by Elonnai Hickok in Privacy — Dec 07, 2010 03:10 PM
On 23 November 2010 a public meeting was held for the UID in Bangalore. The speakers included B.K Chandrashekar, former Chairman of the Karnataka Legislature Council, Mr. Vidyashankar, Principal Secretary to Government of e-commerce, Sunil Abraham, Executive Director of Centre for Internet and Society, Jude D’Souza, Technology Specialist and Mathew Thomas, Retired Army Officer.
Mr. Chandrashekar opened the public talk by giving a summary of the UID scheme, and sharing his own personal apprehensions to the project. Voicing his concerns as to the scale and architecture of the project, the collection of biometrics from individuals, and the fact that other countries have abandoned similar projects – he raised many points that evoked thought from the audience.
In his presentation, Jude D’Souza explained how the technology (iris scanners and fingerprint readers) that is used in the UID project can be easily spoofed. Through demonstration he proved how fingerprints can be replicated and subsequently authenticated with the use of simply a wax model. He also raised the point that high resolution cameras are now able to capture an individual’s fingerprint and iris at that point the captured image can be transferred and duplicated, and subsequently used for authentication. The point emphasized by D’Souza was that the technology being used by the UID is not as fool proof as is being claimed, and yet nowhere in the Bill or project is this concern being addressed. Redress for possible transaction errors is not provided for in the Bill, and it is not clear if a problem does arise what steps an individual should take.
Sunil Abraham spoke on the legality of the UID project. Emphasizing the point that civil society does not oppose the project in itself, but that civil society is concerned with the weaknesses that exist in the proposed legislation. He noted problems such as an overly broad scope, privacy concerns, and lack of adequate forms of redress. Mr. Abraham also contrasted the UID project with the identity work that has been done in Estonia, and raised the question as to whether a centralized is entirely necessary as opposed to a decentralized system of identity.
Mathew Thomas, through the use of many examples drove home two main questions.
Why is a project that is based on biometrics with a centralized structure necessary?
Can the project realistically meet its proposed objectives of bringing benefits to the poor?
Using the UK’s failed centralized identity scheme, which is similar to the UID scheme, he made the argument that India has the opportunity to learn from the mistakes of others, and this opportunity should not be overlooked or passed by. Mr. Thomas also pointed out that a proper cost benefit analysis is lacking for the project, as well as proper test trials of the technology and scheme.
Mr. Vidyashankar presented on the progress of the UID in Karnataka and answered questions concerning the project. In particular he focused on explaining the collection of information for Know Your Resident (KYR), and Know Your Resident+ (KYR+). KYR information includes: an individual’s name, address, date of birth, gender, relation details, phone number (optional), email (optional), and financial information. KYR+ includes: Physically Handicapped, EPIC Card No, Pan No., Bank Details, LPG Gas Connection, Supply Card, MNREGA Job Card, RSBY Card No, Pension ID, National Population Register No, Property Tax, Electricity Consumer No., Water Connection No., and BPL Data. The purpose of collecting the extra data for KYR+ is to prevent the exploitations of subsidies. By having on record who is eligible for what benefit, the over collection of benefits will be stopped. Vidyashankar also addressed privacy concerns, assuring the audience that information is encrypted at the time of collection and secured for privacy measures.
The reaction from the audience was one of apprehension, and in some cases anger. Individuals questioned the achievability of the objectives of the project, and expressed concerns that their tax money was being wasted. The overall sentiment in the room was that the UID project and Bill will be passed through Parliament but that in the long run, it will not benefit the everyday Indian citizen.
In a later interview Mr. Vidyashankar kindly clarified different details of the project that were still unclear. For example, if an individual needs to update the information in their profile – like their address - they are able to by visiting the closest centre , authenticating themselves, and requesting that the information be changed. He also clarified that registrars and enrollers are monitored as they are registering and authenticating individuals. He also clarified that numbers issued today and in the pilot projects will be valid after the Bill is passed through parliament. At the close of the interview he again assured me that the UID project does account for individual’s privacy, and is able to adequately protect collected data on due to the use of level five encryption. Despite Mr. Vidyanshankar’s assurances, it does not seem logical that the UID project is privacy safe, if a Privacy Legislation is being created specifically to protect the data that the UID will be collecting. It is concerning that the UID project is being carried forward without adequate built in safeguards, and even more concerning that it will the Bill could be passed through parliament and become a living law without the much needed privacy safeguards in place.
Note: Recently a final draft of the UID Bill that will be submitted to the Lok Sabha was released to the public. Civil Society has responded with comments and concerns for the UID Bill, which can be found on the CIS website.
VIDEOS
On 23 November 2010 a public meeting was held for the UID in Bangalore. The speakers included B.K Chandrashekar, former Chairman of the Karnataka Legislature Council, Mr. Vidyashankar, Principal Secretary to Government of e-commerce, Sunil Abraham, Executive Director of Centre for Internet and Society, Jude D’Souza, Technology Specialist and Mathew Thomas, Retired Army Officer.
Mr. Chandrashekar opened the public talk by giving a summary of the UID scheme, and sharing his own personal apprehensions to the project. Voicing his concerns as to the scale and architecture of the project, the collection of biometrics from individuals, and the fact that other countries have abandoned similar projects – he raised many points that evoked thought from the audience.
In his presentation, Jude D’Souza explained how the technology (iris scanners and fingerprint readers) that is used in the UID project can be easily spoofed. Through demonstration he proved how fingerprints can be replicated and subsequently authenticated with the use of simply a wax model. He also raised the point that high resolution cameras are now able to capture an individual’s fingerprint and iris at that point the captured image can be transferred and duplicated, and subsequently used for authentication. The point emphasized by D’Souza was that the technology being used by the UID is not as fool proof as is being claimed, and yet nowhere in the Bill or project is this concern being addressed. Redress for possible transaction errors is not provided for in the Bill, and it is not clear if a problem does arise what steps an individual should take.
Sunil Abraham spoke on the legality of the UID project. Emphasizing the point that civil society does not oppose the project in itself, but that civil society is concerned with the weaknesses that exist in the proposed legislation. He noted problems such as an overly broad scope, privacy concerns, and lack of adequate forms of redress. Mr. Abraham also contrasted the UID project with the identity work that has been done in Estonia, and raised the question as to whether a centralized is entirely necessary as opposed to a decentralized system of identity.
Mathew Thomas, through the use of many examples drove home two main questions.
Why is a project that is based on biometrics with a centralized structure necessary?
Can the project realistically meet its proposed objectives of bringing benefits to the poor?
Using the UK’s failed centralized identity scheme, which is similar to the UID scheme, he made the argument that India has the opportunity to learn from the mistakes of others, and this opportunity should not be overlooked or passed by. Mr. Thomas also pointed out that a proper cost benefit analysis is lacking for the project, as well as proper test trials of the technology and scheme.
Mr. Vidyashankar presented on the progress of the UID in Karnataka and answered questions concerning the project. In particular he focused on explaining the collection of information for Know Your Resident (KYR), and Know Your Resident+ (KYR+). KYR information includes: an individual’s name, address, date of birth, gender, relation details, phone number (optional), email (optional), and financial information. KYR+ includes: Physically Handicapped, EPIC Card No, Pan No., Bank Details, LPG Gas Connection, Supply Card, MNREGA Job Card, RSBY Card No, Pension ID, National Population Register No, Property Tax, Electricity Consumer No., Water Connection No., and BPL Data. The purpose of collecting the extra data for KYR+ is to prevent the exploitations of subsidies. By having on record who is eligible for what benefit, the over collection of benefits will be stopped. Vidyashankar also addressed privacy concerns, assuring the audience that information is encrypted at the time of collection and secured for privacy measures.
The reaction from the audience was one of apprehension, and in some cases anger. Individuals questioned the achievability of the objectives of the project, and expressed concerns that their tax money was being wasted. The overall sentiment in the room was that the UID project and Bill will be passed through Parliament but that in the long run, it will not benefit the everyday Indian citizen.
In a later interview Mr. Vidyashankar kindly clarified different details of the project that were still unclear. For example, if an individual needs to update the information in their profile – like their address - they are able to by visiting the closest centre , authenticating themselves, and requesting that the information be changed. He also clarified that registrars and enrollers are monitored as they are registering and authenticating individuals. He also clarified that numbers issued today and in the pilot projects will be valid after the Bill is passed through parliament. At the close of the interview he again assured me that the UID project does account for individual’s privacy, and is able to adequately protect collected data on due to the use of level five encryption. Despite Mr. Vidyanshankar’s assurances, it does not seem logical that the UID project is privacy safe, if a Privacy Legislation is being created specifically to protect the data that the UID will be collecting. It is concerning that the UID project is being carried forward without adequate built in safeguards, and even more concerning that it will the Bill could be passed through parliament and become a living law without the much needed privacy safeguards in place.
Note: Recently a final draft of the UID Bill that will be submitted to the Lok Sabha was released to the public. Civil Society has responded with comments and concerns for the UID Bill, which can be found on the CIS website.
VIDEOS
( Click on the Main Title up top and visit CIS link to watch video clips)
