In 2009, I became extremely concerned with the concept of Unique Identity for various reasons. Connected with many like minded highly educated people who were all concerned.
On 18th May 2010, I started this Blog to capture anything and everything I came across on the topic. This blog with its million hits is a testament to my concerns about loss of privacy and fear of the ID being misused and possible Criminal activities it could lead to.
In 2017 the Supreme Court of India gave its verdict after one of the longest hearings on any issue. I did my bit and appealed to the Supreme Court Judges too through an On Line Petition.
In 2019 the Aadhaar Legislation has been revised and passed by the two houses of the Parliament of India making it Legal. I am no Legal Eagle so my Opinion carries no weight except with people opposed to the very concept.
In 2019, this Blog now just captures on a Daily Basis list of Articles Published on anything to do with Aadhaar as obtained from Daily Google Searches and nothing more. Cannot burn the midnight candle any longer.
"In Matters of Conscience, the Law of Majority has no place"- Mahatma Gandhi
Ram Krishnaswamy
Sydney, Australia.

Aadhaar

The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. Its use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010, I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one? - Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win. - Mahatma Gandhi

In matters of conscience, the law of the majority has no place. - Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty - Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.”-A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholar Usha Ramanathan describes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence.

Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant. - Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Sabha April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty”and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the #BreakAadhaarChains campaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uid and @rozi_roti.

UIDAI's security seems to be founded on four time tested pillars of security idiocy

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Thursday, March 31, 2016

9702 - Surveillance project SUNIL ABRAHAM - Front Line





K. Murali Kumar
A gummy finger to fool a biometric scanner can be produced using glue and a candle.



The Aadhaar project’s technological design and architecture is an unmitigated disaster and no amount of legal fixes in the Act will make it any better. 
By SUNIL ABRAHAM

Zero. The probability of some evil actor breaking into the central store of authentication factors (such as keys and passwords) for the Internet. Why? That is because no such store exists. And, what is the probability of someone evil breaking into the Central Identities Data Repository (CIDR) of the Unique Identification Authority of India (UIDAI)? Greater than zero. How do we know this? One, the central store exists and two, the Aadhaar Bill lists breaking into this central store as an offence. Needless to say, it would be redundant to have a law that criminalises a technological impossibility. What is the consequence of someone breaking into the central store? Remember, biometrics is just a fancy word for non-consensual and covert identification technology. High-resolution cameras can capture fingerprints and iris information from a distance.

In other words, on March 16, when Parliament passed the Bill, it was as if Indian lawmakers wrote an open letter to criminals and foreign states saying, “We are going to collect data to non-consensually identify all Indians and we are going to store it in a central repository. Come and get it!” Once again, how do I know that the CIDR will be compromised at some date in the future? How can I make that policy prediction with no evidence to back it up? To quote Sherlock Holmes, “Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth.” If a back door to the CIDR exists for the government, then the very same back door can be used by an enemy within or from outside. In other words, the principle of decentralisation in cybersecurity does not require repeated experimental confirmation across markets and technologies.

Zero. The chances that you can fix with the law what you have broken with poor technological choices and architecture. And, to a large extent vice versa. Aadhaar is a surveillance project masquerading as a development intervention because it uses biometrics. There is a big difference between the government identifying you and you identifying yourself to the government. Before UID, it was much more difficult for the government to identify you without your knowledge and conscious cooperation. Tomorrow, using high-resolution cameras and the power of big data, the government will be able to remotely identify those participating in a public protest. There will be no more anonymity in the crowd. I am not saying that law-enforcement agencies and intelligence agencies should not use these powerful technologies to ensure national security, uphold the rule of law and protect individual rights. I am only saying that this type of surveillance technology is inappropriate for everyday interactions between the citizen and the state.


Some software engineers believe that there are technical fixes for these concerns; they point to the consent layer in the India stack developed through a public-private partnership with the UIDAI. But this is exactly what Evgeny Morozov has dubbed “technological solutionism”—fundamental flaws like this cannot be fixed by legal or technical band-aid. If you were to ask the UIDAI how do you ensure that the data do not get stolen between the enrolment machine and the CIDR, the response would be, we use state-of-the-art cryptography. If cryptography is good enough for the UIDAI why is it not good enough for citizens? That is because if citizens use cryptography [on smart cards] to identify themselves to the state, the state will need their conscious cooperation each time. That provides the feature that is required for better governance without the surveillance bonus. If you really must use biometrics, it could be stored on the smart card after being digitally signed by the enrolment officer. If there is ever a doubt whether the person has stolen the smart card, a special machine can be used to read the biometrics off the card and check that against the person. This way the power of biometrics would be leveraged without any of the accompanying harms.

Zero. This time, for the utility of biometrics as a password or authentication factor. There are two principal reasons for which the Act should have prohibited the use of biometrics for authentication. First, biometric authentication factors are irrevocable unlike passwords, PINs, digital signatures, etc. Once a biometric authentication factor has been compromised, there is no way to change it. The security of a system secured by biometrics is permanently compromised. Second, our biometrics is so easy to steal; we leave our fingerprints everywhere.
Also, if I upload my biometric data onto the Internet, I can then plausibly deny all transactions against my name in the CIDR. In order to prevent me from doing that, the government will have to invest in CCTV cameras [with large storage] as they do for passport-control borders and as banks do at ATMs. If you anyway have to invest in CCTV cameras, then you might as well stick with digital signatures on smart cards as the previous National Democratic Alliance (NDA) government proposed the SCOSTA (Smart Card Operating System Standard for Transport Application) standard for the MNIC (Multipurpose National ID Card). Leveraging smart card standards like EMV will ensure harnessing greater network effects thanks to the global financial infrastructure of banks. These network effects will drive down the cost of equipment and afford Indians greater global mobility. And most importantly when a digital signature is compromised the user can be issued a new smart card. As Rufo Guerreschi, executive director of Open Media Cluster, puts it, “World leaders and IT experts should realise that citizen freedoms and states’ ability to pursue suspects are not an ‘either or’ but a ‘both or neither’.”
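The smart-card alternative argued for in the two paragraphs above, as an added example that is not part of the original article and not UIDAI, SCOSTA or EMV code: an enrolment officer signs the template held on the card, an offline reader checks the signature and the holder, and a lost card is revoked and reissued while the biometric stays the same. Toy RSA over two Mersenne primes stands in for the card's real signature algorithm; the class names, serials, templates and distance threshold are constructed for illustration, and the card's own private key is not modelled.

```python
import hashlib
from dataclasses import dataclass

# Toy RSA key for the enrolment officer (assumption: stands in for a vetted
# signature scheme; Mersenne primes and unpadded RSA are NOT secure in practice).
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key, shipped to every reader
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, held only by the issuer


def _digest(serial: str, template: bytes) -> int:
    """Hash serial and template together so neither can be swapped alone."""
    msg = len(serial).to_bytes(2, "big") + serial.encode() + template
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


@dataclass(frozen=True)
class Card:
    serial: str
    template: bytes      # biometric template lives on the card, not in a central store
    signature: int


def issue_card(serial: str, template: bytes) -> Card:
    """Enrolment officer signs (serial, template) with the private exponent."""
    return Card(serial, template, pow(_digest(serial, template), D, N))


def hamming(a: bytes, b: bytes) -> int:
    """Differing bits between two samples; live scans never match bit for bit."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b)) + 8 * abs(len(a) - len(b))


class Reader:
    """Offline verifier: knows the issuer's public key and a revocation list only."""

    def __init__(self, max_distance=6):
        self.revoked = set()             # serials of cards reported lost or stolen
        self.max_distance = max_distance

    def check(self, card: Card, live_sample: bytes) -> str:
        if pow(card.signature, E, N) != _digest(card.serial, card.template):
            return "reject: signature invalid"
        if card.serial in self.revoked:
            return "reject: card revoked"
        if hamming(card.template, live_sample) > self.max_distance:
            return "reject: holder does not match card"
        return "accept"


# Constructed sample data (not real biometric templates).
ENROLLED = bytes.fromhex("a3f1c25e9b7704d8")
LIVE_SAME_PERSON = bytes.fromhex("a3f1c25e9b7704da")   # one bit of sensor noise
OTHER_PERSON = bytes.fromhex("5c0e3da164f8b127")


def demo() -> dict:
    reader = Reader()
    card = issue_card("CARD-0001", ENROLLED)
    out = {
        "holder": reader.check(card, LIVE_SAME_PERSON),
        "thief": reader.check(card, OTHER_PERSON),
    }
    # Someone who rewrites the stored template cannot produce a matching signature.
    forged = Card(card.serial, OTHER_PERSON, card.signature)
    out["forged"] = reader.check(forged, OTHER_PERSON)
    # Card reported lost: the serial is revoked and a new card is issued.
    # The credential changes; the person's biometric does not have to.
    reader.revoked.add(card.serial)
    out["old_card"] = reader.check(card, LIVE_SAME_PERSON)
    out["reissued"] = reader.check(issue_card("CARD-0002", ENROLLED), LIVE_SAME_PERSON)
    return out


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:9s} {verdict}")
```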


Near zero. We now move to biometrics as the identification factor. The rate of potential duplicates, or “False Positive Identification Rate”, is only 0.057 per cent according to the UIDAI, which in its words means that only “570 resident enrolments will be falsely identified as duplicate for every one million enrolments.” However, according to an article published in Economic & Political Weekly by my colleague at the Centre for Internet and Society, Hans Verghese Mathews, this will result in one out of every 146 people being rejected during enrolment when total enrolment reaches one billion people. In its rebuttal, the UIDAI disputes the conclusion but offers no alternative extrapolation or mathematical assumptions. “Without getting too deep into the mathematics” it offers an account of “a manual adjudication process to rectify the biometric identification errors”.

This manual adjudication determines whether you exist and has none of the elements of natural justice such as notice to the affected party and opportunity to be heard. Elimination of ghosts is impossible if only machines and unaccountable humans perform this adjudication. This is because there is zero skin in the game. There are free tools available on the Internet such as SFinGe (Synthetic Fingerprint Generator) which allow you to create fake biometrics. The USB cables on the UIDAI-approved enrolment setup can be intercepted using generic hardware that can be bought online. With a little bit of clever programming, countless number of ghosts can be created which will easily clear the manual adjudication process that the UIDAI claims will ensure that “no one is denied an Aadhaar number because of a biometric false positive”.

Near zero. This time for surveillance, which I believe should be used like salt in cooking. Essential in small quantities but counterproductive even if slightly in excess. There is a popular misconception that privacy researchers such as myself are opposed to surveillance. In reality, I am all for surveillance. I am totally convinced that surveillance is good anti-corruption technology.

But I also want good returns on investment for my surveillance tax rupee. According to Julian Assange, transparency requirements should be directly proportionate to power; in other words, the powerful should be subject to more surveillance. And conversely, I add, privacy protections must be inversely proportionate to power—or again, in other words, the poor should be spared from intrusions that do not serve the public interest. The UIDAI makes the exact opposite design assumption; it assumes that the poor are responsible for corruption and that technology will eliminate small-ticket or retail corruption. But we all know that politicians and bureaucrats are responsible for most of large-ticket corruption.


Why does the UIDAI not first assign UID numbers to all politicians and bureaucrats? Then, using digital signatures, why do we not ensure that we have a public non-repudiable audit trail wherein everyone can track the flow of benefits, subsidies and services from New Delhi to the panchayat office or local corporation office? That will eliminate big-ticket or wholesale corruption. In other words, since most of Aadhaar’s surveillance is targeted at the bottom of the pyramid, there will be limited bang for the buck. Surveillance is the need of the hour; we need more CCTVs with microphones turned on in government offices than biometric devices in slums.

Instantiation technology
One. And zero. In the contemporary binary and digital age, we have lost faith in the old gods. Science and its instantiation technology have become the new gods. The cult of technology is intolerant to blasphemy. For example, Shekhar Gupta recently tweeted saying that part of the opposition to Aadhaar was because “left-libs detest science/tech”. Technology as ideology is based on some fundamental articles of faith: one, new technology is better than old technology; two, expensive technology is better than cheap technology; three, complex technology is better than simple technology; and four, all technology is empowering or at the very least neutral. Unfortunately, there is no basis in science for any of these articles of faith.

Let me use a simple story to illustrate this. I was fortunate to serve as a member of a committee that the Department of Biotechnology established to finalise the Human DNA Profiling Bill, 2015, which was to be introduced in Parliament in the last monsoon session. Aside: the language of the Act also has room for the database to expand into a national DNA database circumventing 10 years of debate around the controversial DNA Profiling Bill, 2015. The first version of this Bill that I read in January 2013 said that DNA profiling was a “powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another … without any doubt”. In other words, to quote K.P.C. Gandhi, a scientist from Truth Labs, “I can vouch for the scientific infallibility of using DNA profiling for carrying out justice.”


Unfortunately, though, the infallible science is conducted by fallible humans. During one of the meetings, a scientist described the process of generating a biometric profile. The first step after the laboratory technician generated the profile was to compare the generated profile with her or his own profile because during the process of loading the machine with the DNA sample, some of the laboratory technician’s DNA could have contaminated the sample. This error would not be a possibility in much older, cheaper and rudimentary biometric technology, for example, photography. A photographer developing a photograph in a darkroom does not have to ensure that his or her own image has not accidentally ended up on the negative. But the UIDAI is filled with die-hard techno-utopians; if you tell them that fingerprints will not work for those who are engaged in manual labour, they will say then we will use iris-based biometrics. But again, complex technologies are more fragile and often come with increased risks. They may provide greater performance and features, but sometimes they are easier to circumvent. A gummy finger to fool a biometric scanner can be produced using glue and a candle, but to fake a passport takes a lot of sophisticated technology. Therefore, it is important for us as a nation to give up our unquestioning faith in technology and start to debate the exact technological configurations of surveillance technology for different contexts and purposes.

One. This time representing a monopoly. Prior to the UID project, nobody got paid when citizens identified themselves to the state. While the Act says that the UIDAI will get paid, it does not specify how much. Sooner or later, this cost of identification will be passed on to the citizens and residents. There will be a consumer-service provider relationship established between the citizen and the state when it comes to identification. The UIDAI will become the monopoly provider of identification and authentication services in India which is trusted by the government. That sounds like a centrally planned communist state to me. Should not the right-wing oppose the Act because it prevents the free market from working? Should not the free market pick the best technology and business model for identification and authentication? Will not that drive the cost of identification and authentication down and ensure higher quality of service for citizens and residents?


Competing providers

Competing providers can also publish transparency reports regarding their compliance with data requests from law-enforcement and intelligence agencies, and if this is important to consumers they will be punished by the market. The government can use mechanisms such as permanent and temporary bans and price regulation as disincentives for the creation of ghosts. There will be a clear financial incentive to keep the database clean. The government established a regulatory framework for digital certificates in the Information Technology Act, allowing for e-commerce and e-governance; ideally, the Aadhaar Bill should have done something similar and established an ecosystem for multiple actors to provide services in this two-sided market. For it is impossible for a “small government” to have the expertise and experience to run one of the world’s largest databases of biometric and transaction records securely in perpetuity.

To conclude, I support the use of biometrics. I support government use of identification and authentication technology. I support the use of ID numbers in government databases. I support targeted surveillance to reduce corruption and protect national security. But I believe all these must be put in place with care and thought so that we do not end up sacrificing our constitutional rights or compromising the security of our nation state. Unfortunately, the Aadhaar project’s technological design and architecture is an unmitigated disaster and no amount of legal fixes in the Act will make it any better. Our children will pay a heavy price for our folly in the years to come. To quote the security guru Bruce Schneier, “Data is a toxic asset. We need to start thinking about it as such, and treat it as we would any other source of toxicity. To do anything else is to risk our security and privacy.”


Sunil Abraham is Executive Director, Centre for Internet and Society, Bangalore.

9701 - Worst Is Yet to Come With Aadhaar, Warn Activists - Out Look




With the dust yet to settle on the dramatic passing of the UIDAI (Aadhaar) Bill in the Lok Sabha, anti-Aadhaar activists had a press conference in Delhi to articulate their concerns about the unexpected development. The bill is expected to face a stiff challenge in the Supreme Court. Aadhaar is India’s largest identification project, covering vast swathes of the population.

PDT Achary, former secretary general of the Lok Sabha, argued that the passing of the bill as a money bill is unconstitutional. He said, “Article 110(3) confirms finality on the speaker’s decision on the question of whether a bill is a money bill. But this constitutional provision cannot be seen as a convenient tool to deal with an inconvenient second chamber,” referring to the Rajya Sabha which does not have a say in whether a money bill is passed or not.

Apart from the route used to clear the Aadhaar bill, activists raised privacy concerns. Nandan Nilekani, considered the pioneer of Aadhaar, recently said that the Aadhaar scheme worked as it was cashless, paperless and presence-less. Yet, these have emerged as the biggest problems with the bill. “The UID scheme has ensured that the person providing the data has no say in who utilises the data for what,” says Usha Ramanathan, an eminent jurist. “This was always supposed to be an identification project, not an identity project and the fact that the bill is touted to be cashless will only add to more last-mile problems,” she adds.

The technology being used for the collection of the data has also come under scrutiny. The government has specified that it will use  Studies though suggest that these parameters may change in the long run, rendering a person’s only link to the UID number unidentifiable.

Says Ramanathan, “In making biometrics compulsory for the poor, the poor are being told that they do not have any interest in privacy, and that they should only care about the money they may get from the government or the food that may be provided. This reduction of citizenship of the poor person to a rightless welfare recipient is itself unconstitutional.” Another concern is that mobile registrations have been mandated by the government which could lead to surveillance by both government as well as private companies which could be given access to the data.

The present government’s stand on the issues raised by Aadhaar is still seen with apprehension by many because of the stand it took when the UPA government was in power. One of the major campaign points of the current NDA government in the 2014 assembly elections was to scrap the scheme. “One cannot but question the intent behind the NDA government’s changed stance on the UIDAI scheme in the past few months. The sudden change from scrapping to passing a money bill to implement the scheme can only lead us to believe that it has something to do with the contract agreements the government signed with companies such as Accenture, E&Y and Safran group,” says Dr Gopal Krishna of Citizens Forum for Civil Liberties.

The issue of the right to privacy with regard to the collection of biometric data by governments has become a global one now, as countries such as the Philippines as well as the United States and United Kingdom have passed resolutions to conserve the privacy of their citizens. Closer to home, Bangladesh is currently fighting a legal battle in its high court to protect the right to privacy against a similar biometric system that was mandated by the government.


Report by Arushi Bedi, Outlook

9700 - Government notifies Aadhaar Act - ECONOMIC TIMES

By PTI | Mar 28, 2016, 04.52 PM IST





NEW DELHI: The Centre has notified the new Aadhaar Act which gives the numbers assigned by it a statutory backing for transfer of subsidies and benefits to people eligible for them. 

The Aadhaar (Targeted Delivery of Financial and other Subsidies, benefits and services) Act, 2016 will provide for "efficient, transparent, and targeted delivery of subsidies, benefits and services, the expenditure for which is incurred from the Consolidated Fund of India, to individuals residing in India through assigning of unique identity numbers to such individuals", said the notification dated March 26. 

It will be used for all benefits that will be linked to the Consolidated Fund of India. 

The Aadhaar Bill for this act was approved by Parliament on March 16. It was tabled in Parliament as money bill. 

However, for those individuals to whom an Aadhaar number has not been assigned, the Act said that they "shall be offered alternate and viable means of identification for delivery of the subsidy, benefit or service". 

The Aadhaar number will not be a proof of citizenship or domicile. 

"The Authority (UIDAI) shall take special measures to issue Aadhaar number to women, children, senior citizens, persons with disability, unskilled and unorganised workers, nomadic tribes or to such other persons who do not have any permanent dwelling house and such other categories of individuals as may be specified by regulations," said the Act. 

It has a provision that both the Centre and state governments can use Aadhaar for disbursal of benefits and subsidies. 

The Act provides for statutory backing to the UIDAI by providing for establishment of the Unique Identification Authority of India consisting of a Chairperson (part time or full time) and two Members (part time). 

The bill has a penalty provision which includes imprisonment in the range of one to three years or a penalty in the range of Rs 10,000 to Rs 1 lakh for violation of the rules. 

Till date 99.64 crore Aadhaar numbers have been issued. 

Finance Minister Arun Jaitley had informed Parliament this month that targeted subsidy through Aadhaar cards of LPG consumers had resulted in over Rs 15,000 crore of savings at the Centre. 


Four states which had started PDS delivery by a similar exercise on a pilot basis, had saved more than Rs 2,300 crore.

9699 - Freedom in peril by R RAMAKUMAR - Frontline




The government’s passage of the Aadhaar Bill in complete disregard of even basic parliamentary procedures and in subversion of an ongoing judicial process puts at risk a number of constitutional rights and liberties of citizens. The benefits cited are just ploys to realise a neoliberal dream. By R. RAMAKUMAR

“Congressmen are dancing as if [Aadhaar] was a herb for all cures. With the Supreme Court pulling up the Centre, people are now seeking answers from the Prime Minister who should disclose how much money had been spent... and who had benefited from it.” Thus spoke the then Gujarat Chief Minister Narendra Modi on the Aadhaar project in 2013. However, as Prime Minister, it is as if Modi has suddenly realised the value of the “herb”. His National Democratic Alliance (NDA) government has passed the Aadhaar Bill in Parliament.

Three points are worth noting. First, the passage of the Bill was nothing but a travesty of democracy. Such has been Modi’s commitment to Aadhaar that even basic parliamentary procedures were disregarded completely. The passage of the Bill also constituted the subversion of an ongoing judicial process. Secondly, the Bill has a number of provisions that put to risk, and offer no protection to, a number of constitutional rights and liberties of citizens. Thirdly, the financial savings that the government has claimed from the usage of Aadhaar, based on which the idea has been sold, are based on wrong data.

The dubious money Bill route

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016, was introduced in the Lok Sabha as a money Bill. The characteristic feature of a money Bill is that it is not introduced in both the Houses. It is introduced only in the Lok Sabha; from the Lok Sabha, the Bill is just transmitted to the Rajya Sabha. The Upper House cannot make amendments to the Bill; it can only recommend amendments to the Lok Sabha, which can reject the amendments. Further, if the Bill is not returned to the Lok Sabha within 14 days from the date of receipt, it may be deemed as passed by both the Houses.

Evidently, the NDA government did not want to carry the Aadhaar Bill to the Rajya Sabha, where it does not have a majority. On the contrary, the government has a clear majority in the Lok Sabha. It was in this context that the money Bill route was manufactured.

The Aadhaar Bill is not a money Bill by any stretch of imagination. According to the Parliament website, only “Bills which exclusively contain provisions for imposition and abolition of taxes, for appropriation of moneys out of the Consolidated Fund, etc., are certified as money Bills”. However, the Aadhaar Bill does much more; its clauses facilitate multifarious intrusions into the lives of citizens by public and private agencies. These include the right to privacy.


Aadhaar envisages a centralised database of Indian residents. At present, information on each resident is, at best, available only in separate “silos” and it is extremely difficult to link a person’s information in one silo to that in another. However, the arrival of Aadhaar—where a unique number is linked to personal information in each silo—marks a qualitative shift. With Aadhaar, personal information in silos can be converged. An invasive government or a profit-minded private entity or a hostile group can obtain and use such converged personal information. In other words, it becomes possible to create profiles of individuals and track them for life. This constitutes an assault on a very basic freedom—privacy.

Aadhaar has the potential to create conditions conducive to such violations of privacy. When the use of Aadhaar becomes widespread, it would not just be in the government’s Central Identities Data Repository (CIDR) that personal information would be stored. Instead, personal information would lie scattered in bits and pieces across locations and agencies accessed by citizens. Bits and pieces of personal information may, seen in isolation, appear harmless. However, each bit leaves a trail. Over a period of time, these bits—thanks to Aadhaar—could be compiled and analysed in ways that render privacy rights meaningless.

How, then, can the Aadhaar Bill be a money Bill? While the Bill does, in part, deal with appropriation of money from the Consolidated Fund of India, its primary outcome is the potential violation of constitutional rights. Such a Bill requires deeper discussions in both Houses and the Standing/Select Committees. The money Bill route effectively subverted such a possibility.

Pre-empting the Supreme Court

The Supreme Court had, in August 2015, delivered a landmark order. First, it referred the question of whether privacy is a fundamental right to a larger constitutional bench. Secondly, it ruled that Aadhaar is not mandatory. The Aadhaar Bill interferes with both these directions.

First, in 2015, the government had told the Supreme Court that privacy was not a fundamental right and hence Aadhaar did not violate any fundamental right. The court noted that if privacy was not considered a fundamental right, Article 21 of the Constitution would stand “denuded of vigour and vitality”. Yet, as many judgments that affirmed privacy as a fundamental right were delivered by smaller benches, the court thought it fit for “institutional integrity and judicial discipline” that a larger constitutional bench resolved the matter. Ideally, the government should have waited for the judgment of the constitutional bench. In this context, the government’s haste in pushing the Bill becomes deeply suspect.

Secondly, from 2012 onwards, Aadhaar was a major source of harassment for citizens, particularly the poor. For providing many services, the government was insisting on an Aadhaar number. In gross violation of earlier Supreme Court orders, Aadhaar was made compulsory for releasing scholarships for Dalit/Adivasi students, disbursing salaries and pensions, marking attendance for teachers, registering marriages, buying or selling property, issuing driving licences, obtaining gas connections, purchasing goods from ration shops and making transactions in Provident Fund savings. Fearing denial of services, many citizens were forced to enrol for Aadhaar.
In its order, the court put an end to such harassment. It said that Aadhaar should not be made mandatory until the ruling of the constitutional bench. However, the current Bill has made Aadhaar mandatory even before the constitutional bench considered the question. Indeed, the government was arrogantly trying to derail the judicial process.

Dangerous clauses

Finance Minister Arun Jaitley’s argument that Chapter VI of the Bill addresses privacy concerns is fallacious. Chapter VI has clauses that protect the biometric and personal data stored with the CIDR. However, as mentioned, Aadhaar-induced exposure of personal information is not limited to the CIDR; rather, it is a systemic concern. When public and private agencies collect and transmit personal information, including biometrics, it would always be possible for them to also retain a copy. Experience shows that such personal data quickly turn into a commodity freely available for purchase.

The Aadhaar Bill has no concern for such systemic issues except as passing references. Only broad-ranging privacy and data protection laws can address these systemic concerns. A weak chapter in one Bill is hardly a solution.
Many claims by the proponents of Aadhaar revolve around the uniqueness and security of biometric authentication. To begin with, biometric authentication of individuals has been shown to have high error rates (see “Tale of Errors”, Frontline, June 30, 2012). Further, biometrics is also poorly secured as an authentication token. Normally, when a password or PIN is stolen or lost, the user can change it; only the user remembers his/her password. In contrast, biometric passwords like fingerprints cannot be changed; we also leave them behind wherever we go and on whatever we touch. Once stolen or lost, the security of a user’s account is permanently compromised. Hackers have ably demonstrated this possibility with Apple’s Touch ID sensors.
In 2013, when Apple’s iPhone 5S was released with fingerprint-based Touch ID security, it was claimed to be totally secure. In just 24 hours, hackers such as Marc Rogers and Jan Krissler were able to break into and unlock the phone’s biometric security. For this, they used a decade-old technique of creating artificial fingerprints with wood glue and sprayable graphene. When Apple released its iPhone 6 in 2014 with promises of better biometric security, it took Rogers and Krissler just two days to unlock it again.


In 2014, at the Chaos Communication Congress—an annual conclave of German hackers—Krissler demonstrated how he reverse-engineered the fingerprint of German Defence Minister Ursula von der Leyen. He required just a few high-resolution photographs of von der Leyen’s fingers from close quarters. In 2015, Krissler also demonstrated how he could extract the iris data of Angela Merkel, the German Chancellor. Here, he required just a high-resolution photograph of Angela Merkel’s eyes from a press conference. According to Krissler, “everything is spoofable”.

In other words, when Aadhaar-based biometric authentication becomes pervasive, identity thefts also are likely to rise. These glaring threats do not appear to have been adequately appreciated before pushing the Aadhaar project.

Exaggerated claims of “savings”

An important claim by the proponents of Aadhaar has been that duplication of beneficiaries in government schemes can be eliminated using Aadhaar, which would save tens of thousands of crores to the public exchequer. Within the social sector, the claims regarding liquefied petroleum gas (LPG) subsidies have occupied a prominent place. In Parliament, Jaitley claimed that “targeted subsidy through Aadhaar cards of LPG consumers had resulted in savings of over Rs.15,000 crore”. Such claims were used by the government to persuade the Supreme Court on the need to allow mandatory use of Aadhaar. However, Jaitley’s claim has been shown to be totally wrong by some brilliant work at the International Institute of Sustainable Development (IISD).

Let us discuss Jaitley’s claim and the IISD’s rebuttal step by step. According to the Ministry of Petroleum and Natural Gas, as on April 1, 2015, there were 18.19 crore “registered” LPG consumers but only 14.85 crore “active” consumers. The difference between registered and active consumers—i.e., 3.34 crore “inactive” consumers—was considered as the number of duplicate consumers eliminated by Aadhaar. The Ministry further assumed that each of the 3.34 crore consumers bought 12 cylinders a year; also, each obtained an average LPG subsidy of Rs.336 a cylinder in 2014-15. Thus, the estimated savings in LPG subsidy for 3.34 crore consumers would be Rs.14,672 crore in 2014-15. Jaitley’s estimate of Aadhaar-led savings—Rs.15,000 crore—was arrived at using this method.


The IISD’s rebuttal is as follows. Jaitley’s claim rests on the premise that the elimination of 3.34 crore consumers was made possible by Aadhaar. However, official figures show that a very large majority of the 3.34 crore customers were eliminated before the Direct Benefit Transfer for LPG scheme (DBTL) was introduced and through methods “entirely unrelated to DBTL or Aadhaar”. Oil marketing companies have been attempting to identify and block irregular connections even before Aadhaar or DBTL was introduced. As part of a connection regularisation drive from May 2010, the oil companies had identified at least 2.66 crore duplicate connections by November 2012 itself. The total number of connections reported as “inactive” in November 2014 was 2.3 crore. Thus, Aadhaar-based deduplication was not responsible for a very large number of duplicate connections identified and blocked. A list-based deduplication was 15 to 20 times more effective than Aadhaar-based deduplication. The IISD’s conclusion here is striking: “The maximum number of potential duplicates identified in LPG databases through Aadhaar-based deduplication is approximately 1 per cent (or less)...”. They also argue that the maximum gross savings in LPG subsidy expenditure from Aadhaar-based deduplication was approximately Rs.12 to 14 crore only. The savings of Rs.15,000 crore claimed by Jaitley for 2014-15 can be arrived at only if all the duplicate consumers identified without using Aadhaar are also counted as identified because of Aadhaar.
The IISD has also released a set of alternative savings estimates for 2015-16. In its method of estimation, it used (a) the number of actual deduplications achieved through Aadhaar; (b) the actual average number of cylinders bought per active consumer in 2014-15, or 7.4 cylinders (not 12 cylinders); and (c) the monthly subsidy rate per cylinder. According to the IISD, the total avoided expenditure owing to the integration of Aadhaar in LPG in 2015-16 was only Rs.120 crore, which was less than 1 per cent of what Jaitley claimed.
Many other claims in favour of Aadhaar are also based on such erroneous methods. For instance, in the public distribution system (PDS), a claim has been that seeding Aadhaar into ration cards can effectively eliminate “bogus” ration cards. However, what has gone unnoticed is that even without Aadhaar, State governments have been effectively eliminating “bogus” ration cards using an end-to-end computerisation plan. By December 2010, about 2.09 crore “bogus” ration cards were eliminated across 26 States (see “PDS in peril”, Frontline, November 19, 2011). By June 2014, about 4.94 crore “bogus” ration cards had been eliminated across 30 States/Union Territories. Yet, it is claimed that Aadhaar-based deduplication offers the only effective way to eliminate “bogus” ration cards.


Aadhaar in social sector schemes

Jaitley’s positioning of the Bill as pro-poor and welfare-oriented is nothing but a clever ploy to mask the real intentions behind it. The real intention behind the Aadhaar project is not to improve welfare or reduce poverty but to effect a neoliberal transformation of the state’s role in the social sector (see “Identity Concerns”, Frontline, November 19, 2011). Such an objective has two elements. The first is a shift from universalism to targeting. Aadhaar is not intended to expand or universalise social services. Its aim is to keep benefits restricted to “targeted” sections, ensure targeting with technological precision, and limit the government’s fiscal commitments. The second is a shift from direct provision to indirect provision of social services. Here, existing institutions of direct intervention are dismantled and replaced by new institutions of indirect provision intermediated by the market. The proposed objective of converting all in-kind provisions to in-cash transfers is a prime example. Citizens are provided with cash and are told to purchase the once state-provided services from the “market”. Here, Aadhaar is not a tool of empowerment; it is actually an alibi for the state to leave the citizen unmarked in the market for social services.

Given this larger design, Aadhaar has been forcibly incorporated into the implementation of social sector schemes, such as old-age pension disbursements, wage payments of the Mahatma Gandhi National Rural Employment Guarantee Scheme (MGNREGS), and PDS grain sales. From the pilot projects on these schemes, journalists and researchers have documented large error rates in the centralised biometric authentication of beneficiaries and the presence of disruptive factors like lack of electricity and poor Internet connectivity. According to a study by the United Nations Development Programme (UNDP) on Aadhaar linkage in MGNREGS in Jharkhand, only 4 per cent of the surveyed beneficiaries reported successful fingerprint authentication at the first attempt. About 54 per cent reported two to three attempts, 23 per cent reported four to five attempts and 18 per cent reported more than five attempts before authentication was completed. There have been, also, a large number of reports where beneficiaries are denied benefits because of the poor quality of their fingerprints. For the elderly beneficiaries of old-age pensions, fingerprint authentication has been a nightmare; their fingerprint authentications have had the highest error rates.

Regardless of such a poor record of Aadhaar in government schemes, Modi has pinned much of his hopes around the JAM (Jan Dhan-Aadhaar-Mobile) initiative. The JAM initiative is an extension of the earlier government’s Direct Benefit Transfer (DBT) scheme. It seeks to monetise all the transfers made from the state to citizens, and load that money onto the Aadhaar-linked Jan Dhan accounts of beneficiaries. However, opening Jan Dhan accounts is not sufficient for JAM. Account holders also need to withdraw the cash. As the spread of brick-and-mortar branches of banks is poor, banks have been relying on the Banking Correspondent (B.C.; also Bank Mitra; or private agents of banks who facilitate banking operations in unbanked areas) model to facilitate cash withdrawals. The revenue model here is based on a commission that B.Cs receive upon every transaction.

However, the B.C. model has been a failure. First, in many States, B.Cs were mainly village headmen, moneylenders and fertilizer dealers. This mirrored and reaffirmed power relations and hegemonies in villages. Secondly, corruption has been an important feature of the B.C. model. Finally, the B.C. model has been expensive. Banks and the government are not ready to pay higher commission rates to the B.Cs; as a result, B.C. salaries are low and rural youths are not interested in becoming B.Cs. According to a recent countrywide study of B.Cs by MicroSave, the average monthly salary of a B.C. was just Rs.4,692.

The poor financial viability of the B.C. model has forced the government to try alternatives. Leaving commission rates constant, can transaction volumes be increased so that B.C. earnings would rise? For this purpose, the government has been trying to pack the old DBT scheme with as many transfers as possible. As disbursements of pensions and MGNREGS payments are seen as insufficient to substantially raise transaction volumes, the target is the PDS. The subsidy implied in the in-kind grain transfer in PDS is sought to be converted into an equivalent cash transfer. Needless to say, such a step would effectively dismantle the PDS in India. Other new plans have included the conversion of free schooling into education vouchers and free health care into health vouchers. And that would indeed be a neoliberal’s dream come true.

So, why has Modi jumped onto the Aadhaar bandwagon after claiming that it was no “herb for all cures”? Why has his government suddenly lost respect for the Supreme Court’s “pulling up”? The answer appears to be simple. After coming to power, Modi has realised the utility of Aadhaar as an instrument to further entrench a neoliberal social policy.


R. Ramakumar is Professor at the Tata Institute of Social Sciences, Mumbai.

9698 - INTERVIEW: USHA RAMANATHAN Threat to citizen rights - FrontLine




Interview with Usha Ramanathan, legal researcher. By V. SRIDHAR

The grand Indian project for a “unified” identity regime has, since its inception, been grounded in two key propositions. The first is the notion that the targeted delivery of state-sponsored benefits and services will plug the “leakages”, which will ensure that only “genuine” beneficiaries will access state-distributed and subsidy-laden benefits. Thus, Aadhaar was visualised as the tool that would make sure that the benefit distribution system would operate efficiently. The other critical aspect of Aadhaar has been its techno-utopian foundation—that this is a magic wand to abolish poverty.
The independent legal researcher Dr Usha Ramanathan has written, campaigned and spoken extensively on various issues lying at the intersection of legal jurisprudence, civil rights and poverty. She was a member of the Expert Group on Privacy at the Planning Commission and a member of a committee (2013-14) set up by the Department of Biotechnology to review the draft Human DNA Profiling Bill, 2012. She has been a consistent critic of the philosophical, social, legal and economic foundations of the Aadhaar project.
Here, in this telephonic interview with Frontline, Usha Ramanathan argues that the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016, abridges the rights of citizens and threatens to impose severe hardships on the poor, who are supposed to be the prime beneficiaries of the legislation. Excerpts:
What is your opinion as a legal researcher on the move to present the Bill as a money Bill—both legally and as a political manoeuvre?
Nobody seriously believed that the 2016 Bill was a money Bill. The words “Consolidated Fund of India” were slipped into a few provisions to justify introducing it as a money Bill. But, while the Bill in Clause 7 says that the government may make enrolment on the Aadhaar database a condition for getting subsidies, benefits and services, this Bill does not itself provide for any subsidies or benefits or services. What the Bill does is to make the UIDAI [Unique Identification Authority of India] a statutory entity, legalise the collection and databasing of demographic and biometric information of residents, expand the use of the UID number beyond the state to “any body corporate or person”, provide protection to officials of the UIDAI from prosecution and create some offences. The hallmark of a money Bill, which is to make money available to the executive to carry out its work, is nowhere present in the legislation.


In resolving a “dispute” about whether a Bill is a money Bill or not, the Speaker’s task is to decide whether the Bill conforms to what Article 110 of the Constitution says. A money Bill—that article is categorical—has to be “only” about the matters listed there, and this Bill is not about any of those matters at all. Maybe, the Speaker of the Lok Sabha had been advised that the Juvenile Justice Act had been passed in 1986 as a money Bill and so constituted a precedent. This, however, was proven wrong, but only after Jairam Ramesh found out otherwise and corrected Arun Jaitley in the Rajya Sabha. Now, it is either for the President to hold back on signing it into law and ask the government to remedy the mistake—maybe apologise to Parliament and restart the process of making the law. Or it may have to go to court and be judicially reviewed. That the money Bill route was taken to stifle debate is one of the tragic ironies of this project.
The Aadhaar legislation has been passed by Parliament even as a bench of the Supreme Court is considering a challenge on the grounds that it violates the right to privacy. Does the law now tilt the field against this challenge?
It is significant that just when the UID case was being heard in the Supreme Court, the Attorney General argued that privacy was not a fundamental right. He succeeded in putting under a cloud a right that has been part of our constitutional jurisprudence for over 40 years. And yet, at the same time that this argument was being made in the Supreme Court, the government was arguing in another courtroom that privacy being a fundamental right, Section 499 of the IPC [Indian Penal Code], which makes defamation a crime, should not be struck down. There the government was presenting itself as a protector of citizens’ fundamental right to privacy!
The UIDAI has been protesting that there are no privacy problems because all that the authority will do is respond to an authentication request with a “yes” or a “no”. This is not true, and the Bill reflects a part of the problem. The UIDAI collects and organises a database of demographic and biometric information, and it reserves the right to collect other data. So, the collected data have already expanded to include mobile numbers, e-mail addresses, bank accounts and other details of citizens. When the UIDAI receives the authentication requests, it has information about where the request is coming from—banks, employers, hospitals, airline companies, the Railways, shops, or even the Election Commission.


The 2016 Bill legalises “data sharing agreements”. The bureaucrats can then decide when and under what circumstances the information ought to be shared in the “national interest”. A court can direct the sharing of information, including authentication records. The government can take over from the authority “if persistently defaulted in complying with any direction given by the Central government”. The now-infamous Clause 57 permits “any body corporate or person” to “use” the Aadhaar number in pursuance of any law “or any contract to this effect”. Wherever the Bill provides for information to be taken from the UIDAI, the UIDAI has to be heard by the court or the government or an official. But the person whose data are being handed over is not only not heard, he/she is not even to be informed, either immediately or after a length of time.
There is no opt-out provision and no question of ever getting off the database. You cede control to the UIDAI once you enrol. The law endorses the one-sided control of citizen information.
But Aadhaar’s proponents claim “core” biometrics would not be disclosed under any circumstance—national security included?
The biometric history of the UID project tells its own story. There is a reason why the UIDAI is keen not to have the biometric database scrutinised, or even seen, by anyone but itself. This is not for the protection of the interests of those on the database. The willingness to share demographic and authentication data, get into data-sharing agreements and allow any person to access the UID database tells us that.
The admitted truth is that biometrics is still being researched. No one is yet sure of the value of the biometrics of such a vast and diverse population. The provision that “core biometrics”—which is everything other than the photograph—will not be given to anyone for any reason—never mind if it is a matter of national security or forensic need—is to shield the faults and fallacies, uncertainties and sure misses from scrutiny.
Why do I say this? Just go back to the time the UIDAI decided to adopt biometrics as the measure of uniqueness. That was in September 2009. What was known about it then? Very little. In January-February 2010, a notice inviting a biometrics consultant was candid:
“[The] National Institute of Standards and Technology [NIST, in the United States] has spent considerable efforts over the past 10-15 years in benchmarking the state-of-the-art extractor and matching technology for fingerprint, face, and iris biometrics on the Western population. While NIST documents the fact that the accuracy of biometric matching is extremely dependent on demographics and environmental conditions, there is a lack of a sound study that documents the accuracy achievable on Indian demographics [that is, larger percentage of rural population] and in Indian environmental conditions [extremely hot and humid climate and facilities without air-conditioning]. In fact we could not find any credible study assessing the achievable accuracy in any of the developing countries…The ‘quality’ assessment of fingerprint data is not sufficient to fully understand the achievable de-duplication accuracy.”


In December 2009, the Biometrics Standards Committee set up to report on the possibilities of achieving uniqueness during enrolment said that of the 25,000 people whom it had checked to see if the technology could deliver, 2 to 5 per cent had no biometrics that worked. So it suggested that maybe one more biometric could be added and maybe that could be the iris but that it should be tested before being adopted. And crucially, iris was included as an added biometric before tests or studies were undertaken. In the next few years, the proof of concepts on enrolment [2010-11], fingerprint authentication [March 2012] and iris authentication [September 2012] showed a system still at the stage of study and experimentation. The Parliamentary Standing Committee on Finance, which reported on the 2010 Bill, rejected it partly because of the use of “untested technology”. In 2011, the Mission Director of the UIDAI said:
“Capturing fingerprints, especially of manual labourers, is a challenge. The quality of fingerprints is bad because of the rough exterior of fingers caused by hard work, and this poses a challenge for later authentication.”
This bothered the Standing Committee, too, because it was plain that the difficulties in authentication would result in large-scale exclusion and denial since a large proportion of those needing state assistance are precisely those doing manual labour.
In 2013, the CBI [Central Bureau of Investigation] got an order from a magistrate to get the biometric database of all persons enrolled in Goa. This was in connection with the case of the rape of a child in school. The CBI said it had found a random palm print that it wanted verified. In a litigation that was appealed all the way to the Supreme Court, the UIDAI argued against the order asking it for access to its database in order to assist criminal investigations. It cited two considerations: one, privacy and two, that the way they collected and stored meant that data could not be used for forensic purposes. Initially, in May 2014, the Supreme Court directed that the biometric data of a person should not be shared without the consent of its owner. However, on August 11, 2015, the court modified this order by making an exception when directed by a court for the purpose of a criminal investigation.


On August 13, 2015, the UIDAI website was refreshed. The website now hosts a section on “UBCC and Research”. [UBCC stands for the UIDAI Biometrics Centre of Competence.] The text reads: “Biometrics features are selected to be primary mechanisms for ensuring uniqueness ... No country has undertaken to build a national registry at the scale and accuracy as UIDAI initiative. Nature and diversity of India’s working population adds another challenge to achieving uniqueness through biometric features. Like other technology fields such as telecommunication, we do not have experience like developed countries to leverage for designing UIDAI’s biometrics systems…Therefore, it is necessary to create a UIDAI Biometrics Centre of Competence that focuses on the unique challenges of UIDAI.” The “mission” of the UBCC is “to design biometrics system that enables India to achieve uniqueness in the national registry. The endeavour of designing such a system is an ongoing quest to innovate biometrics technology appropriate for the Indian conditions”.
ARE LEAKAGES REALLY PLUGGED?
At a popular level—and this appears to be its ideological underpinning—the notion that it is the most effective way to check “leakages” of benefits to citizens appears to have caught on, especially among those who are swayed by what can be termed techno-utopianism.
A study commissioned by the Andhra Pradesh Civil Supplies Department in 2015 to find out why almost one-fourth of those entitled to rations had not collected rations found fingerprint authentication failure in 290 of 790 cardholders, and Aadhaar “mismatch” in 93 instances. In the hundred days that the Jawaabdehi Yatra toured Rajasthan from December 1, 2015, the number of people reporting that they did not receive their rations or pensions because of failed fingerprint authentication or Aadhaar mismatch [where the information on the Aadhaar database and that on the public distribution system database, for instance, do not tally] was disturbingly high. There were others who had had to visit the shop four or five times before they got their rations because of fingerprint authentication problems.
Advocates of Aadhaar, including Nandan Nilekani, say the system being cashless, paperless and presence-less makes it ideal for plugging leaks.
If direct benefit transfer is introduced in place of the PDS, the last mile is still dependent on a banking correspondent or other such agent who will use an authentication system to decide whether or not or how much to hand over to the individual. The term micro-ATM is highly misleading because it is not anything like an ATM we know. It is indeed micro; but there is nothing automatic about it; in fact, it is through an agent who dispenses the monies. The risk of moneys being siphoned off, especially because of low literacy levels, particularly financial literacy, and the desperate vulnerability of the poor is being deliberately underplayed.


By making Aadhaar paperless—it is a number attached to a biometric—the project places barriers to identifying oneself when collecting rations, pensions, job cards, and so on. This may well suit the system, but it leaves people at the mercy of a technology that is still being tested, a technology with limitations for the working class that are already being demonstrated across the country. And, alongside with experimenting with this system of identification, it is setting at nought other ways people have had of identifying themselves to the system, such as with ration cards, or kisan cards, or voter IDs. The project was promoted with the claim that it would give a portable identity to migrant workers. We have not seen too many signs of portability yet, more than seven years after the project began. The large number of workers in the construction industry, for instance—and it is their biometrics that is expected to make their ID portable.
As for being presence-less, it appears Nilekani would have the government disappear behind a computer monitor. It is this absence that is already the problem. The supervision and reporting on a project such as this is largely missing. There is no one to take the problems to if and when they crop up. Technology is a useful tool. However, when it is interposed between the people and an administration, it is not necessarily empowering. But, techno-utopia has no patience for nuance or substance.
ISSUES RAISED IN COURT
What issues are raised in the cases in the Supreme Court?
The cases raise many issues of constitutional importance. One of these is the fact that a project of this nature and scale had been launched and had proceeded without a law prescribing its mandate and limits. Now there is a law, but it doesn’t address many of the concerns; in some aspects, it exacerbates the problems; these still have to be considered and adjudged by the court. There are two main streams in this project. One is biometrics. From early on, it was recognised that biometrics was untested technology, even by the UIDAI’s own admission, and that its imposition through the project was an experiment on the entire population. Two, with the “numberising” of the population and the insertion of the number in every database, citizens are exposed to tracking. Once it is in a range of databases, it makes it possible to do data mining, convergence of data, profiling, tracking and networking and trading in personal data. Use of this number, and of the UIDAI’s services, by the government and by private persons and agencies is a part of how this “ubiquity” will be achieved. That people are being asked to part with their number and personally identifiable information wherever anyone may demand it is among the insecurities generated by the project. These issues remain to be resolved by the court.


The use of companies such as L-1 Identity Solutions, Accenture and Morpho is already under challenge in the Supreme Court, especially for their proximity to foreign intelligence agencies including the CIA [Central Intelligence Agency], the U.S. Department of Homeland Security and the French government. One strange response to an RTI [Right to Information] request about how firms of such provenance could have been engaged for this project said that the authority had no means of knowing which country these companies were from; they had registered offices in India, and that is all that was on their applications! These are matters of national security before the court.
Exclusion, especially of the working class and the poor, is getting more established with experience. The court is also yet to decide on the contempt petitions filed in the pending cases which address the issue of coercion and exclusion that the project has brought with it.
The biometric, demographic and authentication data with the UIDAI is one level of privacy invasion. Seeding this number in multiple databases and the profiling and tracking that facilitates it is another. It is not only poverty and political dissent that this will target. One way to understand the implications of the ubiquity of this number is through the National Intelligence Grid [NATGRID]. Its mandate has been to give information in real time from 21 databases—and this can be expanded to include 11 security and intelligence agencies. This is not under any law, and it has been declared to be a security organisation and therefore outside the remit of the RTI Act. We often hear people say, if you have done nothing wrong, why should you care if everything about us is known? Well, it is not what we think is of interest to us that counts in such situations; it is how we are construed by those who have an interest in us. And this is not what we put out about ourselves; it is about how databases reflect us. These too are before the court.
There is a fundamental principle being argued in court: that the Constitution is not about the power of the state but about the limits of the power of the state over the people. The idea of transparency, too, is being contested. While the RTI Act aspires to make the state transparent to its people, the UID project works at making the individual not just visible, but to be profiled and tracked by the state and by private companies and persons. The matter was referred to a Constitution Bench on the question of privacy; the court is still to hear and decide this question.
COURT ORDERS FLOUTED
The database has reached a hundred crore. What now?
First, this database was built up by flouting the orders of the court. The court said time and again the UID number should not be made mandatory, and that was consistently ignored. Even the Election Commission got into the game in March 2015 until a contempt petition halted it in its tracks. This, therefore, is not a legally constituted database.


Second, when the UIDAI decided that it wanted to do its own enrolment—and not only help in the standardising of the governmental databases, as was its original mandate—it was said that all other existing government databases were full of errors but this would be the one that would be perfect. The manner of enrolment through thousands of enrollers (27,000 enrolment stations at one count), the hurry, the process which has no patience with verifying documents, the lack of monitoring of enrollers and registrars: all this explains why errors abound. In January 2012, P. Chidambaram, as Home Minister, refused to give credence to the UID database because the process was porous and the data unreliable. By end-January, there was a rapprochement between the Home Ministry and the UIDAI and they decided to share the country 50:50. That tells us something about how the project has proceeded, and the worth of its database.
Three, if the creation and maintenance of this database raises national security risks, it makes sense to dismantle it. Four, take a look at who is a resident in the 2016 Bill: it is a person who has resided in India for 182 days in the 12 months preceding the application. There was no such criterion, and no such check, in enrolments so far. The UIDAI Mission Director is reported to have said that consent, which has to be obtained from a person when being enrolled, will only apply to those who enrol after the law comes into force; the law, according to him, ratifies everything that the UIDAI has done so far. So will it also ratify a database that is not verified if the person is a “resident”?
What other aspects of the law are of concern?
The breadth of the definitions of subsidies, services and benefits covers almost the entire universe of our lives—and both private persons and companies and government can demand the number as a condition. The law allows the UIDAI to do what it will through regulations—it includes adding more biometrics, more fields of personal data, and extends way beyond. The individual has no means of asking, finding answers to or contesting what the UIDAI does. When an offence, including data theft and identity fraud, is committed, the individual can do nothing. It is only the UIDAI that can take a complaint to a court. There is a clause that lets the UIDAI make regulations to “omit” or “deactivate” the number. This is what is called “civil death”.

This project began without a feasibility study. It left open questions of constitutionality and civil liberties and was based on untested technology. It was aggressively promoted, using the power and resources at the command of the state. That is why it has met with opposition from many quarters. One of the tragedies of this project pertains to how it has successfully made a villain of the recipient of state support. It has institutionalised the notion of the “undeserving” poor, which threatens to promote, instead of curtail, the extent of deprivation in the country.

9697 - Press Conference on “Are Aadhaar like biometric identification projects in India, Nepal, Bangladesh and Pakistan legitimate?”

PRESS INVITE  
Press Conference on “Are Aadhaar like biometric identification projects in India, Nepal, Bangladesh and Pakistan legitimate?”

Date: Wednesday, 30th March, 2016
Time: 3.30 PM
Venue: The Foreign Correspondents’ Club of South Asia
AB-19, Mathura Road, New Delhi: 110001
Tel: 91-11-23388535, 91-11-23385518 
Speakers:  Mr P D T Achary, former Secretary General, Lok Sabha     
Dr Usha Ramanathan, noted jurist
Ms. Kavita Krishnan, Secretary, All India Progressive Women Association (AIPWA)
Dr. M Vijayanunni, former Registrar General and Census Commissioner (TBC)
Col. Mathew Thomas, former Defence Scientist (TBC)
Dr Gopal Krishna, Citizens Forum for Civil Liberties (CFCL)
and other eminent citizens and representatives from neighboring countries 

Now that the Aadhaar Act, 2016 has been notified in the Gazette after it received the President’s assent, the press conference is aimed at examining the constitutionality and legitimacy of such initiatives in a global and South Asian context. The Supreme Court of India is seized with the matter. The Election Commission of India has refused to link Aadhaar with Voter ID in compliance with the Court’s order. Governments of India, Bangladesh, Pakistan and Nepal appear to have been compelled to adopt biometric identification for their residents, ignoring the fact that countries like UK, USA, China, Australia, and France have scrapped either their identity projects or indiscriminate use of biometrics. But the same has been bulldozed in India, Bangladesh, Pakistan and Nepal. In the aftermath of disclosures by Wikileaks, Edward Snowden, Glenn Greenwald and Citizen Four and access of a locked iPhone, it is evident that illegitimate advances of transnational entities are being legalized. Mass surveillance is harming democracy. It is silencing minorities of all ilks.
Citizens Forum for Civil Liberties (CFCL) has been working on the issue of biometric identification and related issues since 2010. It had submitted testimony before India's Parliamentary Standing Committee on Finance that examined the Aadhaar Bill, 2010 that was meant to legitimize the Unique Identification Authority of India (UIDAI).

To discuss this and allied issues we cordially invite you to join us on Wednesday, 30th March, 3.30 pm at Foreign Correspondents’ Club of South Asia.

For Details: Gopal Krishna, Citizens Forum for Civil Liberties (CFCL), Mb: 09818089660, 08227816731, E-mail-1715krishna@gmail.com, Ramesh, Indian Social Action Forum, Mb: 9818111562 Email: rameshinsaf@gmail.com 



9696 - Govt should protect citizens from surveillance instead of collecting data – Dr Gus Hosein & Dr Edgar Whitley Reddit AMA - Media Nama


By Sneha Johari ( @thejunebug ) on March 29, 2016


In this Reddit India AMA held last week, Dr Gus Hosein and Dr Edgar Whitley talk about the perils of Aadhaar, citizen privacy and surveillance, a law for privacy and the right to privacy. Dr Gus Hosein works with Privacy International, a London-based charity and is a Visiting Fellow at the London School of Economics, and Dr Edgar Whitley is an Associate Professor (Reader) of Information Systems at the London School of Economics. Here are snippets from the AMA:

On generating awareness on the online privacy breaches:

Hosein: .. For some people it is all about the specific scenario that raises their awareness — a data breach, or the lack of power resulting from a decision against them based on their data. For others it is the matter of principle — that any entity could have control over their lives in such a way.

The answer I can give for an entire country (the question asked about India) is that you need many many stories of many many different types that give rise to debate and more stories and more debate. Then you have a national conversation. Nonetheless I can say that the debate in India has come so far since 2007 when I first visited. At the time whenever we spoke to people about privacy they all laughed.

Since then, due to the hard work of individuals and organisations, the debate has advanced significantly — faster than anywhere else in the world… We’re still working on the best ways of doing this!

Whitley: Another approach is to build in technological features that minimize the potential privacy risks, so that they don’t arise in the first place. Clearly, this needs to be done in conjunction with awareness raising/education as well… Education can include adding the topic to the curriculum of Schools – increasingly schoolchildren are being taught about the risks of sharing sensitive personal information online – and privacy risks are part of that.

On a case where a company found out a customer’s info and address and went to their doorstep:

Hosein: India needs a privacy law. It’s as simple as that… Without it, you cannot regulate government activities nor industry activities…No one is really talking about anywhere is how hard it is to secure data; and companies and governments don’t like these laws making it their duty to protect our data. If they were finally held to account for this challenge of protecting our data, they may finally start collecting less and sharing it less. Only the law gets them to do this…

Whitley: Indeed, some organisations are starting to realise that, despite the claimed benefits of big data and data analytics, data are actually a toxic resource that they are better off NOT holding on to. This comes to the broader question about privacy rights/laws in India. The Aadhaar bill doesn’t address this kind of situation… The home visit seems to be a completely different issue, given you weren’t likely to become a future customer of the organisation.

On other countries rejecting UID/Aadhaar like projects, implications of Aadhaar and impact of biometric technology on civil liberties:

Whitley: In the UK between the launch, in 2005, of a biometric identity card scheme and its scrapping in 2010, following election of the coalition government, public mood about the “surveillance state” changed dramatically. It was also affected by the government losing the personal details of all families claiming child support etc. Since then the UK has developed an explicitly privacy friendly identity verification service.

Hosein: I think that any country that has an open debate about whether to start an ID system inevitably concludes that it is not a good idea to create a multi-purpose centralised mandatory system. So instead every other government with such a system has managed to sneak it in through the backdoor, by making it voluntary for instance until it is made mandatory, or blaming foreign entities. So these systems are always rejected whenever they are openly deliberated upon.. Creating a system that is multi-purpose and mandatory costs so much money, takes so many security risks, has to create so much buy-in from across government and the general public, that it is almost inevitable that it will fail either in being dreamed-up, being legislated, or being implemented.
The biometrics industry has seen a boom since 9/11… then there was a second wave, with India and other countries being sold the ‘development’ angle to biometrics… I am very worried about this. We have to watch for Indian companies and consultants travelling the world selling these systems.
For the link with intelligence agencies.. there is a surveillance industry out there profiting from all of these types of surveillance technologies and traditionally have links with either defence firms or involve ex-intelligence agency employees going into the private sector. I am not sure about the biometrics industry though — we haven’t tracked them as much as the communications surveillance industry.

Whitley: Again, there are technological alternatives at play – not just “the use of biometrics”. Some smartphones use fingerprint biometrics to authenticate the user of the phone but they are designed to NEVER share the fingerprint data with any other system (and don’t need to). They simply check whether the fingerprint presented now is the same as the fingerprint presented earlier. Aadhaar (currently) seems to require the fingerprint presented now to be matched (via a secure internet connection) with the fingerprint collected previously. This, of course, also creates an audit trail of when (and where) the fingerprint was checked and, as Gus mentioned, increases the costs of using the system considerably.

On costs being borne by the citizens:

Hosein: We can only hope for debate and deliberation. In the UK the Government did get their legislation and did try to build their system over a 5 year period until the next government repealed it. The costs are always borne by the next politician, the next government, and yes, ultimately the citizens. The risks are ours too. Not the creators of the idea…

Whitley: Good detailed analysis of some of the problems with biometrics and their exclusionary effects can be found in Magnet SA (2011) When biometrics fail: Gender, race and the technology of identity. Duke University Press, Durham.



On additional risks of Aadhaar and it being just another ID:

Hosein: There are many identifiers out there. With modern surveillance systems, our face, how we talk could be used to identify us. Our mobile number is an identifier, but more interesting and useful is our IMSI number for our mobile — it is mandatorily disclosed by our phone to mobile phone towers all the time..

The problem with all of these IDs is that you have no say over them, and they are leaking your information and your uniqueness all the time, making you traceable to anyone who is able to monitor. Our governments should be protecting us from these kinds of surveillance, whether done by agencies or the private sector, in our country or abroad. But instead, governments are spending their time and money getting into the business of data collection.
We need identity systems that empower us and protect our data. UID seems to be making all the wrong decisions on security, no decisions on privacy, and by making it practically mandatory, is taking all the power away from the individual. This is not what Indians need.

On what questions should citizens ask the government with respect to privacy issues, especially in the face of Digital India:

Hosein: This is a fascinating question that I’m still getting my head around. ‘Digital country’ initiatives are massive funding initiatives that end up in wasted money and useless IT. Again, politicians love announcing these initiatives and then waste billions of taxpayers’ money on it. The exchange for their ‘Digital’ initiatives should be that citizens deserve transparency on how their information is going to be used, have a privacy law in the country, and taxpayers need to be kept apprised on how the funds are planning on being spent.



On free WiFi:

Hosein: As for free wifi at railway stations, these are often insecure, allow for interception and other forms of surveillance, and can be used to track you over time. If something is free, odds are that someone’s up to no good.
Whitley: The issue with most of these “free” services is that they aren’t really “free” – the most common method of making money is through analysing the data and providing (targeted) advertising. One consequence is that there is normally no reason to tell the truth when registering for the free service.

Hosein: Sadly they don’t need your date of birth and instead grab unique identifiers from your devices or browsers (e.g. IDs or cookies), from your network connection (IP address). So they are still able to uniquely identify you. The solution isn’t just faking out the system. The true solution is a legislative fix: a privacy law.

On things that make you give up your privacy, protecting self and if open source is a better system:

Hosein: Yes, mobile operating systems are key challenges/risks/opportunities for privacy. Android is open, which has its advantages. But the most glaring problems are that i) it is very hard to stop the transfer of data to Google in the process; and ii) most handsets running Android are not updated for security faults.
That is, every operating system and app out there needs to be updated periodically to fix any security holes in the system… Android is a fragmented environment. Most phones are operating very old versions of the operating system, and are as a result very insecure. But it also comes down to the hardware which is not owned by anyone you ever contract with; and is capable of being hacked or leak information…
So what we need are open devices with open hardware, and open operating systems that are kept up to date and patched continuously. This is going to take some investment but I’m optimistic.

On passive surveillance to watch for threats and citizen security:

Whitley: This is probably not an either/or situation rather one where I would want to know the details of what kinds of “passive surveillance” you are thinking about. Certainly, better policing helps a lot, not least because this is a rapidly changing context – e.g. reports that the Paris attackers were using burner (one-time) phones rather than encrypted messages.
Hosein: I agree with Edgar. The interesting thing to date about those terrorist attacks, is that the individuals were all known to the authorities. Surveillance is certainly a part of the answer. But mass surveillance is highly unlikely to be effective, and it is unacceptable from a human rights and legal perspective… Nonetheless, politicians will likely seek more surveillance powers. Seeking powers is easy particularly after an atrocity. But when there is another attack further down the road, the politicians are not held to account for their focus on surveillance instead of other measures — they only respond with the need for more surveillance. Again, like ID, politicians like pointing to simple solutions and aren’t there to be held to account when their ‘solutions’ fail.

On types of passive surveillance, like people visiting radicalised sites etc:

Hosein: I don’t have an easy answer to it. How do you create a law that allows only this form of activity? We always see the expansion of purposes in practice. So what starts with ‘radicalised sites’ will soon become other types of sites that you are more concerned about. Such sites are an exercise in religious freedom and freedom of expression. Are you going to be criminalised for web surfing, or is it for actual speech, or just ‘liking’ something? Are you going to be tracked across your professional and personal life because of ending up somewhere on the internet? I’m not sure that is an effective way of doing things.

Authorities draw friendship trees: who knows someone who knows someone who knows someone who may be related to a terrorist investigation. That is already 3 degrees of separation and may include hundreds of thousands of people to investigate. It’s very hard to do that.

On risks of (Aadhaar) being an authentication system:

Whitley: The most obvious risk is the audit trail associated with authentications to the central database (see comment below). The other risk is that, inevitably, there may be some circumstances where “any reasonable person” would see that the biometric data should be shared (FBI / Apple anyone?). To be fair to UID, to date they have resisted any such calls but if the data is held, inevitably people will try and get access to it.

Hosein: Part of the Snowden disclosures included statements about how intelligence agencies are getting copies of national identity databases of other countries. I don’t know how you can entrust such sensitive information with a single authority that can never keep it secure enough from foreign agencies.



On NSA spying on citizens of other countries, steps for prevention and what steps needs to be taken by India:

Whitley: It is helpful to note that it is probably not that helpful to think about this being THE national policy as this immediately leads to contradictions – THE national policy might be to fight terrorist threats AND THE national policy might be to make the country a good place to do e-business (which requires strong encryption – which runs counter to the first national policy). Often it is different parts of “the government” pushing for these different agendas – did the NSA really think about the effects of their work on the business models for US cloud providers? (e.g. the removal of the safe harbor provisions – Silicon Valley now ‘illegal’ in Europe: Why Schrems vs Facebook is such a biggie)

Hosein: The incredible work by Edward Snowden gave us the evidence of what the UK and US Governments were up to (and a bit about others). The challenge is that we discovered they were doing everything they could: they were intercepting vast components of the internet (see XKeyScore and Tempora), they were monitoring activities on social networks (see Squeaky Dolphin), they were hacking entire companies, networks and individuals… The list goes on.

What is actually to be done in response?

1. Demand governments to come clean on how they are secretly interpreting communications surveillance law to somehow undertake all these activities. It is highly likely that every intelligence agency is now undertaking similar activities, if they weren’t already doing so.

2. Demand companies to take extensive measures to protect security and privacy of your data and communications. Some companies have taken basic steps of say implementing SSL in their web server connections. But so much more is needed. Some firms have started to implement encryption more widely — it’s a good start, but they must do so as openly as possible. So you make a good point about closed-source software. Open review of code is absolutely necessary to ensure that it can be trusted.

3. We need to take ownership of the ‘cybersecurity’ agenda created by governments to spy on more communications and interactions; and make it about protecting our devices, our networks, and our information.

4. Stronger legal protections. Again, India needs a privacy law. With that as a foundation, more work is needed across the world to strengthen safeguards in surveillance laws. Privacy is a qualified right; but surveillance can only be done in limited circumstances with strong privacy safeguards. The problem is that governments secretly interpret the laws and loosely implement safeguards. We need to push a reform agenda.

5. We have taken a number of cases against the UK Government and its spying — on all the issues I highlighted above. We are likely to end up soon at the European Court of Human Rights. We’ll get back to you once we see what happens.

Hosein: ..Colombia had to shut down its intelligence agency because of surveillance abuses; then we found that the other agencies were re-creating many of these powers. The Ugandan government was making claims around the benefits of hacking the communications devices of the opposition party and protest movements. The Egyptian intelligence agency was buying hacking technology…

Whitley: If NSA etc. have infiltrated the developers of, elliptical encryption curve software, then making the software open source doesn’t necessarily help in practice.. as appears to be happening in relation to some aspects of privacy (ironically, in a closed environment).

On phone interceptions:

Whitley: If you mean listen in on them, then how would you feel if this was a call where you whispered sweet nothings to your loved one but then discovered that someone else was hearing this as well. If you mean just recording the metadata, then the EFF has some great examples https://www.eff.org/deeplinks/2013/06/why-metadata-matters

Hosein: Governments are not necessarily investing vast amounts of resources to listening in to phone calls, they are gathering metadata (who is speaking to who, when) and generating metadata (can we understand the language of the call, the mood of the people on the call, etc.) and store that in a database(s) so that it is possible to do detailed analysis at a later time, e.g. bring up all your call information, all your locations, all your moods over a six month period because you knew someone who knew someone who knew someone who might have been subject of an investigation at some point. Finally, to intercept your call and monitor you in any way, it is up to them to provide the justification why it is necessary in a democratic society to do so. It’s not for you to ascertain whether it caused you harm in any way.

On what ‘right to privacy’ stems from:

Hosein: Is it a right that enables other rights, or is it a right that must be respected for its inherent value? Or is it about dignity and autonomy (which is true of all the other human rights)? I tried to explore the definition in this piece. https://www.privacyinternational.org/node/54
***