In 2009, I became extremely concerned with the concept of Unique Identity for various reasons. Connected with many like minded highly educated people who were all concerned.
On 18th May 2010, I started this Blog to capture anything and everything I came across on the topic. This blog with its million hits is a testament to my concerns about loss of privacy and fear of the ID being misused and possible Criminal activities it could lead to.
In 2017 the Supreme Court of India gave its verdict after one of the longest hearings on any issue. I did my bit and appealed to the Supreme Court Judges too through an On Line Petition.
In 2019 the Aadhaar Legislation has been revised and passed by the two houses of the Parliament of India making it Legal. I am no Legal Eagle so my Opinion carries no weight except with people opposed to the very concept.
In 2019, this Blog now just captures on a Daily Basis list of Articles Published on anything to do with Aadhaar as obtained from Daily Google Searches and nothing more. Cannot burn the midnight candle any longer.
"In Matters of Conscience, the Law of Majority has no place"- Mahatma Gandhi
Ram Krishnaswamy
Sydney, Australia.

Aadhaar

The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. It’s use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010 , I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one ? Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win.-Mahatma Gandhi

In matters of conscience, the law of the majority has no place.Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not a guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty -Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.”-A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholar Usha Ramanathan describes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence.

Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant.Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Saba April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty”and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the # BreakAadhaarChainscampaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uidand@rozi_roti.

UIDAI's security seems to be founded on four time tested pillars of security idiocy

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Tuesday, July 27, 2010

316 - A Unique Identity Bill By: Usha Ramanathan


A Unique Identity Bill By: Usha Ramanathan
Vol XLV No.30 July 24, 2010



India’s unique identification number project has been sold on the promise that it will make every citizen, the poor in particular, visible to the State. But the UID project raises crucial issues relating to profiling, tracking and surveillance, and it may well facilitate a dramatic change in the relationship between the State and the people. The Unique Identification Authority of India has not acknowledged these concerns so far. And now, nowhere in the proposed draft bill that it has prepared have these issues been addressed nor have clauses been drafted to prevent abuse of information that will be collected by the agency. With so many questions on the project – regarding biometrics, security and privacy – yet to be answered, it is far from time for parliamentary approval. As has been observed, the Constitution is expected to provide the citizen with dignity and privacy; but these are missing in the UID project.

In February 2009, the unique identification number (UID) project was set up within the Planning Commission. Since August (July) 2009, when Nandan Nilekani was appointed as its chairperson, the Unique Identification Authority of India (UIDAI) has been propagating the idea of the UID which each resident in India will be given.
 
The project pegs its legitimacy on what it will do for the poor. It promises that it will give the poor an identity, with which they may become visible to the state. The UID number is expected to plug leakages, including in the Public Distribution System (PDS), ease payments to be made under the National Rural Employment Guarantee Scheme (NREGS), and enable achievement of targets in consonance with the right to education. Service delivery is a central theme in its promotional literature. The raising of expectations is, however, tempered by a quick caveat that the “UID number will only guarantee identity, not rights, benefits, or entitlements”.
 
The UID database is intended to hold information including the name, address and biometrics of the person. It has been reiterated with remarkable regularity that the UIDAI will not be gathering information that could lead to profiling, so, religion, caste, language and income, for instance, will not be brought on to the UID database.
 
The UIDAI has strained every nerve to explain that it will not be a database from which others may derive information about any person. The UIDAI will merely “authenticate”, i  e, it will give a “yes” or “no” answer when asked whether a name, address and biometric indicator tally. That is, it will attest to the veracity of the identity being asserted by a person by checking on its database. If the details tally, it will say no more.
 
The operation for being invested with an identity goes through stages: enrolling with a enroller/registrar who will set down the basic biographic details such as name, address, father/guardian’s name (and UID number), mother’s name (and UID number) and collect the biometrics – photographs, all 10 fingerprints and iris scan, de-duplication (which will be done by the UIDAI to make certain that there is one identity for one person), updating the database whenever any change occurs in relation to the information on the database (for instance, when there is a name or address change, the responsibility for which will rest with the individual).
 
The UIDAI has said that getting on to the UID database is voluntary. That is, it is clarified, there will be no compulsion from the UIDAI. But, if other agencies make the UID number essential in their transactions, that is a different matter. The UIDAI has been signing memoranda of understanding (MOUs) with a range of agencies including banks, state governments and the Life Insurance Corporation of India (LIC) to be “registrars”, who then may insist that their customers enrol on the UID to receive continued service.
 
Given the dramatic changes that the UID could bring to the relationship between the state and the people, it should cause concern that there has been so little public debate around the UID. There is an unquestioned benignness that is being attributed to the project, which could be explained in part by the image of Nandan Nilekani, whose salience to the project could foster a sense that this is a project around technology, and not about identity. The rhetoric has stayed focused on the poor, which has lent the project legitimacy and there has been no discussion from within the establishment on the possible downsides.
 
One concern that has been raised consistently is on the question of privacy – that information held in a central repository could result in breaches of privacy. The invasion of privacy that technology has facilitated and routinised in recent years has eroded the relevance of traditional notions of privacy. The experience with abandoning the idea of privacy is relatively recent, and it will be a while before its value is reconstituted and the idea resurrected. The introduction to the UID has been in terms of investing every resident with an identity, as a single stop for authenticating identity, as a de-duplication exercise, for plugging leakages, as a tracking device, and as a wage transferring device.
 
There are, however, other concerns that have been voiced and which remain unresolved. They include the contexts of convergence, national security, the national population register (NPR), and the shaky edifice of biometrics on which this superstructure is being built.
 
Convergence
 
The UID literature does not use the word, yet convergence is a predictable and inevitable consequence of the UID project. Convergence is about combining information. There are various pieces of information that we hand over to a range of agencies when buying, say, a railway ticket, maintaining a bank account, registering in a university, getting work at an NREGs worksite, taking out an insurance policy, buying a motorcycle, paying telephone bills, etc. Currently, with only the name and a possibly correct address, it will not be easy to profile a person or track them. The information is held in what are called “silos”, that is, discrete towers holding information that has been handed over by an individual in relation to a defined purpose. If it were possible to create bridges to link these silos, it would wrest control of information on the individual and make it available, metaphorically and literally, at the tap of a computer key.
 
There is a dark joke making its rounds which would be funny, but is not, and it runs like this:

Operator: Thank you for calling Pizza Plaza. May I have your...
Customer: May I place an order?
Operator: Can I have your multipurpose ID card number, sir?
Customer: It is, hold on ... 21356102049998-45-54610
Operator: Welcome back from Japan, Mr Singh.
Customer: May I order your Seafood Pizza...
Operator: That's not a good idea, sir.
Customer: Why would you say that?
Operator: According to your medical records, sir, you have high blood pressure and even higher cholesterol level.
Customer: What? ... What do you recommend then?
Operator: Try our Low Fat Pizza. You’ll like it.
Customer: How would you know that?
Operator: You borrowed a book titled Popular Dishes from the National Library last week, sir.
Customer: Oh ... Have three family size delivered. How much would that cost?
Operator: That should be enough for your family of 5, sir. That will be Rs 500.
Customer: Do you accept payment by credit card?
Operator: I'm afraid you have to pay us cash, sir. Your credit card is over the limit and you owe your bank Rs 23,000 since October last year. And that's not including the late payment charges on your housing loan.
Customer: I guess I have to run to the neighbourhood ATM and withdraw some cash before your guy arrives.
Operator: Oh, no, sir. Your records show that you've reached your daily limit on machine withdrawal today.
Customer: Never mind, just send the pizzas, I'll have the cash ready. How long will that take?
Operator: About 45 minutes, sir, but if you can't wait you can always come and collect it in your Nano. Will there be anything else, sir?
Customer: No... By the way... make sure you send the 3 free bottles of cola as advertised.
Operator: But, sir, your health records say you're a diabetic.......
Customer: #$$^%&$@$% ^
Operator: Please watch your language, sir. Remember on 15 July you were con-victed     of using abusive language at a policeman...?

It was reported last year that Apollo Hospitals had written to the UIDAI and to the Knowledge Commission to link UID numbers with health profiles of individuals and offered to manage the health records (Business Standard, 27 August 2009). It has already embarked on a project “Health Superhighway” that reportedly connects doctors, hospitals and pharmacies, who would be able to communicate with each other and access health records. This, then, is no longer hypothetical. The UID is poised to be the bridge between silos of personal information.
 
This convergence of information may be efficient for business and meet standards of efficiency, but there are those who would argue that it profiles individuals and exposes them to market and other forces in ways which are intrusive, and which could make them insecure, and unsafe.
 
National Security
Surveillance is a concern, and a term that is missing altogether in the UIDAI documents.

There are three initiatives that, together, form a pattern that is disturbing. The UID only produces a number which is a tag that is poised to be “universal” and “ubiquitous”. Its capacity to link disparate pieces of information is difficult to dispute. Place this in the context of the National Intelligence Grid (NATGRID), and the Home Minister P Chidambaram’s statement begins to sound ominous. “Under NATGRID”, he is reported as having said, “21 sets of databases will be networked to achieve quick seamless and secure access to desired information for intelligence and enforcement agencies” (The Hindu, 14 February 2010). This is to enable them “to detect patterns, trace sources for monies and support, track travellers, and identify those who must be watched, investigated, disabled and neutralised”. Many of these intelligence agencies, including the Research and Analysis Wing (RAW) and the Intelligence Bureau (IB), are neither creatures of the law, nor are they subject to oversight. And they are outside the Right to Information Act. 

Vice-President Hamid Ansari, quoting an intelligence expert, reportedly asked: “How shall a democracy ensure its secret intelligence apparatus becomes neither a vehicle for conspiracy nor a suppressor of traditional liberties of democratic self-government?” (Times of India, 20 January 2010). By all accounts, the question has not been answered yet.

In November 2009, newspapers reported Chidambaram’s statement that the government would soon be setting up a DNA data bank. There has been no word on the subject since, but on 12 July 2010, the Indian Express carried news of an im patient debate that has erupted about speeding up DNA data banks to hold DNA data of convicts. This is just a stretch away from extending it to more classes of the population.
The use of science and technology to practise the politics of suspicion is a possibility that is finding its way into becoming a fact.
 
National Population Register
The Census has acquired a disturbing dimension with the NPR being appended to it. The NPR is not an exercise undertaken under the Census Act, 1948. It is being carried out under the Citizenship Act of 1955 and the Citizenship (Registration of Citizens and Issue of National Identity Cards) Rules 2003. Why should that matter? Because there is an express provision regarding “confidentiality” in the Census Act, which is not merely missing in the Citizenship Act and Rules. But there is an express objective of making the information available to the UIDAI, which marks an important distinction between the two processes. Section 15 of the Census Act categorically makes the information that we give to the census agency “not open to inspection nor admissible in evidence”. The ­Census Act enables the collection of information so the state has a profile of the population; it is expressly not to profile the individual.
 
It is the admitted position that the information gathered in the house-to-house survey, and the biometrics collected during the exercise, will feed into the UID database. The UID document says the information that the database will hold will only serve to identify if the person is who the person says he, or she, is. It will not hold any personal details about anybody. What the document does not say is that it will provide the bridge between the “silos” of data that are already in existence, and which the NPR will also bring into being. So, with the UID as the key, the profile of any person resident in India can be built up.

The Citizenship Rules 2003 strips the veneer of voluntariness from the UID. It classes every individual and every “head of family” as an informant, who will be penalised if every person in the household is not in the NPR, or if the information is outdated.

The NPR is also slated to collect biometrics – photographs, fingerprints, iris. The coercion in the Citizenship Rules is not the only aspect which is worrying. The rules also envisage an exercise in sifting the citizen from the resident. The person collecting the information is expected to exercise judgment in deciding whether the person whose details are being taken down may not be a citizen. If there is any doubt, such person will be categorised to be subject to further investigation. The NPR, like the Census, is carried out by laypeople, and the untrained mind is asked to discern and judge matters that could lead to inclusion, or statelessness.
 
At the tail end of June 2010, the UIDAI web  site uploaded a “proposed draft bill”: the National Identification Authority of I ndia Bill, 2010. Comments were asked to be sent within two weeks, by 13 July 2010. Various individuals and groups have sent in their comments, but have asked that the time to respond be extended so that they may discuss it and understand it more fully before taking their position on the Bill.

One of the provisions that has raised concern is clause 33, which reads:
33. Nothing contained in the sub-section (3) of section 30 shall apply in respect of –
(a) any disclosure of information (including identity information or details of   authentication) made pursuant to an order of a competent court; or
(b) any disclosure of information (including identity information) made in the interests of national security in pursuance of a direction to that effect issued by an officer not below the rank of Joint Secretary or equivalent in the Central Government after obtaining approval of the Minister in charge.
 
Although some commentators on the UID project (and that includes me) have written about surveillance, tracking, profiling and social and executive control of the people by the state and its agents, the UIDAI has not acknowledged these concerns so far. This is despite the “Awareness and Communication Report” which the UIDAI commissioned and which advised the authority on how to anticipate and sidestep the unease that people may have, registering that:
the idea of giving out information and affixing one’s thumbprint to a document without fully understanding its implications, compounded with the fact that too many non-state players are visibly involved could pose a barrier to enrolment as well. The fear of individuals being in the government’s radar and the ability of various groups to play on this fear is another likely challenge.
 
Neither the Bill nor any document produced in the process has, however, addressed any of these concerns. What is reflected in the document is only the need to ensure that these anxieties do not come in the way of completing the exercise.
 
Such a major shift in public policy surely cannot occur without a discussion preceding it, a deliberation on the import, and consequences, of such a change, and a reasoned decision taken on the matter. The constitutionality of such a move is questionable. Among the issues that are likely to arise, there are two that Justice Rajendra Babu raised in the presence of Nandan Nilekani and his team at a consultation held in the National Law School, Bangalore on 23 November 2009: the Constitution guarantees us dignity and privacy, he said. Both seem to have been given a miss in the way the UID project has been conceived.
 
The combination of UID, NATGRID and the emerging idea of the DNA bank, makes state control of a population a very real possibility. To treat every person as a suspect, and to create systems that would support such a practice, is a highly questionable act of a state. That the State and its agents have faced the charge of being communal, and of having been involved in torture, fake encounters, forced dis appearances and complicity in crime adds to the amalgam of concerns. The Bill does not acknowledge it, but those within the system cannot be prosecuted without “sanction” of the powers-that-be. It seems like a prescription for impunity where the protocol for protecting the data is breached from within the state apparatus.
 
Discussions around the Bill will have to deal with the issues thrown up by the introduction of the element of “national security”, especially as it is located within a web of UID, NATGRID and a DNA data bank.
 
Biometrics
The most disturbing aspect of the UID project is the linking of identity, and rights, entitlements, citizenship and recognition, to biometrics. The UID project has settled on three metrics: facial recognition through the photograph, fingerprints (all eight fingers and two thumbs), and the iris. The UIDAI documents reveal a state of ignorance, and unpreparedness, that is inexplicable. Quotes will set it out most clearly:
 
In the UIDAI’s “Notice Inviting Application for Hiring Biometrics Consultant”, for a period of six months starting March 2010, it was written: While NIST (the United States agency) documents the fact that the accuracy of biometric matching is extremely dependent on demographics and environmental conditions, there is a lack of a sound study that documents the accuracy achievable on Indian demographics (i  e, larger percentage of rural population) and in Indian environmental conditions (i  e, extremely hot and humid climate and facilities without air-conditioning)... The ‘quality’ assessments of fingerprint data is not sufficient to fully understand the achievable de-duplication accuracy. The next step is to acquire biometrics data from the Indian rural conditions in two sessions (with a time difference) and assess the matchability ...
 
That is, the capacity to capture biometrics with any accuracy has not even been tested yet, and the project already has Rs 7 crore committed to it for just this year, and the whole apparatus through the NPR moving for it. This demands
an explanation.
 
In a cryptic note, the Notice reads: “The biometric evaluations are statistical. The statistical significance of the results are required to be analysed for the UIDAI.”
That is, the margin of error is not yet known.
 
In “Ensuring Uniqueness: Collecting Iris Biometrics for the Unique ID Mission”, the report refers to the Biometrics Committee set up under the UIDAI which had, in January 2010, been non-committal about the use of the third biometric, since “...in the absence of empirical Indian data, it is not possible for the committee to precisely predict the improvement in the accuracy of de-duplication to the fusion of fingerprint and iris scores.” The document acknowledges “technology risks”, including the inability to guarantee biometrics of “high quality across its thousands of enrolment points”. This capture would help in enrolment, but not in authentication since the equipment will not be available in most places. The compromise: “for authentication, the use of fingerprinting will be sufficient”. This could spell trouble for calloused hands and marred fingerprints – which would include those doing manual labour and agricultural operations, whose fingerprints cannot be authenticated.
 
On 17 July 2010, the Economic Times reported that “people with ‘low-quality’ fingerprints and corneal/cataract problems” could “pose difficulties” for the project. “Millions of Indians working in agriculture, construction workers and other manual labourers have worn-out fingers due to a lifetime of hard labour” resulting in “low-quality” fingerprints. 

The iris scan cannot be done on people with corneal blindness or corneal scars. A study done in 2005 at the All India Institute of Medical Sciences estimated six to eight million people in India had corneal blindness, and many more people would have corneal scars. A Hyderabad based eye institute identified cataract, which results from nutritional deficiency and prolonged exposure to sunlight and ultraviolet rays, and cataract surgery, as almost certain to affect the iris. This is about the people that the UIDAI projects as its main targets. A scientist with the Council of Scientific and Industrial Research is cited as suggesting that “they could use DNA fingerprinting in such cases”. Apart from the reduction of a people to a subject-population, these suggestions are inexcusably casual about using techniques that will be of no help to the person so identified.
 
The draft Bill does not deal with any of these concerns. In clause 3 (1), it declares that “every resident shall be entitled to obtain” a UID number, but nowhere in the Bill is there a clause that no agency may refuse services to a person because they do not have such a number, thus leaving the field open for compulsion. Nowhere in the Bill is there an acknowledgement of the extraordinary powers of surveillance, and i nvasion of privacy by government and private agencies that the UID will be facilitating, so there are no limits set on the uses of the number and of the networks of information it could be used to generate. So convergence is facilitated, and the person has no control over it, nor is it a wrong in law.
 
For those who are willing to place their faith in the UID clause 12 may cause them to pause. It reads: “The Authority shall consist of a Chairperson and two part-time members to be appointed by the Central Government”, and they may be re-appointed, or ejected, by the central government. There are sketchy offences of “intentionally” accessing the UID database and damaging, stealing, altering information or disrupting the data. But it provides no means by which a person whose data is stored to know that such an offence has been committed; and it does not allow prosecution to be launched except on a complaint made by the authority or someone authorised by it. Experience has revealed the failure of regulation; yet it is on regulation by the authority that a whole population is asked to place its trust. There is no grievance redressal mechanism mandated by law; it may be set up by regulation or it may not. There is a clause in passing that recognises that the data could reach people beyond the borders; but no idea at all on how to deal with that situation.
The demographic information gathered may not be elaborate at the start, but clause 23(b) leaves an opening for expanding the demographic and biometric data that may be collected. Most damning is the passing reference in the general “powers and functions of authority” to the use of the UID number “for delivery of various benefits and services as may be provided by regulation”. That is all there is to indicate that service delivery to the poor is the object of this exercise. The issues on which the UID project is piggyback riding for its legitimacy are too serious to be trivialised.
 
The MoUs the UIDAI has entered into with “registrars” that include banks, state governments and the LIC have been signed with no statutory backing and no legal power to collect, hold and transmit information from and about people. 

Biometrics has not even been tested, despite Indian demographic and environmental conditions being known to make a significant difference to the quality of biometric capture. In a May 2010 paper prepared for the UIDAI – “A UID Numbering Scheme” – is written: “We expect the UID system to live on for centuries”. This, then, is a tagging device that is expected to last well beyond a person’s lifetime.
The non-seriousness of the Bill, and the refusal to confront the hard issues, are a slight to democracy which must be remedied before the project progresses to create a fait accompli. There are murmurs that the Bill is to be introduced in the monsoon session of Parliament. It would be trite to say that, when biometric accuracy is still in question, and so many questions remain unanswered, it is nowhere near time for parliamentary consideration, or approval.
 
Thanks to Pavithra Ramesh and Murali for acting as sounding boards.
 
Usha Ramanathan (uramanathan@ielrc.org) is an independent law researcher who works on the jurisprudence of law, poverty and rights.