In 2009, I became extremely concerned with the concept of Unique Identity for various reasons. Connected with many like minded highly educated people who were all concerned.
On 18th May 2010, I started this Blog to capture anything and everything I came across on the topic. This blog with its million hits is a testament to my concerns about loss of privacy and fear of the ID being misused and possible Criminal activities it could lead to.
In 2017 the Supreme Court of India gave its verdict after one of the longest hearings on any issue. I did my bit and appealed to the Supreme Court Judges too through an On Line Petition.
In 2019 the Aadhaar Legislation has been revised and passed by the two houses of the Parliament of India making it Legal. I am no Legal Eagle so my Opinion carries no weight except with people opposed to the very concept.
In 2019, this Blog now just captures on a Daily Basis list of Articles Published on anything to do with Aadhaar as obtained from Daily Google Searches and nothing more. Cannot burn the midnight candle any longer.
"In Matters of Conscience, the Law of Majority has no place"- Mahatma Gandhi
Ram Krishnaswamy
Sydney, Australia.

Aadhaar

The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. It’s use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010 , I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one ? Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win.-Mahatma Gandhi

In matters of conscience, the law of the majority has no place.Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not a guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty -Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.”-A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholar Usha Ramanathan describes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence.

Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant.Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Saba April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty”and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the # BreakAadhaarChainscampaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uidand@rozi_roti.

UIDAI's security seems to be founded on four time tested pillars of security idiocy

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Wednesday, March 6, 2013

3112 - AADHAAR PROJECT-Dispelling the haze by Usha Ramanathan



Volume 30 - Issue 05 :: Mar. 09-22, 2013
INDIA'S NATIONAL MAGAZINE
from the publishers of THE HINDU

( FrontLine)

That the lawmakers of the country have found themselves in a haze of incomprehension about the UID project, which is being promoted as a “game changer”, is deeply unsettling.


VIJAY VERMA/PTI 
United Progressive Alliance chairperson Sonia Gandhi presents an Aadhaar ATM card to a beneficiary at the launch of the Delhi Annashree Yojna in New Delhi on December 15, 2012. Chief Minister Sheila Dikshit (left) and UIDAI Chairperson Nandan Nilekani are also seen.

MANY Union Cabinet Ministers are confused about the government’s Unique Identity (UID), or Aadhaar, project. At a Cabinet meeting held on January 31, there was confusion regarding this issue, with some of them reportedly wanting to know whether the UID was a card or a number. This is an attempt to clarify some basic issues about the UID project.

Is the UID a card or a number?
The UID is a 12-digit number. It is not a card. What is sometimes mistaken for a “card” is only the intimation that the issuing authority, the Unique Identity Authority of India (UIDAI), sends to a person who has been allotted a number.

The enrolling agency collects a person’s demographic information —name, address, gender, age, and for children, details of parents/guardian—and captures the biometric information—prints of all 10 fingers, scans of both irises and the photograph of the face.

The UIDAI then has the data “de-duplicated” by cross-verifying them against its database to check whether the person is already enrolled and has been issued a number. Since a person could enrol multiple times with a changed name or address, the accuracy and usefulness of the system depend on biometrics.
The UID is, therefore, a number that is linked to a person’s fingerprints and iris scans on a database.

Do we know for sure that fingerprints and iris are unique and reliable metrics?
The truth is we do not. And this is an area of concern, especially as the UID project seeks to make these the key metrics of a person’s identity.

In February 2010, the UIDAI issued a “notice inviting applications for hiring a biometric consultant”, which contained this candid admission: “While NIST [National Institute of Standards and Technology, the United States agency that studies biometrics technology in the context of its application to public policy] documents the fact that the accuracy of biometric matching is extremely dependent on demographics and environmental conditions, there is a lack of a sound study that documents the accuracy achievable on Indian demographics (i.e., larger percentage of rural population) and in Indian environmental conditions (i.e., extremely hot and humid climates and facilities without air-conditioning). In fact we do not find any credible study assessing the achievable accuracy in any of the developing countries” 1 (emphasis added throughout).

Then, between March and June 2010, the UIDAI did a proof of concept (PoC) study of biometric enrolment. The report, uploaded in February 2011, concluded that it had “validated one hypothesis regarding biometric enrolment”—that iris enrolment was “not particularly difficult” and “dramatically improved” accuracy levels and the “accuracy levels necessary for the de-duplication of all residents of India are achievable”. But what sticks out is a paragraph in the report: “The goal of the PoC was to collect data representative of India and not necessarily to find difficult-to-use biometrics. 

Therefore, extremely remote rural areas, often with populations specialising in certain types of work (tea plantation workers, areca nut growers, etc.) were not chosen. This ensured that degradation of biometrics characteristics of such narrow groups was not over-represented in the sample data collected.” 2
In July 2010, it was reported that a 2005 paper by researchers at the Rajendra Prasad Ophthalmic Institute in Delhi estimated that there were six to eight million people in India with corneal blindness. It further identified the issue of cataract, which resulted from nutritional deficiencies and prolonged exposure to sunlight and ultraviolet rays, and corneal scars caused by injury or infection of the cornea.3 These are clearly problems essentially pertaining to the labouring masses, the aged and the disabled.

In March 2012, the UIDAI readied its report, “Role of Biometric Technology in Aadhaar Authentication”. Authentication is the process by which a person’s biometric detail is used to establish or verify his or her identity.
The report dislodges the common assumption that the print of the thumb and the index finger can be used to identify a person. It appears that for 55 per cent of those tested, these fingers did not work as their “best finger”. The report recommends a “Best Finger Detection” process. “The best finger to be used for authentication depends on the intrinsic qualities of the finger (for example, ridge formation, how worn out they are, cracked, etc.) as well as the quality of images captured during enrolment process and the authentication transaction,” it says. The fingers are, therefore, to be labelled green, yellow or red, depending on their suitability for single-finger authentication. In addition, some residents could be determined to be “not suitable for reliable fingerprint authentication”. Those younger than 15 and, more especially, persons above 60 years of age had the highest rates of rejection. This is the shaky foundation on which authentication rests.

The report does not tell us how “biometric exemptions”—that is, people who do not have reliable fingerprints or irises that can be used in enrolment—will be treated. Nor does it spell out an alternative to help secure their identity. Nor, indeed, does it speak of spoofing.

On September 30, 2011, J.T. D’Souza, managing director of SPARC Systems Limited, who works with biometrics equipment and has been following the UID project closely and critically, demonstrated to officials in the Planning Commission how, using some Fevicol and candle wax, he could spoof a fingerprint and use it to authenticate someone else. Officials of the UIDAI said they would look into it, but there is no information on what steps they have taken. 4

What about authentication using iris as a biometric? The “Iris Authentication Accuracy Report” was published in September 2012. It starts with the assumption that “the iris does not get worn out with age, or with use. In addition, iris authentication is not impacted by change in the weather.” The report attributes these assumptions to “iris technology literature”. The part of the claim that requires validation is that there is a part of the human body that neither ages nor withers nor wears out. The fact is that this is a new field of inquiry and there is very little literature on the subject.

Perhaps, the first longitudinal study of the ageing iris as a biometric is found in a Notre Dame University study conducted by two professors, Samuel Fenker and Kevin Bowyer. They state: “Using a large data set of iris images acquired over a three-year period, we have analysed cohorts of irises with images acquired over one, two and three years. We find clear and conclusive evidence that template ageing does occur in iris biometric matching. Specifically, the experimental evidence indicates that the false non-match rate increases with increasing time between acquisition of enrolment image and the image to be recognised. In our results, the false non-match rate increases by greater than 50 per cent with two years of time lapse.” The remedy, they suggest, is to have regular “re-enrolment”. At the time of writing, the implications of re-enrolment are not known.

In the process of the UID project roll-out, it has been reported from Jharkhand that authentication failed in four out of every 10 persons. This is the evidence emerging from the field.

Is UID voluntary?
While marketing the idea, the UID was projected as voluntary and was sold as providing an identity to those who have no other. Since, unlike the ration card or the voter ID, the UID does not have any intrinsic value or purpose, there was little enthusiasm for enrolling for it. This led to a change in tactics. Persons without UID are now facing the threat of denial of services. The UIDAI has been involved in the process of making UID mandatory. There is a push to make UID essential for getting rations, accessing banking services and getting gas connections and refills; for school admissions in the economically weaker section (EWS) category, registration of marriages and property transactions; and for getting caste certificates. And, if the Chief Secretary of Maharashtra were to have his way, even making an application under the Right to Information (RTI) Act would need the UID. This aggressive push seems to be based not on the usefulness of the UID to the system, but rather to drive the enrolment process.

The fact that the UID has such a low penetration even in the districts that have been selected for the roll-out of UID-linked cash transfers (in lieu of direct subsidies) must be understood in this context.

Is there a law that governs the UID project?
No. However, there is an executive order for the establishment of the UIDAI within the Planning Commission. On December 3, 2010, over two months after the project had begun to collect and process personal data, the National Identification Authority of India Bill, 2010, was introduced in Parliament and referred to the Standing Committee on Finance (SCF). The SCF gave its report in December 2011. SCF members, cutting across party lines, found the Bill severely inadequate and recommended that the UID project be taken back to the drawing board.

The SCF found it “unethical and violative of Parliament’s privileges” to proceed with the project when lawmaking was still under way. It commented adversely on the conflation of the “resident” and the “citizen”. The UID scheme, it said, had “been conceptualised with no clarity of purpose… leaving many things to be sorted out during the course of its implementation” and “is being implemented in a directionless way with a lot of confusion”. The “collection of biometric information and its linkage with personal information of individuals” without amending the Citizenship Act and Rules “appears beyond the scope of subordinate legislation, which needs to be examined in detail by Parliament”.

It was scathing about the project, which “continues to be implemented in an overbearing manner without regard to legalities and other social consequences”. On voluntariness, it said: “Although the scheme claims that obtaining Aadhaar number is voluntary, an apprehension is found to have developed in the minds of people that in future, services/benefits, including food entitlements, would be denied in case they do not have Aadhaar number.”

It cited the United Kingdom’s experience with the National ID project regarding the huge cost; the complexity; the untested, unreliable and unsafe technology; and the possibilities of risk to the safety and security of citizens.

The SCF recognised that the UID project “facilitates the UIDAI and the registrars to create database of information of people of the country. Considering the huge database size and possibility of misuse of information”, it said, “…and in the absence of data protection legislation, it would be difficult to deal with the issues like access and misuse of personal information, surveillance, profiling, linking and matching of databases and securing confidentiality of information, etc”.

On September 28, 2010, seventeen eminent persons, including Justice V.R. Krishna Iyer, Romila Thapar, Justice A.P. Shah, S.R. Sankaran, Aruna Roy, K.G. Kannabiran and Bezwada Wilson, issued a statement in which they said that before the UIDAI went any further, it was imperative to do a feasibility study and a cost benefit analysis, engage experts to study its constitutionality, put a law of privacy in place, and have an informed public debate before any major changes are introduced. In the meantime, they said, the project should be halted. The SCF echoed these concerns.

The SCF found the UID project to be “full of uncertainty in technology as the complex scheme is built upon untested, unreliable technology and several assumptions. Further, despite adverse observations by the UIDAI Biometrics Standards Committee on error rates of biometrics, the UIDAI is collecting the biometric information.”

Relying on registrars to ensure that only genuine residents are enrolled, the SCF said, “may have far-reaching consequences for national security”.
There is still no law, and the UIDAI continues to function in a legal vacuum.

What is the link between the National Population Register (NPR) and the UID?
The NPR is under the Citizenship Act and is a prelude to creating a National Citizen’s Register. The Registrar General of India is responsible for carrying out this task. It is an attempt to establish who is a citizen and who is not and to control infiltration and the entry of illegal immigrants.

The 2003 Rules authorise the collection of only 15 fields of data, and fingerprinting and scanning of irises are not among them. This means that what has been done so far in the NPR process is in violation of the law. The NPR has not itself studied biometrics but has merely gone along with the UID.

The notification that set up the UIDAI within the Planning Commission gave it the mandate to “generate and assign UID” to “residents”, to maintain the database and to work on ways in which user/implementing agencies may use the UID, for instance, for the delivery of various services. It was also to “take necessary steps to ensure collation of NPR with UID (as per approved strategy)”. The expansion of its mandate happened at a meeting of the Cabinet Committee on the UID, which was constituted after Nandan Nilekani, former chief executive officer of Infosys, was appointed the UIDAI Chairperson. 

Nilekani was extended permission initially to enrol 10 crore people, which was later increased to 20 crore. It was increased further to 50 per cent of the population after the Home Ministry in January 2012 agreed on an information-sharing agreement with the UIDAI.
The duplication in what the NPR and the UIDAI are doing is one of the unresolved areas.

UID and outsourcing.
The UID project relies on a large number of enrollers who, in turn, are dependent on “introducers” and “verifiers” to help enrol those without IDs. And these have proved to be severely compromised. The issuance of a UID number to “Kothimeer [coriander], s/o Palav, Gongura tota, Mamidikaya vuru [raw mango village, in Telugu]” with the photograph of a mobile phone was only an extreme manifestation of the deficiencies that have shown up. 5

One criticism has been that every time a problem crops up with the technology, or despite it, it is sought to be overlaid with another layer of technology, adding to the costs and introducing one more experiment to the project. So, for instance, when fingerprints seemed an inadequate metric, iris scan was added as an additional metric; a Global Positioning System (GPS) was attached to enrolment equipment after an episode in Hyderabad revealed large-scale enrolment of non-existent people. The investigations in the case are still on.

S. GOPAKUMAR 
 Scanning for Biometric Information for the Aadhaar project in progress at the Christ Nagar Senior Secondary School in Thiruvallam, Kerala, on February 16, 2012.

The NPR uses the method followed by the Census, where the enumerators have a responsibility to locate and reach persons to be enrolled.
The potential for exclusion is inherent in both processes.

Who holds the data collected?
The 2009 notification says that the UIDAI “shall own and operate UID database”. The standing committee cited the National Information Centre’s (NIC) concern that the “issues relating to privacy and security of UID data could be better handled by storing [them] in a government data centre”, indicating that it is not currently with the government but “owned” by the UIDAI.

In its Strategic Overview document (2010), the UIDAI had set out a revenue model by which it could become self-sufficient and begin to earn a reasonable profit through selling its authentication services, after which it would not be dependent on government resources. The report of the Technology Advisory Group on Unique Projects (TAG-UP, July 2011), chaired by Nilekani, promotes the idea of National Information Utilities (NIU). These will be “private companies” acting in the “public interest” and will be “profit-making” but not “profit maximising”. Data held by the government is to be handed over to these private companies, which will then use them for profit-making. The 2012-13 Budget adopted the NIU model of data management in relation to the Goods and Services Tax (GST). The UIDAI, too, seems to be moving in that direction, where it will acquire the character of an NIU.

This is deeply disturbing, for it will mean that our data will become the property of a company, which may then do data mining and use data as an asset to make money.

Why have there been concerns about the companies involved in the project?
Since the early days of the project, alarm bells have been rung about the involvement of companies such as L-1 Identity Solutions and Accenture. These companies have a close relationship with the intelligence establishment in the United States. L-1 Identity Solutions has been doing a lot of work for the Central Intelligence Agency (CIA). It has even had George Tenet, an ex-CIA chief, on its board. Accenture has been partnering the Department of Homeland Security in the U.S. in its Smart Borders Project. L-1 Identity Solutions has recently been bought by Safran, a French company in which the French government is a large shareholder.

In reply to an RTI query about these companies, the UIDAI said: “There are no means to verify whether the said companies/organisations are of U.S. origin or not. As per our contractual terms and conditions, only the companies/organisations who are registered can bid” (reproduced in an appendix to Mathew Thomas (ed.), UID is not yours, 2012).
These leave unanswered disturbing questions about the security and confidentiality of a population-wide database.

Has any other country got a project such as this?
No. In fact, the UIDAI prides itself that nowhere in the world is there such a project, on such a scale and on the basis of a biometric database. This, alongside the experimental stage in which biometric enrolment, de-duplication and authentication are at this point, has given rise to concerns that this is a massive experiment on the population of India.

None of the countries in the developed world has accepted biometric identity even as developing countries are encouraged to adopt it.

The George W. Bush administration considered a biometric database when it enacted the Real ID Act in 2005. But it realised the impracticalities of the project, especially in depending upon biometric stability and accuracy across the swathe of population, and across time, and so shelved it.

In Australia, an Access Card for health and welfare benefits was abandoned in 2007, two years after it was started, after protests that raised concerns about privacy, identity theft and disclosure of information.

In the U.K., when the David Cameron government jettisoned the biometric ID project, the Home Secretary explained that this was done because the government was the servant of the people and not their master, and that the project would constitute “intrusive bullying”.

What are the costs of the project?
The direct costs are expected to reach Rs.15,000 crore in this phase of the project. This does not include the cost to the enrollers, the registrars, the time and resources spent by non-governmental organisations (NGOs), administrators and the people enrolling, or the costs of authentication equipment. There is also the cost that is generated in shifting to the UID system, and the cost of failure, both to the individual and to the system. The savings are hypothetical and so far unsubstantiated.

Vijay Unni, former Registrar General of India, has asked why, when the complete Census exercise is carried out at a cost of about Rs.2,000 crore, the UID project cost, at many times that amount, is being borne without question.

Will the UID help in reducing leakage and reduce subsidies?
If de-duplication works, perhaps it will help eliminate duplicates and ghost entries in various databases. If there is a linking of databases and profiling of persons, those not entitled to subsidy may get identified.
But, as academics and activists advocating right to food have argued, given the rates of hunger and child malnourishment in India the country needs to worry about under-inclusion.

The only attempt at calculating the savings that the UID may effect can be found in a document produced for the Planning Commission by the National Institute of Public Finance and Policy (NIPFP). 6 The study, funded by the UIDAI, relies on patchy data since “the present state of knowledge does not permit precise quantification of the gains”. And “many of the gains from Aadhaar are difficult to quantify as they are intangible”.
In effect, we do not know the effect UID will have on subsidies and leakages.

What are the other anxieties that dog this project?
The convergence of databases and profiling of individuals is a serious concern, and the “seeding” of the UID number in various databases accentuates the problem.

A recent report says that Apollo Hospitals is spearheading an initiative to link the health records of patients with the Aadhaar identification system, raising questions about confidentiality of health data. Linking up the Socio-Economic and Caste Census and the voter ID to the UID will breach the protection that anonymity provides.

The rush into UID-linked cash transfer has given rise to the belief that this is only to help the UID quicken its pace of enrolment which, the UID website reveals, had slumped. And, the cost of failure has not even been considered.

That the lawmakers of the country have found themselves in a haze of incomprehension about a project that is being promoted as a “game changer” is deeply unsettling.

Usha Ramanathan works on the jurisprudence of law, poverty and rights.

END NOTES
4 D’Souza’s demonstration at the Press Club Mumbai can be viewed at: https://www.youtube.com/watch?v=0a96L_SphR4