Aadhaar number holders, procedure to be followed by the grievance redressal bodies, uploading of the enrolment packet to the CIDR, procedure for enrolling residents with biometric exceptions, and procedure for informing residents about acceptance/rejection of enrolment application have been left unaddressed and ‘may be specified’ at a later date. These failures leave a gaping hole, especially in light of the absence of a comprehensive data protection legislation in India, as well as the speed and haste with which the enrolment and seeding have been done by the UIDAI, and the number of services, both private and public, which are using or planning to use the Aadhaar number and the authentication process as a primary identifier for residents.</p>
<p style="text-align: justify; "><a href="#_ftnref1" name="_ftn1"><sup><sup>[1]</sup></sup></a> Available at <a href="https://uidai.gov.in/legal-framework/acts/regulations.html">https://uidai.gov.in/legal-framework/acts/regulations.html</a></p>
<p style="text-align: justify; "><a href="#_ftnref2" name="_ftn2"><sup><sup>[2]</sup></sup></a> <a href="https://www.irda.gov.in/ADMINCMS/cms/frmGeneral_Layout.aspx?page=PageNo62&flag=1">https://www.irda.gov.in/ADMINCMS/cms/frmGeneral_Layout.aspx?page=PageNo62&flag=1</a></p>
<p style="text-align: justify; "><a href="#_ftnref3" name="_ftn3"><sup><sup>[3]</sup></sup></a> <a href="http://www.sebi.gov.in/acts/boardregu.html">http://www.sebi.gov.in/acts/boardregu.html</a></p>
<p style="text-align: justify; "><a href="#_ftnref4" name="_ftn4"><sup><sup>[4]</sup></sup></a> Available at <a href="https://uidai.gov.in/legal-framework/acts/regulations.html">https://uidai.gov.in/legal-framework/acts/regulations.html</a></p>
<p style="text-align: justify; "> </p>
<p style="text-align: justify; "><a href="#_ftnref5" name="_ftn5"><sup><sup>[5]</sup></sup></a> Available at: https://uidai.gov.in/images/resource/aadhaar_registered_devices_2_0_09112016.pdf</p>
<p style="text-align: justify; "><a href="#_ftnref6" name="_ftn6"><sup><sup>[6]</sup></sup></a> Available at <a href="https://uidai.gov.in/legal-framework/acts/regulations.html">https://uidai.gov.in/legal-framework/acts/regulations.html</a></p>
<p style="text-align: justify; "><a href="#_ftnref7" name="_ftn7"><sup><sup>[7]</sup></sup></a> Available at <a href="https://uidai.gov.in/legal-framework/acts/regulations.html">https://uidai.gov.in/legal-framework/acts/regulations.html</a></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/analysis-of-key-provisions-of-aadhaar-act-regulations'>https://cis-india.org/internet-governance/blog/analysis-of-key-provisions-of-aadhaar-act-regulations</a>
</p>
No publisher; amber; UID, Privacy, Internet Governance, UIDAI, Biometrics, Aadhaar; 2017-04-03T14:05:01Z; Blog Entry
An Urgent Need for the Right to Privacy
https://cis-india.org/internet-governance/blog/an-urgent-need-for-the-right-to-privacy
<b>Along with a group of individuals and organisations from academia and civil society, we have drafted and are signatories to an open letter addressed to the Union government and urging the same to "urgently take steps to uphold the constitutional basis to the right to privacy and fulfil its constitutional and international obligations." Here we publish the text of the open letter. Please follow the link below to support it by joining the signatories.</b>
<p> </p>
<h4><a href="http://goo.gl/forms/hw4huFcc4b" target="_blank">Read and sign the open letter.</a></h4>
<p> </p>
<h2>Text of the Open Letter</h2>
<p>As our everyday lives are conducted increasingly through electronic communications the necessity for privacy protections has also increased. While several countries across the globe have recognised this by furthering the right to privacy of their citizens the Union Government has adopted a regressive attitude towards this core civil liberty. We urge the Union Government to take urgent measures to safeguard the right to privacy in India.</p>
<p>Our concerns are based on a continuing pattern of disregard for the right to privacy by several governments in the past. This trend has increased as can be plainly viewed from the following developments.</p>
<p>In 2015, the Attorney General in the case of <i>K.S. Puttaswamy v. Union of India</i>, argued before the Hon’ble Supreme Court that there is no right to privacy under the Constitution of India. The Hon'ble Court was persuaded to re-examine the basis of the right to privacy upsetting 45 years of judicial precedent. This has thrown the constitutional right to privacy in doubt and the several judgements that have been given under it. This includes the 1997 PUCL Telephone Tapping judgement as well. We urge the Union Government to take whatever steps are necessary and urge the Supreme Court to hold that a right to privacy exists under the Constitution of India.</p>
<p>Recently Mr. Arun Jaitley, Minister for Finance introduced the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016. This bill was passed on March 11, 2016 in the middle of budget discussion on a short notice as a money bill in the Lok Sabha when only 73 of 545 members were present. Its timing and introduction as a money bill prevents necessary scrutiny given the large privacy risks that arise under it. This version of the bill was never put up for public consultation and is being rushed through without adequate discussion. Even substantively it fails to give accountable privacy safeguards while making Aadhaar mandatory for availing any government subsidy, benefit, or service.</p>
<p>We urge the Union Government to urgently take steps to uphold the constitutional basis to the right to privacy and fulfil its constitutional and international obligations. We encourage the Government to have extensive public discussions on the Aadhaar Bill before notifying it. We further call upon them to constitute a drafting committee with members of civil society to draft a comprehensive statute as suggested by the Justice A.P. Shah Committee Report of 2012.</p>
<p>Signatories:</p>
<ul><li>Amber Sinha, the Centre for Internet and Society</li>
<li>Japreet Grewal, the Centre for Internet and Society</li>
<li>Joshita Pai, Centre for Communication Governance, National Law University</li>
<li>Raman Jit Singh Chima, Access Now</li>
<li>Sarvjeet Singh, Centre for Communication Governance, National Law University</li>
<li>Sumandro Chattapadhyay, the Centre for Internet and Society</li>
<li>Sunil Abraham, the Centre for Internet and Society</li>
<li>Vanya Rakesh, the Centre for Internet and Society</li></ul>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/an-urgent-need-for-the-right-to-privacy'>https://cis-india.org/internet-governance/blog/an-urgent-need-for-the-right-to-privacy</a>
</p>
No publisher; sumandro; UID, Big Data, Privacy, Internet Governance, Digital India, Aadhaar, Biometrics; 2016-03-17T07:40:12Z; Blog Entry
Aadhaar data leaks not from UIDAI: Centre
https://cis-india.org/internet-governance/news/hindu-krishnadas-rajagopal-may-3-2017-aadhaar-data-leaks-not-from-uidai
<b>Aadhaar is foolproof, it tells SC </b>
<p style="text-align: justify; ">The article by Krishnadas Rajagopal was <a class="external-link" href="http://www.thehindu.com/news/national/aadhaar-data-leaks-not-from-uidai-centre/article18379074.ece">published in the Hindu </a>on May 3, 2017.</p>
<hr />
<p style="text-align: justify; ">Leaks of Aadhaar card details are not from the UIDAI, but at the State level, the Union government told the Supreme Court on Wednesday.<br /><br />“As of today, Aadhaar is foolproof. Biometric technology is the best system in 2016. There has not been a single leak from the UIDAI. The leaks of details may have been from the States... their offices and agencies,” advocate Arghya Sengupta, counsel for the Centre, submitted in the court.<br /><br />The Centre’s clarification comes in the midst of reports that data of over 130 million Aadhaar cardholders have been leaked from four government websites.<br /><br />Reports, based on a study conducted by the Centre for Internet and Society (CIS), a Bengaluru-based organisation, said Aadhaar numbers, names and other personal details of people have been leaked.<br /><br />The Centre was washing its hands of the alleged leaks for the second consecutive day in the Supreme Court.<br /><b><br />A-G’s assurance</b><br /><br />On Tuesday, Attorney-General Mukul Rohatgi had emphatically assured the Supreme Court that biometrics of Aadhaar cardholders were safe and had not fallen into other hands. He said the biometric details were kept in a central database run by the Centre.<br /><br /></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/hindu-krishnadas-rajagopal-may-3-2017-aadhaar-data-leaks-not-from-uidai'>https://cis-india.org/internet-governance/news/hindu-krishnadas-rajagopal-may-3-2017-aadhaar-data-leaks-not-from-uidai</a>
</p>
No publisher; praskrishna; UID, Privacy, Internet Governance, UIDAI, Aadhaar; 2017-05-20T08:27:28Z; News Item
Aadhaar Bill fails to incorporate suggestions by the Standing Committee
https://cis-india.org/internet-governance/blog/aadhaar-bill-fails-to-incorporate-suggestions-by-the-standing-committee
<b>In 2011, a standing committee report led by Yashwant Sinha had been scathing in its indictments of the Aadhaar Bill introduced by the UPA government. Five years later, the NDA government has introduced a new bill which is a rehash of the same. I look at the concerns raised by the committee report, none of which have been addressed by the new bill.
</b>
<p id="docs-internal-guid-0c1d0148-5959-8221-80f0-984c1f109411" dir="ltr">The article was published by <a class="external-link" href="http://thewire.in/2016/03/10/aadhaar-bill-fails-to-incorporate-standing-committees-suggestions-24433/">The Wire</a> on March 10, 2016.</p>
<p dir="ltr">In December 2010, the UPA Government introduced the National Identification Authority of India Bill, 2010 in the Parliament. It was subsequently referred to a Standing Committee on Finance by the Speaker of Lok Sabha under Rule 331E of the Rules of Procedure and Conduct of Business in Lok Sabha. This Committee, headed by BJP leader Yashwant Sinha, took evidence from the Minister of Planning and the UIDAI from the government, and sought the views of parties such as the National Human Rights Commission, Indian Banks Association and researchers like Dr. Reetika Khera and Dr. Usha Ramanathan. In 2011, having heard from various parties and considering the concerns and apprehensions about the UID scheme, the Committee deemed the bill unacceptable and suggested a re-consideration of the UID scheme as well as the draft legislation.</p>
<p dir="ltr">The Aadhaar programme has so far been implemented under the Unique Identification Authority of India, a Central Government agency created through an executive order. This programme has been shrouded in controversy over issues of privacy and security resulting in a Public Interest Litigation filed by Judge Puttaswamy in the Supreme Court. While the BJP had criticised the project as well as the draft legislation when it was in opposition, once it came to power and particularly, after it launched various welfare schemes like Digital India and Jan Dhan Yojna, it decided to continue with it and use Aadhaar as the identification technology for these projects. In the last year, there have been orders passed by the Supreme Court which prohibited making Aadhaar mandatory for availing services. One of the questions that the government has had to answer both inside and outside the court on the UID project is the lack of a legislative mandate for a project of this size. About five years later, the new BJP led government has come back with a rehash of the same old draft, and no comments made by the standing committee have been taken into account.</p>
<p dir="ltr">The Standing Committee on the old bill had taken great exception to the continued collection of data and issuance of Aadhaar numbers while the Bill was pending in the Parliament. The report said that implementing the provisions of the Bill and continuing to incur expenditure from the exchequer was a circumvention of the prerogative powers of the Parliament. However, the project has continued without interruption since its inception in 2009. I am listing below some of the issues that the Committee identified with the UID project and draft legislation, none of which have been addressed in the current Bill.</p>
<p dir="ltr">One of the primary arguments made by proponents of Aadhaar has been that it would be useful in providing services to marginalized sections of society who currently do not have identification cards and, consequently, are not able to receive state-sponsored services, benefits and subsidies. The report points out that the project would not be able to achieve this, as no statistical data on the marginalized sections of society are being used by UIDAI to provide coverage to them. The introducer system, which was supposed to provide Aadhaar numbers to those without any form of identification, has been used to enroll only 0.03% of the total number of people registered. Further, the <a href="http://uidai.gov.in/UID_PDF/Committees/Biometrics_Standards_Committee_report.pdf">Biometrics Standards Committee of UIDAI</a> has itself acknowledged the issues caused by the high number of manual laborers in India, which would lead to sub-optimal fingerprint scans. A <a href="http://www.4gid.com/De-dup-complexity%20unique%20ID%20context.pdf">report by 4G Identity Solutions</a> estimates that while in any population, approximately 5% of the people have unreadable fingerprints, in India it could lead to a failure to enroll up to 15% of the population. In this manner, the project could actually end up excluding more people.</p>
<p dir="ltr">The Report also pointed to the lack of a cost-benefit analysis before going ahead with a scheme of this scale. It makes a reference to the <a href="http://eprints.lse.ac.uk/684/1/identityreport.pdf">report</a> by the London School of Economics on the UK Identity Project, which was shelved due to a) huge costs involved in the project, b) the complexity of the exercise and unavailability of reliable, safe and tested technology, c) risks to security and safety of registrants, d) security measures at a scale that will result in substantially higher implementation and operational costs and e) extreme dangers to rights of registrants and public interest. The Committee Report insisted that such global experiences remained relevant to the UID project and needed to be considered. However, the new Bill has not been drafted with a view to addressing any of these issues.</p>
<p dir="ltr">The Committee comes down heavily on the irregularities in data collection by the UIDAI. It raises doubts about the ability of the Registrars to effectively verify the registrants and notes the lack of any security audit mechanisms that could identify issues in enrollment. Pointing to the news reports about irregularities in the process being followed by the Registrars appointed by the UIDAI, the Committee deems the MoUs signed between the UIDAI and the Registrars as toothless. The involvement of private parties has already been under question, with many questions being raised over the lack of appropriate safeguards in the contracts with the private contractors.</p>
<span id="docs-internal-guid-0c1d0148-595b-32fa-49d2-8f6a347a4c00">Perhaps the most significant observation of the Committee was that any scheme that facilitates the creation of such a massive database of personal information of the people of the country, and its linkage with other databases, should be preceded by a comprehensive data protection law. By stating this, the Committee has acknowledged that in the absence of a privacy law which governs the collection, use and storage of personal data, the UID project will lead to abuse, surveillance and profiling of individuals. It makes a reference to the Privacy Bill, which is still only at the draft stage. The current data protection framework in the Section 43A rules under the Information Technology Act, 2000 is woefully inadequate and far too limited in its scope. While there are some protections built into Chapter VI of the new bill, these are nowhere near as comprehensive as the ones articulated in the Privacy Bill. Additionally, these protections are subject to broad exceptions which could significantly dilute their impact.</span>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/aadhaar-bill-fails-to-incorporate-suggestions-by-the-standing-committee'>https://cis-india.org/internet-governance/blog/aadhaar-bill-fails-to-incorporate-suggestions-by-the-standing-committee</a>
</p>
No publisher | amber | UID, Aadhaar, Internet Governance, Privacy | 2016-03-10T15:58:57Z | Blog Entry
Aadhaar Bill 2016 Evaluated against the National Privacy Principles
https://cis-india.org/internet-governance/aadhaar-bill-2016-evaluated-against-the-national-privacy-principles
<b>In this infographic, we evaluate the privacy provisions of the Aadhaar Bill 2016 against the national privacy principles developed by the Group of Experts on Privacy led by the Former Chief Justice A.P. Shah in 2012. The infographic is based on Vipul Kharbanda’s article 'Analysis of Aadhaar Act in the Context of A.P. Shah Committee Principles,' and is designed by Pooja Saxena, with inputs from Amber Sinha.</b>
<p> </p>
<h4>Download the infographic: <a href="https://github.com/cis-india/website/raw/master/infographics/CIS_Aadhaar-2016-Vs-Privacy-Principles_v.1.0.pdf">PDF</a> and <a href="https://github.com/cis-india/website/raw/master/infographics/CIS_Aadhaar-2016-Vs-Privacy-Principles_v.1.0.png">PNG</a>.</h4>
<p> </p>
<p><strong>License:</strong> It is shared under Creative Commons <a href="https://creativecommons.org/licenses/by/4.0/">Attribution 4.0 International</a> License.</p>
<p> </p>
<img src="https://github.com/cis-india/website/raw/master/infographics/CIS_Aadhaar-2016-Vs-Privacy-Principles_v.1.0.png" alt="Aadhaar Bill 2016 Evaluated against the National Privacy Principles" />
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/aadhaar-bill-2016-evaluated-against-the-national-privacy-principles'>https://cis-india.org/internet-governance/aadhaar-bill-2016-evaluated-against-the-national-privacy-principles</a>
</p>
No publisher | Pooja Saxena and Amber Sinha | UID, Big Data, Privacy, Internet Governance, Infographic, Digital India, Aadhaar, Biometrics | 2016-03-21T08:38:34Z | Blog Entry
Aadhaar Bill 2016 & NIAI Bill 2010 - Comparing the Texts
https://cis-india.org/internet-governance/blog/aadhaar-bill-2016-niai-bill-2010-text-comparison
<b>This is a quick comparison of the texts of the Aadhaar Bill 2016 and the National Identification Authority of India Bill 2010. The new sections in the former are highlighted, and the deleted sections (that were part of the latter) are struck out.</b>
<p> </p>
<iframe src="http://cis-india.github.io/aadhaar-bill-2016/" frameborder="0" height="500px" width="100%"> </iframe>
<p> </p>
<p>Source: <a href="http://cis-india.github.io/aadhaar-bill-2016/">http://cis-india.github.io/aadhaar-bill-2016/</a></p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/aadhaar-bill-2016-niai-bill-2010-text-comparison'>https://cis-india.org/internet-governance/blog/aadhaar-bill-2016-niai-bill-2010-text-comparison</a>
</p>
No publisher | sumandro | UID, Aadhaar, Big Data, Privacy | 2016-03-09T11:25:01Z | Blog Entry