The Centre for Internet and Society
https://cis-india.org
These are the search results for the query, showing results 181 to 195.
Aadhaar by Numbers
https://cis-india.org/internet-governance/news/aadhaar-by-numbers
<b>Sunil Abraham will be addressing a public seminar at an event organized by National Institute of Public Finance and Policy (NIPFP) in New Delhi on Friday, April 29, 2016. </b>
<p style="text-align: justify; ">This talk will reflect on several aspects of the Aadhaar project from a technical perspective. First, there will be a reflection on biometrics as a unique, identification and authentication technology. Second, there will be a critique of open washing by the UIDAI through their adoption of free software and open standards and finally there will be an analysis of alternative technical solutions and architecture which will allow India to harvest the benefits of identity management without the harms and risks of centralized biometrics.</p>
<h3 style="text-align: justify; ">Sunil Abraham</h3>
<p style="text-align: justify; ">Sunil Abraham (an Ashoka Fellow) is the executive director of the Centre for Internet and Society (CIS), Bangalore/New Delhi. CIS is a 7 year old policy and academic research organisation that focuses on accessibility, access to knowledge, internet governance and telecommunications. He is also the founder and director of Mahiti, a 17 year old social enterprise that aims to reduce the cost and complexity of ICTs for the voluntary sector by using free software. Starting 2004, for 3 years, Sunil also managed the International Open Source Network, a project of UNDP's APDIP, serving 42 countries in the Asia-Pacific region. Sunil currently serves on the advisory boards of OSF – Information Programme, Mahiti and Samvada.</p>
<hr />
<p style="text-align: justify; ">The talk reflected on several aspects of the Aadhaar project from a technical perspective. First, there is a reflection on biometrics as a unique, identification and authentication technology. Second, there is a critique of open washing by the UIDAI through their adoption of free software and open standards and finally there is an analysis of alternative technical solutions and architecture which will allow India to harvest the benefits of identity management without the harms and risks of centralized biometrics.</p>
<h3>Video</h3>
<p><iframe frameborder="0" height="315" src="https://www.youtube.com/embed/Y9uOBAqjIMg" width="560"></iframe></p>
No publisher | praskrishna | Aadhaar, Internet Governance, Privacy | 2016-09-11T16:36:58Z | News Item
"Will the Magic Number Deliver?" - Roundtable on Aadhaar at CSLG, JNU, April 26
https://cis-india.org/internet-governance/news/will-the-magic-number-deliver-aadhaar-cslg-26042016
<b>The Centre for the Study of Law and Governance (CSLG), Jawaharlal Nehru University (JNU), will organise a roundtable discussion on Tuesday, April 26, to discuss the Aadhaar project and Act. Along with Rajeev Chandrasekhar, Prasanna S, Apar Gupta, and Chirashree Dasgupta, Sumandro Chattapadhyay will be one of the discussants. It will take place in the CSLG Conference Room at 6 pm.</b>
<h3>Discussion Note</h3>
<p>The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, was enacted by the Parliament on March 16. It was subsequently notified on March 26.</p>
<p>The Act empowers the UIDAI (Unique Identification Authority of India) to collect biometric and demographic information of residents to provide them with a unique number. This unique number is to be used for enumeration, identification and targeting of beneficiaries of government subsidies and services.</p>
<p>Since the creation of the UIDAI as an executive authority in 2009, this process of enumeration has been ongoing. Recently, it was announced that more than 100 crore residents have been given their Aadhaar cards. Alongside, however, legal challenges have continued in the Supreme Court.</p>
<p>Given this context, this Roundtable Discussion will focus on the following set of questions (among others):</p>
<ul><li>
<p>Can the Aadhaar Number enable better delivery of government subsidies and services?</p>
</li>
<li>
<p>How does the Act ensure data protection?</p>
</li>
<li>
<p>Is there a right to privacy in India? What are the implications in the context of Aadhaar?</p>
</li>
<li>
<p>Does the Act ensure public access to statutory remedies in case of violations?</p>
</li>
<li>
<p>Did the Aadhaar Bill fulfil the requirements of a money bill?</p>
</li></ul>
<h3>Discussion Format</h3>
<p>Setting the Theme - Short Introduction to the Topic by Natasha Goyal</p>
<p>Speakers' comments, 15 minutes each, consecutive, no power points</p>
<ul><li>
<p><a href="https://twitter.com/rajeev_mp">Rajeev Chandrasekhar</a>, Member of Parliament, Rajya Sabha</p>
</li>
<li>
<p><a href="https://twitter.com/ajantriks">Sumandro Chattapadhyay</a>, the Centre for Internet and Society</p>
</li>
<li>
<p><a href="https://twitter.com/prasanna_s">Prasanna S</a>, Lawyer</p>
</li>
<li>
<p><a href="https://twitter.com/aparatbar">Apar Gupta</a>, Advocate, Delhi High Court</p>
</li>
<li>
<p><a href="http://www.jnu.ac.in/FacultyStaff/ShowProfile.asp?SendUserName=chirashree">Dr. Chirashree Dasgupta</a>, Centre for the Study of Law and Governance</p>
</li></ul>
<p>Open Session (Moderated Q and A)</p>
<p>Followed by Tea</p>
<h3>Directions to Venue</h3>
<p>From JNU main gate, proceed straight until you get to a T-junction. Turn left. Continue until you reach a second T-junction. Turn right. Follow the road for just 0.7 km until you see a bus stop labelled “Paschimmabad.” About 50 m past the bus stop turn right at a sign that reads: “Centre for the Study of Law and Governance”. The CSLG building is on the right. The conference room is on the first floor.</p>
<h3>Poster</h3>
<img src="http://cis-india.org/internet-governance/news/will-the-magic-number-deliver-aadhaar-cslg-26042016/leadImage" alt="CSLG Roundtable Discussion - Will the Magic Number Deliver? - April 26, 6 pm" />
No publisher | sumandro | UID, Privacy, Digital India, Aadhaar, Biometrics | 2016-04-20T10:49:58Z | Event
PMO’s no to smart cards, insists on Aadhaar
https://cis-india.org/internet-governance/news/the-hindu-april-10-2016-somesh-jha-pmo-no-to-smart-cards-insists-aadhaar
<b>The government has decided to stop issuing new smart cards to beneficiaries of government schemes as Aadhaar is now backed by a law. </b>
<p style="text-align: justify; ">The article by Somesh Jha was published in the Hindu on April 10, 2016. Sunil Abraham was quoted.</p>
<hr />
<p style="text-align: justify; ">The Prime Minister’s Office (PMO) has issued strict instructions to the Information Technology Ministry to ensure that States and the Central government stop issuing smart cards for new programmes for beneficiaries, and to rely on the Aadhaar-based Direct Benefit Transfer platform instead.</p>
<p style="text-align: justify; ">The move will impact ministries such as Labour, Social Justice and Health, which are in the process or have already rolled out smart cards.</p>
<p style="text-align: justify; ">The government had said earlier that over 100 crore people, constituting 93 per cent of the adult population, had a unique identification (UID) number under the Aadhaar platform.</p>
<p style="text-align: justify; ">“The undersigned is directed to request the department to examine the need for state and central government departments to issue separate smart cards in the light of the near universal coverage of Aadhaar and the delivery of the most public welfare benefits through Aadhaar enabled platforms,” according to a directive issued by Gulzar N, Director, PMO, to Aruna Sharma, Secretary, Department of Electronics and Information Technology.</p>
<p style="text-align: justify; ">“The undersigned is also directed to request the department to prepare policy on the delivery of various public services using Aadhaar, Jan Dhan Yojana and existing platforms without the issuance of new smart cards.”</p>
<p style="text-align: justify; ">Last month, Union Minister for Social Justice and Empowerment Thaawar Chand Gehlot had announced that all differently abled persons would soon get a unique identity card to avail welfare schemes.</p>
<p style="text-align: justify; ">State governments had also planned to use smart card technology for welfare schemes. For instance, Odisha was mulling smart cards for construction workers in the State.</p>
<p style="text-align: justify; ">The PMO sent a separate communiqué to Labour Secretary Shankar Aggarwal in the context of a proposal to issue 40 crore smart cards to informal sector workers, called the Unorganised Workers’ Identification Number (U-WIN). The UWIN cards were to be used by these workers to access benefits under schemes such as Rashtriya Swasthya Bima Yojana, Aam Aadmi Bima Yojana, Atal Pension Yojana, Pradhan Mantri Suraksha Bima Yojana and Jeevan Jyoti Bima Yojana.</p>
<p style="text-align: justify; ">The PMO rejected the proposal noting that Aadhaar would act as a “universal unique identifier for each citizen.”</p>
<p style="text-align: justify; ">“Adding a UWIN number would not only duplicate work, but also introduce further problems in linking up with other databases which have already been linked with Aadhaar,” said the missive reviewed by The Hindu.</p>
<p style="text-align: justify; ">However, experts are sceptical of the government’s move.</p>
<p style="text-align: justify; ">“Smart cards are always better than biometrics. If that was not the case, the global financial infrastructure today will be working on biometrics and not on smart cards,” said Sunil Abraham, executive director of The Centre for Internet and Society.</p>
<p style="text-align: justify; ">“Why are these banks working on smart cards? Smart cards work using cryptography, which is more fool-proof than biometrics. Biometrics allow for remote, covert and non-consensual identification,” Mr. Abraham said.</p>
<p style="text-align: justify; ">Smart card vendors, however, said the move may not impact their market. “The demand for smart cards is massive in all the other segments such as for use in debit and credit cards or driving licenses and vehicle registration numbers,” said Deven Mehta, managing director of the Mumbai-based Smart Card IT Solutions.</p>
No publisher | praskrishna | Aadhaar, Internet Governance, Privacy | 2016-04-20T02:19:18Z | News Item
The Last Chance for a Welfare State Doesn’t Rest in the Aadhaar System
https://cis-india.org/internet-governance/blog/the-last-chance-for-a-welfare-state-doesnt-rest-in-the-aadhaar-system
<b>Boosting welfare is the message, which is how Aadhaar is being presented in India. The Aadhaar system as a medium, however, is one that enables tracking, surveillance, and data monetisation. This piece by Sumandro Chattapadhyay was published in The Wire on April 19, 2016.</b>
<p><em>Originally published in and cross-posted from <a href="http://thewire.in/2016/04/19/the-last-chance-for-a-welfare-state-doesnt-rest-in-the-aadhaar-system-30256/">The Wire</a>.</em></p>
<hr />
<p>Once upon a time, a king desired that his parrot should be taught all the ancient knowledge of the kingdom. The priests started feeding the pages of the great books to the parrot with much enthusiasm. One day, the king asked the priests if the parrot’s education had been completed. The priests poked the belly of the parrot but it made no sound. Only the rustle of undigested pages inside the belly could be heard. The priests declared that the parrot was indeed a learned one now.</p>
<p>The fate of the welfare system in our country is quite similar to this parrot from Tagore’s parable. It has been forcefully fed identification cards and other official documents (often four copies of the same) for years, and always with the same justification of making it more effective and fixing the leaks. These identification regimes are in effect killing off the welfare system. And some may say that that has been the actual plan in any case.</p>
<p>The Aadhaar number has been recently offered as <a href="http://indianexpress.com/article/opinion/columns/aadhaar-project-uidai-last-chance-for-a-welfare-state/">the ‘last chance’ for the ailing welfare system</a> – a last identification regime that it needs to gulp down to survive. This argument wilfully overlooks the acute problems with the Aadhaar project.</p>
<p>Firstly, the ‘last chance’ for a welfare state in India is not provided by implementing a new and improved identification regime (Aadhaar numbers or otherwise), but by enabling citizens to effectively track, monitor, and ensure delivery of welfare, services, and benefits. This ‘opening up’ of the welfare bureaucracy has been most effectively initiated by the Right to Information Act. Instead of a centralised biometrics-linked identity verification platform, which gives the privilege of tracking and monitoring welfare flows only to a few expert groups, an effective welfare state requires the devolution of such privilege and responsibility.</p>
<p>We should harness the tracking capabilities of electronic financial systems to disclose how money belonging to the Consolidated Fund of India travels around state agencies and departmental levels. Instead, the Aadhaar system effectively stacks up a range of entry barriers to accessing welfare – from malfunctioning biometric scanners, to connectivity problems, to the burden of keeping one’s fingerprint digitally legible under all labouring and algorithmic circumstances.</p>
<p>Secondly, authentication of welfare recipients by Aadhaar number neither makes the welfare delivery process free of techno-bureaucratic hurdles, nor does it exorcise away corruption. Anumeha Yadav has recently documented the emerging <a href="http://scroll.in/article/805909/in-rajasthan-there-is-unrest-at-the-ration-shop-because-of-error-ridden-aadhaar">‘unrest at the ration shop’ across Rajasthan</a>, as authentication processes face technical and connectivity delays, people get ‘locked out’ of public services for not having an Aadhaar number or for having one with incorrect demographic details, and no mechanisms exist to provide rapid and definitive recourse.</p>
<p>RTI activists at the <a href="http://www.snsindia.org/">Satark Nagrik Sangathan</a> have highlighted that the Delhi ration shops, using Aadhaar-based authentication, maintain only two columns of data to describe people who have come to the shop – those who received their ration, and those who did not (without any indication of the reason). This leads to erasure-by-design of evidence of the number of welfare-seekers who are excluded from welfare services when the Aadhaar-based authentication process fails (for valid reasons, or otherwise).</p>
<p>Reetika Khera has made it very clear that using Aadhaar Payments Bridge to directly transfer cash to a beneficiary’s account, in the best case scenario, <a href="http://www.epw.in/journal/2013/05/commentary/cost-benefit-analysis-uid.html">may only take care of one form of corruption</a>: deception (a different person claiming to be the beneficiary). But it does not address the other two common forms of public corruption: collusion (government officials approving undue benefits and creating false beneficiaries) and extortion (forceful rent seeking after the cash has been transferred to the beneficiary’s account). Evidently, going after only deception does not make much sense in an environment where collusion and extortion are commonplace.</p>
<p>Thirdly, the ‘relevant privacy question’ for Aadhaar is not limited to how UIDAI protects the data collected by it, but expands to usage of Aadhaar numbers across the public and private sectors. The privacy problem created by the Aadhaar numbers does begin, but surely does not end, with the internal data management procedures and responsibilities of the UIDAI.</p>
<p>On one hand, the Aadhaar Bill 2016 has reduced the personal data sharing restrictions of the NIAI Bill 2010, and <a href="http://scroll.in/article/806297/no-longer-a-black-box-why-does-the-revised-aadhar-bill-allow-sharing-of-identity-information">has allowed for sharing of all data except core biometrics (fingerprints and iris scan)</a> with all agencies involved in authentication of a person through her/his Aadhaar number. These agencies have been asked to seek consent from the person who is being authenticated, and to inform her/him of the ways in which the provided data (by the person, and by UIDAI) will be used by the agency. In careful wording, the Bill only asks the agencies to inform the person about “alternatives to submission of identity information to the requesting entity” (Section 8.3) but not to provide any such alternatives. This facilitates and legalises a much wider collection of personal demographic data for offering of services by public agencies “or any body corporate or person” (Section 57), which is way beyond the scope of data management practices of UIDAI.</p>
<p>On the other hand, the Aadhaar number is being seeded to all government databases – from lists of HIV patients, of rural citizens being offered 100 days of work, of students getting scholarships meant for specific social groups, of people with a bank account. Now in some sectors, such as banking, inter-agency sharing of data about clients is strictly regulated. But we increasingly have non-financial agencies playing crucial roles in the financial sector – from mobile wallets to peer-to-peer transactions to innovative credit ratings. Seeding of Aadhaar into all government and private databases would allow for easy and direct joining up of these databases by anyone who has access to them, and not by security agencies alone.</p>
<p>When it becomes publicly acceptable that <a href="http://indianexpress.com/article/opinion/columns/aadhaar-project-uidai-last-chance-for-a-welfare-state/">the <em>money bill route</em> was a ‘remedial’ instrument to put the Rajya Sabha ‘back on track’</a>, one cannot not wonder about what was being remedied by avoiding a public debate about the draft bill before it was presented in Lok Sabha. The answer is simple: <em>welfare is the message, surveillance is the medium</em>.</p>
<p>Acceptance and adoption of any medium requires a message, a content. The users are interested in the message. The message, however, is not the business. Think of Free Basics. Facebook wants people with no or limited access to the internet to enjoy parts of the internet at zero data cost. Facebook does not provide the content that the users consume on such internet. The content is created by the users themselves, and also provided by other companies. Facebook owns and controls the medium, and makes money out of all content, including interactions, passing through it.</p>
<p>The UIDAI has set up a biometric data bank and related infrastructure to offer authentication-as-a-service. As the Bill clarifies, almost all agencies (public or private, national or global) can use this service to verify the identity of Indian residents. Unlike Facebook, the content of these services does not flow through the Aadhaar system. Nonetheless, Aadhaar keeps track of all ‘authentication records’, that is records of whose identity was authenticated by whom, when, and where. This database is a gold (data) mine for security agencies in India, and elsewhere. Further, as more agencies use authentication based on Aadhaar numbers, it becomes easier for them to combine and compare databases with other agencies doing the same, by linking each line of transaction across databases using Aadhaar numbers.</p>
<p>Welfare is the message that the Aadhaar system is riding on. The message is only useful for the medium as far as it ensures that the majority of the user population are subscribing to it. Once the users are enrolled, or on-boarded, the medium enables flow of all kinds of messages, and tracking and monetisation (perhaps not so much in the case of UIDAI) of all those flows. It does not matter if the Aadhaar system is being introduced to remedy the broken parliamentary process, or the broken welfare distribution system. What matters is that the UIDAI is establishing the infrastructure for a universal surveillance system in India, and without a formal acknowledgement and legal framework for the same.</p>
No publisher | sumandro | UID, Data Systems, Privacy, Internet Governance, Digital India, Aadhaar, Biometrics | 2016-04-19T13:18:42Z | Blog Entry
Why is the UIDAI cracking down on individuals that hoard Aadhaar data?
https://cis-india.org/internet-governance/news/business-standard-alnoor-peermohamed-april-13-2016-why-is-uidai-cracking-down-on-individuals-that-hoard-aadhaar-data
<b>Private firms' offer to print Aadhaar details on plastic card a breach of law.</b>
<p style="text-align: justify; ">The article by Alnoor Peermohamed was published by <a class="external-link" href="http://www.business-standard.com/article/economy-policy/why-is-the-uidai-cracking-down-on-individuals-that-hoard-aadhaar-data-116041200400_1.html">Business Standard </a>on April 13, 2016. Sunil Abraham was quoted.</p>
<hr />
<p style="text-align: justify; ">The billion-strong citizen identification system, Aadhaar, has given rise to businesses keen on illegal harnessing of this private data, say the authorities.<br /><br /> Outfits are offering services to print the Aadhaar details on plastic cards, something the Union information technology ministry warned against on Monday. These entities charge anywhere between Rs 50 and Rs 600, and are listed on e-commerce websites, apart from their own online presence.<br /><br /> Under the Aadhaar law, collecting and storing of the data by private companies without the user’s consent is a crime. Monday’s warning from the ministry to e-commerce marketplaces such as Amazon, Flipkart and eBay to disallow merchants from collecting and printing such details was a result of this.<br /><br /> This newspaper could not find any listings of Aadhaar printing services on Flipkart but there was one on Amazon (taken down) and no less than five such listings on eBay.<br /><br /> PrintMyAadhaar is one of the more well organised outfits operating in this space. “Get your E-Aadhaar printed on a PVC card for easier handling,” reads their website. Users are prompted to fill in their Aadhaar details on the website, pay Rs 50 and have the card sent to their houses. 
PrintMyAadhaar even offers discounts for bulk orders.<br /><br /> “Collecting such information or unauthorised printing of an Aadhaar card or aiding such persons in any manner may amount to a criminal offence, punishable with imprisonment under the Indian Penal Code and also Chapter VI of The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016,” read the statement from the ministry.<br /><br /> Currently, Aadhaar stores a person’s name, date of birth, sex and address, apart from their biometric data.<br /><br /> While the biometric data isn’t available to these PDF printing shops, the rest of the information is, according to Srikanth Nadhamuni, chief executive officer of Khosla Labs and a former head of technology at the Unique Identification Authority of India. However, collecting this data poses no security risk to the Aadhaar infrastructure, he added.<br /><br /> “Allowing somebody to accumulate large amounts of data from Aadhaar users in general is not a good practice. We should ensure that the Aadhaar details of people remain private and it should only be up to the discretion of the end-user to share this,” said Nadhamuni.<br /><br /> Some security experts say Aadhaar does pose a security risk, as it makes available an individual's details in the public domain. Several institutions are treating Aadhaar just like any other proof of identity.<br /><br /> “Transactions that should have been conducted using biometric authentication are being conducted just by presentation of paper documents. What is happening most commonly is that people are giving a printout or photocopy of their Aadhaar acknowledgement as their proof of identity to get a SIM card. 
The risk here is that somebody can get a mobile number against your name,” said Sunil Abraham, executive director of the non-profit Centre for Internet and Society.<br /><br /> He says the other technical issue with Aadhaar is the lack of a smart card that stores a person’s information, as in a digital signature. Due to the lack of this, people don’t know what information to keep private and what to make public. Conventional security techniques would have had a person keeping their PIN private (as with a bank account). If this personal PIN had been saved on a smart card, users wouldn’t have had much to worry about.<br /><br /> “In the case of Aadhaar, the authentication factor and the identification factor are in the public domain, because many people might have your UID number and people release their biometric data everywhere. Due to this broken technological solution, we are now through policy putting band-aids, saying people should not disclose their UID number unnecessarily,” added Abraham.</p>
No publisher | praskrishna | Aadhaar, Internet Governance, Privacy | 2016-04-17T16:16:26Z | News Item
Aadhaar Act and its Non-compliance with Data Protection Law in India
https://cis-india.org/internet-governance/blog/aadhaar-act-and-its-non-compliance-with-data-protection-law-in-india
<b>This post compares the provisions of the Aadhaar Act, 2016, with India's data protection regime as articulated in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.</b>
<h4>Download the file: <a href="https://cis-india.org/internet-governance/blog/aadhaar-act-43a-it-rules" class="internal-link">PDF</a>.</h4>
<hr />
<p style="text-align: justify;">Amidst all the hue and cry, the Aadhaar Act 2016, which was introduced with the aim of providing statutory backing to the use of Aadhaar, was passed in the Lok Sabha in its original form on March 16, 2016, after rejecting the recommendations made by Rajya Sabha <a name="_ftnref1"></a> . Though the Act has been vehemently opposed on several grounds, one of the concerns that has been voiced is regarding privacy and protection of the demographic and biometric information collected for the purpose of issuing the Aadhaar number.</p>
<p style="text-align: justify;">In India, for the purpose of data protection, a body corporate is subject to section 43A of the Information Technology Act, 2000 ("<strong>IT Act</strong>") and subsequent Rules, i.e. the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 ("<strong>IT Rules</strong>"). Section 43A of the IT Act, 2000<a name="_ftnref2"></a> holds a body corporate, which is possessing, dealing or handling any sensitive personal data or information, and is negligent in implementing and maintaining reasonable security practices resulting in wrongful loss or wrongful gain to any person, liable to compensate the affected person and pay damages.</p>
<p style="text-align: justify;">Rule 3 of the IT Rules enlists personal information that would amount to Sensitive personal data or information of a person and includes the biometric information. Even the Aadhaar Act states under section 30 that the biometric information collected shall be deemed as "sensitive personal data or information", which shall have the same meaning as assigned to it in clause (iii) of the Explanation to section 43A of the IT Act; this reflects that biometric data collected in the Aadhaar scheme will receive the same level of protection as is provided to other sensitive personal data under Indian law. This implies that, the agencies contracted by the UIDAI (and not the UIDAI itself) to perform functions like collection, authentication, etc. like the Registrars, Enrolling Agencies and Requesting Entities, which meet the criteria of being a 'body corporate' as defined in section 43A, <a name="_ftnref3"></a> could be held responsible under this provision, as well as the Rules, to ensure security of the data and information of Aadhaar holder and could potentially be held liable for breach of information that results in loss to an individual if it can be proven that they failed to implement reasonable security practices and procedures.</p>
<p style="text-align: justify;">In light of the fact that some actors in the Aadhaar scheme could be held accountable and liable under section 43A and associated Rules, this article compares the regulations regarding data security as found in section 43A and IT Rules 2011 with the provisions of Aadhaar Act 2016, and discusses the implications of the differences, if any.</p>
<h3>1. Compensation and Penalty</h3>
<p style="text-align: justify;"><strong>Section 43A:</strong> Section 43A of the IT Act, 2000 (Amended in 2008) provides for compensation for failure to protect data. It states that a body corporate, which is possessing, dealing or handling any sensitive personal data or information, and is negligent in implementing and maintaining reasonable security practices resulting in wrongful loss or wrongful gain to any person, is liable to compensate the affected person and pay damages not exceeding five crore rupees.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> Chapter VII of the Act provides for offences and penalties, but does not talk about damages to the affected party.</p>
<ul style="text-align: justify;">
<li>Section 37 states that intentional disclosure or dissemination of identity information, to any person not authorised under the Aadhaar Act, or in violation of any agreement entered into under the Act, will be punishable with imprisonment up to three years or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company). </li>
<li>Section 38 prescribes penalty with imprisonment up to three years and a fine not less than ten lakh rupees in case any of the acts listed under the provision are performed without authorisation from the UIDAI. </li>
<li>Section 39 prescribes penalty with imprisonment for a term which may extend to three years and fine which may extend to ten thousand rupees for tampering with data in Central Identities Data Repository. </li>
<li>Section 40 holds a requesting entity liable for penalty for use of identity information in violation of Section 8 (3) with imprisonment up to three years and/or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company). </li>
<li>Section 41 holds a requesting entity or enrolling agency liable for penalty for violation of Section 8 (3) or Section 3 (2) with imprisonment up to one year and/or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company). </li>
<li>Section 42 provides general penalty for any offence against the Act or regulations made under it, for which no specific penalty is provided, with imprisonment up to one year and/or a fine up to twenty five thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company). </li></ul>
<p style="text-align: justify;">Though the Aadhaar Act prescribes penalty in case of unauthorised access, use or any other act contravening the Regulations, it fails to guarantee protection to the information and does not provide for compensation in case of violation of the provisions.</p>
<h3>2. Privacy Policy</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 4 requires a body corporate to provide a privacy policy on their website, which is easily accessible, provides for the type and purpose of personal, sensitive personal information collected and used, and reasonable security practices and procedures.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> Though in practice the contracting agencies (the body corporates under the Aadhaar ecosystem) may maintain a privacy policy on their website, the Aadhaar Act does not require a privacy policy for the UIDAI or other actors.</p>
<p style="text-align: justify;"><strong>Implications:</strong> Because contracting agencies will be covered by the IT Rules if they are 'body corporates', the requirement to maintain a privacy policy will be applicable to them.</p>
<h3>3. Consent</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 5 requires that prior to the collection of sensitive personal data, the body corporate must obtain consent, either in writing or through fax regarding the purpose of usage before collection of such information.</p>
<p style="text-align: justify;"><strong>Aadhaar Act: </strong> The Act is silent regarding consent being acquired in case of the enrolling agency or registrars. However, section 8 provides that any requesting entity will take consent from the individual before collecting his/her Aadhaar information for authentication purposes, though it does not specify the nature (written/through fax).</p>
<p style="text-align: justify;"><strong>Implications:</strong> If the enrolling agency is a body corporate, they will also be required to take consent prior to collecting and processing biometrics. It is possible that since the Aadhaar Act envisages a scheme which is quasi-compulsory in nature, a consent provision was deliberately left out. This circumstance would give the enrolling agencies an argument against taking consent, by saying that the Aadhaar Act is a specific legislation which is also later in point of time than the IT Rules, and a deliberate omission of consent coupled with the compulsory nature of the Aadhaar scheme would mean that they are not required to take consent of the individuals before enrolment.</p>
<h3>4. Collection Limitation</h3>
<p style="text-align: justify;"><strong>IT Rules: </strong> Rule 5 (2) requires that a body corporate should only collect sensitive personal data if it is connected to a lawful purpose and is considered necessary for that purpose.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> Section 3(1) of the Act states that every resident shall be entitled to obtain an aadhaar number by submitting his demographic information and biometric information by undergoing the process of enrolment.</p>
<h3>5. Notice</h3>
<p style="text-align: justify;"><strong>IT Rules: </strong> Rule 5(3) requires that while collecting information directly from an individual, the body corporate must provide the following information:</p>
<ul style="text-align: justify;">
<li>The fact that information is being collected</li>
<li>The purpose for which the information is being collected</li>
<li>The intended recipients of the information</li>
<li>The name and address of the agency that is collecting the information</li>
<li>The name and address of the agency that will retain the information</li></ul>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> Section 3 of the Act states that at the time of enrolment and collection of information, the enrolling agency shall notify the individual as to how their information will be used; what type of entities the information will be shared with; and that they have a right to see their information and also tell them how they can see their information. However, the Act is silent regarding notice of name and address of the agency collecting and retaining the information.</p>
<h3>6. Retention Limitation</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 5(4) requires that body corporate must retain sensitive personal data only for as long as it takes to fulfil the stated purpose or otherwise required under law.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> The Act is silent regarding this and does not mention the duration for which the personal information of an individual shall be retained by the bodies/organisations contracted by UIDAI.</p>
<h3>7. Purpose Limitation</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 5(5) requires that information must be used for the purpose that it was collected for.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:<a name="move447203643"></a></strong> Section 57 contravenes this and states that the Act will not prevent use of Aadhaar number for other purposes under law by the State or other bodies. Section 8 of the Act states that for the purpose of authentication, a requesting entity is required to take consent before collection of Aadhaar information and use it only for authentication with the CIDR. Section 29 of the Act states that the core biometric information collected will not be shared with anyone for any reason, and must not be used for any purpose other than generation of Aadhaar numbers and authentication. Also, the Identity information available with a requesting entity will not be used for any purpose other than what is specified to the individual, nor will it be shared further without the individual's consent.</p>
<h3>8. Right to Access and Correct</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 5(6) requires a body corporate to provide individuals with the ability to review the information they have provided and access and correct their personal or sensitive personal information.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> The Act provides under section 3 that at the time of enrolment, the individual needs to be informed about the existence of a right to access information, the procedure for making requests for such access, and details of the person or department in-charge to whom such requests can be made. Section 28 of the Act provides that every aadhaar number holder may access his identity information except core biometric information. Section 32 provides that every Aadhaar number holder may obtain his authentication record. Also, if the demographic or biometric information about any Aadhaar number holder changes, is lost or is found to be incorrect, they may request the UIDAI to make changes to their record in the CIDR.</p>
<h3>9. Right to 'Opt Out' and Withdraw Consent</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 5(7) requires that the individual must be provided with the option of 'opting out' of providing data or information sought by the body corporate. Also, they must have the right to withdraw consent at any point of time.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> The Aadhaar Act does not provide an opt-out provision and also does not provide an option to withdraw consent at any point of time. Section 7 of the Aadhaar Act actually implies that once the Central or State government makes aadhaar authentication mandatory for receiving a benefit then the individual has no other option but to apply for an Aadhaar number. The only concession that is made is that if an Aadhaar number is not assigned to an individual then s/he would be offered some alternative viable means of identification for receiving the benefit.</p>
<h3>10. Grievance Officer</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 5(9) requires that body corporate must designate a grievance officer for redressal of grievances, details of which must be posted on the body corporate's website and grievances must be addressed within a month of receipt.</p>
<p style="text-align: justify;"><strong>Aadhaar Act</strong>: The Aadhaar Act does not provide for any such mechanism for grievance redressal by the registrars, enrolling agencies or the requesting entities. However, since the contracting agencies will also get covered by the IT Rules if they are 'body corporates', the requirement to designate a grievance officer would be applicable to them as well due to the IT Rules.</p>
<h3>11. Disclosure with Consent, Prohibition on Publishing and Further Disclosure</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 6 requires that body corporate must have consent before disclosing sensitive personal data to any third person or party, except in the case with Government agencies for the purpose of verification of identity, prevention, detection, investigation, on receipt of a written request. Also, the body corporate or any person on its behalf shall not publish the sensitive personal information and the third party receiving the sensitive personal information from body corporate or any person on its behalf shall not disclose it further.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> Regarding the requesting entities, the Act provides that they shall not disclose the identity information except with the prior consent of the individual to whom the information relates. The Act also states that the Authority shall take necessary measures to ensure confidentiality of information against disclosures. However, as an exception under section 33, the UIDAI may reveal identity information, authentication records or any information in the CIDR following a court order by a District Judge or higher. The Act also allows disclosure made in the interest of national security following directions by a Joint Secretary to the Government of India, or an officer of a higher rank, authorised for this purpose. The Act is silent on the issue of obtaining consent of the individual under these exceptions. Additionally, the Act also states that the Aadhaar number or any core biometric information collected or created regarding an individual under the Act shall not be published, displayed or posted publicly, except for the purposes specified by regulations.</p>
<h3>12. Requirements for Transfer of Sensitive Personal Data</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 7 requires that body corporate may transfer sensitive personal data into another jurisdiction only if the country ensures the same level of protection and may be allowed only if it is necessary for the performance of the lawful contract between the body corporate or any person on its behalf and provider of information or where such person has consented to data transfer.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> The Act is silent regarding transfer of personal data into another jurisdiction by any of the contracting bodies like the Registrar, Enrolling agencies or the requesting entities. However, if these agencies satisfy the requirement of being "body corporates" as defined under section 43A, then the above requirement regarding transfer of data to another jurisdiction under IT Rules would be applicable to them. However, considering the sensitive nature of the data involved, the lack of a prohibition of transferring data to another jurisdiction under the Aadhaar Act appears to be a serious lacuna.</p>
<h3>13. Security of Information</h3>
<p style="text-align: justify;"><strong>IT Rules:</strong> Rule 8 requires that the body corporate must secure information in accordance with the ISO 27001 standard or any other best practices notified by Central Government. These practices must be audited annually or when the body corporate undertakes a significant upgradation of its process and computer resource.</p>
<p style="text-align: justify;"><strong>Aadhaar Act:</strong> Section 28 of the Act states that the UIDAI must ensure the security and confidentiality of identity information and authentication records. It also states that the Authority shall adopt and implement appropriate technical and organisational security measures, and ensure the same are imposed through agreements/arrangements with its agents, consultants, advisors or other persons. However, it does not mention which standards/measures have to be adopted by all the actors in Aadhaar ecosystem for ensuring the security of information, though it can be argued that if the contractors employed by the UIDAI are body corporate then the standards prescribed under the IT Rules would be applicable to them.</p>
<h3>Implications of the Differences for Body Corporates in Aadhaar Ecosystem</h3>
<p style="text-align: justify;">An analysis of the Rules in comparison to the data protection measures under the Aadhaar Act shows that the requirements regarding protection of personal or sensitive personal information differ and are not completely in line with each other. <a name="move446519928"></a></p>
<p style="text-align: justify;">Though the Aadhaar Act takes into account the provisions regarding consent of the individual, notice, restriction on sharing, etc., the Act is silent regarding many core measures like sharing of information across jurisdictions, taking consent before collection of information, adoption of security measures for protection of information, etc. which a body corporate in the Aadhaar ecosystem must adopt to be in compliance with section 43A of the IT Act. It is therefore important that the bodies that collect, handle and share personal information and are governed by the Aadhaar Act adhere to section 43A and the IT Rules 2011. However, applicability of Aadhaar Act as well as section 43A and IT Rules 2011 would lead to ambiguity regarding interpretation and implementation of the Law. The differences must be duly taken into account and more clarity is required to make all the bodies under this Legislation like the enrolling agencies, Registrars and the Requesting Entities accountable under the correct provisions of Law. However, having two separate legislations governing the data protection standards in the Aadhaar scheme seems to have been overlooked. A harmonized and overarching privacy legislation is critical to avoid a lack of clarity in the applicability of data protection standards and would also address many privacy concerns associated with the scheme.</p>
<h3>Appendix I</h3>
<p style="text-align: justify;">The Rajya Sabha had proposed five amendments to the Aadhaar Act 2016, which are as follows:</p>
<p style="text-align: justify;"><strong>i. Opt-out clause:</strong> A provision to allow a person to "opt out" of the Aadhaar system, even if already enrolled.</p>
<p style="text-align: justify;"><strong>ii. Voluntary:</strong> To ensure that if a person chooses not to be part of the Aadhaar system, he/she would be provided "alternate and viable" means of identification for purposes of delivery of government subsidy, benefit or service.</p>
<p style="text-align: justify;"><strong>iii.</strong> Amendment restricting the use of Aadhaar numbers only for targeting of government benefits or service and not for any other purpose.</p>
<p style="text-align: justify;"><strong>iv.</strong> Amendment seeking change of the term "national security" to "public emergency or in the interest of public safety" in the provision specifying situations in which disclosure of identity information of an individual to certain law enforcement agencies can be allowed.</p>
<p style="text-align: justify;"><strong>v. Oversight Committee:</strong> The oversight committee, which would oversee the possible disclosure of information, should include either the Central Vigilance Commissioner or the Comptroller and Auditor-General.</p>
<p><strong>Sources:</strong></p>
<ul>
<li> <a href="http://indianexpress.com/article/india/india-news-india/rajya-sabha-returns-aadhar-bill-to-lok-sabha-with-oppn-amendments/"> http://indianexpress.com/article/india/india-news-india/rajya-sabha-returns-aadhar-bill-to-lok-sabha-with-oppn-amendments/ </a> </li>
<li> <a href="http://thewire.in/2016/03/16/three-rajya-sabha-amendments-that-will-shape-the-aadhaar-debate-24993/"> http://thewire.in/2016/03/16/three-rajya-sabha-amendments-that-will-shape-the-aadhaar-debate-24993/</a></li></ul>
<h3>Appendix II - Section 43A: Compensation for Failure to Protect Data</h3>
<p style="text-align: justify;">Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.</p>
<p style="text-align: justify;">For the purposes of this section:</p>
<ul>
<li>"body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;</li>
<li>"reasonable security practices and procedures" means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit;</li>
<li>"sensitive personal data or information" means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.</li></ul>
<p style="text-align: justify;">The term 'body corporate' has been defined under section 43A as "any company and includes a firm, sole proprietorship or other association of individuals <em>engaged in commercial or professional activities</em>".</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/aadhaar-act-and-its-non-compliance-with-data-protection-law-in-india'>https://cis-india.org/internet-governance/blog/aadhaar-act-and-its-non-compliance-with-data-protection-law-in-india</a>
</p>
No publisher | vanya | UID, Privacy, Internet Governance, Digital India, Aadhaar, Biometrics | 2016-04-18T11:43:02Z | Blog Entry
FAQ on the Aadhaar Project and the Bill
https://cis-india.org/internet-governance/blog/aadhaar-project-and-bill-faq
<b>This FAQ attempts to address the key questions regarding the Aadhaar/UIDAI project and the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 (henceforth, Bill). This is neither a comprehensive list of questions, nor does it contain fully developed answers. We will continue to add questions to this list, and edit/expand the answers, based on our ongoing research. We will be grateful to receive your comments, criticisms, evidences, edits, suggestions for new answers, and any other responses. These can either be shared as comments in the document hosted on Google Drive, or via tweets sent to the information policy team at @CIS_InfoPolicy. </b>
<h4>To comment on and/or download the file, click <a href="https://docs.google.com/document/d/1ib5bQUgZZ7PABurMHlzmfwZK6932DFQI6hUlad-vwfI/edit?usp=sharing" target="_blank">here</a>.</h4>
<hr />
No publisher | Elonnai Hickok, Vanya Rakesh, and Vipul Kharbanda | UID, Privacy, Internet Governance, Featured, Digital India, Aadhaar, Biometrics, Homepage | 2016-04-13T14:06:43Z | Blog Entry
India's biometric database crosses billion-member mark
https://cis-india.org/internet-governance/news/daily-mail-april-4-2016-afp-india-biometric-database-crosses-billion-member-mark
<b>India's biometric database notched up one billion members on Monday, as the government sought to allay concerns about privacy breaches in the world's biggest such scheme.</b>
<p style="text-align: justify; ">The <a class="external-link" href="http://www.dailymail.co.uk/wires/afp/article-3522960/Indias-biometric-database-crosses-billion-member-mark.html">news by AFP was published by Daily Mail, UK</a> on April 4, 2016. Sunil Abraham gave inputs.</p>
<hr />
<p style="text-align: justify; ">The database was set up seven years ago to streamline benefit payments to millions of poor people as well as to cut fraud and wastage. Under the scheme, called Aadhaar, almost 93 percent of India's adult population have now registered their fingerprints and iris signatures and been given a biometric ID, according to the government.</p>
<p style="text-align: justify; ">IT minister Ravi Shankar Prasad hailed it as "an instrument of good governance" at a ceremony in New Delhi marking the crossing of the one-billion member mark.</p>
<p style="text-align: justify; ">Prasad said the initiative, inherited from the previous left-leaning Congress government, had enabled millions to receive cash benefits directly rather than dealing with middlemen.</p>
<p style="text-align: justify; ">He said the government had saved 150 billion rupees ($2.27 billion) on its gas subsidy scheme alone -- by paying cash directly to biometric card holders instead of providing cylinders at subsidised rates.</p>
<p style="text-align: justify; ">He also said all adequate safeguards were in place to ensure the personal details of card holders could not be stolen or misused by authorities given access to the database.</p>
<p style="text-align: justify; ">"We have taken all measures to ensure privacy. The data will not be shared with anyone except in cases of national security," Prasad said.</p>
<p style="text-align: justify; ">His comments come after parliament passed legislation last month giving government agencies access to the database in the interests of national security.</p>
<p style="text-align: justify; ">It was passed using a loophole to circumvent the opposition in parliament, where the ruling Bharatiya Janata Party (BJP) lacks a majority in the upper house.</p>
<p style="text-align: justify; ">The way it was passed, as well as the legislation itself, raised concerns about government agencies accessing private citizens' details.</p>
<p style="text-align: justify; ">Internet experts have also raised fears about the safety of such a massive database, including hacking and theft of details.</p>
<p style="text-align: justify; ">"It was as if Indian lawmakers wrote an open letter to criminals and foreign states saying, 'we are going to collect data to non-consensually identify all Indians and we are going to store it in a central repository. Come and get it!'," Sunil Abraham, executive director of the Centre for Internet and Society, wrote in India's Frontline news magazine.</p>
No publisher | praskrishna | Aadhaar, Internet Governance, Privacy | 2016-04-07T02:54:08Z | News Item
Surveillance Project
https://cis-india.org/internet-governance/blog/frontline-april-15-2016-sunil-abraham-surveillance-project
<b>The Aadhaar project’s technological design and architecture is an unmitigated disaster and no amount of legal fixes in the Act will make it any better.</b>
<p style="text-align: justify; ">The article will be <a class="external-link" href="http://www.frontline.in/cover-story/surveillance-project/article8408866.ece">published in Frontline</a>, April 15, 2016 print edition.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; "><strong>Zero</strong>. The probability of some evil actor breaking into the central store of authentication factors (such as keys and passwords) for the Internet. Why? That is because no such store exists. And, what is the probability of someone evil breaking into the Central Identities Data Repository (CIDR) of the Unique Identification Authority of India (UIDAI)? Greater than zero. How do we know this? One, the central store exists and two, the Aadhaar Bill lists breaking into this central store as an offence. Needless to say, it would be redundant to have a law that criminalises a technological impossibility. What is the consequence of someone breaking into the central store? Remember, biometrics is just a fancy word for non-consensual and covert identification technology. High-resolution cameras can capture fingerprints and iris information from a distance.</p>
<p style="text-align: justify; ">In other words, on March 16, when Parliament passed the Bill, it was as if Indian lawmakers wrote an open letter to criminals and foreign states saying, “We are going to collect data to non-consensually identify all Indians and we are going to store it in a central repository. Come and get it!” Once again, how do I know that the CIDR will be compromised at some date in the future? How can I make that policy prediction with no evidence to back it up? To quote Sherlock Holmes, “Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth.” If a back door to the CIDR exists for the government, then the very same back door can be used by an enemy within or from outside. In other words, the principle of decentralisation in cybersecurity does not require repeated experimental confirmation across markets and technologies.</p>
<p style="text-align: justify; "><strong>Zero</strong>. The chances that you can fix with the law what you have broken with poor technological choices and architecture. And, to a large extent vice versa. Aadhaar is a surveillance project masquerading as a development intervention because it uses biometrics. There is a big difference between the government identifying you and you identifying yourself to the government. Before UID, it was much more difficult for the government to identify you without your knowledge and conscious cooperation. Tomorrow, using high-resolution cameras and the power of big data, the government will be able to remotely identify those participating in a public protest. There will be no more anonymity in the crowd. I am not saying that law-enforcement agencies and intelligence agencies should not use these powerful technologies to ensure national security, uphold the rule of law and protect individual rights. I am only saying that this type of surveillance technology is inappropriate for everyday interactions between the citizen and the state.</p>
<p style="text-align: justify; ">Some software engineers believe that there are technical fixes for these concerns; they point to the consent layer in the India stack developed through a public-private partnership with the UIDAI. But this is exactly what Evgeny Morozov has dubbed “technological solutionism”—fundamental flaws like this cannot be fixed by legal or technical band-aid. If you were to ask the UIDAI how do you ensure that the data do not get stolen between the enrolment machine and the CIDR, the response would be, we use state-of-the-art cryptography. If cryptography is good enough for the UIDAI why is it not good enough for citizens? That is because if citizens use cryptography [on smart cards] to identify themselves to the state, the state will need their conscious cooperation each time. That provides the feature that is required for better governance without the surveillance bonus. If you really must use biometrics, it could be stored on the smart card after being digitally signed by the enrolment officer. If there is ever a doubt whether the person has stolen the smart card, a special machine can be used to read the biometrics off the card and check that against the person. This way the power of biometrics would be leveraged without any of the accompanying harms.</p>
<p style="text-align: justify; "><b>Zero</b>. This time, for the utility of biometrics as a password or authentication factor. There are two principal reasons for which the Act should have prohibited the use of biometrics for authentication. First, biometric authentication factors are irrevocable unlike passwords, PINs, digital signatures, etc. Once a biometric authentication factor has been compromised, there is no way to change it. The security of a system secured by biometrics is permanently compromised. Second, our biometrics is so easy to steal; we leave our fingerprints everywhere.</p>
<p style="text-align: justify; ">Also, if I upload my biometric data onto the Internet, I can then plausibly deny all transactions against my name in the CIDR. In order to prevent me from doing that, the government will have to invest in CCTV cameras [with large storage] as they do for passport-control borders and as banks do at ATMs. If you anyway have to invest in CCTV cameras, then you might as well stick with digital signatures on smart cards as the previous National Democratic Alliance (NDA) government proposed the SCOSTA (Smart Card Operating System Standard for Transport Application) standard for the MNIC (Multipurpose National ID Card). Leveraging smart card standards like EMV will ensure harnessing greater network effects thanks to the global financial infrastructure of banks. These network effects will drive down the cost of equipment and afford Indians greater global mobility. And most importantly when a digital signature is compromised the user can be issued a new smart card. As Rufo Guerreschi, executive director of Open Media Cluster, puts it, “World leaders and IT experts should realise that citizen freedoms and states’ ability to pursue suspects are not an ‘either or’ but a ‘both or neither’.”</p>
<p style="text-align: justify; "><b>Near zero</b>. We now move to biometrics as the identification factor. The rate of potential duplicates, or “False Positive Identification Rate”, is according to the UIDAI only 0.057 per cent, which according to them will result in only “570 resident enrolments will be falsely identified as duplicate for every one million enrolments.” However, according to an article published in <i>Economic & Political Weekly</i> by my colleague at the Centre for Internet and Society, Hans Verghese Mathews, this will result in one out of every 146 people being rejected during enrolment when total enrolment reaches one billion people. In its rebuttal, the UIDAI disputes the conclusion but offers no alternative extrapolation or mathematical assumptions. “Without getting too deep into the mathematics” it offers an account of “a manual adjudication process to rectify the biometric identification errors”.</p>
<p style="text-align: justify; ">This manual adjudication determines whether you exist and has none of the elements of natural justice such as notice to the affected party and opportunity to be heard. Elimination of ghosts is impossible if only machines and unaccountable humans perform this adjudication. This is because there is zero skin in the game. There are free tools available on the Internet such as SFinGe (Synthetic Fingerprint Generator) which allow you to create fake biometrics. The USB cables on the UIDAI-approved enrolment setup can be intercepted using generic hardware that can be bought online. With a little bit of clever programming, countless ghosts can be created which will easily clear the manual adjudication process that the UIDAI claims will ensure that “no one is denied an Aadhaar number because of a biometric false positive”.</p>
<p style="text-align: justify; "><b>Near zero</b>. This time for surveillance, which I believe should be used like salt in cooking. Essential in small quantities but counterproductive even if slightly in excess. There is a popular misconception that privacy researchers such as myself are opposed to surveillance. In reality, I am all for surveillance. I am totally convinced that surveillance is good anti-corruption technology.</p>
<p style="text-align: justify; ">But I also want good returns on investment for my surveillance tax rupee. According to Julian Assange, transparency requirements should be directly proportionate to power; in other words, the powerful should be subject to more surveillance. And conversely, I add, privacy protections must be inversely proportionate to power—or again, in other words, the poor should be spared from intrusions that do not serve the public interest. The UIDAI makes the exact opposite design assumption; it assumes that the poor are responsible for corruption and that technology will eliminate small-ticket or retail corruption. But we all know that politicians and bureaucrats are responsible for most of large-ticket corruption.</p>
<p style="text-align: justify; ">Why does the UIDAI not first assign UID numbers to all politicians and bureaucrats? Then, using digital signatures, why do we not ensure that we have a public non-repudiable audit trail wherein everyone can track the flow of benefits, subsidies and services from New Delhi to the panchayat office or local corporation office? That will eliminate big-ticket or wholesale corruption. In other words, since most of Aadhaar’s surveillance is targeted at the bottom of the pyramid, there will be limited bang for the buck. Surveillance is the need of the hour; we need more CCTVs with microphones turned on in government offices than biometric devices in slums.</p>
<p style="text-align: justify; "><b>Instantiation technology </b></p>
<p style="text-align: justify; "><b>One</b>. And zero. In the contemporary binary and digital age, we have lost faith in the old gods. Science and its instantiation technology have become the new gods. The cult of technology is intolerant to blasphemy. For example, Shekhar Gupta recently tweeted saying that part of the opposition to Aadhaar was because “left-libs detest science/tech”. Technology as ideology is based on some fundamental articles of faith: one, new technology is better than old technology; two, expensive technology is better than cheap technology; three, complex technology is better than simple technology; and four, all technology is empowering or at the very least neutral. Unfortunately, there is no basis in science for any of these articles of faith.</p>
<p style="text-align: justify; ">Let me use a simple story to illustrate this. I was fortunate to serve as a member of a committee that the Department of Biotechnology established to finalise the Human DNA Profiling Bill, 2015, which was to be introduced in Parliament in the last monsoon session. Aside: the language of the Act also has room for the database to expand into a national DNA database circumventing 10 years of debate around the controversial DNA Profiling Bill, 2015. The first version of this Bill that I read in January 2013 said that DNA profiling was a “powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another … without any doubt”. In other words, to quote K.P.C. Gandhi, a scientist from Truth Labs, “I can vouch for the scientific infallibility of using DNA profiling for carrying out justice.”</p>
<p style="text-align: justify; ">Unfortunately, though, the infallible science is conducted by fallible humans. During one of the meetings, a scientist described the process of generating a biometric profile. The first step after the laboratory technician generated the profile was to compare the generated profile with her or his own profile because during the process of loading the machine with the DNA sample, some of the laboratory technician’s DNA could have contaminated the sample. This error would not be a possibility in much older, cheaper and rudimentary biometric technology, for example photography. A photographer developing a photograph in a darkroom does not have to ensure that his or her own image has not accidentally ended up on the negative. But the UIDAI is filled with die-hard techno-utopians; if you tell them that fingerprints will not work for those who are engaged in manual labour, they will say then we will use iris-based biometrics. But again, complex technologies are more fragile and often come with increased risks. They may provide greater performance and features, but sometimes they are easier to circumvent. A gummy finger to fool a biometric scanner can be produced using glue and a candle, but to fake a passport takes a lot of sophisticated technology. Therefore, it is important for us as a nation to give up our unquestioning faith in technology and start to debate the exact technological configurations of surveillance technology for different contexts and purposes.</p>
<p style="text-align: justify; "><b>One</b>. This time representing a monopoly. Prior to the UID project, nobody got paid when citizens identified themselves to the state. While the Act says that the UIDAI will get paid, it does not specify how much. Sooner or later, this cost of identification will be passed on to the citizens and residents. There will be a consumer-service provider relationship established between the citizen and the state when it comes to identification. The UIDAI will become the monopoly provider of identification and authentication services in India which is trusted by the government. That sounds like a centrally planned communist state to me. Should not the right-wing oppose the Act because it prevents the free market from working? Should not the free market pick the best technology and business model for identification and authentication? Will not that drive the cost of identification and authentication down and ensure higher quality of service for citizens and residents?</p>
<p style="text-align: justify; "><b>Competing providers</b></p>
<p style="text-align: justify; ">Competing providers can also publish transparency reports regarding their compliance with data requests from law-enforcement and intelligence agencies, and if this is important to consumers they will be punished by the market. The government can use mechanisms such as permanent and temporary bans and price regulation as disincentives for the creation of ghosts. There will be a clear financial incentive to keep the database clean. This would be just like the regulatory framework for digital certificates that the government established in the Information Technology Act, allowing for e-commerce and e-governance. Ideally, the Aadhaar Bill should have done something similar and established an ecosystem for multiple actors to provide services in this two-sided market. For it is impossible for a “small government” to have the expertise and experience to run one of the world’s largest databases of biometric and transaction records securely for perpetuity.</p>
<p style="text-align: justify; ">To conclude, I support the use of biometrics. I support government use of identification and authentication technology. I support the use of ID numbers in government databases. I support targeted surveillance to reduce corruption and protect national security. But I believe all these must be put in place with care and thought so that we do not end up sacrificing our constitutional rights or compromising the security of our nation state. Unfortunately, the Aadhaar project’s technological design and architecture is an unmitigated disaster and no amount of legal fixes in the Act will make it any better. Our children will pay a heavy price for our folly in the years to come. To quote the security guru Bruce Schneier, “Data is a toxic asset. We need to start thinking about it as such, and treat it as we would any other source of toxicity. To do anything else is to risk our security and privacy.”</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/frontline-april-15-2016-sunil-abraham-surveillance-project'>https://cis-india.org/internet-governance/blog/frontline-april-15-2016-sunil-abraham-surveillance-project</a>
</p>
No publisher | sunil | Aadhaar, Internet Governance, Privacy | 2016-04-05T15:21:27Z | Blog Entry
Will Aadhaar Act Address India’s Dire Need For a Privacy Law?
https://cis-india.org/internet-governance/blog/the-quint-march-31-2016-nehaa-chaudhari-will-aadhaar-act-address-indias-dire-need-for-a-privacy-law
<p>The article was published by <a class="external-link" href="http://www.thequint.com/opinion/2016/03/30/will-aadhaar-act-address-indias-dire-need-for-a-privacy-law">Quint </a>on March 31, 2016.</p>
<hr />
<table class="plain">
<tbody>
<tr>
<th><img src="https://cis-india.org/home-images/Snapshot.jpg" alt="Snapshot" class="image-inline" title="Snapshot" /></th>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">The passage of the <i>Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016</i> (hereafter referred to as “the Act”) has led to flak for the government from <a href="http://cis-india.org/internet-governance/blog/aadhaar-bill-fails-to-incorporate-suggestions-by-the-standing-committee" rel="external"><span>privacy advocates</span></a>, academia and <a href="http://cis-india.org/internet-governance/blog/list-of-recommendations-on-the-aadhaar-bill-2016" rel="external"><span>civil society</span></a>, to name a few.</p>
<p style="text-align: justify; ">To my mind, the opposition deserves its fair share of criticism (lacking so far), for its absolute failure to engage with and act as a check on the government in the passage of the Act, and the events leading up to it.</p>
<p style="text-align: justify; ">The government’s introduction of the Act as a ‘money bill’ under Article 110 of the <a href="http://indiacode.nic.in/coiweb/welcome.html" rel="external"><span>Constitution of India</span></a> (“this/the Article”) is a mockery of the constitutional process. It renders redundant the role of the Rajya Sabha as a check on the functioning of the Lower House.</p>
<blockquote class="quoted">Article 110 limits a ‘money bill’ to only six specific instances, covering tax, the government’s financial obligations, receipts and payments to and from the Consolidated Fund of India, and connected matters.</blockquote>
<p>The Act lies well outside the confines of the Article; the government’s action may attract the attention of the courts.</p>
<h2>Political One-Upmanship</h2>
<table class="plain">
<tbody>
<tr>
<th><img src="https://cis-india.org/home-images/copy_of_Arun.jpg/@@images/93b5fc12-dc62-419d-8ef1-e0b188a12db9.jpeg" alt="Arun Jaitely" class="image-inline" title="Arun Jaitely" /></th>
</tr>
<tr>
<td>Finance Minister Arun Jaitley (left) listens to Reserve Bank of India (RBI) Governor Raghuram Rajan. (Photo: Reuters)</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">In the past, the Supreme Court (“the Court”) has stepped into the domain of the Parliament or the Executive when there was a complete and utter disregard for India’s constitutional scheme. In recent constitutional history, this is perhaps most noticeable in the anti-defection cases (beginning with Kihoto Hollohan in 1992) and in the SR Bommai case in 1994, on the imposition of the President’s rule in states.</p>
<p style="text-align: justify; ">In hindsight, although India has benefited from the Court’s action in the <i>Bommai </i>and <i>Hollohan </i>cases, it is unlikely that the passage of the Aadhaar Act as a ‘money bill’, reprehensible as it is, meets the threshold required for the Court’s intervention in Parliamentary procedure.</p>
<p>Besides the manner of its passage, the Act warrants</p>
<ul>
<li>Censure for its <a href="http://cis-india.org/internet-governance/blog/epw-27-february-2016-hans-varghese-mathews-flaws-in-uidai-process" rel="external"><span>process</span></a></li>
<li>Its (in)<a href="http://www.thehindu.com/opinion/lead/lead-article-on-aadhaar-bill-by-chinmayi-arun-privacy-is-a-fundamental-right/article8366413.ece" rel="external"><span>compatibility with fundamental rights</span></a></li>
<li>The<a href="http://thewire.in/2016/03/10/aadhaar-bill-fails-to-incorporate-standing-committees-suggestions-24433/" rel="external"><span> failure to incorporate the suggestions</span></a> of the Yashwant Sinha-led Standing Committee to UPA’s NIDAI Bill</li>
<li>The <a href="http://economictimes.indiatimes.com/news/politics-and-nation/aadhaar-more-intrusive-than-us-surveillance-exposed-by-snowden-say-privacy-advocates/articleshow/51425678.cms" rel="external"><span>possibility of surveillance</span></a> that it presents</li>
<li>The lack of measures to protect personal information</li>
<li>Its inadequate privacy safeguards</li>
<li>The <a href="http://www.business-standard.com/article/economy-policy/aadhaar-linked-lpg-govt-says-rs-15-000-cr-saved-survey-says-only-rs-14-cr-in-fy15-116031800039_1.html" rel="external"><span>questions</span></a> around the realisation of its <a href="http://www.business-standard.com/article/economy-policy/aadhaar-enabled-e-kyc-can-save-rs-10-000-cr-over-next-5-yrs-survey-116031800760_1.html" rel="external"><span>stated purpose</span></a>.</li>
</ul>
<p>Instead, a part of the Aadhaar debate has involved political one-upmanship between the Congress and the BJP, <a href="http://www.businesstoday.in/current/policy/nda-aadhaar-is-a-far-cry-from-what-upa-proposed/story/230403.html" rel="external"><span>pitting the former’s NIDAI Bill against the latter’s Aadhaar Act</span></a>.</p>
<p>While an academic <a href="http://cis-india.org/internet-governance/blog/a-comparison-of-the-2016-aadhaar-bill-and-the-2010-nidai-bill" rel="external"><span>comparison </span></a>between the two is welcome, its use as a tool for political supremacy would be laughable, were it not deeply problematic, given the many serious concerns highlighted above.</p>
<h2>Better Than UPA Bill?</h2>
<table class="plain">
<tbody>
<tr>
<th><img src="https://cis-india.org/home-images/copy2_of_PrivacyLaw.jpg/@@images/ce543cf9-a4aa-4bcd-8483-98e0c3a58148.jpeg" alt="Privacy" class="image-inline" title="Privacy" /></th>
</tr>
<tr>
<td style="text-align: center; ">The Act may have more privacy safeguards than the earlier UPA Bill. (Photo: iStockphoto)</td>
</tr>
</tbody>
</table>
<div>
<p>And while the Act may have more privacy safeguards than the earlier UPA Bill, <a href="http://economictimes.indiatimes.com/news/politics-and-nation/aadhaar-more-intrusive-than-us-surveillance-exposed-by-snowden-say-privacy-advocates/articleshow/51425678.cms" rel="external"><span>critics have argued</span></a> that they are not up to the international standard, and instead, that they are plagued by opacity.</p>
<p>Additionally, despite claims that the Act is a <a href="http://scroll.in/article/805348/corex-correction-the-real-problem-with-the-recent-ban-of-344-drugs-in-india" rel="external"><span>significant improvement over the UPA Bill</span></a>, it fails to address concerns, including around the centralised storage of information, that were<a href="http://www.livemint.com/Politics/l0H1RQZEM8EmPlRFwRc26H/Govt-narrative-on-Aadhaar-has-not-changed-in-the-last-six-ye.html" rel="external"><span> raised by civil society members</span></a> and others.</p>
<p style="text-align: justify; ">Perhaps most problematically, however, the Act takes away an individual’s control of her own information. Subsidies, government benefits and services are linked to the mandatory possession of an Aadhaar number (Section 7 of the Act), effectively <a href="http://www.firstpost.com/india/no-aadhaar-for-invading-privacy-uid-is-mandatory-even-though-govt-wants-you-to-believe-its-not-2681214.html" rel="external"><span>negating the ‘freedom’ </span></a>of voluntary enrollment (Section 3 of the Act). This directly contradicts the recommendations of the Justice AP Shah Committee, before whom the Unique Identification Authority of India <a href="http://scroll.in/article/804922/seven-reasons-why-parliament-should-debate-the-aadhaar-bill-and-not-pass-it-in-a-rush" rel="external"><span>had earlier stated that </span></a>enrollment in Aadhaar was voluntary.</p>
<p>To make matters worse, the individual does not have the authority to correct, modify or alter her information; this lies, instead, with the UIDAI alone (Section 31 of the Act). And the sharing of such personal information does not require a court order in all cases.</p>
<table class="plain">
<tbody>
<tr>
<th><img src="https://cis-india.org/home-images/Students.jpg/@@images/af2356b9-df1f-45b9-8a7b-8fb3321769f7.jpeg" alt="Students" class="image-inline" title="Students" /></th>
</tr>
<tr>
<td style="text-align: center; ">Kanhaiya Kumar speaking in JNU on 3 March 2016. (Photo: PTI)</td>
</tr>
</tbody>
</table>
</div>
<p> </p>
<div>It may be authorised by Executive authorities under the vague, ill-understood concept of ‘national security’ (Section 33(2) of the Act), which the Act does not define. We would do well to learn the dangers of leaving ‘national security’ open to interpretation, in the aftermath of the recent events at JNU.</div>
<p><br />These recent events around Aadhaar have only underscored the dire urgency for comprehensive privacy legislation in India, and the need to overhaul our data protection laws to meet our constitutional commitments along with international standards.</p>
<div style="text-align: justify; ">Meanwhile, constitutional challenges to the Aadhaar scheme are currently pending in the Supreme Court. The Court’s verdict may well decide the future of the Aadhaar Act, with the stage already set for a constitutional challenge to the legislation. The BJP’s victory in this case may be short-lived.</div>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/blog/the-quint-march-31-2016-nehaa-chaudhari-will-aadhaar-act-address-indias-dire-need-for-a-privacy-law'>https://cis-india.org/internet-governance/blog/the-quint-march-31-2016-nehaa-chaudhari-will-aadhaar-act-address-indias-dire-need-for-a-privacy-law</a>
</p>
No publisher | nehaa | Aadhaar, Internet Governance, Privacy | 2016-04-05T16:01:06Z | Blog Entry
Making Aadhaar Mandatory: Gamechanger For Governance?
https://cis-india.org/internet-governance/news/ndtv-march-20-2016-making-aadhaar-mandatory-gamechanger-for-governance
<b>Why has a programme that both the Congress and the BJP have hailed as transformational divided Parliament this week? The Aadhaar Bill, which was passed this week, aims at facilitating government benefits and subsidies to citizens, said Finance Minister Arun Jaitley.</b>
<p style="text-align: justify; ">Yet it became a reason for the Rajya Sabha to raise key questions. On the panel - Chandan Mitra, Rajya Sabha MP, BJP; Ajoy Kumar, Spokesperson, Congress; Tathagat Sathapathy, Lok Sabha MP, Biju Janata Dal; Rajeev Chandrashekhar, Rajya Sabha MP; Sunil Abraham, Executive Director, Centre for Internet & Society; and Shekhar Gupta, Senior Journalist.</p>
<h3 style="text-align: justify; ">Video</h3>
<p><iframe width="420" src="https://www.youtube.com/embed/BY_OPw2ErmM" frameborder="0" height="315"></iframe></p>
<hr />
<p style="text-align: justify; "><a class="external-link" href="http://www.ndtv.com/video/player/the-ndtv-dialogues/making-aadhaar-mandatory-gamechanger-for-governance/408648">Link to NDTV website</a></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/ndtv-march-20-2016-making-aadhaar-mandatory-gamechanger-for-governance'>https://cis-india.org/internet-governance/news/ndtv-march-20-2016-making-aadhaar-mandatory-gamechanger-for-governance</a>
</p>
No publisher | praskrishna | Aadhaar, Internet Governance, Privacy | 2016-03-24T06:50:10Z | News Item
How the government gains when private companies use Aadhaar
https://cis-india.org/internet-governance/news/scroll.in-march-24-2016-rajshekhar-anumeha-yadav-how-the-govt-gains-when-private-companies-use-aadhaar
<p>This blog post by M. Rajshekhar and Anumeha Yadav was published in <a href="http://scroll.in/article/805467/how-the-government-gains-when-private-companies-use-aadhaar"><span>Scroll.in</span></a> on March 24, 2016. Sunil Abraham was quoted.</p>
<hr />
<p style="text-align: justify; ">Last week, Rajya Sabha made a last-ditch attempt to modify the contentious Aadhaar legislation introduced by the Modi government. Since the legislation was introduced as a Money Bill, the Upper House had no powers to amend it. It could only send back the bill with recommended amendments.</p>
<p style="text-align: justify; ">One of the clauses which Rajya Sabha wished to amend related to the use of the Aadhaar number, the 12-digit unique identification number assigned after the collection of an individual’s biometrics in the form of fingerprints and iris scans.</p>
<p style="text-align: justify; ">Clause 57 said that anyone, whether an individual or a public or private organisation, could use the Aadhaar number. Rajya Sabha voted to restrict the use of the number to the government. After all, the government had justified introducing Aadhaar legislation as a Money Bill by stating that it would be used for delivering government subsidies and benefits funded out of the Consolidated Fund of India. If the delivery of government welfare is the aim of Aadhaar, why should private companies be allowed to use it?</p>
<p style="text-align: justify; ">The Rajya Sabha recommended dropping clause 57 to limit the use of Aadhaar to government agencies. But the Lok Sabha rejected its recommendation, and cleared the Bill in its original form, paving the way for private companies to use Aadhaar.</p>
<p style="text-align: justify; ">Strikingly, however, well before the Bill was cleared, a private company started advertising its services as “India’s 1st Aadhaar based mobile app to verify your maid, driver, electrician, tutor, tenant and everyone else instantly”. In an <a href="http://scroll.in/article/805201/the-future-is-here-a-private-company-claims-to-have-access-to-your-aadhaar-data"><span style="text-decoration: underline;">article</span></a> for <em>Scroll.in,</em> legal researcher Usha Ramanathan said, “A private company is advertising that it can use Aadhaar to collate information about citizens at a price. It says this openly, even as a case about the privacy of the information collected for the biometrics-linked government database is still pending in the Supreme Court.”</p>
<p><strong>LinkedIn for plumbers</strong></p>
<p>The company that owns the mobile app called TrustID believes it is not doing anything wrong.</p>
<p style="text-align: justify; ">Monika Chowdhry, who heads the marketing division of Swabhimaan Distribution Services, the company that created TrustID, defended the app, saying it offers the valuable service of verifying people's identities. “In our day to day life, we do a lot of transactions with people – like maids or plumbers. Till now, you would have to trust them on what they said about themselves and what others said about the quality of their work.” The company is solving that problem, she said. “We are saying ask the person for their Aadhaar number and name and we will immediately tell you if they are telling the truth or not,” Chowdhry said.</p>
<p style="text-align: justify; ">Chowdhry said that over time, the Aadhaar number of individuals will be used to create a private verified database of TrustIDs. “Our plan is to create a rating mechanism,” she said. Referring to the option for maids, plumbers and other service providers on the app, she added: “People like you and me, we have LinkedIn and Naukri. What do these people have?”</p>
<p>How does the company use Aadhaar for verification and is there a reason to be concerned?</p>
<p><strong>Aadhaar authentication</strong></p>
<p style="text-align: justify; ">After you have logged into the TrustID app, you can choose from a dropdown menu of categories. You can send anyone's Aadhaar number, gender and name – or even biometrics – and the app claims it can verify their identity.</p>
<p> </p>
<p><figure class="cms-block-image cms-block"><img src="https://c2.staticflickr.com/2/1607/25979673596_e8c67299f5_b.jpg" /></figure></p>
<p> </p>
<p style="text-align: justify; ">The app performs Aadhaar authentication – which means it matches an Aadhaar number with the information stored against that number in the servers of the Unique Identification Authority of India. At the time an individual enrols for an Aadhaar number, they disclose their name, gender, address and give biometric scans. This information is held in a database maintained by the UID authority.</p>
<p style="text-align: justify; ">One of the criticisms of Aadhaar has been that the database of millions of people could be misused in the absence of a privacy law in India. First, there is the question about whether the biometrics are secure. Second, there are risks that accompany the uncontrolled use of unique numbers.</p>
<p style="text-align: justify; ">In response, the proponents of Aadhaar have said that the data is encrypted and secure, and can be accessed only by the authority. Those wanting to authenticate – or match – the Aadhaar number cannot directly access the database. They can simply make requests to the authority which authenticates the number for them.</p>
<p>So far, it appeared that the authority was taking Aadhaar authentication requests solely from government agencies. For instance, to pay wages to workers of the rural employment guarantee programme.</p>
<p style="text-align: justify; ">But TrustID’s example showed that private companies too have been sending authentication requests to the authority. This is not entirely surprising for those who have followed the blueprint for Aadhaar as envisioned by Nandan Nilekani, its founder. In an <a class="link-external" rel="nofollow" href="http://www.mckinsey.com/industries/public-sector/our-insights/for-every-citizen-an-identity" target="_blank"><span style="text-decoration: underline;">interview</span></a> in 2012, Nilekani spoke about creating a "thriving application system" using Aadhaar for both the public and private sector.</p>
<p style="text-align: justify; ">Chowdhry said Swabhimaan Distribution Services registered as an Aadhaar authentication agency in November 2015, and the app was launched in January 2016.</p>
<p> </p>
<p><figure class="cms-block-image cms-block"><img src="http://d1u4oo4rb13yy8.cloudfront.net/bnqkqkhrnf-1458797562.png" /></figure></p>
<p> </p>
<p style="text-align: justify; ">TrustID, or Swabhimaan, is not the only private company that has signed up as an authentication agency for Aadhaar. A quick Google search throws up the name of <a class="link-external" rel="nofollow" href="https://www.alankit.com/egovernance.aspx?id=AUA" target="_blank"><span style="text-decoration: underline;">Alankit</span></a>, which wants to “provide Aadhaar Enabled Services to its beneficiaries, clients and customers and can further verify the correctness of the Aadhaar numbers provided”.</p>
<p style="text-align: justify; ">This shows the authority entered into agreements with private companies well before the Aadhaar law was passed in Parliament. The companies were running ahead of legislation in a space unbounded by law, and the UIDAI supported them in this.</p>
<p style="text-align: justify; ">It is unclear how many private companies were sending requests for Aadhaar authentication. <em>Scroll's</em> questions to Harish Agrawal, the deputy director general of Aadhaar's Authentication and Application Division, remained unanswered.</p>
<p style="text-align: justify; ">In an interview to <em>Business Standard</em>, ABP Pandey, the director general of the UIDAI, said, "Usually what happens is that first a law is passed and thereafter the institutions are built and operations start. Here it has happened the other way around. The operations – the enrolment – is almost complete. The organisation is also there and has been working under executive orders. Now everything has to be kind of retrofitted in to the acts and the regulations."</p>
<p><strong>Why is this problematic?</strong></p>
<p>For one, allowing private companies to use the Aadhaar number shows that the government’s stated aims of Aadhaar are misleading.</p>
<p style="text-align: justify; ">Both in the Supreme Court and in Parliament, the government has pushed for the use of Aadhaar as an instrument of welfare delivery. It justified passing Aadhaar legislation as a Money Bill by emphasising its importance to its welfare schemes. But as the case of Swabhimaan shows, Aadhaar's uses clearly go well beyond what the Bill's preamble describes as the “targeted delivery of subsidies, benefits and services, the expenditure for which is incurred from the Consolidated Fund of India.”</p>
<p style="text-align: justify; ">Two, biometrics and unique identification numbers are a qualitatively new form of private information. As such, they bring unknown risks. India does not have a privacy law, and a law defining the use of biometrics and unique numbers is yet to be created. Delhi-based lawyer Apar Gupta said, “Even the Aadhaar Bill is yet to be approved by the president. Its rules are yet to be drafted. There is not enough legal guidance on its use.”</p>
<p style="text-align: justify; ">Three, companies like Swabhimaan would be in a position to construct databases of their own. Take TrustID. When it starts retaining Aadhaar numbers, and adds ratings to them, it creates a database of its own, which amounts to creating profiles of people.</p>
<p style="text-align: justify; ">Here, as Ramanathan said, the analogy with the networking site LinkedIn doesn't work. “When I have an account on LinkedIn, I update my data,” she said. But the TrustID app generates profiles out of the ratings that others give. Even if a prospective employee shares his/her Aadhaar number, it does not amount to free consent since getting a job hinges on giving that number.</p>
<p style="text-align: justify; ">In the future, companies could use Aadhaar numbers in unknown ways, for instance, to combine multiple databases – banks, telecom companies, hospitals – to create detailed profiles of you and me that they can monetise. In effect, Aadhaar becomes a commercial instrument for private companies, and not just a mechanism for the delivery of government welfare.</p>
<p><strong>Gains for the government</strong></p>
<p style="text-align: justify; ">Sunil Abraham, the executive director of the Centre for Internet and Society, further explained the risks that arise when databases are combined. He cited the example of <a class="link-external" rel="nofollow" href="https://www.iiitd.ac.in/research/news/ocean" target="_blank"><span style="text-decoration: underline;">OCEAN</span></a>, the system created by researchers at the Indraprastha Institute of Information Technology to raise privacy awareness. OCEAN used publicly available information held by the government (voter identity card, PAN card, driving licence) to access details about citizens in Delhi. This public data was combined with people's Facebook and Twitter accounts, and the aggregated results were visualised as a family tree which showed information extending to a person’s parents, siblings and spouse.</p>
<p style="text-align: justify; ">"If a company like TrustID tied up with OCEAN, it can create a very detailed profile of an individual," said Abraham. "To continue with the example of a job-seeker, if an employer uses TrustID to verify applicants' identity or profiles, the App may combine a database like OCEAN to track that you logged into Twitter at, say 2 am on most nights. It can profile you as someone who might not turn up at work on time in the morning."</p>
<p style="text-align: justify; ">Abraham pointed out that the government too stands to gain by allowing private companies to use Aadhaar for authentication. "Use of authentication by private companies will mean UIDAI can have information on authentications performed on you, or by you, over time in the private sphere as well, say during such a job search," he said. For instance, when TrustID runs a search for your prospective employers using your Aadhaar number, the government knows you have applied for a job at certain companies. "This is unnecessary involvement of the government, giving it access to information in an area that it should not have access to."</p>
<p>Over time, such Aadhaar authentication for private services in companies, hospitals, or hotels will "help the government gain granular data on citizens", he said.</p>
<p>Perhaps that explains why the government rushed the Aadhaar Bill through Parliament, allowing little time and room for public debate.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/scroll.in-march-24-2016-rajshekhar-anumeha-yadav-how-the-govt-gains-when-private-companies-use-aadhaar'>https://cis-india.org/internet-governance/news/scroll.in-march-24-2016-rajshekhar-anumeha-yadav-how-the-govt-gains-when-private-companies-use-aadhaar</a>
</p>
No publisher; praskrishna; Aadhaar, Internet Governance, Privacy; 2016-04-01T15:58:38Z; News Item
Seven reasons why Parliament should debate the Aadhaar bill (and not pass it in a rush)
https://cis-india.org/internet-governance/news/scroll.in-anumeha-yadav-march-24-2016-seven-reasons-why-parliament-should-debate-the-aadhaar-bill-and-not-pass-it-in-a-rush
<b>Critics say the Aadhaar Bill does not address concerns over privacy, even as government is rushing the Bill without adequate parliamentary scrutiny.</b>
<p style="text-align: justify; ">The blog post by Anumeha Yadav was published in <a class="external-link" href="http://scroll.in/article/804922/seven-reasons-why-parliament-should-debate-the-aadhaar-bill-and-not-pass-it-in-a-rush">Scroll.in</a> on March 11, 2016. Pranesh Prakash was quoted.</p>
<hr />
<p style="text-align: justify; ">Since it was launched by the United Progressive Alliance government in 2009, the Unique Identification project called Aadhaar has functioned without a legal framework. The project, which aims to assign a biometric-based number to every Indian resident, has been run under an executive order, which means Parliament has no oversight over it.</p>
<p style="text-align: justify; ">An Aadhaar Bill was introduced in 2010 but it was rejected by a parliamentary committee over legislative, security, and privacy concerns.</p>
<p style="text-align: justify; ">For long, critics have expressed concerns over collecting and centralising citizens' biometric data ‒ such as fingerprints and retina scans ‒ on a mass scale in the absence of a privacy law. The Supreme Court in several orders in 2014 and 2015 affirmed that the government cannot require people to register for an Aadhaar number and no one can be deprived of a government service for not having an Aadhaar number. The Supreme Court is now set to form a constitution bench to examine the contours of the right to privacy flowing from the government's arguments in the Aadhaar case.</p>
<p style="text-align: justify; ">Before the bench begins its work, however, the Modi government has introduced a new Bill on Aadhaar, which could override the court's orders.</p>
<p style="text-align: justify; ">The <a class="link-external" rel="nofollow" href="http://www.prsindia.org/administrator/uploads/media/AADHAAR/Aadhaar%20Bill,%202016.pdf" target="_blank"><span>Aadhaar </span></a>(Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill was introduced on March 3 in Lok Sabha. Finance minister Arun Jaitley said the new Bill addresses concerns over privacy and the security and confidentiality of information.</p>
<p style="text-align: justify; ">But a close examination of the Bill shows several questions remain.</p>
<p style="text-align: justify; "><strong>1. Does the Bill make it mandatory for you to get an Aadhaar number?<br /></strong>Yes, you may have to compulsorily enrol under Aadhaar, despite the privacy concerns explained in the sections below.</p>
<p style="text-align: justify; ">Four-time member of the Lok Sabha, Bhartruhari Mahtab of the Biju Janata Dal, was on the parliamentary committee on finance that examined the previous Aadhaar Bill introduced in 2010. He said the new Aadhaar Bill does not specify that it will <em>not</em> be made mandatory.</p>
<p style="text-align: justify; ">“There is duplicity over this issue,” said Mahtab. “Nandan Nilekani [the former chairperson of the Unique Identification Authority of India] repeatedly told us in the parliamentary committee that Aadhaar is not mandatory. The Supreme Court also said, 'You cannot make it mandatory.'”</p>
<p style="text-align: justify; ">But if a service agent asks for Aadhaar mandatorily, then as a beneficiary, citizens have no option but to get an Aadhaar number, Mahtab explained. “The government, or a private company, cannot force me to get an Aadhaar number,” he said. “The government should bring a law that clearly says Aadhaar is not mandatory.”</p>
<p style="text-align: justify; ">A committee of experts on privacy, chaired by Justice AP Shah, had <a class="link-external" rel="nofollow" href="http://planningcommission.nic.in/reports/genrep/rep_privacy.pdf" target="_blank"><span>recommended</span></a> in 2012 that the Bill should specify that individuals have the choice to opt in to or out of providing their Aadhaar number, and a service should not be denied to individuals who do not provide their number. The Unique Identification Authority of India had then stated to the committee that the enrolment in Aadhaar is voluntary.</p>
<p style="text-align: justify; ">But the new Aadhaar Bill does not incorporate a categorical clause on opt-in and opt-out. Instead, it broadens the scope of Aadhaar. Jaitley said the Bill will allow the government to ask a citizen to produce an Aadhaar number to avail of any government subsidy. But section 7 of the Bill is phrased more broadly, and refers to not just subsidies but any “subsidy, benefit or service” for which expense is incurred on the Consolidated Fund of India, or the government treasury.</p>
<blockquote class="cms-block-quote cms-block" style="text-align: justify; ">
<p>7. The Central Government or, as the case may be, the State Government may, for the purpose of establishing identity of an individual as a condition for receipt of a subsidy, benefit or service for which the expenditure is incurred from, or the receipt therefrom forms part of, the Consolidated Fund of India, require that such individual undergo authentication, or furnish proof of possession of Aadhaar number or in the case of an individual to whom no Aadhaar number has been assigned, such individual makes an application for enrolment: Provided that if an Aadhaar number is not assigned to an individual, the individual shall be offered alternate and viable means of identification for delivery of the subsidy, benefit or service.</p>
</blockquote>
<p style="text-align: justify; ">As noted above, the proviso in section 7 is premised on the phrase: “if an Aadhaar number is not assigned”. This, along with the preceding language in the section, indicates that a citizen may be compulsorily required to apply for enrolment.</p>
<p style="text-align: justify; ">Section 8 permits a “requesting entity” to utilise identity information for authentication with the Central Identities Data Repository. A “requesting entity” is defined under Section 2(u), and will include private entities.</p>
<p style="text-align: justify; "><strong>2. Does the Bill allow Aadhaar authorities to share your personal data?<br /></strong>Yes, in the "interest of national security", a term that remains undefined.</p>
<p style="text-align: justify; ">Both legal experts and members of Parliament have flagged the provisions in the Bill on the circumstances in which users' data, including core biometrics information, can be shared.</p>
<p style="text-align: justify; ">The debate centres on the interception provisions in section 33.</p>
<p style="text-align: justify; ">In a <a class="link-external" rel="nofollow" href="http://indianexpress.com/article/opinion/columns/aadhaar-bill-lpg-subsidy-mgnrega-paperless-govt-basis-of-a-revolution/#sthash.FJeqBNmJ.dpuf" target="_blank"><span>piece</span></a> in <em>The Indian Express</em>, Nandan Nilekani, the former chairperson of the issuing authority, stated that the Aadhaar Bill provides that no core biometric information can be shared, a principle without exception. “...Clause 29(1) is not overridden by Clause 33(2),” he noted.</p>
<p style="text-align: justify; ">However, a closer reading of the Bill shows this is not the case. Clause 33(2), in fact, does provide an exception to clause 29(1)(b):</p>
<blockquote class="cms-block-quote cms-block" style="text-align: justify; ">
<p>33(2) Nothing contained in sub-section (2) or sub-section (5) of section 28 and <strong>clause (b) of </strong><strong>sub-section (1), </strong>sub-section (2) or sub-section (3) <strong>of section 29</strong> shall apply in respect of any disclosure of information, including identity information or authentication records, made in the interest of national security in pursuance of a direction of an officer not below the rank of Joint Secretary to the Government of India specially authorised in this behalf by an order of the Central Government</p>
</blockquote>
<p style="text-align: justify; ">where Section 29(1)(b) states:</p>
<blockquote class="cms-block-quote cms-block" style="text-align: justify; ">
<p>29. (1) No core biometric information, collected or created under this Act, shall be — (b) used for any purpose other than generation of Aadhaar numbers and authentication under this Act.</p>
</blockquote>
<p style="text-align: justify; ">Pranesh Prakash, a lawyer and policy director of the Centre for Internet and Society, said: “This implies that the core biometric information, collected or created under the Aadhaar Act, may be used for purposes other than the generation of Aadhaar numbers and authentication <em>‘in the interest of national security.’</em>”</p>
<p style="text-align: justify; ">Legal experts point out that the phrase “national security” is undefined in the present bill, as well as the General Clauses Act, and thus the circumstances in which an individual's information may be disclosed remain open to interpretation.</p>
<p style="text-align: justify; ">Section 33(1) permits the disclosure of an individual's demographic information (but not biometrics) following an order by a district judge. It says that no such order shall be made without giving an opportunity of hearing to the UIDAI, but <em>not to the person whose data is being disclosed</em>.</p>
<p style="text-align: justify; "><strong>3. Does the Bill protect you from interception and surveillance?<br /></strong>No, the Bill does not provide for transparency concerning covert surveillance.</p>
<p style="text-align: justify; ">Section 33(2), which permits disclosure of demographic and biometric information pursuant to directions of the joint secretary in the interest of national security, says such disclosures will be for three months initially, and a fresh renewal can be granted for another three months, without a limitation on the number of such renewals.</p>
<p style="text-align: justify; ">This can lead to a user being under continuous surveillance, and without any notification to the user even after the surveillance ceases, violating one of the <a class="link-external" rel="nofollow" href="http://www.ohchr.org/Documents/Issues/Privacy/ElectronicFrontierFoundation.pdf" target="_blank"><span>necessary and proportionate principles on communications surveillance</span></a> related to user notification and right to effective remedy. In some countries, this principle has been incorporated in law. For example, in Canada, the law limits the time of wiretapping surveillance, and imposes an obligation to notify the person under surveillance within 90 days of the end of the surveillance, extendable to a maximum of three years at a time.</p>
<p style="text-align: justify; ">“The interception provisions are severely problematic,” said Apar Gupta, a technology lawyer. “They are not open to independent scrutiny and even derogate from the already deficient practices which relate to phone tapping (Rule 419-A of the Telegraph Rules) and interception of data (Interception Rules, 2011).”</p>
<p style="text-align: justify; ">Legal scholar Usha Ramanathan pointed out that the Bill lacks provisions on giving notice to a person in case of breach of information, in case of third party use of data, or change in purpose of use of data – which were among provisions recommended by the Justice Shah Committee on Privacy in 2012.</p>
<p style="text-align: justify; "><strong>4. Does the Bill allow you to seek redress in case of breach of information?<br /></strong>Yes, but the provisions are weak.</p>
<p style="text-align: justify; ">Government officials overseeing the project said that the 2016 Bill is an improvement over the 2010 Bill as it safeguards the information of those enrolled as per sections of the Information Technology Act, 2000.</p>
<p style="text-align: justify; ">But technology law experts say the adjudicatory system for disclosure of sensitive personal data under the IT Act has structural flaws and is not functional.</p>
<p style="text-align: justify; ">“Initial complaints against the disclosure of sensitive personal data go to an adjudicating officer who is usually the IT Secretary of the state government and may not be trained in law,” said Gupta, the technology lawyer. “There is no court infrastructure and no permanent seat for such cases. The appellate body, the Cyber Appellate Tribunal, has not been made operational in the last three years. Hence, the civil remedies offered [in the Aadhaar Bill] are at best illusionary and unenforceable.”</p>
<p style="text-align: justify; "><strong>5. Does the Bill give you the right to alter your information?<br /></strong>No, it leaves you to the mercy of the Unique Identification Authority of India.</p>
<p style="text-align: justify; ">Imagine a situation where a user simply wants to change their first or last name, or say, not use their caste name. Under Section 31 of the Bill, individuals can only request the UID authority to alter their information, which it may do “if it is satisfied”. There is no penalty on the authority if it fails to respond. The Bill does not provide for a user to even be able to approach a court to ask for their information relating to Aadhaar to be corrected.</p>
<p style="text-align: justify; ">International norms for data protection give individuals the right to correct and alter information, if their demographic data changes. They <a class="link-external" rel="nofollow" href="https://ico.org.uk/for-organisations/guide-to-data-protection/principle-6-rights/correcting-inaccurate-personal-data/" target="_blank"><span>provide</span></a> for individuals to have a copy of their information, and to approach courts for an order to rectify, block or erase inaccurate information.</p>
<p style="text-align: justify; ">In an <a class="link-external" rel="nofollow" href="http://www.livemint.com/Politics/l0H1RQZEM8EmPlRFwRc26H/Govt-narrative-on-Aadhaar-has-not-changed-in-the-last-six-ye.html" target="_blank"><span>interview</span></a> to <em>Mint</em>, Sunil Abraham, director of the Centre for Internet and Society, compared the rights of Aadhaar users to the rights we now take for granted as internet users. “Authentication factors [biometrics in the case of Aadhaar], commonly known as passwords, should always be revocable,” noted Abraham. “That means if the password is compromised, you should be able to change the password or at least say that this password is no longer valid.” In its current form, the Aadhaar Bill gives users no such rights.</p>
<p style="text-align: justify; "><strong>6. Is the current Bill an improvement over the previous one?<br /></strong>Not really.</p>
<p style="text-align: justify; ">The Aadhaar Bill 2016 provides that the renewals of requests for disclosure of data will be reviewed by an oversight committee consisting of the cabinet secretary and the secretaries in the department of legal affairs and the department of electronics and information technology.</p>
<p style="text-align: justify; ">This is a watered down version of the provisions in the previous Unique Identification Authority of India <a class="link-external" rel="nofollow" href="http://www.prsindia.org/uploads/media/UID/The%20National%20Identification%20Authority%20of%20India%20Bill,%202010." target="_blank"><span>2010 Bill</span></a>, said Chinmayi Arun, executive director, Centre for Communication Governance at the National Law University Delhi.</p>
<p style="text-align: justify; ">“The previous version or the 2010 Bill provided for a three-member review committee, consisting of the nominees of the prime minister, the leader of the opposition, and a third nominee of a union cabinet minister, with the restriction that these nominees could not be a member of parliament or a member of a political party,” Arun said. “This would be a more independent committee than the one proposed now, wherein there will be executive oversight for executive orders.”</p>
<p style="text-align: justify; ">Regarding penalties, the previous 2010 Bill made copying, deleting, stealing, or altering information in the Central Identities Data Repository, punishable with a jail term of up to three years and a fine not less than Rs 1 crore.</p>
<p style="text-align: justify; ">Section 38 of the new Aadhaar Bill now makes the same offence punishable with a jail term of up to three years and reduces the upper limit of the fine to “not less than ten lakh rupees”.</p>
<p style="text-align: justify; "><strong>7. Finally, does the Aadhaar Bill have enough parliamentary scrutiny?<br /></strong>The government has introduced the legislation on Aadhaar in the form of a Money Bill, which means the power of the Rajya Sabha to review and amend the Bill is curtailed ‒ if the Speaker Sumitra Mahajan certifies that this is a Money Bill.</p>
<p style="text-align: justify; ">The parliamentary committee on finance under Bharatiya Janata Party MP Yashwant Sinha had rejected the previous Bill in December 2011 citing legislative, security, and privacy concerns. Despite this, two successive Prime Ministers – Manmohan Singh and Narendra Modi – have pushed ahead with the Aadhaar project.</p>
<p style="text-align: justify; ">A common refrain has been that the unique biometric identity will resolve the problem of the poor in India to prove identity and overcome "one of the biggest barriers <a class="link-external" rel="nofollow" href="https://uidai.gov.in/UID_PDF/Front_Page_Articles/Documents/Strategy_Overveiw-001.pdf" target="_blank"><span>preventing the poor</span></a> from accessing benefits and subsidies." But last April, the UIDAI in <a class="link-external" rel="nofollow" href="http://i1.wp.com/128.199.141.55/wp-content/uploads/2015/06/Enrolment-through-introducer.jpg" target="_blank"><span>response</span></a> to an RTI application revealed that of 83.5 crore Aadhaar numbers issued till then, 99.97% were issued to people who already had at least two existing identification documents, and only 0.21 million (<a class="link-external" rel="nofollow" href="http://thewire.in/2015/06/03/most-aadhar-cards-issued-to-those-who-already-have-ids-3108/" target="_blank"><span>0.03%</span></a>) used the "introducer system" that provides an exception to those lacking identity proof.</p>
<p style="text-align: justify; ">More recently, there has been no public consultation by the government over the latest Bill.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/scroll.in-anumeha-yadav-march-24-2016-seven-reasons-why-parliament-should-debate-the-aadhaar-bill-and-not-pass-it-in-a-rush'>https://cis-india.org/internet-governance/news/scroll.in-anumeha-yadav-march-24-2016-seven-reasons-why-parliament-should-debate-the-aadhaar-bill-and-not-pass-it-in-a-rush</a>
</p>
No publisher; praskrishna; Aadhaar, Internet Governance, Privacy; 2016-03-24T02:25:24Z; News Item
Debate: Five Aadhaar Myths that Don’t Stand Up to Scrutiny
https://cis-india.org/internet-governance/news/the-wire-march-23-2016-reetika-khera-debate-five-aadhaar-myths-that-dont-stand-up-to-scrutiny
<b>We need to reboot the Aadhaar debate by asking why we want to create a centralised biometric database of Indian residents in the first place.</b>
<p style="text-align: justify; ">The article by Reetika Khera was published <a class="external-link" href="http://thewire.in/2016/03/23/rebooting-the-aadhaar-debate-25578/">in the Wire</a> on March 23, 2016.</p>
<hr />
<p style="text-align: justify; ">A recent article, ‘<span><a href="http://thewire.in/2016/03/14/aadhaar-identification-simplified-myths-busted-24713/" target="_blank"><span>Identification simplified, myths busted’</span></a>,</span><span> by Piyush Peshwani and Bhuwan Joshi (hereafter, Peshwani & Joshi) makes some questionable claims about the UID project. Peshwani & Joshi’s strategy appears to be to ignore those questions to which they do not have an answer (e.g., that Aadhaar is mostly redundant as far as NREGA, PDS, etc., are concerned). For others, they cherry-pick ‘facts’ without acknowledging the debates surrounding those facts. Here is a selection.</span></p>
<p style="text-align: justify; "><strong>#1: To get Aadhaar, you need a Proof of ID (PoID) and Proof of address (PoA)</strong></p>
<p style="text-align: justify; "><span>Peshwani & Joshi: “For many, Aadhaar is perhaps the first document of their existence – a robust proof of their identity and address that can be verified online. No more closed doors for them!”</span></p>
<p style="text-align: justify; "><span>Peshwani & Joshi: “The </span><a href="https://uidai.gov.in/UID_PDF/Committees/UID_DDSVP_Committee_Report_v1.0.pdf" target="_blank"><span><span>Demographic Data Standards and Verification Procedures committee</span></span></a><span> prescribes a list of valid 18 proof of identity and 33 valid proof of address documents for getting an Aadhaar.”</span></p>
<p style="text-align: justify; "><strong>Fact</strong><span>: In fact, 99.97% of those who have Aadhaar, used PoID and PoA to get it. For those who have neither, there is an “introducer system”, but according to a reply to an RTI request, </span><a href="http://thewire.in/2015/06/03/most-aadhar-cards-issued-to-those-who-already-have-ids-3108/" target="_blank"><span><span>only 0.03% of those who have the Aadhaar number</span></span></a><span> used this route.</span></p>
<p style="text-align: justify; "><span>As far as closed doors are concerned, Aadhaar does not guarantee any benefits: work through NREGA, widow or old-age pensions or PDS rations. There are separate eligibility conditions for those programmes which continue to apply.</span></p>
<p style="text-align: justify; "><strong>#2 On costs</strong></p>
<p style="text-align: justify; "><span>Peshwani & Joshi: “Does it justify the cost? Yes, absolutely, </span><a href="http://indianexpress.com/article/india/india-news-india/aadhaar-id-saving-indian-govt-about-usd-1-bln-per-annum-kaushik-basu/" target="_blank"><span><span>according to the World Bank</span></span></a><span>, which said the initiative is estimated to be saving the Indian government about $1 billion annually by thwarting corruption, even as it underlined that digital technologies promote inclusion, efficiency and innovation.” </span></p>
<p style="text-align: justify; "><strong>Fact</strong><span>: Savings due to the use of Aadhaar have been disputed. The government has claimed it has saved Rs. 14,672 crore on LPG subsidies due to Aadhaar while they are likely lower – by a factor of 100 (see </span><em><a href="http://www.business-standard.com/article/economy-policy/aadhaar-linked-lpg-govt-says-rs-15-000-cr-saved-survey-says-only-rs-14-cr-in-fy15-116031800039_1.html"><span><span>Business Standard</span></span></a></em><span> or </span><em><a href="http://blogs.wsj.com/indiarealtime/2016/03/21/is-the-indian-government-saving-as-much-as-it-says-on-gas-subsidies/" target="_blank"><span><span>Wall Street Journal</span></span></a></em><span>). </span></p>
<p style="text-align: justify; "><span>Peshwani & Joshi: “Even before the World Bank’s endorsement of Aadhaar, the Delhi-based National Institute of Public Finance and Policy (NIPFP) conducted a </span><a href="http://planningcommission.nic.in/reports/genrep/rep_uid_cba_paper.pdf" target="_blank"><span><span>detailed cost-analysis study on Aadhaar</span></span></a><span> in 2012… the study found that the Aadhaar project would yield an internal rate of return in real terms of 52.85% to the government.”</span></p>
<p style="text-align: justify; "><strong>Fact</strong><span>: The NIPFP cost-benefit analysis was based on </span><a href="http://www.epw.in/journal/2013/05/commentary/cost-benefit-analysis-uid.html" target="_blank"><span><span>unrealistic assumptions</span></span></a><span> – e.g., estimates of leakages that Aadhaar could plug were available for only two out of seven schemes; for the rest, they assumed leakage rates which are termed ‘conservative’, but are actually not.</span></p>
<p style="text-align: justify; "><span>In their response, the NIPFP </span><span>team</span><span> <a href="http://www.epw.in/journal/2013/10/discussion/response-cost-benefit-analysis-uid.html" target="_blank"><span>admitted</span></a> that “a full-fledged cost benefit analysis of Aadhaar is difficult” because “many gains from Aadhaar are difficult to quantify because they are intangible” and, “even if in specific schemes there may be tangible benefits, the information available on those schemes does not permit a precise quantification of those benefits.” </span></p>
<p style="text-align: justify; "><span>They went on to say that “The study has steered away from relying exclusively on analyses of isolated and small sample sets”. What evidence did the NIPFP study rely on? “For ASHAs, Janani Suraksha Yojana and scholarships, no analysis, large or small has been used. For the Indira Awaas Yojana, the three analyses relied on exclusively are a <em>Times of India</em> news report, a press release based on a discussion in Parliament and a “Scheme Brief” by the Institute for Financial Management and Research (IFMR). Interestingly, the corruption estimate in the IFMR brief cross-refers to the Times of India article (apart from a CAG report)!” (</span><a href="http://www.epw.in/journal/2013/10/discussion/nipfp-response.html" target="_blank"><span><span>Khera, 2013</span></span></a><span>)</span></p>
<p style="text-align: justify; "><strong>#3 De-duplication</strong></p>
<p style="text-align: justify; "><span>Peshwani & Joshi: “Aadhaar means no fake, ghost or duplicate beneficiaries. Double-dipping will become more and more difficult with Aadhaar, a number that is well de-duplicated with the use of biometrics.”</span></p>
<p style="text-align: justify; "><strong>Fact</strong><span>: De-duplication is one possible contribution of Aadhaar – but that needs biometrics, not a centralised biometric database. Local biometrics (used extensively in Andhra Pradesh before UID) mean that biometric data is stored by the concerned government department or on the local e-POS machine’s memory chip. It has the advantage that connectivity is not required (you are authenticated by the machine) and errors can be corrected locally, making it more practical. The distinction between a local and centralised database is important (see #5 below). </span></p>
<p style="text-align: justify; "><span>Further, no one has a reliable estimate of the duplication problem. Two government estimates of duplicates exist: the </span><a href="http://petroleum.nic.in/docs/dhande.pdf" target="_blank"><span><span>Dhande committee</span></span></a><span> for LPG (2%) and in </span><a href="http://scroll.in/article/747904/how-the-government-got-the-supreme-courts-approval-to-link-subsidy-schemes-with-aadhaar" target="_blank"><span><span>NREGA job cards</span></span></a><span> from the Government of Andhra Pradesh (also 2%).</span></p>
<p style="text-align: justify; "><strong>#4 Exclusion</strong></p>
<p style="text-align: justify; "><span>Peshwani & Joshi: “As far as exclusion in delivery of other services due to biometric authentication accuracy is concerned, it is important to go beyond scratching the surface.”</span></p>
<p style="text-align: justify; "><strong>Fact</strong><span>: When the </span><a href="http://www.governancenow.com/news/regular-story/ap-detects-glitches-aadhaar-linked-pds-distribution" target="_blank"><span><span>PDS was integrated with Aadhaar</span></span></a><span>: “The Andhra Pradesh Food and Civil Supplies Corporation found that…nearly one-fifth ration card holders did not buy their ration.” Further, “When the government delved deeper in the issue, it was found that out of the 790 cases interviewed for the study, 400 reported exclusion. Out of the excluded cases, 290 were due to fingerprint mismatch and 93 were because of Aadhaar card mismatch. The remaining 17 cases were due to failure of E-PoS.” More </span><a href="http://www.thehindu.com/opinion/op-ed/to-pass-biometric-identification-apply-vaseline-or-boroplus-on-fingers-overnight/article4200738.ece"><span><span>here</span></span></a><span>. </span></p>
<p style="text-align: justify; "><span>Moreover, Peshwani & Joshi pick one definition of ‘exclusion’ (due to biometric failure) when in fact, exclusion has a broader meaning. For instance, “In </span><a href="http://www.ideasforindia.in/article.aspx?article_id=1599#sthash.dE8SWEik.dpuf" target="_blank"><span><span>Chitradurga (Karnataka)</span></span></a><span>, Rs.100-150 million in wages from 2014-15 were held up for a year. When payments were being processed, their job cards could not be traced in NREGAsoft. Upon enquiry, the district administration learnt field staff had deleted them to achieve ‘100% </span><i><span>Aadhaar-</span></i><span>seeding’.”</span></p>
<p style="text-align: justify; "><strong>#5 Profiling and privacy violations</strong></p>
<p style="text-align: justify; "><span>Peshwani & Joshi: “A prominent criticism of Aadhaar is that it ‘profiles’ people.” …“Most of us have one or more identity/address documents, such as a passport, ration card, PAN card, driving licence, vehicle registration documents or a voter ID card. The government departments managing these already have our data. Aadhaar is no different. We give our data to banks, to insurance companies and to telecom companies for accounts, policies and mobile connections.”</span></p>
<p style="text-align: justify; "><strong>Fact</strong><span>: That’s like saying BJP can be more corrupt because the Congress was corrupt. Instead we need to engage more seriously with the work of </span><a href="http://www.business-standard.com/article/opinion/aadhaar-is-actually-surveillance-tech-sunil-abraham-116031200790_1.html" target="_blank"><span><span>Sunil Abraham</span></span></a><span>,</span> <a href="http://www.dnaindia.com/scitech/column-are-we-losing-the-right-to-privacy-and-freedom-of-speech-on-indian-internet-2187527" target="_blank"><span><span>Amber Sinha</span></span></a><span> and others at the </span><a href="http://cis-india.org/internet-governance/blog/analysis-of-aadhaar-act-in-context-of-shah-committee-principles" target="_blank"><span><span>Centre for Internet and Society</span></span></a><span>. There are crucial differences between Aadhaar and the Social Security Number in the US; see </span><a href="http://cis-india.org/internet-governance/blog/aadhaar-vs-social-security-number"><span><span>this</span></span></a><span>. </span><a href="http://bostonreview.net/world/malavika-jayaram-india-unique-identification-biometrics" target="_blank"><span><span>Malavika Jayaram</span></span></a><span> listed the UID project among a slew of “big brother” projects facilitating mass surveillance in India.</span></p>
<p style="text-align: justify; "><strong>Conclusion</strong></p>
<p style="text-align: justify; "><span>The debate on UID tends to begin with the premise that Aadhaar is necessary for ‘good governance’. Those claims of the UIDAI have long been demolished. </span><span>In a nutshell, Aadhaar cannot help identify the poor, and its possession does not guarantee inclusion in government social welfare (go to #1). </span><span>It cannot reduce PDS or NREGA corruption as claimed in their early documents. Thankfully, </span><a href="http://www.thehindu.com/opinion/blogs/blog-datadelve/article6861067.ece" target="_blank"><span><span>PDS</span></span></a><span>–</span><a href="http://www.thehindu.com/opinion/op-ed/learning-from-nrega/article6342811.ece" target="_blank"><span><span>NREGA</span></span></a><span> corruption has been on the decline without Aadhaar – more needs to be done. (More details? Try </span><a href="http://www.ideasforindia.in/article.aspx?article_id=250" target="_blank"><span><span>this</span></span></a><span> and </span><a href="http://www.epw.in/journal/2011/09/perspectives/uid-project-and-welfare-schemes.html" target="_blank"><span><span>this</span></span></a><span>.)</span></p>
<div class="aligncenter wp-caption" id="attachment_25580" style="text-align: justify; "><a href="http://i1.wp.com/128.199.141.55/wp-content/uploads/2016/03/Reduction-in-leakages-graphic.jpg"><img class="wp-image-25580 size-full" width="880" alt="Bihar shows how much corruption in the PDS can be reduced without Aadhaar. Credit: Reetika Khera" height="516" src="http://i1.wp.com/128.199.141.55/wp-content/uploads/2016/03/Reduction-in-leakages-graphic.jpg?resize=917%2C538" /></a>
<p class="wp-caption-text">Bihar shows how much corruption in the PDS can be reduced without Aadhaar. Credit: Reetika Khera</p>
</div>
<p style="text-align: justify; "><span>Aadhaar is not required for </span><a href="http://indiatogether.org/core-pds-smart-system-in-raipur-chhattisgarh-food-security-portability-government" target="_blank"><span><span>portability</span></span></a><span> of benefits or for cash transfers. Cash transfers need bank accounts. To get a bank account, you need a proof of ID and a proof of address (go to #1). </span><span>Aadhaar can help de-duplicate, but so can local biometrics (go to #3). </span><span>We need to “reboot” the Aadhaar debate, starting on the right terms – why exactly do we need to create a centralised biometric database of Indian residents?</span></p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/the-wire-march-23-2016-reetika-khera-debate-five-aadhaar-myths-that-dont-stand-up-to-scrutiny'>https://cis-india.org/internet-governance/news/the-wire-march-23-2016-reetika-khera-debate-five-aadhaar-myths-that-dont-stand-up-to-scrutiny</a>
</p>
No publisher | praskrishna | Aadhaar | Internet Governance | Privacy | 2016-04-01T15:48:17Z | News Item
In India, Biometric Data Storage Sparks Demands for Privacy Laws
https://cis-india.org/internet-governance/news/voice-of-america-anjana-pasricha-march-18-2016-in-india-biometric-data-storage-sparks-demands-for-privacy-laws
<b>In India, calls for strict privacy laws are growing after this week's passage of a measure that allows federal agencies access to biometric data of the nation's citizens, the world's largest such repository.</b>
<p style="text-align: justify; ">The article by Anjana Pasricha was <a class="external-link" href="http://www.voanews.com/content/india-biometrics-privacy/3243744.html">published in Voice of America</a> on March 18, 2016. Pranesh Prakash gave inputs.</p>
<hr />
<p style="text-align: justify; ">The government says the use of biometrics will help cut rampant graft in the distribution of subsidies, but activists and opposition lawmakers warn it could usher in an era of increased state surveillance.</p>
<p style="text-align: justify; ">Raghubir Gaur, who works as an electrician in the capital, New Delhi, says he has never collected subsidized rations such as wheat and rice, because “somebody else has been taking the rations I should have gotten.” Now, with a national proof of identity, or "Aadhaar" card in his hands, Gaur says he is confident he will be able to access his designated subsidies.</p>
<p style="text-align: justify; ">The Aadhaar card is being used to give welfare benefits to the poor, who often cannot provide any proof of identity, allowing corrupt officials to siphon entitlements.</p>
<p style="text-align: justify; ">The government says it has saved nearly $2 billion by preventing misuse of the subsidies in the last fiscal year alone.</p>
<h3 style="text-align: justify; ">Critics fear ‘police state’</h3>
<p style="text-align: justify; ">Civil activists and research groups, however, have dubbed the Aadhaar program “surveillance technology” that constitutes a serious breach of privacy. They point to identity-verification systems in other countries, where cards or identification numbers are used for verification without creating a gigantic central database that documents every last transaction.</p>
<p style="text-align: justify; ">Indeed, the Aadhaar database also stores fingerprints and iris scans of every account holder, labeling each with a 12-digit identification number.</p>
<p style="text-align: justify; ">Concerns that this could lead to a massive invasion of privacy have been heightened because the new law allows the data to be used “in the interest of national security.”</p>
<p style="text-align: justify; ">“From verifying yourself to the ticket conductor on a train to someone who is delivering something at your house, all the way to opening a new bank account, all these transactions get logged against the centralized data base," says Pranesh Prakash of the Center for Internet and Society in Bangalore. "So this invades your life completely and thoroughly.”</p>
<p style="text-align: justify; ">Some lawyers and privacy advocates say this has made it even more important to support a strong privacy law to ensure the huge government database isn't misused.</p>
<p style="text-align: justify; ">Finance Minister Arun Jaitley has defended the biometrics legislation, saying the data will be accessed only in rare cases that require authorization by a senior official.</p>
<p style="text-align: justify; ">“You mark my words, you are midwifing a police state,” said lawmaker Asaduddin Owaisi, just one parliamentarian who opposed passage of the legislation and found no comfort in Jaitley's assurances.</p>
<h3 style="text-align: justify; ">Fraud concerns</h3>
<p style="text-align: justify; ">Despite objections, the bill was passed by legislators who argued that such a move is critical to ensuring subsidies reach intended beneficiaries in a country where millions are poor and illiterate.</p>
<p style="text-align: justify; ">Attempts to draft a right to privacy bill to protect individuals against misuse of data by government or private agencies date back to 2010, but have made little headway. The latest push started in 2014.</p>
<p style="text-align: justify; ">Citing a cyberattack targeting the U.S. government, in which a hacker gained access to the information of millions of people, research groups have also flagged security concerns around India’s ambitious Aadhaar program.</p>
<p style="text-align: justify; ">“If this database gets leaked, the entire identification system collapses because people will be able to authenticate themselves as anyone else. So identity fraud is a great concern,” said Prakash of the Center for Internet and Society.</p>
<p style="text-align: justify; ">Nearly one billion biometric identity cards have been issued in India in the last six years.</p>
<p>
For more details visit <a href='https://cis-india.org/internet-governance/news/voice-of-america-anjana-pasricha-march-18-2016-in-india-biometric-data-storage-sparks-demands-for-privacy-laws'>https://cis-india.org/internet-governance/news/voice-of-america-anjana-pasricha-march-18-2016-in-india-biometric-data-storage-sparks-demands-for-privacy-laws</a>
</p>
No publisher | praskrishna | Aadhaar | Internet Governance | Privacy | 2016-03-23T02:27:05Z | News Item