12727 - Aadhaar opponents argue that sharing biometric information with third parties is unsafe - First Post

Aadhaar opponents argue that sharing biometric information with third parties is unsafe

News-Analysis tech2 News Staff Jan 19, 2018 11:41 AM IST
Comment
0
Tweet

In the on-going Aadhaar hearing in the Supreme Court, the critics of Aadhaar have argued against the collection of biometric information.


Representational image. AFP

The bone of contention is the parting of sensitive biometric data with third parties, over which the government or even the Unique Identification Authority of India (UIDAI) have little control.

According to senior advocate, Shyam Divan, who is arguing on the side of the Aadhaar opponents, the government does not have a contract with the third parties who collect your biometric information. This increases the possibility of the misuse of this sensitive data by these entities, said the lawyer, who questioned the integrity of this data.

Divan also told the five-judge bench that according to a government statement in the Parliament, the UIDAI had blacklisted 34,000 operators for issuing false Aadhaar cards.

The five-judge constitution bench headed by Chief Justice Dipak Misra said, "You want an insurance policy, you go to a private company. You want mobile connection, you go to private entities and part with personal information... Here the government has multiplied the options... the moment the government asks you to give proof of address and other details, you have a problem and you say 'sorry'."

To this Divan responded by saying that there is no issue with an individual parting with information out of his or her own accord. "The point here is that you are being asked to part with information to someone you do not know and have no contractual relation with," said Divan.

The bench, also comprising Justice A K Sikri, Justice A M Khanwilkar, Justice D Y Chandrachud and Justice Ashok Bhushan, is hearing a clutch of petitions challenging the constitutional validity of the government's flagship Aadhaar programme and its enabling Act of 2016.

Divan, who is representing petitioners like former Karnataka High Court judge Justice K S Puttaswamy, several activists Aruna Roy, Shantha Sinha and veteran CPI(M) leader V S Achuthanandan, submitted that the State cannot compel its citizens to give personal information, that too to a private company, as it violated their fundamental rights.

Terming the scheme as "unconstitutional from beginning to end", Divan said that initially the State was not authorised to compel the citizens to part with personal information and moreover, it became more troublesome when people were asked to share them with private firms.

(With inputs from PTI)


Published Date: Jan 19, 2018 09:32 AM | Updated Date: Jan 19, 2018 11:41 AM

12726 - Constitutional Validity of Aadhaar, Day 2 - Media nama

Constitutional Validity of Aadhaar, Day 2

By  MediaNama editor@medianama.com     January 19, 2018   
Share This:            Share via Email   

By Vidyut

The second day of proceedings in the Supreme Court on the constitutionality of Aadhaar began with Advocate Shyam Divan presenting diagrams showing the distinction between deterministic and probabilistic methods of identification and the moments of enrolment and the moments of authentication. Mr. Divan pointed out that machines used for authentication were of lower quality.

Justice Chandrachud remarked that they might even be unreadable in the case of manual labourers or ageing. Mr. Divan agreed.

He said that he would finish the technical presentation, take the Court through the privacy judgment, and then the Aadhaar Act. There were three problems: the integrity of the process, the integrity of the information, and a pervasive violation of fundamental rights. He would address three issues pertaining to fundamental rights: privacy, autonomy, and compelled speech.

Mr. Divan brought up the question of integrity of process of the UIDAI and informed consent for the enrolment of Aadhaar. He showed the court the enrolment form and pointed out that there was no mention on the form of the enrolment being voluntary, no mention of biometrics, no verification, no signature of enroller or enrollee, no counselling, no purpose stated for the collection of the information.

Referring to a question by  Justice DY Chandrachud yesterday regarding limited purpose, Mr. Divan highlighted that this programme, by design, is a general purpose database of identity data. A discussion followed regarding the consent to share the data and Mr. Divan referred to an affidavit on record that says the software would not take no for an answer.

Mr. Divan then brought up a point about delegating a core sovereign function – even assuming the state can do it according to the Indian constitution (challenged yesterday) – of collecting biometrics of all citizenry to private persons and termed the state compelling citizens to give all personal sensitive data to random players as absurd.

Mr. Divan brought up the sting operation reported in India Today and Mail Today that showed that the enrolment agencies were selling the data they received on the forms.

Moving on, he pointed out the section on consent in the enrolment form, which in reality was merely a statement that the information furnished was correct and not consent to share the data further at all. He also pointed out that the Union government had been unable to answer to the question of how many had said “no” for further sharing of information (implying that the consent or lack of it was not recorded and thus adhered to).

Justice DY Chandrachud and Justice Sikri wanted to know how different that was from people giving their address proof to other private entities for insurance, credit card company and so on. Mr. Divan replied that there is no problem per se with an individual voluntarily giving private information. The point was that they were being asked to part with information to someone they not know and had no contractual relation with.

“The point is that the private party is so much outside the control of the UIDAI that they can use it for their own commercial purposes. The problem is the process is compromised – that is what distinguishes it for example the Census Act.” said Mr. Divan.

Justice DY Chandrachud asked “what were the nature of safeguards to ensure that the information was not purloined?” and mentioned the case of M S Dhoni’s Aarhaar card details being leaked and the lack of coverage of Aadhaar in states like Meghalaya. He asked about the option to opt-out

Mr. Divan read out the affidavit of Nachiket and Ankita Anand describing how they were coerced into enrolling for Aadhaar and not allowed to withold consent for their information being shared further and how the Supreme Court orders were violated with impunity by the state authorities such as the SDM and ADM.

Mr. Divan explained that only 0.003% of enrolments were made through the introducer system, showing that Aadhaar was the first identity document for a very small percentage of the population.

Mr. Divan then read out a list of enrollment agencies, showing how all sorts of people were made enrolment agents. “Sagar Foods” “Chirag Constructions”…

Session 2

Mr Divan read out the statement of Minister RS Prasad in the Rajyasabha on April 10, 2017 that 34,000 enrolment operators had been blacklisted. “These operators tried to pollute the system or make fake Aadhaar cards.” He pointed out that the number was 49,000 as of September 12, 2017 (drawing attention to an increase of 15,000 since April)

Mr Divan next presented the Registrar handbook (2013) and highlighted the KYR+ and how Registrars were allowed the freedom to collect additional information beyond the Aadhaar enrolment data required by the UIDAI. (Ironically, while this was being presented in court, a Union government press release today explicitly permited this same additional data collectionagain)

Mr. Divan emphasized the part of the Handbook where it says that Registrars must retain biometrics and contrasted it with UIDAI’s contrary statement on affidavit and in public statements of late that no biometrics are ever retained. He explained further definitions – verifier, introducer, operator and so on.
Then reads the qualification for verifier introducer operator etc.

Presenting the MOU between the UIDAI and the Delhi Govt, from 2010, Mr. Divan explained that this was the first time the word biometric was used with reference to UIDAI’s mandate to issue identification based on demographic and biometric information. “The UIDAI will be conducting proof of concept and pilot programmes.” “UIDAI shall develop prescribed standards for the biometric fields.”

Justice Chandrachud wanted to know whether the registrars were all government agencies, to which Mr. Divan explained that there was no such restriction and they could be private bodies as well.

Mr Divan then pointed out Article 299 of the Constitution and said that the MoUs were not even contracts in view of Article 299 (“All contracts made in the exercise of the executive power of the Union or of a State shall be expressed to be made by the President, or by the Governor of the State, as the case may be…”) “This is the palpable lack of integrity in this project for all these years. This denuded the rule of law and erodes governance. That is why you now have a situation where 34000 operators have been blacklisted.”

Justice Khanwilkar said that Aadhaar Act retrospectively validates all this.  To this, Mr. Divan replied that you cannot have a retrospective validation of the violation of fundamental rights. He said he would address this later.

Justice Chandrachud wanted to know how the registrars were paid. Mr. Divan read the latest statement on the per enrolment fee that agencies were paid. He also detailed the recent case of fake Aadhaars in Kanpur and outlined the modus operandi.

Mr. Divan then illustrated how the Aadhaar enabled round the clock surveillance and showed an illustration of the “cradle to grave” ubiquity of Aadhaar – from birth certificates to school, to university and so on till the death certificate.

He displayed a chart on the convergence and link of various databases with the UID and explained what such homogenised access would entail and read from the 9 judge Constitution Bench judgment on privacy. Paragraphs 23,24,27,32,34,35,38 (right to be let alone) 41 through 96 (privacy under article 21 and part 3), inalienable rights under 120-121 and 103 107 on rule of law were read out.

Mr. Divan proceeded to talk about international obligations, the constitution as a living instrument and privacy not being an elitist construct. He emphasized that in the modern era privacy was endangered not just by the state, but by private companies as well and that there was a positive duty on the state to ally with and protect citizen privacy.

Mr Divan referenced the part of the privacy judgment that referred to the American SC case of US v Jones, which dealt with putting a GPS system on a car and pointed out Justice Sotomayor’s concurring opinion in US v Jones, which observed how you no longer need physical interference to violate privacy. Information about a person’s transactions is enough to give a complete profile about an individual’s life.

Mr. Divan delved further into the right to privacy judgment’s articulation of the right to informational self-determination and informational privacy and referred to Helen Nissenbaum’s work. He proceeded to stress different parts of the privacy judgment about fundamental rights in the transformation from colonial rule to a Democratic Republic, civil/political rights and socio-economic rights are complementary, and not at odds, privacy is not just a privilege of the elite and the importance of judicial review in order to protect individual right.

Chief Justice of India asked Mr. Divan to read the paragraph on privacy and the age of information (306) that deals with issues of data mining and data profiling, especially of metadata.

The next hearing will be on 23rd January.

12722 - Aadhaar: Will face recognition, Virtual ID really add security checks? - Hindu Busionessline

Aadhaar: Will face recognition, Virtual ID really add security checks?

VIRENDRA PANDIT

COMMENTS (0)   ·   PRINT   ·   T+  

inShare

Share

AHMEDABAD, JANUARY 18:  

Even as the Unique Identification Authority of India (UIDAI) proposes to introduce Virtual ID and face recognition as extra layers of security in Aadhaar cards, along with biometric detail including finger-printing and iris identification, questions have been raised about the efficacy of these fresh moves in protecting the privacy of the individual from unscrupulous elements.

The Supreme Court is currently hearing the issue of the citizen’s liberty being allegedly threatened by the linking of Aadhaar numbers to the individual’s various documents. According to Ankush Johar, Director of Infosec Ventures, which provides infrastructure security solutions to the government and commercial clients, the recent measure taken by the UIDAI to provide facial recognition via images captured from an old 3 to 5 megapixel (MP) camera in most cases may be “too little, too late.” The face recognition mechanism is expected to act as another layer of verification as a “fusion” alongside fingerprint, IRIS and OTP authentication.

Terming the UIDAI’s latest move as a “PR gimmick” to save its own skin in the wake of possible data-leaks, Johar said the face-recognition measure would provide “zero” extra security due to poor resolution cameras used in making Aadhaar cards for 1.2 billion people.

He said although adding an extra later of security is a good initiative for card holders, face recognition is a “bad factor” for authentication. “It might not do much good as not only is it not too difficult to replicate as compared to other biometrics, but also because the major problem lies in the source of the poor images used as the authentication mechanism.”

To make things convenient, UIDAI had commented that it will be using the photo of the card holder captured at the time of Aadhaar enrolment. Facial recognition will give an additional choice for people having trouble with their fingerprints and iris authentication, which is supposed to go live by July this year. This is expected to provide relief to older people whose fingerprints and iris go blurred and unclear due to ageing and diseases.

HOW SECURE WOULD FACIAL RECOGNITION BE AS AN EXTRA AUTHENTICATION?

In November 2017, a group of cyber security researchers were able to crack iPhone’s facial recognition technology by using a $150 mask. The cyber security firm posted a video on their official blog which showed that they had found a way to hack Face ID by using a composite mask of 3-D printed plastic, silicone make-up, and simple paper cutouts, which in combination tricked an iPhone X into unlocking, he told BusinessLine.

While Apple had developed the infrared-based specialised hardware to capture a 3-D image of a person’s face, it is dicey how it would compare to the 3-5 MP cameras used at the time of enrolment for Aadhaar in India. In other words, facial recognition in Aadhaar cards would be a questionable security measure as an individual’s face, like other body parts, usually undergoes changes, and it can also be manipulated as in the iPhone case.

The photographs captured years ago with an extremely low resolution camera stands little chance given that hackers were able to bypass even the 3-D face model recognition developed by one of the biggest tech pioneers, he argued.

While welcoming the UIDAI move on face recognition, he cautioned that it might have succeeded had the card holders’ images been captured with at least a high-definition camera if not an infrared based 3-D facial recognition system. Such images would have made the Aadhaar card security easier and reliable.

He said the UIDAI can still remedy the situation by “deep diving into the whole issue” and reaching out to the 1.2 billion card holders for updating with latest technologies. Unless it is done, “horrible things” may happen with people’s data.

Similarly, a Virtual ID may not be too much of help as the card holder’s number in many a case had already gone out to those who could misuse it.

12721 - Aadhaar contradicts the role of the state, say petitioners challenging scheme - The Hindu

Aadhaar contradicts the role of the state, say petitioners challenging scheme

Krishnadas Rajagopal

NEW DELHI, JANUARY 18, 2018 22:58 IST

UPDATED: JANUARY 19, 2018 09:50 IST

SHARE ARTICLE
•  123
•  28
• PRINT
• A A A

MORE-IN

Right to Privacy

Aadhaar and cash transfers

‘State exploiting personal rights of individuals’

The Aadhaar scheme contradicts the role of the state as the custodian of the citizens’ fundamental right of privacy. A duty is cast on the government and its agencies to protect the citizen’s crucial personal data from commercial exploitation by private corporates, petitioners challenging the scheme submitted in the Supreme Court on Thursday.

Referring to the nine-judge Bench judgment which upheld privacy as a fundamental right, senior advocate Shyam Divan and advocate Vipin Nair submitted before a Constitution Bench led by Chief Justice of India Dipak Misra that Aadhaar enrolment and subsequent leakages of personal mass datashow that the state itself is exploiting personal rights of individuals by giving it to private corporates who use it for commercial ends. In a case where the private rights of an individual are exploited, it is the duty of the state to protect him from private enterprises, Mr. Divan argued.

“The state is empowered with a ‘switch’ by which it can cause the civil death of an individual. Where every basic facility is linked to Aadhaar and one cannot live in society without an Aadhaar number, the switching off of Aadhaar completely destroys the individual,” Mr. Divan submitted for the petitioners.

The Aadhaar enrolment has seen the state delegate “sensitive and exclusive sovereign” functions to private contractors and agencies. None of these private agencies which enrol citizens and collect their personal data have any agreement with the UIDAI, Mr. Divan submitted.

When Justice A.M. Khanwilkar observed that the Aadhaar Act of 2016 would protect fundamental rights, Mr. Divan responded that crores of citizens had already been enrolled between 2009 and 2016, when the Act came into existence, and fundamental rights could not be protected retrospectively. He said there was no audit check of these private collection agents to whom the UIDAI had outsourced the work of personal data collection for years prior to the Act.

In an illustration of how Aadhaar has become an instrument of exclusion, Mr. Divan related how a couple could not register their marriage under the Special Marriage Act as the authorities insisted on Aadhaar.

12720 - Aadhaar: Petitioners challenge process of gathering personal info - Live Mint

Aadhaar: Petitioners challenge process of gathering personal info

Compelling citizens to part with personal information to a third party—UIDAI—with whom they had no contractual relations had resulted in compromising their privacy rights, the SC was told

Last Published: Fri, Jan 19 2018. 12 42 AM IST

Priyanka Mittal

A total of 29 petitions, challenging several aspects of Aadhaar and the use/sharing of data collected by UIDAI, have been tagged by the SC to be heard by the Constitution bench. Photo: HT

New Delhi: Petitioners before a Constitution bench of the Supreme Court set up to hear the case against Aadhaar on Thursday challenged the process of collecting personal and biometric information for the unique identification number programme, and highlighted its implications for privacy.

“Everything about it is patently unconstitutional. It’s a complete invasion -- cannot stand up to minimal standards of scrutiny,” said Shyam Divan, counsel for petitioners, who include leading non-government organizations, privacy campaigners, retired Army officers, Magsaysay award winners and the government of West Bengal.

Compelling citizens to part with personal information to a third party—the Unique Identification Authority of India (UIDAI)—with whom they had no contractual relations had resulted in compromising their privacy rights, Divan told the Constitution bench comprising Chief Justice Dipak Misra and justices A.K. Sikri, A.M. Khanwilkar, D.Y. Chandrachud and Ashok Bhushan.

The court was then shown for examination the original Aadhaar enrolment form as it existed before the passing of the Aadhaar Act, 2016 when a majority of the people enrolled.

Nowhere in the form, the judges were told, did it state that parting of information was voluntary. There was no mention of biometric information, no provision for verification of information collected, or any kind of counselling to tell citizens of the advantages, reasons and shortcoming of the enrolment.

At this, Chandrachud intervened: “Even when you apply for an insurance policy or a mobile connection, the private insurance agent or the mobile service provider requires identity proof. So, why is there an issue with parting with the same to the government?”

Divan explained that the problem did not lie with parting of personal information, but with the fact that the information was being given to third parties that could use it for commercial purposes.

“As long as its backed by a statute, I don’t see a problem. Take for instance the collection of information under the Census Act, 1948 where demographic data is collected by the state,” Divan said.

He also drew the top court’s attention to the privacy judgment that grounds privacy in ideas of dignity, autonomy, and identity, which pervade the entire Constitution.

On Wednesday, Divan had warned that if the programme is allowed to operate unimpeded, it would hollow out the Constitution. A people’s Constitution would turn into a state Constitution because of the mass surveillance it would entrench, he said.

The Constitution bench was formed in December to hear arguments on the constitutional validity of the 12-digit biometric identification number that is assigned by the UIDAI. Aadhaar has now become the bedrock of government welfare programmes, the tax administration network and online financial transactions.

A total of 29 petitions have been tagged by the Supreme Court to be heard by the Constitution bench. They challenge several aspects of Aadhaar and the use/sharing of data collected by UIDAI.

Petitioners have challenged making Aadhaar mandatory for availing of social welfare benefits and filing of income tax returns (ITRs) as well as for obtaining and retaining the Permanent Account Number (PAN) required for filing ITRs. They have also cited the potential for infringement of an individual’s right to privacy.

In a path-breaking ruling on 24 August 2017, the apex court held that privacy is a fundamental right. In the process, it set the stage for the introduction of a privacy law; the government has appointed an expert group under former Supreme Court judge B.N. Srikrishna to make recommendations.

The hearing continues on 23 January.

First Published: Fri, Jan 19 2018. 12 42 AM IST

12719 - Even Dhoni's UID details public, list privacy safeguards, says SC - TNN

Even Dhoni's UID details public, list privacy safeguards, says SC

Amit Anand Choudhary| TNN | Updated: Jan 19, 2018, 08:21 IST

10

NEW DELHI: The Centre will need to assure the Supreme Court that data collected under Aadhaar+ is fully protected and cannot be misused to ensure its ambitious scheme passes muster, with the apex court on Thursday asking what is the nature of the safeguard to prevent sale of information by private operators.
With a nine-judge bench last year declaring the right to privacy a fundamental right+ and asking the government to prepare a robust data protection regime, the apex court's Constitution bench of Chief Justice Dipak Misra and Justices A K Sikri, A M Khanwilkar, D Y Chandrachud and Ashok Bhushan asked whether the government had taken measures to protect data related to Aadhaar.

Learning with the Times: Why Aadhaar has no parallel

Senior advocate Shyam Divan, appearing for the petitioners challenging the constitutional validity of Aadhaar scheme, told the bench that information collected by private operators was being sold and the Unique Identification Authority of India (UIDAI) had no control over them. Referring to news reports and sting operation of a news channel, he alleged private operators continued to hold demographic and biometric data which could be easily purchased and misused, violating the people's fundamental rights .

In its statements relating to leak of data, the UIDAI has repeatedly asserted that there has been no breach as far as biometric data are concerned and that Aadhaar authenticates identity but not the purpose of a transaction.

Read also: Link these 6 documents with Aadhaar before March 31 deadline ends

• How Cruise Ships Fill Their Unsold CabinsZagline
• $3399: All-Inc 5-Star Maldives w/Flights,$2700 OffTravelzoo

Recommended By Colombia

The bench, however, noted that Aadhaar details of former captain of Indian cricket team M S Dhoni was also made public. "What safeguard the government has introduced to ensure that information is not sold out and what is the nature of the safeguard?" Justice Chandrachud asked.

YOU MIGHT ALSO LIKE

ENTERTAINMENT

• Baby Misha and mommy Mira Rajput go hand-in-hand for an evening stroll

SPORTS

• New Zealand beat Pakistan to seal series sweep

Divan claimed that the Aadhaar scheme had been unconstitutional from the beginning as the government could not compel citizens to part with personal information to private operators without sanction of law. He said 49,000 operators were blacklisted by the government till September 2017 and it showed something is wrong in the process. "I am questioning the very integrity and pervasive nature of the process. A person cannot travel or go to school or open a bank account or have an insurance policy or invest in mutual fund if he or she does not have Aadhaar," he said.

TOP COMMENT

The only reason to oppose Aadhar is if you have something to hide. This is just a cover story with privacy and stuff like that to hide the illegal activities and black money.
Hopefully sense will... Read MoreVarun Nanda

The bench, however, pointed out that people provide personal information to private companies while getting mobile connection and insurance and asked why they should be reluctant in giving information under Aadhaar scheme. "How can you say that it (information) is part of your identity while denying information to the government while you provide information to private parties. If you want mobile connection or insurance, you go to private entity and provide information to them," Justice Chandrachud said.

The arguments remained inconclusive and hearing would resume on January 23.