uid

When I opposed Aadhaar in 2010, I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one? Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win. -Mahatma Gandhi

In matters of conscience, the law of the majority has no place. Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not a guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty -Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.” -A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholar Usha Ramanathan describes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence.
Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant. Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Sabha April 2017


Special

Here is what the Parliament Standing Committee on Finance, which examined the draft N I A Bill said.

1. There is no feasibility study of the project

2. The project was approved in haste

3. The system has far-reaching consequences for national security

4. The project is directionless with no clarity of purpose

5. It is built on unreliable and untested technology

6. The exercise becomes futile in case the project does not continue beyond the present number of 200 million enrolments

7. There is lack of coordination and difference of views between various departments and ministries of government on the project

Quotes

What was said before the elections:

NPR & UID aiding Aliens – Narendra Modi

"I don't agree to Nandan Nilekani and his madcap (UID) scheme which he is trying to promote," Senior BJP Leader Yashwant Sinha, Sept 2012

"All we have to show for the hundreds of thousands of crore spent on Aadhar is a Congress ticket for Nilekani" Yashwant Sinha.(27/02/2014)

TV Mohandas Pai, former chief financial officer and head of human resources, tweeted: "selling his soul for power; made his money in the company wedded to meritocracy." Money Life Article

Nilekani’s reporting structure is unprecedented in history; he reports directly to the Prime Minister, thus bypassing all checks and balances in government - Home Minister Chidambaram

To refer to Aadhaar as an anti corruption tool despite overwhelming evidence to the contrary is mystifying. That it is now officially a Rs.50,000 Crores solution searching for an explanation is also without any doubt. -- Statement by Rajeev Chandrasekhar, MP & Member, Standing Committee on Finance

Finance minister P Chidambaram’s statement, in an exit interview to this newspaper, that Aadhaar needs to be re-thought completely is probably the last nail in its coffin. :-) Financial Express

The Rural Development Ministry headed by Jairam Ramesh created a road Block and refused to make Aadhaar mandatory for making wage payment to people enrolled under the world’s largest social security scheme NRGA unless all residents are covered.



Tuesday, May 16, 2017

11405 - Dear Mr R S Sharma: Aadhaar has no place on the open web - Factor Daily


Thejesh G N, May 15, 2017



R S Sharma, currently chairman of the Telecom Regulatory Authority of India, or TRAI, responded to this report with a blog post titled There has been no Aadhaar ‘data leak’. Sharma is the former CEO of the Unique Identification Authority of India, or UIDAI, the agency responsible for issuing Aadhaar numbers to Indian residents, and has an inside view on the identity project.

In his blog post, Sharma argues that publication of Aadhaar numbers and other personal details by authorities as part of beneficiary details doesn’t constitute a data breach or data leak. He further argues that public authorities are, in fact, forced to publish personal details for transparency under the Right To Information (RTI) Act.

We in the open data and RTI community have been answering such questions for a very long time. Hence, I thought it’s a good opportunity to settle this debate.

I am going to ignore Sharma’s questioning of the timing of the reports. He just needs to do a Google search to get previous reports on data leakage or privacy violation in India.
Let’s examine the important parts of his claim.


Sharma starts with “Aadhaar is not a secret or confidential number. It is a random number bereft of any intelligence.” His reasoning is that, as per the Aadhaar Act, “An Aadhaar number shall be a random number and bear no relation to the attributes or identity of the Aadhaar number holder.” This statement is from the enrolment section of the Aadhaar Act, which states how a number gets generated. It’s true that the generation of an Aadhaar number is random and not a function of user attributes. But once the generation is complete, it gets attached to a user and stops being random. In fact, it becomes unique.

It is true that you can’t derive an Aadhaar number given the attributes of a user, but the reverse is not completely true. Given an Aadhaar number, you can look up the user’s information, especially when complete Aadhaar numbers are littered all over the open web. One can go further and create a dossier of personal information by finding and joining datasets based on the Aadhaar number. Hence, stating that “Aadhaar is not a secret or confidential number” is misleading and dangerous.

Further, Sharma cites two specific laws to say it’s legal to share Aadhaar details; in fact, public authorities are mandated by the law to share them, he says. He cites section 29(4) of the Aadhaar Act that prohibits publishing of Aadhaar details unless specified by the regulations.

This is what the relevant part of Section 29(4) says: No Aadhaar number or core biometric information collected or created under this Act in respect of an Aadhaar number holder shall be published, displayed or posted publicly, except for the purposes as may be specified by regulations.
The regulation referred to in this case is Section 4(1)(b)(xii) of the RTI Act:
4(1) Every public authority shall—
(b) publish within one hundred and twenty days from the enactment of this Act,— (xii) the manner of execution of subsidy programmes, including the amounts allocated and the details of beneficiaries of such programmes;

The RTI Act says “details of beneficiaries” and hence, as per Sharma, the Aadhaar number along with other personal information of the beneficiaries is required to be public.

It’s important to note the premise of RTI Act Section 4 is to make public authorities transparent and accountable by publishing the data suo motu. Its requirement is not to expose information of beneficiaries.


Section 4(1)(b)(xii) doesn’t define what exactly “details of beneficiaries” means. It is left to the judgement of the information officer. In each case, he is expected to validate the data against Section 8(1)(j) and then publish it.

Section 8(1)(j) prohibits sharing of personal information if it causes any “unwarranted invasion of the privacy of the individual” unless the officer thinks there is a larger public interest in disclosing the personal information of every beneficiary.

This is what the relevant part of Section 8 (1) says: Notwithstanding anything contained in this Act, there shall be no obligation to give any citizen — 
(j) information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information: Provided that the information which cannot be denied to the Parliament or a State Legislature shall not be denied to any person.

Now let’s take an example from the CIS report: the NREGA dashboard. For the sake of transparency, wouldn’t it be enough to publish the job card number, name and address of the beneficiary? Is it really required to publish name, address, job card number, bank account number, Aadhaar number, caste etc.? Isn’t exposing a person’s caste, Aadhaar number, or mobile number an “unwarranted invasion of the privacy of the individual”?


Let’s be conscious that the information exposed here is not of big contractors or businessmen. It’s that of daily labourers, who earn a couple of thousand rupees per month. There is no larger public interest in publishing every bit of information about them, especially when India is going all digital and leaked info can also cause financial loss. It opens doors for fraudsters to perform attacks such as social engineering on unsuspecting individuals.

Sharma says, “Section 8 exemptions will not be able to hold back the Aadhaar numbers.” We have to disagree. We have enough privacy reasons to completely remove the Aadhaar number using section 8(1)(j). The authorities need to be sensitised about personal data and citizens need to pressurise them to follow the law.


This is exactly what happened with the TRAI in April 2015, when the telecom regulator made public a million email IDs of people who had written in with their views on net neutrality. Rahul Khullar was chairing the TRAI then. Making email data public meant exposing respondents to spammers and cyber criminals. The TRAI tried to defend the act in the name of public consultation, transparency etc. But it soon started cleaning up after many media reports put pressure on it to remove the personal information.

After the incident and pressure from civil society, TRAI announced before its next consultation: “All stakeholders are hereby informed that during submission of their counter comments, if anyone desires that his/her email id should not be displayed, it may be specifically stated so in the email.”

This instance was just about email addresses. Imagine if you had your Aadhaar number, mobile number and much more online. We need to be much more serious because the stakes are higher.

Further, under section 28(4)(c) of the Aadhaar Act, it’s the responsibility of UIDAI to ensure third parties keep information secure and confidential. UIDAI is expected to make proper agreements and arrangements to ensure this happens:

28. (1) The Authority shall ensure the security of identity information and authentication records of individuals.
(2) Subject to the provisions of this Act, the Authority shall ensure confidentiality of identity information and authentication records of individuals.
(3) The Authority shall take all necessary measures to ensure that the information in the possession or control of the Authority, including information stored in the Central Identities Data Repository, is secured and protected against access, use or disclosure not permitted under this Act or regulations made thereunder, and against accidental or intentional destruction, loss or damage.
(4) Without prejudice to sub-sections (1) and (2), the Authority shall—
(a) adopt and implement appropriate technical and organisational security measures;
(b) ensure that the agencies, consultants, advisors or other persons appointed or engaged for performing any function of the Authority under this Act, have in place appropriate technical and organisational security measures for the information; and
(c) ensure that the agreements or arrangements entered into with such agencies, consultants, advisors or other persons, impose obligations equivalent to those imposed on the Authority under this Act, and require such agencies, consultants, advisors and other persons to act only on instructions from the Authority…

It’s a legal requirement, in short. UIDAI simply can’t pass the buck and act innocent about such data leaks. It needs to get across to users of Aadhaar data to follow the law or be held responsible.

Sharma disagrees with the term “data leaks”, stating, “However, to say that publication of Aadhaar numbers by authorities constitutes a data breach, or data leak, is far from the truth.” That can be debated, but to his credit he agrees that publishing the full Aadhaar number may not be the right thing to do. He suggests: “My personal view is that the last four digits of Aadhaar number can be published and the first eight digits be masked. This will satisfy the provisions of both RTI and the Aadhaar Acts.”


We completely disagree. As we have seen before, there is no need to publish the Aadhaar number, in full or in part, to satisfy section 4(1)(b)(xii) of the RTI Act. In fact, UIDAI should enforce non-publication of Aadhaar numbers using section 28(4)(c) of the Aadhaar Act with the support of section 8(1)(j). An Aadhaar number, full or partial, doesn’t have a place on the open web. Publishing it on the open web will put too many unsuspecting people at risk.

We need to stop blaming the transparency requirements of the RTI. We need to sensitise the public authorities about privacy and responsible data sharing. We need to pressurise the UIDAI to enforce its agreements with its partners. Whether you call it a data leak or not doesn’t reduce the harm done if the authorities continue to publish Aadhaar details on the open web.

Lead visual: Nikhil Raj

Updated at 10.02 am May 15: 

The copy incorrectly said R S Sharma chaired the TRAI in April 2015. Rahul Khullar was the chairman then.