The Centre for Internet and Society
https://cis-india.org
Unique Identification Scheme (UID) & National Population Register (NPR), and Governance
https://cis-india.org/internet-governance/blog/uid-and-npr-a-background-note
<b>This post examines the UID, NPR and Governance as it exists in India. The background note gives a summary of what is the NPR, the legal grounding of NPR, its objectives, and the information which could be collected under the NPR. The post also throws light on the UID, its objectives, process of enrollment in UID, how UID is being adopted by different states in India, and finally the differences and controversies in UID and NPR.</b>
<p><i>This research was undertaken as part of the 'SAFEGUARDS' project that CIS is undertaking with Privacy International and IDRC</i>.</p>
<hr />
<h2 style="text-align: justify; ">Video</h2>
<p><iframe frameborder="0" height="315" src="http://www.youtube.com/embed/P1CdCkdKtcU" width="315"></iframe></p>
<p><i>The above video is from the "UID, NPR, and Governance" conference held on March 2, 2013 at TERI, Bangalore</i>.</p>
<hr />
<p style="text-align: justify; "><b>What is the NPR?<br /></b>In 2010, the Government of India initiated the NPR which entails the creation of the National Citizens Register. This register is being prepared at the local, sub-district, district, state and national level. The database will contain thirteen categories of demographic information and three categories of biometric data collected from all residents aged five and above. Collection of this information was initially supposed to take place during the House listing and Housing Census phase of Census 2011 during April 2010 to September 2010.<a href="#fn1" name="fr1">[1]</a></p>
<p style="text-align: justify; "><b>What is the legal grounding of the NPR? </b><br />The NPR is legally grounded in the provisions of the Citizenship Act, 1955 and the Citizenship Rules 2003. It is <i>mandatory </i>for every usual resident in India to register in the NPR as per Section 14A of the Citizenship Act, 1955, as amended in 2004. The collection of biometrics is not accounted for in the statute or rules.</p>
<p style="text-align: justify; "><b>What are the objectives of the NPR? </b><br />The objective of the NPR, as stated by the Citizenship Act, is the creation of a National Citizen Register. The National Citizen Register is intended to assist in improving security by checking for illegal migration. Additional objectives that have been articulated include: providing services to the residents under government schemes and programmes, checking for identity frauds, and improving planning.<a href="#fn2" name="fr2">[2]</a></p>
<p style="text-align: justify; "><b>What is the process of enrollment for the NPR?</b><br />NPR enrollment is being carried out through house to house canvassing. The Office of the Registrar General and Census Commissioner, India has assigned the Department of Information Technology (DIT) the responsibility of collecting and digitizing demographic data in 17 states and 2 Union Territories of India.<a href="#fn3" name="fr3">[3]</a> Collected information will then be printed and <i>displayed in the local area </i>where it is scrutinized by local officers and vetted by local bodies called 'Gram Sabha/Ward Committees'.<a href="#fn4" name="fr4">[4]</a> This process of social audit is meant to bring in transparency, equity, and ensure accuracy.</p>
<p style="text-align: justify; "><b>What information will be collected under the NPR?</b><br />The NPR database will include thirteen categories of demographic information and three categories of biometrics. The collection of biometrics has not been provided for in the text of the Citizenship Rules, and instead appears to be authorized through guidelines,<a href="#fn5" name="fr5">[5]</a> which do not have statutory backing. Currently, two iris scans, ten fingerprints, and a photograph are being collected. According to a 2010 Committee note, only the photograph and fingerprints were initially envisioned to be collected.</p>
<p style="text-align: justify; "><b>What is the Resident Identity Card? </b><br />The proposed Resident Identity card is a smart card with a micro-processor chip of 6.4 Kb capacity; the demographic and biometric attributes of each individual will be personalized in this chip. The UID number will be placed on the card as well. Currently, the government is only considering the possibility of distributing smart cards to all residents over the age of 18.<a href="#fn6" name="fr6">[6]</a></p>
<p style="text-align: justify; "><b>What is the UID?<br /></b>The Unique Identification Authority of India (UIDAI) was established in January 2009 and is part of the Planning Commission of India. UIDAI aims to provide a unique 12 digit ID number to all residents in India on a voluntary basis. The number will be known as AADHAAR. The UIDAI will own and operate a Unique Identification Number database which will contain biometric and demographic data of citizens.<a href="#fn7" name="fr7">[7]</a></p>
<p style="text-align: justify; "><b>What is the objective of the UID?<br /></b>According to the UIDAI, the UID will provide identity for individuals. The scheme has been promoted by the UIDAI as enabling a number of social benefits including improving the public distribution system, enabling financial inclusion, and improving the Mahatma Gandhi National Rural Employment Guarantee Scheme (NREGS). Despite these benefits, the UIDAI only guarantees identity, and does not guarantee rights, benefits or entitlement.<a href="#fn8" name="fr8">[8]</a></p>
<p style="text-align: justify; "><b>What is the process for enrollment in the UID?</b><br />To enroll in the UID, individuals must go to enrollment centers with the appropriate documentation. Once documents are verified and biometrics taken, individuals will receive an acknowledgment slip and their UID number will be sent in the mail.<a href="#fn9" name="fr9">[9]</a> The UIDAI will enroll up to 600 million residents in 16 States and territories.<a href="#fn10" name="fr10">[10]</a> Online registration prior to enrollment at a Center is also now being offered.</p>
<p style="text-align: justify; "><b>How is UID being adopted by different States? </b><br />The adoption of the UID by different states and platforms has been controversial as the UID is not a mandatory number, yet with states and services adopting the number for different governmental services, the UID is becoming mandatory by default. Some ways in which states are using the UID include:</p>
<ul>
<li style="text-align: justify; "><i>Gas and vehicles</i>: The UPA Government has required that citizens have a UID number for services such as purchasing cooking gas, issuing an RTI request, and registering vehicles.<a href="#fn11" name="fr11">[11]</a></li>
<li style="text-align: justify; "><i>Education</i>: The Kerala government has required that all students must have a UID number in order to be tracked through the system.<a href="#fn12" name="fr12">[12]</a> This mandate was questioned by the National Commission for Protection of Child Rights.</li>
<li style="text-align: justify; "><i>First Information Reports (FIRs)</i>: The high court in Bombay has ordered the state home department to direct all police stations in Maharashtra to record the Unique Identification (UID) numbers of accused individuals and witnesses filing an FIR.<a href="#fn13" name="fr13">[13]</a> </li>
<li style="text-align: justify; "><i>Banks</i>: The National Payment Corporation of India has collaborated with the UIDAI and is issuing ‘RuPay cards’ (Dhan Aadhaar cards) which will serve as ATM/micro-ATM cards. In 2011 the Bank of India had issued 250 cards.<a href="#fn14" name="fr14">[14]</a></li>
<li style="text-align: justify; "><i>Railway</i>: Railways are proposing to use the UID database for bookings and validation of passengers.<a href="#fn15" name="fr15">[15]</a></li>
<li style="text-align: justify; "><i>Social Security</i>: Commencing January 1, 2013, MGNREGA, the Rajiv Gandhi Awas Yojana (RGAY), the Ashraya housing scheme, Bhagyalakshmi and the social security and pension scheme have included the UID in the Mysore district.</li>
</ul>
<p><b>Has there been duplication of UID numbers?</b><br />According to news reports:</p>
<ul>
<li style="text-align: justify; ">The UIDAI has blacklisted an operator and a supervisor in Andhra Pradesh for issuing fake UID numbers.</li>
<li style="text-align: justify; ">The UIDAI is looking into six complaints regarding the misuse of personal data while issuing the UID numbers to individuals.</li>
<li>The UIDAI has received two complaints regarding duplication of UID numbers.<a href="#fn17" name="fr17">[17]</a></li>
</ul>
<p><b>What are the differences between the UID and NPR?<br /></b></p>
<ul>
<li style="text-align: justify; "><i>Voluntary vs. Mandatory:</i> It is compulsory for <i>all </i>Indian residents to register with the NPR, while registration with the UIDAI is considered voluntary. However, the NPR will store individuals' UID numbers with the NPR data and place them on the Resident Indian Card. In this way and others, the UID number is becoming compulsory by various means. </li>
<li style="text-align: justify; "><i>Number vs. Register:</i> UID will issue a number, while the NPR is the prelude to the National Citizens Register. Thus, it is only a Register. Though earlier the MNIC card was implemented along the coastal area, there has been no proposal to extend the MNIC to the whole country. The smart card that is proposed under the NPR has only been raised for discussion, and there has been no official decision to issue a card.</li>
<li style="text-align: justify; "><i>Statute vs. Bill:</i> The enrollment of individuals for the NPR is legally backed by the Citizenship Act, except in relation to the collection of biometrics, while the UID has proposed a bill for the legal backing of the scheme, which has not been passed. </li>
<li style="text-align: justify; "><i>Authentication vs. Identification:</i> The UID number will serve as an authenticator during transactions. It can be adopted and made mandatory by any platform. The National Resident Card will signify resident status and citizenship. It is unclear in what circumstances the card will be required for use. </li>
<li style="text-align: justify; "><i>UIDAI vs. RGI:</i> The UIDAI is responsible for enrolling individuals in the UID scheme, and the RGI is responsible for enrolling individuals in the NPR scheme. It is important to note that the UIDAI is located in the Planning Commission, but its status is unclear, as the NIC had indicated that the data held is not being held by the government. </li>
<li style="text-align: justify; "><i>Door to door canvassing vs. center enrollment</i>: Individuals will have to go to an enrollment center and register for the UID, while the NPR will carry out part of the enrollment of individuals through door to door canvassing. Note: Individuals will still have to go to centers for enrolling their biometrics for the NPR scheme. </li>
<li style="text-align: justify; "><i>Prior documentation vs. census material:</i> The UID will be based off of prior forms of documentation and identification, while the NPR will be based off of census information.</li>
<li style="text-align: justify; "><i>Online vs. Offline:</i> For authentication of an individual’s UID number, the UID will require mobile connectivity, while the NPR can perform offline verification of an individual’s card. </li>
</ul>
<p><b>What is the controversy between the UID and NPR? </b></p>
<ul>
<li style="text-align: justify; "><i>Effectiveness:</i> There is controversy over which scheme would be more effective and appropriate for different purposes. For example, the Ministry of Home Affairs has argued that the NPR would be more suited for distributing subsidies than the UID, as the NPR has data linking each individual to a household.<a href="#fn18" name="fr18">[18]</a></li>
<li style="text-align: justify; "><i>Legality of sharing data</i>: The legality of both the UID and the NPR collecting data and biometrics has been questioned. For example, it has been pointed out that the collection of biometric information through the NPR is beyond the scope of subordinate legislation, especially as this appears to be left only to guidelines.<a href="#fn19" name="fr19">[19]</a> Collection of any information under the UID scheme is being questioned as the Bill has not been approved by the Parliament.</li>
<li style="text-align: justify; "><i>Accuracy</i>: The UIDAI's use of multiple registrars and enrolment agencies, the reliance on 'secondary information' via existing ID documents for enrollment in the UID, and the original plan to enroll individuals via the 'introducer' system were raised by Home Minister Chidambaram in January 2012 as concerns about how accurate the data collected by the UID will be.<a href="#fn20" name="fr20">[20]</a> To this extent, the UIDAI has changed the introducer system to a ‘verifier’ system. In this system, Government officials verify individuals and their documents prior to enrolling them.</li>
<li style="text-align: justify; "><i>Biometrics</i>: Though biometrics are mandatory for the UID scheme, according to information on the NPR website, if an individual has already enrolled with the UID, they will not need to provide their biometrics again for the NPR. Application of this standard has been haphazard as some individuals have been required to provide biometrics for both the UID and the NPR, and others have not been required to provide biometrics for the NPR.<a href="#fn21" name="fr21">[21]</a></li>
</ul>
<p><b>What court cases have been filed against the UID?<br /></b>The following cases are currently filed in courts around the country:</p>
<ul>
<li><i>Supreme Court:</i></li>
</ul>
<p style="padding-left: 30px; text-align: justify; ">K S Puttaswamy, a retired judge of Karnataka High Court filed a Public Interest Litigation (PIL) in the Supreme Court challenging the legality of UIDAI.<a href="#fn22" name="fr22">[22]</a></p>
<ul style="text-align: justify; ">
<li><i>Chandigarh</i>: A petition was filed in Chandigarh by Sanjeev Pandey which sought to quash an executive order, passed in violation of the Motor Vehicles Act, 1988, and Central Motor Vehicle Rules, 1989, by which UID cards had been made mandatory for registration of vehicles and grant of learner/regular driving license.<a href="#fn23" name="fr23">[23]</a></li>
<li style="text-align: justify; "><span><i>Karnataka:</i></span> <span>Mathew Thomas and Mr. VK Somasekhar have filed a civil suit in the Bangalore City Civil Courts (numbered 8181 of 2012) asking for the UID project to be stopped. The suit was dismissed, and they have appealed the case to the High Court (numbered 1780 and 1825 of 2013).</span></li>
<li style="text-align: justify; "><i>Chennai</i>: A PIL has been filed in the Madras High Court challenging the constitutional validity of the UIDAI and its issue of UID numbers.<a href="#fn24" name="fr24">[24]</a></li>
<li style="text-align: justify; "><i>Bombay</i>: In January 2012 a case was filed in the Mumbai High Court. The petitioners to the case are R. Ramkumar, G. Nagarjuna, Kamayani Mahabal, Yogesh Pawar and Vickram Crishna & Ors.</li>
</ul>
<p style="text-align: justify; "><b>What is the relationship between UID, NPR, and National Security?<br /></b>The UID and the NPR have both stated improving security as an objective for the projects. To this extent, it is envisioned that the UID and the NPR could be used to track and identify individuals, and determine if they are residents of India. In the case of the NPR, a distinction will be made between residents and citizens. Yet, concerns have also been raised that these projects instead raise national security threats, given the size of the databases that will be created, the centralized nature of the databases, the sensitive nature of the information held in the databases, and the involvement of international agencies.<a href="#fn25" name="fr25">[25]</a></p>
<p style="text-align: justify; "><b>What is the relationship between UID and Big Data?<br /></b>Aspects of the UID scheme allow it to generate a large amount of data from a variety of sources. Namely, the UID scheme aims to capture 12 billion fingerprints, 1.2 billion photographs and 2.4 billion iris scans and can be adopted by any platform. This data in turn can be stored, analyzed, and used for a number of purposes by a number of stakeholders in both the government and the private sectors. This is already happening to a certain extent as in November 2012 the UID established a Public Data Portal for the UID project. According to UIDAI officials the data portal will allow for big data analysis using crowd sourcing models.<a href="#fn26" name="fr26">[26]</a></p>
<p style="text-align: justify; "><b>How is UID being used for BPL direct cash transfers?<br /></b>Registration with the UID scheme is considered essential to determine whether beneficiaries belong in the BPL category and to provide transparency to the distribution of cash. In this way, the UID requirement is thought to prevent the leakage of social security benefits and subsidies to non-intended beneficiaries, as cash will only be made available to the person identified by the UID as the intended recipient. One of the main prerequisites of a below poverty line (BPL) direct cash transfer in India has become the registration with the UIDAI and the acquisition of a UID number. For example:</p>
<ul>
<li style="text-align: justify; ">The "Cash for Food" programme requires that individuals applying for aid have a bank account and a UID number. The money is transferred, electronically and automatically, to the bank account and the beneficiary should be able to withdraw it from a micro-ATM using the UID number.<a href="#fn27" name="fr27">[27]</a> It is important to note that micro-ATMs are not actual ATMs, but instead are handheld machines which may give information on bank balance and such, but will not dispense or maintain privacy of transaction. Most importantly, the transaction is mediated through a banking correspondent.</li>
<li style="text-align: justify; ">The government plans to cover the target BPL families and deposit USD 570 billion per year in the bank accounts of 100 million poor families by 2014.<a href="#fn28" name="fr28">[28]</a></li>
<li style="text-align: justify; ">Currently, only beneficiaries of thirteen government schemes and LPG connection holders have been identified as being entitled to register for a UID number.<a href="#fn29" name="fr29">[29]</a> Though these schemes have been identified, as of yet, adoption has happened in very few districts. </li>
</ul>
<p style="text-align: justify; "><b>What are the concerns regarding the use of biometrics in the UID and NPR scheme? <br /></b>Both the UID and the NPR rely on biometrics as a way to identify individuals. Yet, many concerns have been raised about the use of biometrics in terms of legality, effectiveness, and accuracy of the technology. With regards to the accuracy and effectiveness of biometrics – the following concerns have been raised:</p>
<ul>
<li style="text-align: justify; "><i>Biometrics are not infallible:</i> Inaccuracies can arise from variations in individuals' attributes and inaccuracies in the technology. </li>
<li style="text-align: justify; "><i>Environment matters</i>: An individual’s biometrics can change in response to a number of factors including age, environment, stress, activity, and illness.</li>
<li style="text-align: justify; "><i>Population size matters</i>: Because biometrics have differing levels of stability, the larger the population, the higher the possibility of error. </li>
<li style="text-align: justify; "><i>Technology matters:</i> The accuracy of a biometric match also depends on the accuracy of the technology used. Many aspects of biometric technology can change including: calibration, sensors, and algorithms.</li>
<li style="text-align: justify; "><i>Spoofing:</i> It is possible to spoof a fingerprint and fool a biometric reader.<a href="#fn30" name="fr30">[30]</a></li>
</ul>
<hr />
<p style="text-align: justify; ">[<a href="#fr1" name="fn1">1</a>]. Government of India. Ministry of Home Affairs. Office of the Registrar General & Census Commissioner. <a class="external-link" href="http://bit.ly/IiySDh">http://bit.ly/IiySDh</a></p>
<p style="text-align: justify; ">[<a href="#fr2" name="fn2">2</a>]. This is according to a 2010 Cabinet note and the official website of the NPR.</p>
<p style="text-align: justify; ">[<a href="#fr3" name="fn3">3</a>]. Department of Information Technology: http://ditnpr.nic.in/frmStatelist.aspx - These include: (1) Arunachal Pradesh (2) Assam (3) Bihar (4) Chhattisgarh (5) Haryana (6) Himachal Pradesh (7)Jammu & Kashmir (8) Jharkhand (9) Madhya Pradesh (10)Meghalaya (11)Mizoram (12)Punjab (13)Rajasthan (14)Sikkim (15)Tripura (16)Uttar Pradesh (17)Uttarakhand Union Territories:-(1) Dadra & Nagar Haveli (2) Chandigarh.</p>
<p>[<a href="#fr4" name="fn4">4</a>]. Government of India. Ministry of Home Affairs. Office of the Registrar General & Census Commissioner: <a class="external-link" href="http://bit.ly/IiySDh">http://bit.ly/IiySDh</a></p>
<p style="text-align: justify; ">[<a href="#fr5" name="fn5">5</a>]. Department of Information Technology. National Population Register. Question 22. What are the procedures to be followed for creating the NPR? The procedures to be followed for creating the NPR have been laid down in the Citizenship (Registration of Citizens and issue of National Identity Cards) Rules, 2003, and the guidelines being issued from time to time.</p>
<p style="text-align: justify; ">[<a href="#fr6" name="fn6">6</a>]. Government of India. Ministry of Home Affairs. Office of the Registrar General & Census Commissioner: http://censusindia.gov.in/2011-Common/IntroductionToNpr.html. The Unique Identification Authority of India. <a class="external-link" href="http://uidai.gov.in/">http://uidai.gov.in/</a></p>
<p>[<a href="#fr7" name="fn7">7</a>]. Unique Identification Authority of India. <a class="external-link" href="http://uidai.gov.in/">http://uidai.gov.in/</a></p>
<p style="text-align: justify; ">[<a href="#fr8" name="fn8">8</a>]. The point was made by R. Ramachandran. How reliable is UID? Frontline. Volume 28- Issue 24: November 19- December 02, 2011. Available at:<a class="external-link" href="http://bit.ly/13UMiSv"> http://bit.ly/13UMiSv</a></p>
<p>[<a href="#fr9" name="fn9">9</a>]. For more information see: How to get an Aadhaar. <a class="external-link" href="http://bit.ly/R2jBOP">http://bit.ly/R2jBOP</a></p>
<p style="text-align: justify; ">[<a href="#fr10" name="fn10">10</a>]. Mazumdar. R. UIDAI targets 400 million enrolments by mid 2013, Aadhar hopes to give unique identity to some 1.2 bn residents. Economic Times. December 2012. Available at: <a class="external-link" href="http://bit.ly/ZC3Yv">http://bit.ly/ZC3Yv</a>e. Last accessed: February 28th 2013.</p>
<p style="text-align: justify; ">[<a href="#fr11" name="fn11">11</a>]. Malu. B. The Aadhaar Card – What are the real intentions of the UPA Government? DNA. February 18<sup>th</sup> 2013. Available at: <a class="external-link" href="http://bit.ly/150BXRj">http://bit.ly/150BXRj</a>. Last accessed: February 28th 2013.</p>
<p style="text-align: justify; ">[<a href="#fr12" name="fn12">12</a>]. Government of Kerala. General Education Department Circular No. 52957/G2?2012/G.Edn. Available at: <a class="external-link" href="http://bit.ly/15Oiq8J">http://bit.ly/15Oiq8J</a></p>
<p style="text-align: justify; ">[<a href="#fr13" name="fn13">13</a>]. Plumber, M. Make UID numbers must in FIRs: Bombay HC. DNA. October 2011. Available at: <a class="external-link" href="http://bit.ly/tVsInl">http://bit.ly/tVsInl</a>. Last accessed: February 28th 2013.</p>
<p style="text-align: justify; ">[<a href="#fr14" name="fn14">14</a>]. Press Information Bureau. Government of India. Identity Card to Every Adult Resident of the Country under NPR; No Card being issued by UIDAI. December 2011. Available at: <a class="external-link" href="http://bit.ly/tJwZG1">http://bit.ly/tJwZG1</a></p>
<p style="text-align: justify; ">[<a href="#fr15" name="fn15">15</a>]. TravelBiz. Railways to use Aadhar database for passenger validation. February 2013. Available at: <a class="external-link" href="http://bit.ly/YcW5wl">http://bit.ly/YcW5wl</a>. Last accessed: February 28th 2013.</p>
<p>[<a href="#fr16" name="fn16">16</a>]. Vombatkere. S.G. Questions for Mr. Nilekani. The Hindu. February 2013. Available at: <a class="external-link" href="http://bit.ly/YqPlK1">http://bit.ly/YqPlK1</a>. Last accessed: February 28th 2013.</p>
<p style="text-align: justify; ">[<a href="#fr17" name="fn17">17</a>]. Economic Times. UIDAI orders probe into duplication of Aadhaar numbers.<a class="external-link" href="http://bit.ly/ZORowg"> http://bit.ly/ZORowg</a>. Last accessed: February 28th 2013.</p>
<p style="text-align: justify; ">[<a href="#fr18" name="fn18">18</a>]. Jain. B. Battle over turf muddies waters. Times of India. February 2013. Available at: <a class="external-link" href="http://bit.ly/16ud3gm">http://bit.ly/16ud3gm</a>. Last accessed: February 28th 2013</p>
<p style="text-align: justify; ">[<a href="#fr19" name="fn19">19</a>]. Rediff. Aadhaar’s allocation is Parliament’s contempt. February 2013. Available at: <a class="external-link" href="http://bit.ly/Y638JS">http://bit.ly/Y638JS</a>. Last accessed: February 28th 2013.</p>
<p>[<a href="#fr20" name="fn20">20</a>]. Ibid 17.</p>
<p style="text-align: justify; ">[<a href="#fr21" name="fn21">21</a>]. Times of India. Confused over Aadhaar, Cabinet clears GoM. February 2013. Available at <a class="external-link" href="http://bit.ly/UTH2JS">http://bit.ly/UTH2JS</a>. Last accessed: February 28th 2013.</p>
<p style="text-align: justify; ">[<a href="#fr22" name="fn22">22</a>]. Times of India. Supreme Court notice to govt on PIL over Aadhar. December 2012. Available at: <a class="external-link" href="http://bit.ly/13UNs0i">http://bit.ly/13UNs0i</a>. Last accessed: February 2013.</p>
<p style="text-align: justify; ">[<a href="#fr23" name="fn23">23</a>]. The Indian Express. HC issues notice to Centre, UT over mandatory UID for license. January 2013. Available at: <a class="external-link" href="http://bit.ly/WJq43M">http://bit.ly/WJq43M</a>. Last accessed: February 28th 2013.</p>
<p>[<a href="#fr24" name="fn24">24</a>]. Economic Times. PIL seeks to scrap Nandan Nilekani’s Aadhar project. January 2012. Available at: <a class="external-link" href="http://bit.ly/zB1H07">http://bit.ly/zB1H07</a>. Last accessed: February 28th 2013.</p>
<p>[<a href="#fr25" name="fn25">25</a>]. Times of India. UID poses national security threat: BJP. January 2012. Available at:<a class="external-link" href="http://bit.ly/WeM6KA"> http://bit.ly/WeM6KA</a>. Last accessed: February 28th 2013.</p>
<p style="text-align: justify; ">[<a href="#fr26" name="fn26">26</a>]. Zeenews. UIDAI launches Public Data Portal for Aadhaar. November 8th 2012. Available at: <a class="external-link" href="http://bit.ly/T9NdX3">http://bit.ly/T9NdX3</a>. Last Accessed: November 12th 2012.</p>
<p style="text-align: justify; ">[<a href="#fr27" name="fn27">27</a>]. Punj, S. Wages of Haste: Implementing the cash transfer scheme is proving a challenge. January 2013. Available at: <a class="external-link" href="http://bit.ly/1024Dwo">http://bit.ly/1024Dwo</a>. Last accessed: February 28th 2013.</p>
<p style="text-align: justify; ">[<a href="#fr28" name="fn28">28</a>]. The International Business Times. India to Roll Out World’s Biggest Direct Cash Transfer Scheme for the Poor. November 2012. Available at: <a class="external-link" href="http://bit.ly/UYbtw4">http://bit.ly/UYbtw4</a>. Last accessed: February 28th 2013.</p>
<p style="text-align: justify; ">[<a href="#fr29" name="fn29">29</a>]. Mid Day. Do not register for Aadhaar card before March 15: UID in –charge. February 2013. Available at: <a class="external-link" href="http://bit.ly/Xymx9d.">http://bit.ly/Xymx9d.</a> Last accessed: February 28th 2013.</p>
<p style="text-align: justify; ">[<a href="#fr30" name="fn30">30</a>]. These points were raised in the following frontline article Ibid: Ramachandran, R. How reliable is UID? Frontline. Volume 28 – Issue 24 November 19th – December 2nd 2011. Available at: <a class="external-link" href="http://bit.ly/13UMiSv">http://bit.ly/13UMiSv</a>. Last accessed February 28th 2013.</p>
No publisher | elonnai | Video | Internet Governance | Privacy | 2014-04-30T05:03:51Z | Blog Entry
Unique ID System: Pros and Cons
https://cis-india.org/internet-governance/unique-id-system-pros-and-cons
<b>On September 16, 2011, the Citizen’s Voluntary Initiative for the City and Centre for Advocacy and Research organized a public consultation titled “Unique ID System: Pros and Cons” in Bangalore. The consultation was on the utility and impact of the UID system in India and featured a panel discussion with T. Prabhakar, public relations officer, e-governance, Ashok Dalwai, UIDAI regional deputy director, Somashekar V.K., managing trustee of Grahak Shakti and Col. Mathew Thomas, civic activist and retired army officer.</b>
<p>Col. Mathew Thomas began his presentation with a comparative analysis of the Indian and the British experience in providing a unique identity to citizens. In Britain, this initiative was labelled as ‘intrusive bullying’ and ‘an assault on personal liberties’. Additionally, the government recognized that they must conduct their business as servants of the public and not as their masters. The project was terminated on the grounds that it could not achieve the claimed objectives, and that it was dangerous and costly.</p>
<p>Nevertheless, the unique identification (UID) system in India is being prescribed as a prestigious project that will eliminate identity fraud and financial exclusion, enhance accessibility for the poor, enable the government to better manage welfare schemes and target corruption in social programs such as the National Rural Employment Guarantee Act (NREGA), the public distribution system (PDS), public health and financial inclusion.</p>
<p>Col. Mathew Thomas chronicled ID schemes. He explained that the advent and growth of information technology increased the availability of technology, which led to a commercial interest in exploiting technology for profit. Technological solutions were heavily marketed; however, the belief that there is a technological fix for every problem is mistaken. Post 9/11 paranoia resulted in the notion that ID cards were the best possible counter measure to terrorism. “The inherent ridiculousness of this notion is that militants do not come with ID cards, but with AK-47s, and possession of ID cards or citizenship does not prevent one from becoming a terrorist”, says Mathew Thomas. National ID cards do not stop or deter terrorist actions.</p>
<p>India’s history with the UID project can be traced to the recommendations made by the Kargil Review Committee chaired by K. Subrahmanyam. The Committee recommended the issuing of ID cards to people in border areas to prevent infiltration and the extension of the system to the whole country to combat terrorism. Consequently, in 2003 the Citizenship Act of 1955 was amended by the NDA Government so as to compulsorily register all citizens into a “National Population Register” (NPR) and issue a Multi-purpose National Identity Card (MNIC). The NPR database will be linked to the UID. Subsequently, the UPA Government promoted the UID as a pro-poor project.</p>
<p>Col. Mathew Thomas discussed the various questionable aspects of the UID project: its legality, financial prudence, ethics and its uses and abuses.</p>
<h3>UID and Legality</h3>
<p>Firstly, there is no law governing the functioning of the Unique Identification Authority of India (UIDAI). The illegal implementation of the UID is a complete insult to the Parliament and citizens, considering that the National Identification Authority of India Bill 2010 was drafted long after the implementation of the UID commenced. </p>
<h3>UID and Financial Prudence</h3>
<p>The high level of apprehension surrounding the UID project stems from the fact that a project of this magnitude, cost and impact on the entire population would be undertaken without a feasibility study and a cost-benefit analysis. There exist two studies: one by the London School of Economics, regarding the UK project, and another by the Indian Institute of Management Ahmedabad, on UID in India. Both have concluded that such schemes are unworkable and too costly.</p>
<h3>UID and Ethics</h3>
<p>Ethical questions related to the UID are regarding its history, participation and ubiquity. Firstly, the UIDAI website is silent on the history prior to 2006. It fails to mention the significant historical roots of the UID, specifically, the Kargil War and the National Population Registry. Second, the UID has been promoted as a pro-poor project, whereas huge possibilities for commercial exploitation exist. Lastly, the UIDAI asserts that enrollment for the UID is ‘voluntary’. Although participation in the UID scheme is supposed to be voluntary, service providers can make it compulsory, thereby making it ubiquitous. A subtle campaign is being carried on, hinting at denial of benefits and services to those without UID.</p>
<h3>Uses and Abuses</h3>
<p>UID claims to transform governance, make ‘Bharath’ part of the growth process, plug ‘leakages’ & ‘slippages’ in welfare schemes, bring about all round prosperity and put India on a ‘fast-track’ growth by becoming the pivot around which all anti-poverty measures will rotate. One can conclude that UID is a panacea or a ‘one size fits all’ solution. Mathew Thomas questioned how these ambitions can be achieved by fingerprinting and scanning the irises of 1.2 billion people and storing the data for use by agencies responsible for the delivery of services.</p>
<p>These claims revolve around the assumptions that a lack of identity denies people welfare benefits; denies access to opportunities and services; and that a unique identification and de-duplication using biometrics would prevent “leakages”, “slippages” and in effect, all corruption. These assumptions need to be tested and verified so as to ensure validity.</p>
<h3>The Public Distribution System and UID</h3>
<p>Col. Mathew Thomas examined the PDS to analyze the use and claims of UID. He described the supply and demand of the PDS. The ‘supply’ side involves the fixing of minimum support prices, procurement by the centre and state governments, transport to FCI and state storages, distribution by centre to states and distribution by states to fair-price (ration) shops. All of the stages are affected by corruption and surprisingly UID beneficiaries have no role in any of the aforementioned stages.</p>
<p>‘Leakages’ in the supply process could potentially occur during the fixing of the minimum support prices (if deals exist with large farmers), during procurement (if they lift less quantity than what was paid for) and during accounting and storage (if they write off larger quantities than the actual damage; write off against bogus ration-cards; and show more quantity in storage and shops than is actually there).</p>
<p>The ‘demand’ process of the PDS system requires state governments to decide on the eligibility of BPL people, issue ration cards and allocate ration-card holders to specific ration shops, and requires the ration-card holders to go to designated shops and collect entitlements. Corruption is possible, probable and happens in this discretionary decision-making. However, the only stage at which UID would find some use, if at all, is when ration-card holders collect rations.</p>
<p>Col. Mathew Thomas provided an excellent example of the government’s lopsided priorities. He describes the UID in PDS as the story of the ‘fence eating the corn’. The ‘fence’ then says, “let’s brand the cattle to find who is stealing the corn!”</p>
<p>The practicality of utilizing UID for authentication in the PDS system is a huge conundrum, considering that the process to authenticate at ration shops requires all shops to have scanners (approximately six lakhs), which must be connected to a network and power at all times.</p>
<p>Another problem surrounds the collection of ration. Ration-card holders do not always go to collect rations. There could be occasions where one family member goes for collection or one person collects rations for a number of families. The worst part of the UID application to the PDS system is that the procedure puts the BPL person at the mercy of the ration-shop keeper. He could simply deny rations, saying, “Authentication failed”.</p>
<p>The potential abuses of the UID could arise from the large collection of fingerprints that will be with various government officials and private agencies, which could be used to foist false criminal cases against innocent people, forge title deeds, sale deeds, promissory notes, wills, etc., and could target individuals and communities.</p>
<p>Col. Mathew Thomas concluded by explaining the main risks of any centralized database: it can be hacked and can crash. Professor Ian Angell, of the London School of Economics, has said that the UID will be the "Olympic games of hacking", providing people with the biggest challenge to hack through.</p>
<p><img src="https://cis-india.org/home-images/uid.jpg/image_preview" alt="UID" class="image-inline image-inline" title="UID" /></p>
<p>Making a point: (From left) Public Relations Officer, e-governance, T. Prabhakar; UIDAI Regional Deputy Director Ashok Dalwai; Managing Trustee of Grahak Shakti Somashekar V.K.; and civic activist Mathew Thomas at a panel discussion in Bangalore on Friday. — photo: V. Sreenivasa Murthy.</p>
<p>Photo Source: From the <strong>Hindu</strong>, September 17, 2011, <a class="external-link" href="http://goo.gl/gCnqK">http://goo.gl/gCnqK</a></p>
<hr />
<p>Note: Unfortunately, the other presentations were conducted in Kannada and could not be understood by the author of this blog. </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/unique-id-system-pros-and-cons'>https://cis-india.org/internet-governance/unique-id-system-pros-and-cons</a>
</p>
No publisher | Natasha Vaz | Internet Governance, Privacy | 2012-02-29T11:28:58Z | Blog Entry
UNESCAP Google AI Meeting
https://cis-india.org/internet-governance/news/unescap-google-ai-meeting
<b>Arindrajit was a panelist at the event on AI in public service delivery hosted by UNESCAP Bangkok on August 29, 2018. The event was co-organized by Economic and Social Commission for Asia and the Pacific and Google.</b>
<p style="text-align: justify; ">The discussion centered around the two questions (1) Is AI different from other technological advancements in the past and (2) Recommendations for policy-makers to enhance AI in Public Service Delivery. The other panelists were Dr. Urs Gasser (Berkman), Vidushi Marda (Art.19), Malavika Jayaram (Digital Asia Hub) and Jake Lucchi (Google). The panel was a platform to discuss some of our findings in our case studies on healthcare and agriculture, which we will receive comments on and will get published in November.<br /><br /></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/unescap-google-ai-meeting'>https://cis-india.org/internet-governance/news/unescap-google-ai-meeting</a>
</p>
No publisher | Admin | Internet Governance, Artificial Intelligence, Privacy | 2018-09-20T15:47:42Z | News Item
Understanding Surveillance and Privacy in India
https://cis-india.org/internet-governance/news/understanding-privacy-and-surveillance-in-india
<b>Bhairav Acharya delivered a lecture at the Jamia Millia Islamia in New Delhi on August 28, 2014. </b>
<p style="text-align: justify; "><b>Abstract</b><br />While privacy seems intuitive to most people, its legal codification and protection is complex. This is because varying expectations of privacy exist in different social contexts demanding different forms and degrees of protection. In India, an unambiguous and enforceable constitutional right to privacy does not exist. The Supreme Court of India has, intermittently and unconvincingly, recognised a limited right to privacy in certain situations. Recent debates on privacy focus primarily on two areas: surveillance, and data protection. The interception of communications – phone calls, emails, and letters, – which is a type of surveillance, is statutorily regulated in India in an uneven way. A colonial law permits and regulates wiretaps in India. A derivative law governs emails and electronic communications. Both these laws suffer serious shortcomings. Indian law permits executive authorisations – by bureaucrats – of wiretaps without an independent audit and oversight mechanism. No legal provisions exist to redress improper wiretaps or information leaks – the Radia tapes controversy illustrates this. These lacunae remain unaddressed even as large-scale techno-utopian projects, such as the Central Monitoring System, move forward. However, the recent governmental push for privacy law does not stem from surveillance concerns but from international commerce in personal data. There is also a growing domestic constituency that is alarmed by the state’s collection of personal data without regulatory safeguards.</p>
<p style="text-align: justify; "><b>About the Speaker</b><br />Bhairav Acharya is a constitutional lawyer in India who joined the Bar in 2004 after graduating from the National Law School of India University, Bangalore. From 2004 - 2009, he was the Deputy Director of the Public Interest Legal Support and Research Centre (PILSARC), an organisation established to provide institutional legal support and credible research to popular movements, and to ideas and communities marginalised by law. He headed a UNHCR project to draft a refugee protection law for India and is a member of the NHRC’s National Experts Group on Refugee Law. He litigated – mostly constitutional law – in the chambers of a senior counsel in the Supreme Court of India, where he became especially interested in free speech law. From 2009 - 2010, he advised a leading Indian multinational information technology major on privacy law and data protection. At present, he independently advises the Centre for Internet and Society, Bangalore, on privacy law, and is drafting a proposed privacy statute to regulate data protection and surveillance in India to provide a participatory and consensus - based legal submission to the Indian government.</p>
<p style="text-align: justify; "><b>Event Details</b><br />Venue: CCMG Network Governance Lab,<br />Date: Thursday, August 28, 2014<br />Time: 11.30 a.m.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/understanding-privacy-and-surveillance-in-india'>https://cis-india.org/internet-governance/news/understanding-privacy-and-surveillance-in-india</a>
</p>
No publisher | praskrishna | Internet Governance, Privacy | 2014-09-08T06:08:49Z | News Item
Understanding Aadhaar and its New Challenges, May 26-27, 2016
https://cis-india.org/internet-governance/events/understanding-aadhaar-and-its-new-challenges-may-26-27-2016
<b>A workshop on “Understanding Aadhaar and its New Challenges” is being organised by the Centre for Studies in Science Policy, Jawaharlal Nehru University, and the Centre for Internet and Society, during May 26-27. It is also supported by the Centre for Communication Governance at NLU Delhi, Free Software Movement of India, Knowledge Commons, PEACE, and Center for Advancement of Public Understanding of Science & Technology. This is a legal and technical workshop to be attended by various key researchers and practitioners to discuss the current status of the implementation of the project, in the context of the passing of the Act and the various ongoing cases.</b>
<p> </p>
<h1>Workshop Programme</h1>
<h3>First Day, May 26</h3>
<table>
<tbody>
<tr>
<td>9:00-9:30</td>
<td><strong>Registration</strong></td>
</tr>
<tr>
<td>9:30-10:00</td>
<td>Prof. Dinesh Abrol - <em>Welcome</em><br />Self-introduction and expectations of participants<br />Dr. Usha Ramanathan - <em>Overview of the Workshop</em></td>
</tr>
<tr>
<td>10:00-11:00</td>
<td><strong>Current Status of Aadhaar</strong><br />Dr. Usha Ramanathan, Legal Researcher, New Delhi - <em>What the 2016 Law Says, and How it Came into Being</em><br />S. Prasanna, Advocate, New Delhi - <em>Status and Force of Supreme Court Orders on Aadhaar</em><br />Discussion</td>
</tr>
<tr>
<td>11:00-11:30</td>
<td><strong>Tea Break</strong></td>
</tr>
<tr>
<td>11:30-13:30</td>
<td><strong>Direct Benefits Transfers</strong><br />Prof. Reetika Khera, Indian Institute of Technology, Delhi - <em>Welfare Needs Aadhaar like a Fish Needs a Bicycle</em><br />Prof. Ram Kumar, Tata Institute of Social Sciences, Mumbai - <em>Aadhaar and the Social Sector: A critical analysis of the claims of benefits and inclusion</em><br />Ashok Rao, Delhi Science Forum - <em>Cash Transfers Study</em><br />Discussion</td>
</tr>
<tr>
<td>13:30-14:30</td>
<td><strong>Lunch</strong></td>
</tr>
<tr>
<td>14:30-16:00</td>
<td><strong>Aadhaar: Science, Technology, and Security</strong><br />Prof. Subashis Banerjee, Deptt of Computer Science & Engineering, IIT, Delhi - <em>Privacy and Security Issues Related to the Aadhaar Act</em><br />Pukhraj Singh, former National Cyber Security Manager, Aadhaar, New Delhi - <em>Aadhaar: Security and Surveillance Dimensions</em><br />Discussion</td>
</tr>
<tr>
<td>16:00-16:30</td>
<td><strong>Tea Break</strong></td>
</tr>
<tr>
<td>16:30-17:30</td>
<td><strong>Aadhaar - International Dimensions</strong><br />Prof. Chinmayi Arun, Center for Communication Governance, National Law University, Delhi - <em>Biometrics and Mandatory IDs in other parts of the world</em><br />Dr. Gopal Krishna, Citizens Forum for Civil Liberties - <em>International Dimensions of Aadhaar
</em><br />Discussion</td>
</tr>
<tr>
<td>17:30-18:00</td>
<td><strong>High Tea</strong></td>
</tr>
<tr>
<td>18:00-19:00</td>
<td><strong>Video Presentations</strong></td>
</tr>
</tbody>
<tbody></tbody>
</table>
<h3>Second Day, May 27</h3>
<table>
<tbody>
<tr></tr>
<tr>
<td>9:30-11:00</td>
<td><strong>Privacy, Surveillance, and Ethical Dimensions of Aadhaar</strong><br />Prabir Purkayastha, Free Software Movement of India, New Delhi - <em>Surveillance Capitalism and the Commodification of Personal Data</em><br />Arjun Jayakumar, SFLC - <em>Surveillance Projects Amalgamated</em><br />Col Mathew Thomas, Bengaluru
- <em>The Deceit of Aadhaar</em><br />Discussion</td>
</tr>
<tr>
<td>11:00-11:30</td>
<td><strong>Tea Break</strong></td>
</tr>
<tr>
<td>11:30-10:30</td>
<td><strong>Aadhaar: Broad Issues - I</strong><br />Prof. G Nagarjuna, Homi Bhabha Center for Science Education, Tata Institute of Fundamental Research, Mumbai - <em>How to prevent linked data in the context of Aadhaar</em><br />Dr. Anupam Saraph, Pune - <em>Aadhaar and Moneylaundering</em><br />Discussion</td>
</tr>
<tr>
<td>13:00-13:30</td>
<td><strong>Video Presentations</strong></td>
</tr>
<tr>
<td>13:30-14:30</td>
<td><strong>Lunch</strong></td>
</tr>
<tr>
<td>14:30-15:30</td>
<td><strong>Aadhaar: Broad Issues - II</strong><br />Prof. MS Sriram, Visiting Faculty, Indian Institute of Management, Bangalore - <em>Financial Inclusion</em><br />Nikhil Dey, MKSS, Rajasthan (TBC) - <em>Field witness: Technology on the Ground</em><br />Prof. Himanshu, Centre for Economic Studies & Planning, JNU - <em>UID Process and Financial Inclusion</em><br />Discussion</td>
</tr>
<tr>
<td>15:30-16:00</td>
<td><strong>Conclusion</strong></td>
</tr>
</tbody>
<tbody></tbody>
</table>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/events/understanding-aadhaar-and-its-new-challenges-may-26-27-2016'>https://cis-india.org/internet-governance/events/understanding-aadhaar-and-its-new-challenges-may-26-27-2016</a>
</p>
No publisher | sumandro | UID, Big Data, Privacy, Internet Governance, Aadhaar, Biometrics | 2016-05-26T10:29:43Z | Event
Unbundling Issues of Privacy, Data Security, Identity Matrics, for Financial Inclusion
https://cis-india.org/internet-governance/news/unbundling-issues-of-privacy-data-security-identity-matrics-for-financial-inclusion
<b>This event was organized by Indicus Foundation and MicroSave on December 10, 2015 at the Metropolitan Hotel and Spa, New Delhi. Sunil Abraham was a speaker.</b>
<p style="text-align: justify; ">While the initiative towards financial inclusion has gathered new impetus with the PMJDY and the accelerated roll out of benefits, there is also a parallel narrative of concerns over the legality and fundamental constitutionality of identity verification, which is a centre piece for delivery of financial benefits and services. These divergent narratives have now reached the Supreme Court.</p>
<p style="text-align: justify; ">At one end of the spectrum are the voices that avow the power of biometric technology to irrepudiately establish biological identity; at the other, the alarmism over targeting, concentration and misuse of personal information contained in the world’s biggest personal database. There is also a third extreme position of whether Indian citizens are entitled to the right to privacy constitutionally, and whether the right to privacy includes the right to refuse a national identity number or metric altogether. That India has yet to enact a Privacy Bill and the National Identity Authority Bill on which rests the statutory basis for UIDAI and Aadhaar only adds to the quagmire.</p>
<p style="text-align: justify; ">Several issues lie intertwined in this miasma: Privacy as an absolute right; Definition and Limits of Personal Information and Sensitive Personal Information; Consent protocols over use of personal information; Data Security; Appropriate and inclusive technology platforms; and Responsibilities and Liabilities governing the use of personal information for bonafide purposes. These straddle multiple domains: data accuracy and irrepudiability; storage, security and encryption; and sharing of information for transaction processing including across national boundaries. Unfortunately, all of these tend to get lumped together in the public debate.</p>
<p style="text-align: justify; ">The aim of this workshop is to unbundle the issues and understand each of them from the perspective of financial inclusion, to be able to answer these questions:</p>
<ul>
<li>How essential and critical is a unified Identity metric for digital financial transactions? How essential is that such a metric be biometric?</li>
<li>To what extent does the centralised storage of biometric data represent risks of personal safety and national security, compared to the information on election voter lists, passport offices, census data, and bank accounts?</li>
<li>What are the possible sources of transactional risk and security breaches in data sharing, and what are the international best practices?</li>
<li>Is the present Aadhaar architecture robust enough to: address all the genuine and reasonable concerns over leakage and misuse of sensitive personal information; and to ensure that no genuine identity holder is turned away from a service, entitlement or benefit to which (s)he has a right or claim?</li>
</ul>
<p>In this direction, we have the privilege to interact in this workshop with experts from The Centre for Internet and Society, and Data Security Council of India who have been at the forefront of the discussions on privacy and data security aspects of technology based innovations including for financial inclusion.</p>
<p><a href="https://cis-india.org/internet-governance/blog/icfi-workshop" class="internal-link">Download the Workshop Schedule here</a></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/unbundling-issues-of-privacy-data-security-identity-matrics-for-financial-inclusion'>https://cis-india.org/internet-governance/news/unbundling-issues-of-privacy-data-security-identity-matrics-for-financial-inclusion</a>
</p>
No publisher | praskrishna | Internet Governance, Privacy | 2016-01-03T10:45:19Z | News Item
UN Special Rapporteur on the Right to Privacy Consultation on 'Privacy and Gender'
https://cis-india.org/internet-governance/news/un-special-rapporteur-on-the-right-to-privacy-consultation-on-privacy-and-gender
<b>Ambika Tandon was a speaker at the Consultation on Privacy and Gender organised by the UN Special Rapporteur on the right to privacy held at New York University, New York on October 30 - 31, 2019. </b>
<p style="text-align: justify; ">The consultation was held to receive feedback on the report on privacy and gender towards which Pallavi, Aayush, Pranav and Ambika sent comments. Ambika was a speaker in the session 'The Body: as Data, as Identity, as Money Maker', chaired by Eva Blum-Dumontet from Privacy International, with co-panelists Anja Kovacs, Director, Internet Democracy Project, and Joana Varon, Director, Coding Rights.</p>
<p> </p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/un-special-rapporteur-on-the-right-to-privacy-consultation-on-privacy-and-gender'>https://cis-india.org/internet-governance/news/un-special-rapporteur-on-the-right-to-privacy-consultation-on-privacy-and-gender</a>
</p>
No publisher | Admin | Internet Governance, Privacy | 2019-11-02T06:39:25Z | News Item
UK’s Interception of Communications Commissioner — A Model of Accountability
https://cis-india.org/internet-governance/blog/uk-interception-of-communications-commissioner-a-model-of-accountability
<b>The United Kingdom maintains sophisticated electronic surveillance operations through a number of government agencies, ranging from military intelligence organizations to police departments to tax collection agencies. However, all of this surveillance is governed by one set of national laws outlining specifically what surveillance agencies can and cannot do.</b>
<p style="text-align: justify; ">The primary law that governs government investigations is the Regulation of Investigatory Powers Act 2000, abbreviated as RIPA 2000.</p>
<p style="text-align: justify; ">To ensure that this law is being followed and surveillance operations in the United Kingdom are not conducted illegally, the RIPA 2000 Part I establishes an Interception of Communications Commissioner, who is tasked with inspecting the surveillance operations, assessing their legality, and compiling an annual <a href="http://www.iocco-uk.info/docs/2013%20Annual%20Report%20of%20the%20IOCC%20Accessible%20Version.pdf">report</a> for the Prime Minister.</p>
<p style="text-align: justify; ">On April 8, 2014 the current Commissioner, Rt Hon. Sir Anthony May, laid the 2013 annual report before the House of Commons and the Scottish Parliament. In its introduction, the report notes that it is responding to concerns raised as a result of Edward Snowden’s actions, especially misuse of powers by intelligence agencies and invasion of privacy. The report also acknowledges that the laws governing surveillance, and particularly RIPA 2000, are difficult for the average citizen to understand, so the report includes a narrative outline of relevant provisions in an attempt to make the legislation clear and accessible. However, the report points out that while the Commissioner had complete access to any documents or investigative records necessary to construct the report, the Commissioner was unable to publish surveillance details indiscriminately, due to confidentiality concerns in a report being issued to the public. (It is worth noting here that though the Commissioner is one man, he has an entire agency working under him, so it is possible that he himself did not do or write all that the report attributes to him.) As a whole, the report outlines a series of thorough audits of surveillance operations, and reveals that the overwhelming majority of surveillance in the UK is conducted entirely legally, and that the small minority of incorrectly conducted surveillance appears to be unintentional. Looking beyond the borders of the United Kingdom, the report represents a powerful model of a government initiative to ensure transparency in surveillance efforts across the globe.</p>
<h3 style="text-align: justify; ">The Role of the Commissioner</h3>
<p style="text-align: justify; ">The report begins in the first person, by outlining the role of the Commissioner. May’s role, he writes, is primarily to audit the interception of data, both to satisfy his own curiosity and to prepare a report for the Prime Minister. Thus, his primary responsibility is to review the lawfulness of surveillance actions, and to that end, his organization possesses considerable investigative powers. He is also tasked with ensuring that prisons are legally administrated, though he makes this duty an afterthought in his report.</p>
<p style="text-align: justify; ">Everyone associated with surveillance or interception in the government must disclose whatever the Commissioner asks for. In short, he seems well equipped to carry out his work. The Commissioner has a budget of £1,101,000, almost all of which, £948,000, is dedicated to staff salaries.</p>
<p style="text-align: justify; ">The report directly addresses questions about the Commissioner’s ability to carry out his duties. Does the Commissioner have full access to whatever materials or data it needs to conduct its investigations, the report asks, and it answers bluntly, yes. It is likely, the report concludes, that the Commissioner also has sufficient resources to adequately carry out his duties. Yes, the Commissioner is fully independent from other government interests; the commissioner answers his own question. Finally, the report asks if the Commissioner should be more open in his reports to the public about surveillance, and he responds that the sensitivity of the material prohibits him from disclosing more, but that the report adequately addresses public concern regardless. There is a degree to which this question and answer routine seems self-congratulatory, but it is good to see that the Commissioner is considering these questions as he carries out his duties.</p>
<h3 style="text-align: justify; ">Interception of Communications</h3>
<p style="text-align: justify; ">The report first goes into detail about the Commissioner’s audits of communications interception operations, where interception means wiretapping or reading the actual content of text messages, emails, or other communications, as opposed to the metadata associated with communications, such as timestamps and numbers contacted. In this section, the report outlines the steps necessary to conduct an interception, outlining that an interception requires a warrant, and only a Secretary of State (one of five officials) can authorize an interception warrant. Moreover, the only people who can apply for such warrants are the directors of various intelligence, police, and revenue agencies. In practice, the Secretaries of State have senior staff that read warrant applications and present those they deem worthy to the Secretary for his or her signature, as their personal signature is required for authorization.</p>
<p style="text-align: justify; ">For a warrant to be granted, it must meet a number of criteria. First, interception warrants must be <i>necessary</i> in the interests of national security, to prevent or detect serious crime, or to safeguard economic wellbeing of the UK. Additionally, a warrant can be granted if it is necessary for similar reasons in other countries with mutual assistance agreements with the UK. Warrants must be <i>proportionate </i>to the ends sought. Finally, interception warrants for communications inside the UK must specify either a person or a location where the interception will take place. Warrants for communications outside of the UK require no such specificity.</p>
<p style="text-align: justify; ">In 2013, 2760 interception warrants were authorized, 19% fewer warrants than in 2012. The Commissioner inspected 26 different agencies and examined 600 different warrants throughout 2013. He gave inspected agencies a report on his findings after each inspection, so they could see whether or not they were following the law. He concluded that the agencies that undertake interception “do so lawfully, conscientiously, effectively, and in our national interest.” Thus, all warrants adequately meet the application and authorization requirements outlined in RIPA 2000.</p>
<h3 style="text-align: justify; ">Communications Data</h3>
<p style="text-align: justify; ">The report goes on to discuss communications data collection, where communications data refers to metadata: not the content of the communications itself, but data associated with it, such as call durations, or a list of email recipients. The Commissioner explains that a metadata warrant is easier to obtain than an interception warrant. Designated officials in their respective surveillance organization read and grant metadata warrant applications, instead of one of the Secretaries of State who could grant interception warrants. Additionally, the requirements for a metadata warrant are looser than for interception warrants. Metadata warrants must still be necessary, but necessary for a broader range of causes, ranging from collecting taxes and protecting public health to <i>any</i> purpose specified by a Secretary of State.</p>
<p style="text-align: justify; ">The relative ease of obtaining a metadata warrant is consistent with a higher number of warrants approved. In 2013, 514,608 metadata warrants were authorized, down from 570,135 in 2012. Local law enforcement applied for 87.5% of those warrants while intelligence agencies accounted for 11.5%. Only a small minority of requests was sent from the revenue office or other departments.</p>
<p style="text-align: justify; ">The purposes of these warrants were similarly concentrated. 76.9% of metadata warrants were issued for prevention or detection of crime. Protecting national security justified 11.4% of warrants and another 11.4% of warrants were issued to prevent death or injury. 0.2% of warrants were to identify people who had died or otherwise couldn’t identify themselves, 0.11% of warrants were issued to protect the economic wellbeing of the United Kingdom, and 0.02% of warrants were associated with tax collection. The Commissioner identified less than 0.01% of warrants as being issued in a miscarriage of justice, a very low proportion.</p>
<p style="text-align: justify; ">The Commissioner inspected metadata surveillance efforts, conducting 75 inspections in 2013, and classified the practices of those operations inspected as good, fair or poor. 4% of operations had poor practices. He noticed two primary errors. The first was that data was occasionally requested on an incorrect communications address, and the second was that he could not verify that some metadata was not being stored past its useful lifetime. May highlighted that RIPA 2000 does not give concrete lengths for which data should be stored, as Section 15(3) states only that data must be deleted “as soon as there are no longer grounds for retaining it as necessary for any of the authorized purposes.” He noted that he was only concerned because some metadata was being stored for longer periods than associated interception data. As May put it, “I have yet to satisfy myself fully that some of these periods are justified and in those cases I required the agencies to shorten their retention periods or, if not, provide me with more persuasive reasons.” The Commissioner seems determined that this practice will either be eliminated or better justified to him in the near future.</p>
<h3 style="text-align: justify; ">Indian Applications</h3>
<p style="text-align: justify; ">The United Kingdom’s Interception of Communications Commissioner has similar powers to the Indian Privacy Commissioner suggested by the <a href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf">Report</a> of the Group of Experts on Privacy. Similar to the United Kingdom, it is recommended that a Privacy Commissioner in India have investigative powers in the execution of its charter, and that the Privacy Commissioner represent citizen interests, ensuring that data controllers are in line with the stipulated regulations. The Report also broadly states that “with respect to interception/access, audio & video recordings, the use of personal identifiers, and the use of bodily or genetic material, the Commissioner may exercise broad oversight functions.” In this way, the Report touches upon the need for oversight of surveillance, and suggests that this responsibility may be undertaken by the Privacy Commissioner, but does not clearly place this responsibility with the Privacy Commissioner. This raises the question of whether India should adopt a similar model to the United Kingdom – and create a privacy commissioner – responsible primarily for overseeing and enforcing data protection standards, and a separate surveillance commissioner – responsible for overseeing and enforcing standards relating to surveillance measures. When evaluating the different approaches there are a number of considerations that should be kept in mind:</p>
<ol>
<li style="text-align: justify; ">Law enforcement and security agencies are the exception to a number of data protection standards including access and disclosure.</li>
<li style="text-align: justify; ">There is a higher level of ‘sensitivity’ around issues relating to surveillance than data protection and each needs to be handled differently. </li>
<li style="text-align: justify; ">The ‘competence’ required to deliberate on issues related to data protection is different from the ‘competence’ required to deliberate on issues related to surveillance.</li>
</ol>
<p style="text-align: justify; ">Additionally, this raises the question of whether India needs a separate regulation governing data protection and a separate regulation governing surveillance.</p>
<h3 style="text-align: justify; ">Allegations of Wrongdoing</h3>
<p style="text-align: justify; ">It is worth noting that though May describes surveillance operations conducted in compliance with the law, many other organizations have accused the UK government of abusing its powers and spying on citizens and internet users in illegal ways. The GCHQ, the government’s communications surveillance center, has come under particular fire. The organization has been accused of indiscriminate spying and of introducing malware into citizens’ computers, among other things. Led by the NGO Privacy International, internet service providers around the world have <a href="http://www.theguardian.com/world/2014/jul/02/isp-gchq-mass-surveillance-privacy-court-claim">recently</a> lodged complaints against the GCHQ, alleging that it uses malicious software to break into their networks. Many of these <a href="http://www.theguardian.com/uk-news/2014/may/13/gchq-spy-malware-programme-legal-challenge-privacy-international">complaints</a> are based on the information brought to light in Edward Snowden’s document leaks. Privacy International alleges that malware distributed by GCHQ enables access to any stored content, logging keystrokes and “the covert and unauthorized photography or recording of the user and those around him,” which they claim is similar to physically searching through someone’s house unbeknownst to them and without permission. They also accuse GCHQ malware of leaving devices open to attacks by others, such as identity thieves.</p>
<p style="text-align: justify; ">Snowden’s files also indicate a high level of collaboration between GCHQ and the NSA. According to the <a href="http://www.theguardian.com/uk-news/2013/aug/02/gchq-accused-selling-services-nsa">Guardian</a>, which analyzed and reported on many of the Snowden files, the NSA has in past years paid GCHQ to conduct surveillance operations through the US program called Prism. Leaked documents <a href="http://www.theguardian.com/uk-news/2013/aug/02/gchq-accused-selling-services-nsa">report</a> that the British intelligence agency used Prism to generate 197 intelligence reports in the year to May 2012. Prism is not mentioned at all in the Interception of Communications Commissioner’s report. In fact, while the report’s introduction explains that it will attempt to address details revealed in Snowden’s leaked documents, very little of what those documents indicate is later referenced in the report. May ignores the plethora of accusations of GCHQ wrongdoing.</p>
<p style="text-align: justify; ">Thus, while May’s tone appears genuine and sincere, the details of his report do little to dispel fears of widespread surveillance. It is unclear whether May is being totally forthcoming in his report, especially when he devotes so little energy to directly responding to concerns raised by Snowden’s leaks.</p>
<h3 style="text-align: justify; ">Conclusion</h3>
<p style="text-align: justify; ">May wrapped up his report with some reflections on the state of surveillance in the United Kingdom. He concluded that RIPA 2000 protects consumers in an internet age, though small incursions are imaginable, and especially lauded the law for its technological neutrality. That is, RIPA 2000 is a strong law because it deals with surveillance in general and not with any specific technologies like telephones or Facebook, use of which changes over time. The Commissioner also was satisfied that powers were not being misused in the United Kingdom. He reported that there have been a small number of unintentional errors and some confusion about the duration of data retention. However, any data storage mistakes seemed to stem from an unspecific law.</p>
<p style="text-align: justify; ">Despite May’s report of surveillance run by the books, other UK groups have accused GCHQ, the government’s communications surveillance center, of indiscriminate spying and introducing malware into citizens’ computers. <a href="https://www.privacyinternational.org/press-releases/privacy-international-files-legal-challenge-against-uk-government-over-mass">Privacy International has submitted a claim arguing that a litany of malware is employed by the GCHQ to log detailed personal data such as keystrokes.</a> The fact that May’s report does little to disprove these claims casts the Commissioner in an uncertain light. It is unclear whether surveillance is being conducted illegally or, as the report suggests, all surveillance of citizens is being conducted as authorized.</p>
<p style="text-align: justify; ">Still, the concept of a transparency report and audit of a nation’s surveillance initiatives is a step towards government accountability done right, and should serve as a model for enforcement methods in other nations. May’s practice of giving feedback to the organizations he inspects allows them to improve, and the public report he releases serves as a deterrent to illegal surveillance activity. The Interception of Communications Commissioner–provided he reports truthfully and accurately–is what gives the safeguards built into the UK’s interception regime strength and accountability. In other nations looking to establish privacy protections, a similar role would make their surveillance provisions balanced with safeguards and accountability to ensure that citizens’ fundamental rights–including the right to privacy–are not compromised.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/uk-interception-of-communications-commissioner-a-model-of-accountability'>https://cis-india.org/internet-governance/blog/uk-interception-of-communications-commissioner-a-model-of-accountability</a>
</p>
No publisher | joe | Internet Governance | Privacy | 2014-07-24T06:08:53Z | Blog Entry
UK DNA Database and the European Court of Human Rights: Lessons that India can Learn from Its Mistakes
https://cis-india.org/internet-governance/uk-dna-database-and-european-court-of-human-rights-lessons-that-india-can-learn-from-mistakes
<b>On September 24, 2012, the Centre for Internet & Society in collaboration with the Alternative Law Forum invites the public to a talk with international experts, Helen Wallace from GeneWatch, UK and Jeremy Gruber from the Council for Responsible Genetics in the United States. The meeting will be held at the Centre for Internet & Society office in Bangalore from 5.00 p.m. to 7.30 p.m.</b>
<p style="text-align: justify; ">The UK National DNA Database was the first to be established, in 1995, and is the largest per capita in the world. A major DNA expansion programme began in 2000 but is now being rolled back by the implementation of a new Protection of Freedoms Act, following a judgment against the UK government by the European Court of Human Rights. The lessons of the UK experience for the DNA Bill in India will be discussed, including the need for safeguards to protect privacy and rights, maintain public trust in police use of DNA, and prevent miscarriages of justice.</p>
<hr />
<h3 style="text-align: justify; ">Dr. Helen Wallace</h3>
<p style="text-align: justify; ">Dr. Helen Wallace is Director of GeneWatch UK, a not-for-profit organisation which aims to engage members of the public in ensuring that genetic science and technologies are used in the public interest. She is the author of numerous articles and book chapters on the social and ethical issues raised by DNA databases and is widely quoted in the UK press. Helen provided expert evidence to the applicants in the case of <i>S. and Marper v. the UK</i> at the European Court of Human Rights, in which the Court ruled unanimously that the indefinite retention of innocent people's DNA database records was in breach of the European Convention on Human Rights. She has supplied both oral and written evidence on this issue to numerous parliamentary committees including the Scottish Parliament’s Justice Committee and the UK Science and Technology, Home Affairs and Constitutional Committees, as well as the scrutiny committee for the Protection of Freedoms Act, 2012. This new Act requires the removal of about a million innocent people's records from the UK National DNA Database and the destruction of all stored biological samples.</p>
<hr />
<h3 style="text-align: justify; ">Jeremy Gruber</h3>
<p style="text-align: justify; ">Jeremy Gruber is the President and Executive Director of Council for Responsible Genetics. Jeremy joined CRG in March 2009. Previously he served as the legal director of the National Workrights Institute, a human rights organization dedicated to the rights of American workers. Prior to that he served as the field director for the ACLU’s National Taskforce on Civil Liberties in the Workplace. Jeremy has worked for over a decade on genetic non-discrimination legislation at the state and Federal level. He helped author and pass numerous state laws on genetic non-discrimination. Jeremy is a founder and executive committee member of the Coalition for Genetic Fairness, a group of 500 organizations that advocated for genetic non-discrimination legislation on Capitol Hill and played a major role in the recently passed Genetic Information Non-Discrimination Act (GINA) by Congress. He worked closely with members of Congress and staff on GINA language as well as strategy and support. He is a prolific writer on privacy issues and is often consulted by state legislatures. He is regularly featured in print, radio and television. Jeremy holds a Juris Doctor (J.D.) from St. John’s University School of Law and a B.A. in Politics from Brandeis University.</p>
<hr />
<p style="text-align: justify; "><span class="visualHighlight"><a href="https://cis-india.org/internet-governance/indian-draft-dna-profiling-act.pdf" class="internal-link">Overview and Concerns Regarding the Indian Draft DNA Profiling Act</a></span></p>
<h3 style="text-align: justify; ">Forensic DNA: A Human Rights Challenge</h3>
<p><iframe frameborder="0" height="315" src="http://www.youtube.com/embed/JwSdJ0dUH7E" width="315"></iframe><br />The <a class="external-link" href="http://www.youtube.com/watch?feature=player_embedded&v=JwSdJ0dUH7E">above video</a> was originally posted on YouTube.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/uk-dna-database-and-european-court-of-human-rights-lessons-that-india-can-learn-from-mistakes'>https://cis-india.org/internet-governance/uk-dna-database-and-european-court-of-human-rights-lessons-that-india-can-learn-from-mistakes</a>
</p>
No publisher | praskrishna | Event Type | Internet Governance | Privacy | 2012-09-17T03:40:07Z | Event
UIDAI's Virtual ID, limited KYC does little to protect Aadhaar data already collected, say critics
https://cis-india.org/internet-governance/news/uidais-virtual-id-limited-kyc-does-little-to-protect-aadhaar-data-already-collected-say-critics
<b>Aadhaar-issuing body, Unique Identification Authority of India (UIDAI), had barely started patting itself on the back for introducing the Virtual ID concept, what CEO Ajay Bhushan Pandey called "one of biggest recent innovations in this field", when detractors came crawling out of the woodwork, all guns blazing.</b>
<p style="text-align: justify; ">The article was published in <a class="external-link" href="http://www.businesstoday.in/current/economy-politics/uidais-virtual-id-limited-kyc-little-protect-aadhaar-data-collected-critics/story/267924.html">Business Today</a> on January 12, 2018.</p>
<hr />
<p style="text-align: justify; ">"Under compulsion, millions of persons have already shared Aadhaar number with many service providers. New security layer is like locking the stable after horses have bolted," tweeted P. Chidambaram, Congress veteran and former finance minister. This is not just an opposition party member taking potshots at the government. As of last month, close to 14 crore out of about 30 crore Permanent Account Numbers (PANs) had already been linked to Aadhaar and 70% of the estimated 100 crore bank accounts had been seeded. This will be the case for insurance policies as well as all government-sponsored welfare schemes and services since the Supreme Court ruling to extend the deadline for mandatory Aadhaar linking came just a fortnight before the government's December 21 deadline. So how does the new two-tier security system protect all that Aadhaar data already collected by sundry agencies?</p>
<p style="text-align: justify; ">The short answer is that it does not. According to media reports, banks and other service providers have not been asked to delete stored Aadhaar data from their databases. The only directive is to enforce the new security system within the June 1 deadline. In the absence of a legal mandate, agencies can very well choose to retain any Aadhaar data previously collected on their servers, leaving it open to any number of security breaches in the future.</p>
<p style="text-align: justify; ">So, it would appear that the new VID and limited KYC norms are good ideas, just too late in arriving. Only procrastinators putting off linking Aadhaar to essential services stand to gain, unless the government decides to revoke all existing Aadhaar cards and issue fresh 12-digit unique identification numbers post June 1.</p>
<p style="text-align: justify; ">Where the new security system definitely scores is on the privacy front. To remind you, VID is a temporary, 16-digit, randomly-generated number that an Aadhaar holder can use for authentication or KYC services along with his/her fingerprint in lieu of the Aadhaar number. The VID together with biometrics of the user would give any authorized agency, say, a mobile company, limited details like name, address and photograph, which are enough for any verification. You can generate/replace Virtual IDs on the UIDAI website, Aadhaar mobile app and at enrolment centres.</p>
<p style="text-align: justify; ">Since the system-generated VID will be mapped to an individual's Aadhaar number at the back end, it will do away with the need for the user to share Aadhaar number with sundry service agencies. This will, in turn, reduce the collection of Aadhaar numbers by various agencies. VIDs being temporary cannot be de-duplicated and as an added precaution, agencies that undertake authentication will not be allowed to generate VIDs on behalf of Aadhaar holders.</p>
<p style="text-align: justify; ">Furthermore, under limited KYC, UIDAI will evaluate all Authentication User Agencies (AUAs) and split them into two categories: Global AUAs and Local AUAs. Only agencies whose services, by law, require them to store the Aadhaar number (qualified as Global AUAs) will enjoy access to full demographic details of an individual. All the remaining AUAs will be branded as Local AUAs and will neither get access to full KYC, nor can they store the Aadhaar number on their systems. Instead, they will get a tokenised number issued by UIDAI to identify their customers. The 72-character alphanumeric 'UID Token' for your Aadhaar number will reportedly be different for every authentication body you approach so agencies will no longer be able to merge databases, thus enhancing privacy substantially.</p>
<p style="text-align: justify; ">However, there's a problem here, too. As Pranesh Prakash, Policy Director of Bengaluru-based Centre for Internet and Society, told The Hindu, "unless all entities are required to use VIDs or UID tokens, and are barred from storing Aadhaar numbers, the new measures won't really help."</p>
<p style="text-align: justify; ">In a recent online survey, conducted by social engagement platform LocalCircles, 52% of 15,000 respondents said they feared that their Aadhaar data might not be safe from unauthorised access by hackers and information sellers. The UIDAI's latest move does little to allay this doubt.</p>
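<p style="text-align: justify; ">The per-agency token idea and the critics' caveat about data already collected can be shown side by side. The following is an added example, not UIDAI's algorithm or code from the article: the HMAC-based derivation, the issuer key, the agency codes and the 12-digit sample numbers are all assumptions constructed for illustration.</p>

```python
import hashlib
import hmac

# Constructed sample data: these 12-digit numbers are made up, not real Aadhaar numbers.
RESIDENTS = {"999911112222": "Resident A", "999933334444": "Resident B"}

# Assumption: the issuer keeps one secret key and derives a separate token per agency.
ISSUER_KEY = b"constructed-demo-key-not-a-real-secret"
TOKEN_LEN = 72  # the article reports a 72-character alphanumeric token


def uid_token(id_number: str, agency_code: str) -> str:
    """Derive a per-agency token: stable for one agency, different across agencies."""
    # A NUL separator keeps (agency, number) pairs from colliding by concatenation.
    msg = agency_code.encode() + b"\x00" + id_number.encode()
    digest = hmac.new(ISSUER_KEY, msg, hashlib.sha512).hexdigest()  # 128 hex characters
    return digest[:TOKEN_LEN]  # 72 hex characters = 288 bits of the MAC


def build_store(agency_code: str, keep_raw_number: bool) -> dict:
    """Customer table an agency holds, keyed by whichever identifier it stores."""
    store = {}
    for number, name in RESIDENTS.items():
        key = number if keep_raw_number else uid_token(number, agency_code)
        store[key] = {"agency": agency_code, "name_on_file": name}
    return store


def linkable_records(store_a: dict, store_b: dict) -> int:
    """Count the records two agencies could join on their stored identifier."""
    return len(store_a.keys() & store_b.keys())


def linkage_report() -> dict:
    """Compare joinability for tokenised stores and for legacy raw-number stores."""
    telecom_tok = build_store("TELCO01", keep_raw_number=False)
    bank_tok = build_store("BANK01", keep_raw_number=False)
    telecom_raw = build_store("TELCO01", keep_raw_number=True)
    bank_raw = build_store("BANK01", keep_raw_number=True)
    return {
        # Both agencies hold only their own tokens: nothing to join on.
        "both_tokenised": linkable_records(telecom_tok, bank_tok),
        # Both agencies kept the raw number collected earlier: every record joins.
        "both_legacy_raw": linkable_records(telecom_raw, bank_raw),
        # A tokenised store cannot be matched against a raw-number store either.
        "one_tokenised_one_raw": linkable_records(telecom_tok, bank_raw),
    }


if __name__ == "__main__":
    for scenario, count in linkage_report().items():
        print(f"{scenario}: {count} linkable record(s)")
```

<p style="text-align: justify; ">The second scenario is the one the critics describe: tokens prevent merging only for agencies that no longer hold the raw number.</p>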
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/uidais-virtual-id-limited-kyc-does-little-to-protect-aadhaar-data-already-collected-say-critics'>https://cis-india.org/internet-governance/news/uidais-virtual-id-limited-kyc-does-little-to-protect-aadhaar-data-already-collected-say-critics</a>
</p>
No publisher | Admin | Aadhaar | Internet Governance | Privacy | 2018-01-16T23:51:44Z | News Item
UIDAI servers or third parties, Aadhaar leaks are dangerous: Experts
https://cis-india.org/internet-governance/news/business-standard-mayank-jain-march-27-2018-uidai-servers-or-third-parties-aadhaar-leaks-are-dangerous-experts
<b>Even though the UIDAI has denied these reports, its arguments rest on shaky grounds, according to experts.</b>
<p style="text-align: justify; ">The article by Mayank Jain was published in <a class="external-link" href="http://www.business-standard.com/article/current-affairs/uidai-servers-or-third-parties-aadhaar-leaks-are-dangerous-experts-118032601008_1.html">Business Standard</a> on March 27, 2018. Pranesh Prakash was quoted.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The government has told the Supreme Court that the Aadhaar data “remains safely behind 13-feet high walls” and it will take “the age of the universe” to break one key in the Unique Identification Authority of India’s (UIDAI’s) encryption.</p>
<p style="text-align: justify; ">Even if this claim is taken at face value, experts suggest leaks from third-party databases seeded with Aadhaar numbers are equally dangerous and the UIDAI is responsible for the damage. The most recent case came from a report published online and it said random numbers could provide access to the Aadhaar data, which also includes people’s financial information, from a state-owned company’s database. Even though the UIDAI has denied these reports, its arguments rest on shaky grounds, according to experts.</p>
<p style="text-align: justify; ">“There is no truth in this story as there has been absolutely no breach of the UIDAI’s Aadhaar database. Aadhaar remains safe and secure,” the UIDAI said on Twitter shortly after the story broke on ZDNet. The authority added even if the report was taken to be true, “it would raise security concerns on the database of that Utility Company and has nothing to do with the security of the UIDAI’s Aadhaar database”. This has been the authority’s defence in several such cases but those in the know of things say it doesn’t hold water simply because the Aadhaar data is not concentrated in the UIDAI’s complexes anymore and has spread across various databases.</p>
<p style="text-align: justify; ">“Publishing this by the state entities is a violation under the Aadhaar Act. Even if you publish your Aadhaar number, it is a violation of the law,” said Pranesh Prakash, policy director at the Centre for Internet and Society. “Saying that the UIDAI has not been compromised is thoroughly insufficient because for customers, it doesn’t matter if the leak comes from servers operated by the UIDAI or from others holding copies of the UIDAI database.” Prakash said it should be the authority’s responsibility to help others comply with the law and prevent data leaks.</p>
<p style="text-align: justify; ">He gave the example of biometric leaks from Gujarat government servers and how criminals used them to forge fingerprints. The possibility of data leaks was demonstrated when Robert Baptiste, purportedly a French app developer, announced on Twitter how he got access to thousands of scanned Aadhaar card copies through simple Google searches. In an interview to Business Standard, Baptiste said the major threat was data handling by third parties, which could lead to identity theft.</p>
<p style="text-align: justify; ">Even the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, has provisions that debar making citizens’ Aadhaar-related information public unless required for certain purposes. “Whoever intentionally discloses, transmits, copies or otherwise disseminates any identity information collected in the course of enrolment or authentication to any person not authorised under this Act” can be in jail for three years and pay a fine of Rs 10,000 under the Act. A lawyer appearing on the petitioners’ side in the ongoing Supreme Court case on the constitutional validity of Aadhaar said only the UIDAI had the powers to file cases against people who published Aadhaar information. Hence everyone else is helpless despite the leaks.</p>
<p style="text-align: justify; ">The UIDAI’s argument that Aadhaar information can’t be misused is duplicitous because the regulations under the Aadhaar Act assure individuals that if biometric authentication fails, they should have other means of identifying themselves, says Kiran Jonnalagadda, founder of HasGeek. “So the regulations guarantee that anyone in possession of stolen identity information will be able to misuse it without biometric authentication,” he said. Prakash agreed with this. He said demographic authentication, which is an acceptable authentication method under the Aadhaar Act, was prone to misuse as long as Aadhaar numbers remained public. “Aadhaar is used as just a piece of paper, unlike security features embedded in passports or even permanent account number cards. Thus, demographic authentication merely involves providing Aadhaar numbers and details like addresses, which can be used even for things like getting entry into an airport by just printing a ticket and having a fake Aadhaar,” he said.</p>
<p style="text-align: justify; "><em>Queries sent to the UIDAI were not answered till the time of going to press</em></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/business-standard-mayank-jain-march-27-2018-uidai-servers-or-third-parties-aadhaar-leaks-are-dangerous-experts'>https://cis-india.org/internet-governance/news/business-standard-mayank-jain-march-27-2018-uidai-servers-or-third-parties-aadhaar-leaks-are-dangerous-experts</a>
</p>
No publisher | Admin | Aadhaar | Internet Governance | Privacy | 2018-03-27T02:16:55Z | News Item
UIDAI remains silent on #Aadhaarleaks of 13 crore users through government portals
https://cis-india.org/internet-governance/news/newslaundry-shruti-menon-may-2-2017-uidai-remains-silent-on-aadhaar-leaks-of-users-through-govt-portals
<b>As the arguments for making Aadhaar mandatory go on, is there any way to stem the leaks and identify who exactly has all this information?</b>
<p style="text-align: justify; ">The blog post by Shruti Menon was <a class="external-link" href="https://www.newslaundry.com/2017/05/02/uidai-remains-silent-on-aadhaarleaks-of-13-crore-users-through-government-portals">published by Newslaundry</a> on May 2, 2017.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The verdict on linking Aadhaar with Permanent Account Number (PAN) and making it mandatory for filing income tax returns (ITRs) will be out soon. Attorney General Mukul Rohatgi had a tough challenge ahead of him in the Supreme Court as the state presented its argument today. Rohatgi defended the <a href="http://www.livemint.com/Politics/3FcQ9lHm7TWX5B0Hn7ZXiO/Aadhaar-to-be-mandatory-for-income-tax-returns-getting-PAN.html" target="_blank">amendment in income tax law</a> allowing this after senior lawyer Shyam Divan made a <a href="http://www.livemint.com/Politics/sN0S5mYYx641tgrctGf03H/Shyam-Divan-concludes-arguments-in-Aadhaar-case-in-Supreme-C.html" target="_blank">strong case</a> against it on April 26 and 27. Divan became a hero to many overnight after he presented compelling arguments against the amendment citing facets of right to privacy - informational self-determination, personal autonomy, and bodily integrity - as he did so. Though the court has <a href="https://www.thequint.com/opinion/2017/05/01/aadhaar-case-privacy-and-bodily-integrity" target="_blank">refused to entertain</a> arguments pertaining to privacy, he managed to argue these concerns without couching them under right to privacy laws.</p>
<p style="text-align: justify; ">Advocate Gautam Bhatia posted <a href="https://barandbench.com/aadhar-hearing-number-tagging-nazi-concentration-camps/" target="_blank">minute-by-minute developments from the courtroom</a>, and soon, #ThankYouMrDivan became one of the top trends on Twitter.</p>
<p style="text-align: justify; ">A day before the state presented its arguments, the Centre for Internet and Society (CIS) published a <a href="http://cis-india.org/internet-governance/information-security-practices-of-aadhaar-or-lack-thereof-a-documentation-of-public-availability-of-aadhaar-numbers-with-sensitive-personal-financial-information-1" target="_blank">report</a> titled “Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar numbers with sensitive personal financial information” late on Monday. Authored by Amber Sinha and Srinivas Kodali, the report documents the leaks of over 13 crore Aadhaar numbers and resulting information of beneficiaries through four government portals, two at the centre and two at the state. “We are primarily talking of lack of standards and data fact-checking, storage and how all of this information - account numbers, phone numbers plus, Aadhaar numbers - in public domain increases the nature of risk of the backbone of digital payments,” Kodali told <i>Newslaundry</i>.</p>
<p style="text-align: justify; ">The four portals studied by the two are National Social Assistance Programme (NSAP), National Rural Employment Guarantee Act (NREGA) and two databases of Andhra Pradesh: NREGA and the state’s scheme called Chandranna Bima. The report claims that the aforementioned public portals compromised personally identifiable information (PII) including “Aadhaar numbers and financial details such as bank account numbers” of 13 crore people due to a lack of security controls.</p>
<p style="text-align: justify; ">“While the details were masked for public view, someone with login access could get the details,” the report read. “When one of the url query parameters of the website showing the masked personal details was modified from ‘nologin’ to ‘login’, that is, control access to login based pages were allowed providing unmasked details without the need for a password.” What this essentially means is that these portals allow people to explore lists organised by states, districts, area, sub-district, and municipalities which contain the personal information of the people who are enrolled into the schemes.</p>
<p style="text-align: justify; ">The report also cites legal framework under the Aadhaar Act that allows the government or private entities to store Aadhaar numbers on the grounds that they won’t be used for purposes other than those listed in the act. CIS’s study, however, reveals that information pertaining to religion, caste, race, tribe or even income is sometimes collected and published on such portals with little in the way of security checks.</p>
<p style="text-align: justify; ">Speaking to <i>Newslaundry,</i> Anupam Saraph, professor and former governance and IT advisor to Goa’s Chief Minister, Manohar Parrikar, said that the data exposed could be significantly more than what the report shows. “Many more Aadhaar numbers have been exposed on websites relating to Pension Schemes, PDS, Ministry of Water and Sanitation, Ministry of Human Resource Development, Scholarships, Schools, Colleges, Universities, Kendriya Sainik board, PM Avas Yojana to name a few,” he said. “Besides this Registrars to the UIDAI (State Governments and various ministries of the Central government, some Public Sector undertakings) were allowed to retain the Aadhaar number, demographic and biometric data (associated with the Aadhaar number). While this may not be exposed on websites, it is unsecured and possibly accessible to data brokers within and outside government,” said Saraph who has designed delivery channels and ID schemes for better governance.</p>
<p style="text-align: justify; ">What’s worth noting is that the people whose data has been breached are unaware that their information is available on public platforms and vulnerable to data theft. “It is UIDAI’s [Unique Identification Authority of India] job to investigate and inform them,” Kodali told <i>Newslaundry</i>. “At some point of time, everybody is going to have everybody’s information,” he added.</p>
<p style="text-align: justify; ">Currently, the government has an <a href="https://data.gov.in/" target="_blank">open data portal</a>. It describes itself as a platform “intended to be used by Government Ministries/Departments and their organisation to publish datasets, documents, services, tools and applications collected by them for public use”.</p>
<p style="text-align: justify; ">So is it feasible to have open data portals for transparency and accountability? “Having certain government data being publicly accessible is certainly desirable.” Saraph continued that the problem was, data on public expenditure should ideally be openly accessible but it’s also where the most leakage occurs. “Making Aadhaar mandatory is meaningless,” he said, as India does not have a policy on open data portals yet, which can subject Aadhaar data to “misuse”.</p>
<p style="text-align: justify; ">Given that the UIDAI is responsible for investigating and making people aware of any data breach or theft, they have remained silent for an oddly long time. It is unclear whether the UIDAI is itself aware of who has accessed the data that is insecurely published on these government portals. “They’re letting everybody collect this information but they were not aware themselves that who had access to this information, that’s the main problem,” Kodali said. While the Aadhaar ecosystem was to ensure social inclusion and transparency, in its current form, the system looks so opaque that the people who are running it may not be aware themselves of what is going on.</p>
<p style="text-align: justify; "><b>What does it mean to have access to someone else’s Aadhaar?</b></p>
<p style="text-align: justify; ">With an increasing number of social welfare schemes being linked to Aadhaar, it was touted as an attempt to remove the middlemen, frauds and corruption with the government. According to the report, "A cumulative amount of Rs 1,78,694.75 has been transferred using DBT for 138 schemes under 27 ministries since 2013. Various financial frameworks like Aadhaar Payments Bridge (APB) and Aadhaar Enabled Payment Systems (AePS) have been built by National Payment Corporation of India to support DBT and also to allow individuals use Aadhaar for payments."</p>
<p style="text-align: justify; ">Given that such systems are in place to ensure easier and accessible banking, research shows that the Aadhaar seeding process led to government portals putting personal information of so many people under various schemes in the "absence of information security practices to handle so much PII", as per the research. This is not only a breach of privacy but also makes a person vulnerable to financial fraud in cases where their bank details are public. "One of the prime examples is individuals receiving phone calls from someone claiming to be from the bank. Aadhaar data makes this process much easier for fraud and increases the risk around transactions," the report reads.</p>
<p style="text-align: justify; "><b>UIDAI on silent mode</b></p>
<p style="text-align: justify; ">Unfortunately, UIDAI has not addressed this concern, let alone acknowledge it. It has been cracking down on people by filing first information reports (FIRs) against those tracking and exposing the vulnerabilities of the Aadhaar system. Recently, UIDAI’s Chief Executive Officer (CEO), ABP Pandey was accused of blocking twitter handles of prominent security researchers and analysts who have been extensively reporting about vulnerabilities in the Aadhaar system.</p>
<p style="text-align: justify; ">One of the handles blocked was Saraph’s. “I do not know why they blocked me. I have been vocal about the problems associated with the UID and its use,” he said. He added that he served several <a href="http://www.moneylife.in/article/resisting-violations-of-the-supreme-court-orders-on-aadhaar/49121.html," target="_blank">notices</a> of contempt of court to the CEO of UIDAI and has been questioning the verification and audit of UID database. “Perhaps [he] was annoyed with my efforts to make them accountable and responsible,” he said.</p>
<p style="text-align: justify; ">On April 18, however, in a response to Right to Information (RTI) query filed by Sushil Kambampati, UIDAI denied having blocked any twitter handles. Almost immediately, it was called out on twitter for ‘lying’ in the RTI response as many users claimed it had.</p>
<p style="text-align: justify; ">Saraph declared that such a move, the blocking of users asking questions, was indicative of UIDAI’s cluelessness. Apar Gupta, a Delhi-based lawyer working on cyber security, had told <i>Newslaundry </i>that it was unethical and unconstitutional of government bodies (such as the UIDAI) to block people. He reiterated that in one of his tweets recently.</p>
<p style="text-align: justify; ">Today, however, Pandey’s individual Twitter profile no longer exists. It has now been changed to “ceo_office”. CIS’s report states that the UIDAI has been pushing for more databases to get in sync with Aadhaar, but with little or no accountability. “While the UIDAI has been involved in proactively pushing for other databases to get seeded with Aadhaar numbers, they take a little responsibility in ensuring the security and privacy of such data,” the report reads. Kodali, however, told <i>Newslaundry </i>that the report was not aimed at questioning the security of such seeding. “We’re not saying it is not really secure but we’re just saying it increases the risk factors,” he said.</p>
<p style="text-align: justify; ">UIDAI has also not responded to several queries filed by vulnerability testers.</p>
<p style="text-align: justify; "><i>Newslaundry </i>reached out to the UIDAI with the following questions:</p>
<ol style="text-align: justify; ">
<li><i>According to the report published, four government portals have personally identifiable information of about 13 crore people including their Aadhaar numbers and bank account details. What is being done about this?</i></li>
<li><i>If a person's privacy has been breached, what are the steps UIDAI would take for redressal?</i></li>
<li><i>Is UIDAI investigating the 13 crore Aadhaar leaks?</i></li>
<li><i>The report states "When one of the url query parameters of website showing the masked personal details was modified from “nologin” to “login”, that is control access to login based pages were allowed providing unmasked details without the need for a password." Is this true, and if so, what is your statement?</i></li>
<li><i>How do you ensure data security on open data portals?</i></li>
</ol>
<p style="text-align: justify; ">This piece will be updated if and when they respond.</p>
<p style="text-align: justify; ">While UIDAI remains silent, A-G Rohatgi argued today that close to 10 lakh PAN cards were found to be fake. "Are they propagating a general public interest or propagating the fraud (fake PANs) which is going in," he said at the court today while suggesting that Aadhaar was the only way of preventing fake or duplicate cards.</p>
<p style="text-align: justify; ">Senior advocate Arvind Datar, who is also appearing for one of the three petitioners in the case, said that the government could not take away his right to choose whether or not to have an Aadhaar. "The Supreme Court had directed them that they cannot make it mandatory. The mandate of the Supreme Court can not be undone. My right of not to have an Aadhaar can not be taken away indirectly."</p>
<p style="text-align: justify; ">Though there are problems with the Aadhaar system and apparently very little redressal at the citizen’s end, Aadhaar is here to stay. As Divan and Rohatgi argue the constitutionality of making Aadhaar mandatory at the Supreme Court, the pertinent question that only the UIDAI can answer is whether they are technologically capable of keeping data secure given how aggressively Aadhaar linkage is being promoted.</p>
<p style="text-align: justify; ">However, Rohatgi's argument in court today, according to a Business Standard report was that the government cannot destroy the Aadhaar cards of people even after their death. Instead of being reassuring, this only seems to increase the possibilities for identity theft, as if there is little in the way of redressal mechanisms in life, what choices do the dead have?</p>
<p style="text-align: justify; "><b>The author can be contacted on Twitter <a href="https://twitter.com/shrutimenon10" target="_blank">@shrutimenon10</a>.</b></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/newslaundry-shruti-menon-may-2-2017-uidai-remains-silent-on-aadhaar-leaks-of-users-through-govt-portals'>https://cis-india.org/internet-governance/news/newslaundry-shruti-menon-may-2-2017-uidai-remains-silent-on-aadhaar-leaks-of-users-through-govt-portals</a>
</p>
No publisher; praskrishna; Aadhaar, Internet Governance, Privacy; 2017-05-20T11:06:16Z; News Item
UIDAI puts posers to CIS over Aadhaar data leak claim
https://cis-india.org/internet-governance/news/financial-express-may-19-2017-pti-uidai-puts-posers-to-cis-over-aadhaar-data-leak-claim
<b>Aadhaar-issuing authority UIDAI has asked research firm Centre for Internet and Society (CIS) to explain its sensational claim that 13 crore Aadhaar numbers were "leaked" and provide details of servers where they are stored.</b>
<p style="text-align: justify; ">The article originally published by PTI was also <a class="external-link" href="http://www.financialexpress.com/economy/uidai-puts-posers-to-cis-over-aadhaar-data-leak-claim/675814/">published by the Financial Express</a> on May 19, 2017.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Aadhaar-issuing authority UIDAI has asked research firm Centre for Internet and Society (CIS) to explain its sensational claim that 13 crore Aadhaar numbers were “leaked” and provide details of servers where they are stored. In a precursor to initiating a probe into the matter, the Unique Identification Authority of India (UIDAI) also wants CIS to clarify just how much of such “sensitive data” are still with it or anyone else. The UIDAI — which has vehemently denied any breach of its database — shot off a letter to CIS yesterday asking for the details, including the servers where the downloaded “sensitive data” are residing and information about usage or sharing of such data.</p>
<p style="text-align: justify; ">Underscoring the importance of bringing to justice those involved in “hacking such sensitive information”, the UIDAI sought CIS’ “assistance” in this regard and has given it time till May 30 to revert on the issue. “Your report mentions 13 crore people’s data have been leaked. Please specify how much (of) this data have been downloaded by you or are in your possession, or in the possession of any other persons that you know,” the UIDAI said in its communication to CIS.</p>
<p style="text-align: justify; ">Interestingly, in what market watchers described as an apparent flip-flop, CIS has now clarified that there was no ‘leak’ or ‘breach’ of Aadhaar numbers, but rather ‘public disclosure’. Meanwhile, the UIDAI has quoted sections of the Information Technology Act, 2000, and the Aadhaar Act to emphasise that violation of the clauses is punishable with rigorous imprisonment of up to 10 years. “While your report suggests that there is a need to strengthen IT security of the government websites, it is also important that persons involved in hacking such sensitive information are brought to justice for which your assistance is required under the law,” it said.</p>
<p style="text-align: justify; ">The UIDAI has also sought technical details on how access was gained for the National Social Assistance Programme (NSAP) site — one of the four portals where the alleged leak happened. When contacted, UIDAI CEO Ajay Bhushan Pandey said, “We do not comment on individual matters.” The UIDAI has also asked for details of systems that were involved in downloading and storing of the sensitive data so that forensic examination of such machines can be conducted to assess the quantum and extent of damage to privacy of data.</p>
<p style="text-align: justify; ">The UIDAI letter comes after a CIS report early this month which claimed that Aadhaar numbers and personal information of as many as 135 million Indians could have been leaked from four government portals due to lack of IT security practices. “Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million,” the report had said.</p>
<p style="text-align: justify; ">However, in an apparent course correction on May 16, a day before the UIDAI’s letter went out, CIS updated its report and clarified that although the term ‘leak’ was originally used 22 times in its report, it is “best characterised as an illegal data disclosure or publication and not a breach or a leak”. CIS has also claimed that some of its findings were “misunderstood or misinterpreted” by the media, and that it never suggested that the biometric database had been breached. “We completely agree with both Dr Pandey (UIDAI CEO) and Sharma (Trai Chairman R S Sharma) that CIDR (Aadhaar central repository) has not been breached, nor is it suggested anywhere in the report,” CIS said in its latest update.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/financial-express-may-19-2017-pti-uidai-puts-posers-to-cis-over-aadhaar-data-leak-claim'>https://cis-india.org/internet-governance/news/financial-express-may-19-2017-pti-uidai-puts-posers-to-cis-over-aadhaar-data-leak-claim</a>
</p>
No publisher; praskrishna; UIDAI, Aadhaar, Internet Governance, Privacy; 2017-05-19T09:28:33Z; News Item
UIDAI Practices and the Information Technology Act, Section 43A and Subsequent Rules
https://cis-india.org/internet-governance/blog/uid-practices-and-it-act-sec-43-a-and-subsequent-rules
<b>UIDAI practices and section 43A of the IT Act are analyzed in this post.</b>
<p style="text-align: justify; ">In the 52<sup>nd</sup> Report on Cyber Crime, Cyber Security, and the Right to Privacy – in evidence provided, the Department of Electronics and Information Technology stated <i>“...Section 43A and the rules published under that Section cover the entire privacy in case of digital data. These are being followed by UIDAI also and other organisations...”</i> (pg.46) <a href="#fn1" name="fr1">[1]</a></p>
<p style="text-align: justify; ">This blog post explains the requirements found under Section 43A of the Information Technology Act 2000 and the subsequent Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011<a href="#fn2" name="fr2">[2]</a> and analyses publicly available documents from the UIDAI website<a href="#fn3" name="fr3">[3]</a> as well as the UIDAI enrolment form<a href="#fn4" name="fr4">[4]</a> to demonstrate the ways in which:</p>
<ul>
<li style="text-align: justify; ">UIDAI practices <b>are </b>in line with section 43A and the Rules, </li>
<li style="text-align: justify; ">UIDAI practices <b>are not</b> in line with section 43A and the Rules, </li>
<li style="text-align: justify; ">UIDAI practices <b>are partially</b> in line with section 43A and the Rules, </li>
<li style="text-align: justify; "><b>Where more information</b> is needed to draw a conclusion. </li>
</ul>
<h3>Applicability and Scope</h3>
<p>Section 43A of the Information Technology Act 2008 and subsequent Rules apply only to Body Corporate and to digital information.</p>
<p>Body Corporate under the Information Technology Act 2008 is defined as:</p>
<p style="text-align: justify; "><i> “Any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities” </i></p>
<p style="text-align: justify; "><b>UIDAI Practices - not in line</b>: The UIDAI is not a body corporate. The UIDAI is an attached office under the aegis of the Planning Commission that was set up by an executive order.<a href="#fn5" name="fr5">[5]</a></p>
<p style="text-align: justify; ">The UIDAI collects, processes, stores, and shares both digital and non-digital information. As section 43A and subsequent Rules apply only to digital information, there is not sufficient protection provided over all the information collected, processed, stored, and used by the UIDAI.</p>
<h3 style="text-align: justify; ">Privacy Policy on Website</h3>
<p>Rule 4 requires body corporate to provide a privacy policy on their website. The privacy policy must include:</p>
<ul>
<li>Clear and easily accessible statements of its practices and policies</li>
<li>Type of personal or sensitive personal data or information collected</li>
<li>Purpose of collection and usage of such information </li>
<li>Disclosure of information including sensitive personal information </li>
<li>Reasonable security practices and procedures as provided under rule 8</li>
</ul>
<p><b>UIDAI Practices - Partially in Line</b></p>
<ul>
<li style="text-align: justify; ">Though the UIDAI has placed a privacy policy<a href="#fn6" name="fr6">[6]</a> on their website, the privacy policy only addresses the use of website and does not comprehensively provide clear and accessible statements about all of the UIDAI’s practices and policies.</li>
<li style="text-align: justify; ">The UIDAI privacy policy does not state the specific types of personal or sensitive data that could be collected, but instead states <i>“As a general rule, this website does not collect Personal Information about you when you visit the site. You can generally visit the site without revealing Personal Information, unless you choose to provide such information.”</i><br /><br />Features on the UIDAI website that require individuals to provide personal information and sensitive personal information include: Booking an appointment, checking aadhaar status, enrolling for e-aadhaar, enrolling for aadhaar, updating aadhaar data. Types of information required for these services include: mobile number, name, address, gender, date of birth, and enrolment ID.<a href="#fn7" name="fr7">[7]</a><br /><br />The privacy policy goes on to state: <i> “If you are asked for any other Personal Information you will be informed how it will be used if you choose to give it. If at any time you believe the principles referred to in this privacy statement have not been followed, or have any other comments on these principles, please notify the webmaster through the Contact Us page. Note: The use of the term "Personal Information" in this privacy statement refers to any information from which your identity is apparent or can be reasonably ascertained.”</i></li>
<li style="text-align: justify; ">The UIDAI privacy policy does explain the purpose for collection of information on the website and the use of collected information.</li>
<li style="text-align: justify; ">The UIDAI privacy policy does not address the possibility of disclosure of information collected by the UIDAI from the use of its website, except in the case of when an individual provides his/her email at which point the privacy policy states<i> “Your e-mail address will not be used for any other purpose, and will not be disclosed without your consent.”</i></li>
<li style="text-align: justify; ">The UIDAI privacy policy does not provide information about the security practices adopted by the UIDAI. </li>
</ul>
<h3 style="text-align: justify; ">Consent<i> </i></h3>
<p>Rule 5 requires that prior to the collection of sensitive personal data, the body corporate must obtain consent, either in writing or through fax regarding the purpose of usage before collection of such information.</p>
<p style="text-align: justify; "><b>UIDAI Practices - in Line</b><br />The UIDAI collects written consent from individuals through the enrolment form for the issuance of an Aadhaar number.</p>
<h3 style="text-align: justify; ">Collection Limitation</h3>
<p>Rule 5 (2) requires that body corporate only collect sensitive personal data if it is connected to a lawful purpose and if it is considered necessary for that purpose.</p>
<p style="text-align: justify; "><b>UIDAI Practices - in Line</b><br />The Aadhaar enrolment form requires only the necessary sensitive personal data for the issuance of an Aadhaar number. Individuals are given the option to provide banking and financial information.</p>
<h3 style="text-align: justify; ">Notice During Direct Collection</h3>
<p style="text-align: justify; ">Rule 5(3) requires that while collecting information directly from an individual the body corporate must provide the following information:</p>
<ul>
<li>The fact that the information is being collected</li>
<li>The purpose for which the information is being collected</li>
<li>The intended recipients of the information </li>
<li>The name and address of the agency that is collecting the information</li>
<li>The name and address of the agency that will retain the information</li>
</ul>
<p><b>UIDAI Practices - Partially in Line<br /></b>The Aadhaar enrolment form does not provide the following information:<b> </b></p>
<ul>
<li>The intended recipients of the information</li>
<li>The name and address of the agency collecting the information </li>
<li>The name and address of the agency that will retain the information </li>
</ul>
<h3>Retention Limitation</h3>
<p style="text-align: justify; ">Rule 5(4) requires that body corporate must retain sensitive personal data only for as long as it takes to fulfil the stated purpose or otherwise required under law.</p>
<p style="text-align: justify; "><b>UIDAI Practices - Unclear</b><br />It is unclear from publicly available information what the UIDAI retention practices are.</p>
<h3 style="text-align: justify; ">Use Limitation</h3>
<p>Rule 5(5) requires that information must be used for the purpose that it was collected for.</p>
<p><b>UIDAI Practices - Unclear<br /></b>It is unclear from publicly available information if the UIDAI is using collected information only for the purpose for which it was collected.</p>
<h3>Right to Access and Correct</h3>
<p>Rule 5(6) requires body corporate to provide individuals with the ability to review the information they have provided and access and correct personal or sensitive personal information.</p>
<p style="text-align: justify; "><b>UIDAI Practices - Partially in Line<br /></b>Though the UIDAI provides individuals with the ability to access and correct personal information, as stated on the enrolment form, correction is free only if changed within 96 hours of enrolment. Additionally, as stated on the enrolment form, if an individual chooses to allow for the UIDAI to facilitate the opening of a bank account and link present bank accounts to the UID number, this information, after being provided, cannot be corrected. The UIDAI website has a portal for updating information, but only name, address, gender, date of birth, and mobile number can be updated through this method.<a href="#fn9" name="fr9">[9]</a></p>
<h3 style="text-align: justify; ">Right to ‘Opt Out’ and Withdraw Consent</h3>
<p style="text-align: justify; ">Rule 5(7) requires that body corporate must provide individuals with the option of 'opting out' of providing data or information sought. Individuals also have the right to withdraw consent at any point of time. Body corporate has the right to withdraw services if consent is withdrawn.</p>
<p style="text-align: justify; "><b>UIDAI Practices - Partially in Line<br /></b>The UID enrolment form provides individuals with one ‘optional’ field - the option of having the UIDAI open a bank account and link it to the individual's UID number or having the UIDAI link present bank accounts to the individual's UID number. No other option to ‘opt out’ or withdraw consent is present on the enrolment form or the UIDAI privacy policy, terms of use, or website.</p>
<h3 style="text-align: justify; ">Security of Information</h3>
<p style="text-align: justify; ">Rule 8 requires that body corporate must secure information in accordance with the ISO 27001 standard. These practices must be audited on an annual basis or when the body corporate undertakes a significant up gradation of its process and computer resource.</p>
<p style="text-align: justify; "><b>UIDAI Practices - Unclear<br /></b>The security practices adopted by the UIDAI are not mentioned in the website privacy policy, on the website, or on the enrolment form, thus it is unclear from publicly available information if the UID is compliant with ISO 27001 standards. Though the UIDAI has been functioning since 2010, it is unclear from publicly available information if annual audits of the UIDAI security practices have been undertaken.</p>
<h3 style="text-align: justify; ">Disclosure with Consent</h3>
<p style="text-align: justify; ">Rule 6 requires that body corporate must have consent before disclosing sensitive personal data to any third person or party, except in the case with Government agencies for the purpose of verification of identity, prevention, detection, investigation, including cyber incidents and prosecution and punishment of offenses, on receipt of a written request. <b> </b></p>
<p style="text-align: justify; "><b>UIDAI Practices - Partially in Line</b><br />In the enrolment form, consent for disclosure is stated as <i>“I have no objection to the UIDAI sharing information provided by me to the UIDAI with agencies engaged in delivery of welfare services.”</i> This is a blanket statement and allows for all future possibilities of sharing and disclosure of information provided with any organization that the UIDAI deems as ‘engaged in the delivery of welfare services’.</p>
<p style="text-align: justify; ">The UIDAI privacy policy only addresses the disclosure of an individual’s email address with consent. Though not directly addressing disclosure, the UIDAI privacy policy also states <i>“We will not identify users or their browsing activities, except when a law enforcement agency may exercise a warrant to inspect the service provider's logs.”</i></p>
<h3 style="text-align: justify; ">Prohibition on Publishing and Further Disclosure</h3>
<p style="text-align: justify; ">Rule 6(3) and 6(4) prohibit the body corporate from publishing sensitive personal data or information. Similarly, organizations receiving sensitive personal data are not allowed to disclose it further.</p>
<p style="text-align: justify; "><b>UIDAI Practices - in Line</b><br />The UIDAI does not publish sensitive personal data. It is unclear what practices and standards registrars and enrolment agencies are functioning under.</p>
<h3 style="text-align: justify; ">Requirements for Transfer of Sensitive Personal Data</h3>
<p style="text-align: justify; ">Rule 7 requires that body corporate may transfer sensitive personal data into another jurisdiction only if the country ensures the same level of protection.</p>
<p style="text-align: justify; "><b>UIDAI Practices - Unclear<br /></b>It is unclear from publicly available information if information collected by the UIDAI is transferred outside of India.</p>
<h3 style="text-align: justify; ">Establishment of Grievance Officer</h3>
<p style="text-align: justify; ">Rule 5(9) requires that body corporate must establish a grievance officer and the details must be posted on the body corporate's website and grievances must be addressed within a month of receipt.</p>
<p style="text-align: justify; "><b>UIDAI Practices - in Line<br /></b>The website of the UIDAI provides details of a grievance officer that individuals can contact.<a href="#fn10" name="fr10">[10]</a> It is unclear from publicly available information if grievances are addressed within a month.</p>
<hr />
<p>[<a href="#fr1" name="fn1">1</a>]. <a class="external-link" href="http://164.100.47.134/lsscommittee/Information%20Technology/15_Information_Technology_52.pdf">http://164.100.47.134/lsscommittee/Information%20Technology/15_Information_Technology_52.pdf</a></p>
<p>[<a href="#fr2" name="fn2">2</a>]. <a class="external-link" href="http://dispur.nic.in/itact/it-procedures-sensitive-personal-data-rules-2011.pdf">http://dispur.nic.in/itact/it-procedures-sensitive-personal-data-rules-2011.pdf</a></p>
<p>[<a href="#fr3" name="fn3">3</a>]. <a class="external-link" href="http://uidai.gov.in/">http://uidai.gov.in/</a></p>
<p>[<a href="#fr4" name="fn4">4</a>]. <a class="external-link" href="http://www.jharkhand.gov.in/marpdf/Aadhar-enrolmentform.pdf">http://www.jharkhand.gov.in/marpdf/Aadhar-enrolmentform.pdf</a></p>
<p>[<a href="#fr5" name="fn5">5</a>]. <a class="external-link" href="http://uidai.gov.in/organization-details.html">http://uidai.gov.in/organization-details.html</a></p>
<p>[<a href="#fr6" name="fn6">6</a>]. <a class="external-link" href="http://uidai.gov.in/privacy-policy.html">http://uidai.gov.in/privacy-policy.html</a></p>
<p>[<a href="#fr7" name="fn7">7</a>]. <a class="external-link" href="http://resident.uidai.net.in/home">http://resident.uidai.net.in/home</a></p>
<p>[<a href="#fr8" name="fn8">8</a>]. <a class="external-link" href="http://www.jharkhand.gov.in/marpdf/Aadhar-enrolmentform.pdf">http://www.jharkhand.gov.in/marpdf/Aadhar-enrolmentform.pdf</a></p>
<p>[<a href="#fr9" name="fn9">9</a>]. <a class="external-link" href="https://ssup.uidai.gov.in/web/guest/ssup-home">https://ssup.uidai.gov.in/web/guest/ssup-home</a></p>
<p>[<a href="#fr10" name="fn10">10</a>]. <a class="external-link" href="http://uidai.gov.in/contactus.html">http://uidai.gov.in/contactus.html</a></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/uid-practices-and-it-act-sec-43-a-and-subsequent-rules'>https://cis-india.org/internet-governance/blog/uid-practices-and-it-act-sec-43-a-and-subsequent-rules</a>
</p>
No publisher | elonnai | UID, Internet Governance, Privacy | 2014-03-06T07:00:21Z | Blog Entry
UIDAI introduces new two-layer security system to improve Aadhaar privacy
https://cis-india.org/internet-governance/news/economic-times-january-11-2018-uidai-introduces-new-two-layer-security-system-to-improve-aadhaar-privacy
<b>The Unique Identification Authority of India (UIDAI) has introduced a system of virtual authentication for citizens enrolled on its database and limited the access available to service providers in a move aimed at allaying widespread concern over security breaches that have dogged the world's largest repository of citizen data. </b>
<p style="text-align: justify; ">The article was published in <a class="external-link" href="https://economictimes.indiatimes.com/news/economy/policy/uidai-introduces-new-two-layer-security-system-to-improve-aadhaar-privacy/articleshow/62442873.cms">Economic Times</a> on January 11, 2018.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">In one of the most significant security upgrades by the eight-year-old agency, the UIDAI announced the creation of a "virtual ID" which can be used in lieu of the 12-digit Aadhaar number at the time of authentication for any service.</p>
<p style="text-align: justify; ">The UIDAI has also limited access to stored personal information and mandated the use of unique tokens through which authenticating agencies can access required data. It claims that the measures will strengthen privacy and also prevent combining of databases linked to Aadhaar.</p>
<p style="text-align: justify; ">ET was the first to report about the UIDAI plan to introduce virtual numbers to address security concerns in its November 20 edition last year.</p>
<p style="text-align: justify; ">A top government official told ET that UIDAI has been working on this technology since July of 2016. "This is going to be one of the biggest innovations ever, people can change their virtual ID whenever they want or after every authentication or every 10 seconds." He added that this will silence most critics of Aadhaar.</p>
<p id="_mcePaste" style="text-align: justify; ">"The Aadhaar number being the permanent ID for life, there is need to provide a mechanism to ensure its continued use while optimally protecting the collection and storage in many databases," the UIDAI said in a notification on Wednesday while announcing the new measures.</p>
<h3 style="text-align: justify; ">More Needed to be Done: Experts</h3>
<p style="text-align: justify; ">"The collection and storage of Aadhaar number by various entities has heightened privacy concerns," it stated.</p>
<p style="text-align: justify; ">Under the new regime, for every Aadhaar number, the authority will issue a 16-digit virtual identity number which will be "temporary and revocable at any time."</p>
<p style="text-align: justify; ">This virtual ID can be generated only by the individual Aadhaar holder and can be replaced by a new one after a minimum validity period.</p>
<p style="text-align: justify; ">In addition, while some Authentication User Agencies (AUA) — categorised by the UIDAI as 'Global' — will have access to all the details or the e-KYC of a specific Aadhaar number, all other agencies will only have access to limited data through the virtual identity number.</p>
<p style="text-align: justify; ">"So this is a very very significant thing and I think this is a great step forward," said Nandan Nilekani, former chairman of UIDAI, in an interview to television channel ET Now on Wednesday.</p>
<p style="text-align: justify; ">Nilekani, widely regarded as the architect of Aadhaar, said that through these new security measures the possibility of the Aadhaar number being stored in many databases also goes away.</p>
<p style="text-align: justify; ">It will make a huge difference in allaying the concerns and it really "eliminates all the arguments against Aadhaar," he told ET Now.</p>
<p style="text-align: justify; ">Last week, Chandigarh-based daily The Tribune reported that demographic data from the Aadhaar database could be accessed for as little as Rs 500. The expose led to the UIDAI barring over 5,000 officials from accessing its portal through login ids and passwords. It also introduced biometric authentication for future access, as reported by ET on Tuesday.</p>
<p style="text-align: justify; ">The widespread fear of misuse of demographic data is heightened by the fact that India still does not have a data protection legislation. The country's apex court is scheduled to resume its hearing on the validity of the Aadhaar scheme next week on January 17.</p>
<p style="text-align: justify; ">Kamlesh Bajaj, former CEO of the Data Security Council of India, said that by limiting access to only those agencies mandated by law, the UIDAI has ensured that "someone will not be able to combine database. It's a positive development in my view and technologically feasible," he said.</p>
<h3 style="text-align: justify; ">Expert Views</h3>
<p style="text-align: justify; ">Privacy experts and activists were of the view that more needs to be done to ensure foolproof security for critical personal information.</p>
<p style="text-align: justify; ">The Bengaluru-based research organisation Centre for Internet and Society has suggested that all Aadhaar seeding with existing databases should be revoked. "Until then, it is one step ahead but not enough," said Sunil Abraham, executive director of CIS.</p>
<p style="text-align: justify; ">To enable a speedy rollout of the new safety standards, the UIDAI plans to release the required technical updates by March 1, 2018, and all the authentication agencies using the Aadhaar database will need to upgrade their systems by June 1, 2018 at the latest.</p>
<p style="text-align: justify; ">In its circular, UIDAI has also said that agencies not allowed to use or store the Aadhaar number should make changes inside their systems to replace the Aadhaar number within their databases with the UID Token.</p>
<p style="text-align: justify; ">"Unless there is complete revocation, some database with Aadhaar numbers will still float around and secondly there is no reason why some data controllers should be trusted, the tokenisation should be implemented for everyone," said CIS's Abraham.</p>
<p style="text-align: justify; ">The circular said that authentication using virtual ID will be performed in the same manner as the Aadhaar number and people can generate or retrieve their virtual numbers (in case they forget) at the UIDAI's resident portal, Aadhaar Enrolment Centers, or through the Aadhaar mobile application.</p>
<p style="text-align: justify; ">In addition to the virtual numbers, UIDAI will also provide "unique tokens" to each agency against an Aadhaar number to ensure that they are able to establish the uniqueness of beneficiaries in their databases, such as for distributing government subsidies under cooking gas or scholarships.</p>
<p style="text-align: justify; ">Activists argue that most service providers — even digital ones — work with a paper ID card system. "They don't cross-check it with the UIDAI database. UIDAI is not issuing virtual ids for paper cards, and a new category of so-called Global AUAs are exempted from using the virtual ids, so citizens are not protected almost anywhere that they need to use Aadhaar," said Kiran Jonnalagadda, co-founder of the Internet Freedom Foundation, who said the change doesn't help enough to secure the ecosystem.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/economic-times-january-11-2018-uidai-introduces-new-two-layer-security-system-to-improve-aadhaar-privacy'>https://cis-india.org/internet-governance/news/economic-times-january-11-2018-uidai-introduces-new-two-layer-security-system-to-improve-aadhaar-privacy</a>
</p>
No publisher | Admin | Aadhaar, Internet Governance, Privacy | 2018-01-16T23:08:34Z | News Item