In 2009, I became extremely concerned with the concept of Unique Identity for various reasons. Connected with many like minded highly educated people who were all concerned.
On 18th May 2010, I started this Blog to capture anything and everything I came across on the topic. This blog with its million hits is a testament to my concerns about loss of privacy and fear of the ID being misused and possible Criminal activities it could lead to.
In 2017 the Supreme Court of India gave its verdict after one of the longest hearings on any issue. I did my bit and appealed to the Supreme Court Judges too through an On Line Petition.
In 2019 the Aadhaar Legislation has been revised and passed by the two houses of the Parliament of India making it Legal. I am no Legal Eagle so my Opinion carries no weight except with people opposed to the very concept.
In 2019, this Blog now just captures on a Daily Basis list of Articles Published on anything to do with Aadhaar as obtained from Daily Google Searches and nothing more. Cannot burn the midnight candle any longer.
"In Matters of Conscience, the Law of Majority has no place"- Mahatma Gandhi
Ram Krishnaswamy
Sydney, Australia.

Aadhaar

The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. It’s use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010 , I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one ? Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win.-Mahatma Gandhi

In matters of conscience, the law of the majority has no place.Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not a guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty -Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.”-A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholar Usha Ramanathan describes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence.

Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant.Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Saba April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty”and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the # BreakAadhaarChainscampaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uidand@rozi_roti.

UIDAI's security seems to be founded on four time tested pillars of security idiocy

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Wednesday, August 23, 2017

11836 - The accountability framework of UIDAI: Concerns and solutions - Medianama



By Guest Author editor@medianama.com    August 21, 2017   
Share This:          Share via Email   


The public discourse on Aadhaar has largely focused on concerns about the privacy issues associated with the collection of personal information, and the constitutionality of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (“the Act”). Regardless of the outcome of the case at the Supreme Court, most residents will likely have to interact with the UIDAI, which is the body empowered to roll out an enrollment and authentication program for beneficiaries of welfare programs.

The UIDAI is an Agent established by the Principal (Parliament), with three powers. The law allows the State to compel an individual seeking a state-sponsored subsidy to undergo the enrollment and authentication processes designed by the UIDAI (although Aadhaar has now been made mandatory for certain non-welfare schemes as well, which goes beyond the conception in the law). The UIDAI is empowered to license and regulate Registrars and enrolling agencies to collect the demographic and biometric information of individuals, and enroll them under the Act. Finally, the UIDAI has quasi-legislative powers, such as the power to suspend the licenses of such enrolling agencies and Registrars.

In this article, we examine the foundations required to make UIDAI work properly: the performance and accountability standards. Under the present law, UIDAI is neither performance oriented nor is there accountability for failure. The problem of accountability at UIDAI is a little explored issue, other than occasional media reporting which expresses angst about data breaches and authentication failures (see herehere, and here). There is considerable knowledge from the global and Indian literature on public administration on how to achieve performance of such an Agent. Drawing on this body of knowledge, we propose that the UIDAI should be held to appropriate accountability standards, so as to create an environment where it will perform well.

Agencification and its associated challenges
Since the 1980s, governments have established specialised organisations which perform certain functions. These Agents have diverse mandates such as regulating a specific sector (SEBI and TRAI); administration of social welfare schemes (the erstwhile Benefits Agency in the UK); and running prisons (such as the HM Prison Service (HMPS) in the UK or the Dienst Justitiële Inrichtingen – National Agency for Correctional Institutions (DJI) in the Netherlands).

The Agent performs its mandate through the exercise of three kinds of powers, namely, quasi-legislative powers, quasi-executive powers, and quasi-judicial powers (FSLRC, 2013). While some agencies have all three kinds of powers at their disposal, others have some of them. For instance, while SEBI has all three powers, agencies which are tasked with administrative functions such as the UK Benefits Agency or the HMPS have limited quasi-legislative powers and no quasi-judicial powers. Whatever may be the scope of powers of these agencies, two features cut across all such agencies: (a) they perform functions that the sovereign would have otherwise performed; and (b) they wield the power of the State in being able to coerce certain private persons in certain ways.
Broadly speaking, agencification has worked well in improving State capacity. However, this has come from establishing an array of mechanisms to deal with a few important concerns:
  1. Weaker links between the people and agencies: When a sovereign delegates functions to agencies, this reduces accountability through elections (Maggetti, 2010). The persons manning such agencies are one more step away from the people, as they are autonomous from the government and are not politically accountable to the people. Power in the hands of unelected officials also creates concerns about democratic legitimacy (Majone 1998). For instance, agencies which have been tasked with the administration of social welfare have been accused of opacity (Pollitt et al, 2004).
  2. Unfettered discretion: When agencies have the power to write subordinate legislation (i.e. regulations), this power is often not accompanied by checks and balances. In liberal democracies, there are elaborate checks and balances that are placed upon Parliamentary law. These checks and balances can, and often are, diluted in the context of the “regulatory state”. For example, in all these years of SEBI’s establishment, only one of its quasi-legislative instruments has been challenged. Compare and contrast this to the constitutional challenge that virtually every significant parliamentary law faces in India. Similarly, in the last 30 years, no order issued by RBI has been challenged by the person penalised. This leads to the possibility of abuse of power (Cochrane, 2015).
  3. Size and ever-growing footprint in administration of public affairs: Autonomous bodies, especially those entrusted with the administration of social security benefits, end up assuming significant proportions, both in terms of their size and budget allocations. For instance, in 2000, the Benefits Agency which was responsible for the administration of social welfare schemes in the UK employed a staff of 70,642 and accounted for 30% of the overall state budget (Pollitt et al, 2004). Similarly, the Social Security Administration in the United States now has a staff strength of 60,000. In the Indian context, the annual expenditure of the RBI is larger than that of the States such as Goa.
An accountability framework for agencies of the State
The power to coerce or the power to spend, that is conferred upon the Agent, must be associated with commensurate accountability mechanisms (Stone and Thatcher, 2002). Accountability mechanisms are ex-ante and ex-post. Examples of both are enumerated below:
Ex-ante accountability mechanisms:
  1. Having an adequate strength of independent directors on the board of the agency
  2. Regular internal audits to review the performance of the agency and ensuring that it complies with the law in exercising the discretion vested in it
  3. Setting out the objectives of the agency and the instruments to be used to achieve them, clearly in the law
  4. Setting out performance oriented goals and metrics for measurement of performance, in advance
  5. Defining formal processes for the exercise of the powers vested in the agency
  6. Mechanisms to facilitate transparent decision making, such as public consultations before making delegated legislation, maintaining a website, publishing a clear rationale for each decision of the agency
Ex-post accountability mechanisms:
  1. Laying all quasi-legislative instruments before the Parliament
  2. Reports showing the goals set out at the beginning of the year, the extent to which they are achieved at the end of the year and a statement of reasons for failure
  3. Resource allocation towards different goals and year-end utilisation
  4. Performance and audit by external independent agencies and publishing the reports of such audits
How do other social security administrators account for their performance?
Since the Aadhaar number is so often compared to the social security number issued by the Social Security Administration (SSA) in the United States, we can usefully draw a comparison with the annual performance and financial report published by the US SSA. The report sets out the strategic goals of the SSA that were determined at the beginning of the year. It divides the strategic goal into multiple objectives, specifies measurable performance metrics to ascertain the extent to which the objectives have been met, and the extent to which the goal was achieved. An example of how the performance reporting for the SSA works, is given below.
  1. For FY 2012, a pre-determined strategic goal of the SSA was to deliver “quality disability decisions and services”.
  2. This strategic goal was divided into three objectives. One of the objectives was to “Reduce the wait time for hearing decisions and eliminate the hearing backlog”. The metrics used to measure the performance of the SSA on this objective was to complete “the budgeted number of hearing requests” and “reduce waiting time between hearings and decisions”. SSA reported its performance on these two metrics as under:
Example of performance reporting by the SSA
Objective: Reduce the wait time for hearing decisions and eliminate the hearing backlog
Performance Measure
FY 2012 target
FY 2012 Actual
Whether target achieved
Complete the budgeted number of hearing requests
875,000
820,484
No
Minimize average wait time
from hearing request to decisions
321 days
362 days
No
The SSA’s performance report also shows the funds allocated to each objective and a statement of reasons where the performance metric is not met.
The current accountability framework of the UIDAI
A reading of the objectives and functions assigned to the UIDAI under the Act would suggest that the UIDAI must, at the very least, be held accountable for:
  1. The enrollment and authentication of persons [sections 11 and 23(1)]
  2. The regulation of enrollment agencies and other service providers licensed by it [section 23(2)(i)]
  3. The security and confidentiality of the data shared by persons who have enrolled with the UIDAI [section 23(2)(j) and (k)].
The Act and the accompanying Regulations specify a limited accountability framework, which is not oriented towards performance or service delivery to the citizen. Three accountability measures are present under the Aadhaar Act and Regulations:
  1. An annual CAG audit, and requiring these certified accounts of the UIDAI to be laid before each House of Parliament [Section 26 of the Act]; and
  2. Requiring an annual report in a prescribed form describing UIDAI’s past activities, accounts, and future programmes of work, to be laid before each House of Parliament [Section 27 of the Act]. However, no such manner and form for the publication of the report has been laid down in the Aadhaar Regulations, nor does such a Report seem to be available in the public domain.
  3. Requiring certain processes to be followed by the CEO in transacting business at the UIDAI (Transaction of Business at Meetings of the Authority) Regulations, 2016, although these only relate to the number of meetings, quorum, voting procedure etc.
Apart from an annual financial audit, the law lacks any performance accountability mechanisms for the UIDAI. For instance, there is nothing in the law requiring the UIDAI to set performance standards for itself or account for core responsibilities such as number of people enrolled and not enrolled, number of authentication failures or number of data and security breaches. The law is similarly completely silent on ex-post accountability mechanisms. It neither requires a performance audit nor demands a justification for failures on its part.

Weak law will deliver weak performance
The conduct of an agency is largely shaped by the law governing it. For instance, Burman and Zaveri (2016) find that there is a correlation between the laws which mandate transparency of a regulator and the responsiveness of such regulators to citizens’ preferences. Similarly, the detailed performance reporting by the SSA is underpinned by a law called the Government Performance and Results Act, 1993, a law that set up a performance-oriented framework of reporting for the US federal agencies to show the progress they make towards achieving their goals.
In the absence of such statutorily mandated accountability standards, measuring the performance of the UIDAI is difficult. Stories of security breaches and authentication failures for availing benefits abound. For instance, Scroll.in queried the UIDAI about the authentication requests received between September 2010 (when the first Aadhaar number was issued) till October 2016, and how many failed or succeeded. The query was aimed at assessing the efficacy of biometric authentication. 

The UIDAI replied that it had not maintained any records between September 2010 and September 2012 and that it did not maintain authentication data state-wise. More importantly, the UIDAI revealed that data about the success or failure of the over 331 crore authentication requests was “not readily available”, nor was the breakup of the negative reply to the requesting authority on each of the five modes of authentication “readily available”.

Similarly, cases of fake Aadhaar cards have also been reported. Pertinently, in response to an RTI filed by PTI, seeking details related to all cases of duplicate and fake Aadhaar cards and the action taken on them, the UIDAI refused the request on the grounds that the disclosure might affect national security, or lead to incitement of an offence. The UIDAI also informed PTI that its CIDR facilities, information assets, logistics and infrastructure and dependencies, are all classified as “protected system” under the IT Act, and are thus, exempt from RTI. It further stated that the format in which it held the information contained identity details, which may be prone to identity theft, if divulged. The practical reality thus is that cases of unauthorised leaks/disclosures of identity information are being dealt with on a case to case basis, with zero clarity in the law on who is to be held accountable for such lapses in the future.
Conclusion
In previous decades, when we first set up state agencies in India, we were driven by concerns of efficiency and expertise that such agencies would bring to public administration. We now have sufficient experience about the endemic failure of State capacity in that approach. If one more new agency is built, on the lines of existing agencies, there is a high chance that it will reproduce the failures of existing agencies.
The climate of thinking on these questions in India is shifting.

 The FSLRC report, which proposes a new financial regulatory architecture, made extensive recommendations on the accountability framework for financial sector regulators. These recommendations were codified in the Indian Financial Code (IFC), a draft law that accompanied the FSLRC report. For example, the IFC contains provisions that mandate (a) regulators to build a system of periodical internal audits and publish the reports of such audits, (b) performance audits by an external auditor, (c) building systems for measuring the performance and efficiency of regulators, and (d) public consultation and a cost benefit analysis before exercising quasi-legislative powers. Some of these provisions that do not require legislative amendments are being implemented by the Ministry of Finance through a Handbook on Governance enhancing recommendations of the FSLRC, adopted by the four financial sector regulators in October 2013.

The report of the Bankruptcy Law Reforms Committee (2015), drew on the regulatory governance framework recommended by the FSLRC and recommended four elements for achieving accountability of the Insolvency and Bankruptcy Board of India, India’s new insolvency regulator. While some of these elements were codified in the Insolvency and Bankruptcy Code, others are sought to be implemented in the course of setting up the Insolvency and Bankruptcy Board of India. Recent events at TRAI are pushing the organisation towards sound processes.
While the subject of regulatory governance seemed remote and a second order issue in setting up institutions in India, policy thinking today has increasingly started recognising that enhancing governance standards is as important as technical soundness, when designing new frameworks. Every government agency is an Agent, and the journey to building high performance agencies lies in setting up a sound principal-agent relationship, in the law. UIDAI is an important new organisation, and it should emerge as a high performance agency. We must harness our experience and our knowledge, to build appropriate accountability standards for the UIDAI in the law.

References
Heidenheimer, A.J., Heclo, H. and Teich Adams, C. (1990), Comparative Public Policy: The Politics of Social Choice in America, Europe, and Japan, (3rd edition) New York: St. Martins.
Maggetti, Martino (2010). Legitimacy and Accountability of Independent Regulatory Agencies: A Critical Review, Living Reviews in Democracy Vol 2.
Pollitt, Christopher, Colin Tablot, Janice Caufield, and Amanda Smullen (2004), Agencies: how governments do things through semi-autonomous organizations, New York: Palgrave Macmillan.
Young Han Chun, Hal G. Rainey (2005), Goal Ambiguity in U.S. Federal Agencies, J. Public Adm. Res. Theory 2005, 15 (1): 1-30.
Majone, Giandomenico (1998), The Regulatory State and its Legitimacy Problems, Political Science Series No. 56, Department of Political Science of the Institute for Advanced Studies (IHS)
Sweet, Alec Stone and Thatcher, Mark (2002), “Theory and Practice of Delegation to Non-Majoritarian Institutions”, Faculty Scholarship Series, Paper 74
Burman, Anirudh and Zaveri, Bhargavi (2016), Regulatory responsiveness in India: A normative and empirical framework for assessment, IGIDR Working Paper WP-2016-025, October 2016.
*
Vrinda Bhandari is a practicing advocate in Delhi. Renuka Sane is a researcher at the National Institute of Public Finance and Policy, Delhi. Bhargavi Zaveri is a researcher at the IGIDR Finance Research Group, Mumbai.
*
Source: The accountability framework of UIDAI: Concerns and solutions by Vrinda Bhandari and Renuka Sane and Bhargavi Zaveri,  Ajay Shah’s blog, August 20, 2017.