In 2009, I became extremely concerned with the concept of Unique Identity for various reasons. Connected with many like minded highly educated people who were all concerned.
On 18th May 2010, I started this Blog to capture anything and everything I came across on the topic. This blog with its million hits is a testament to my concerns about loss of privacy and fear of the ID being misused and possible Criminal activities it could lead to.
In 2017 the Supreme Court of India gave its verdict after one of the longest hearings on any issue. I did my bit and appealed to the Supreme Court Judges too through an On Line Petition.
In 2019 the Aadhaar Legislation has been revised and passed by the two houses of the Parliament of India making it Legal. I am no Legal Eagle so my Opinion carries no weight except with people opposed to the very concept.
In 2019, this Blog now just captures on a Daily Basis list of Articles Published on anything to do with Aadhaar as obtained from Daily Google Searches and nothing more. Cannot burn the midnight candle any longer.
"In Matters of Conscience, the Law of Majority has no place"- Mahatma Gandhi
Ram Krishnaswamy
Sydney, Australia.

Aadhaar

The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. Its use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010, I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one? Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win. - Mahatma Gandhi

In matters of conscience, the law of the majority has no place. - Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty -Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.”-A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholar Usha Ramanathan describes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence.

Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant. Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Sabha April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty” and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the #BreakAadhaarChains campaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uid and @rozi_roti.

UIDAI's security seems to be founded on four time tested pillars of security idiocy

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Showing posts with label Pranesh Prakash.

Friday, January 12, 2018

12714 - Virtual Aadhaar ID: too little, too late? - The Hindu



NEW DELHI, JANUARY 11, 2018 23:10 IST

The UIDAI on Wednesday introduced the concept of a virtual ID  
Problems persist as many have already shared their 12-digit number with various entities, say experts

The move to introduce an “untested” virtual ID to address security concerns over Aadhaar database is a step in the right direction, but may be a case of too little, too late, according to experts, as many of the 119 crore Aadhaar holders have already shared their 12-digit numbers with various entities.

“What about all the databases that are already linked up with our Aadhaar number? Virtual ID will therefore not attack the root of the problem. At best, it is band-aid,” said Reetika Khera, faculty, Indian Institute of Technology-Delhi.
“Can we realistically expect rural folks to use this to protect themselves? Or are we pushing the barely literate into the hands of middlemen who will ‘help’ them navigate it?” she questioned.

The Unique Identification Authority of India (UIDAI) on Wednesday introduced the concept of a virtual ID that can be used in lieu of the Aadhaar number at the time of authentication, thus eliminating the need to share and store Aadhaar numbers. It can be generated only by the Aadhaar number-holder via the UIDAI website, Aadhaar enrolment centre, or its mobile application.

Experts pointed out that the virtual ID is voluntary and the Aadhaar number will still need to be used at some places.
“Unless all entities are required to use virtual IDs or UID tokens, and are barred from storing Aadhaar numbers, the new measures won’t really help,” said Pranesh Prakash, Policy Director, Centre for Internet and Society, Bengaluru.
Kiran Jonnalagadda, co-founder of the Internet Freedom Foundation, agreed. “The idea is good but it should have been done in 2010, as now all the data is already out. Now, what can be done is revoke everybody’s Aadhaar and give new IDs.”
Mr. Jonnalagadda added that Authentication User Agencies (AUAs) categorised as ‘global AUAs’ by the UIDAI will be exempted from using the virtual IDs. “These are likely to be entities which require de-duplication for subsidy transfer, such as banks and government agencies. All the leaks have happened till now from these entities. So, basically, the move will exempt the parties that are the problem,” he said.
Vipin Nair, one of the advocates representing the petitioners who have challenged the Aadhaar Act in the Supreme Court said, “It is potentially a case of unmitigated chaos purely from an Information Technology perspective.”

Tuesday, April 25, 2017

11109 - Details of over a million Aadhaar numbers published on Jharkhand govt website - Hindustan Times


Jharkhand has over 1.6 million pensioners, 1.4 million of whom have seeded their bank accounts with their Aadhaar numbers to avail of direct bank transfers for their monthly pensions. Their personal details are now freely available.

INDIA Updated: Apr 23, 2017 11:24 IST





Digital identities of more than a million citizens have been compromised by a programming error on a website maintained by the Jharkhand Directorate of Social Security.

The glitch revealed the names, addresses, Aadhaar numbers and bank account details of the beneficiaries of Jharkhand’s old age pension scheme.

Jharkhand has over 1.6 million pensioners, 1.4 million of whom have seeded their bank accounts with their Aadhaar numbers to avail of direct bank transfers for their monthly pensions.
Their personal details are now freely available to anyone who logs onto the website, a major privacy breach at a time when the Supreme Court, cyber-security experts and opposition politicians have questioned a government policy to make Aadhaar mandatory to get benefits of a variety of government schemes and services.

When HT reporters logged onto the site, they could drill down to get transaction-level data on pension paid into scores of pension accounts.

The publishing of Aadhaar numbers is in contravention of Section 29 (4) of the Aadhaar Act. Earlier this year, the Unique Identification Authority of India (UIDAI) blacklisted an Aadhaar service provider for 10 years for publishing the Aadhaar number of MS Dhoni, former captain of the Indian cricket team.

The authority has also filed at least eight police complaints in the past month against private parties for “illegally collecting” Aadhaar numbers of citizens – information that the Jharkhand government has now put into the public domain. UIDAI did not respond to queries sent by HT.

At present, the Supreme Court is considering the legality of a government decision to make it mandatory to provide an Aadhaar number when filing income tax returns.
In Jharkhand, officials were surprisingly sanguine about the breach, suggesting that they had been aware of the situation for several days.

“We got to know about it this week itself. Our programmers are working on it, and the matter should be addressed very soon,” said MS Bhatia, secretary of the state’s social welfare department.

Bhatia declined to comment on the legal implications of publishing this information.

“Will the CEO of UIDAI take any action against the government of Jharkhand for making this dataset public? And if they don’t, does that mean they condone this act?” said Pranesh Prakash, policy director at the Centre for Internet and Society.

The data breach, senior Congress leader Jairam Ramesh said, “makes a complete mockery of all that Jaitley and Ravi Shankar Prasad have said in Parliament.”

Problems with Aadhaar-based authentication and enrollment, Ramesh added, had also meant that many vulnerable people had been denied their legally mandated welfare entitlements.

Tuesday, April 18, 2017

11066 - How to fix Aadhaar: Destroy the database, issue a smartcard and make linking to services optional - First Post



By Aditya Madanapalle / 17 Apr 2017, 10:21


So far, various people and agencies associated with Aadhaar have repeatedly proclaimed that the Aadhaar database is adequately secured. The list includes the Unique Identification Authority of India (UIDAI), UIDAI CEO Ajay Bhushan Pandey, the Minister of State for Electronics and IT PP Chaudhary and IT Minister Ravi Shankar Prasad, who did it twice. The statements were in response to reports of various breaches and leaks in the wider Aadhaar ecosystem, but not in the Aadhaar database itself.
Arun Jaitley responded to concerns of data breaches in the Rajya Sabha, by saying “If firewalls can be broken, and hacking can be done, it will be done whether Aadhaar is there or not. Don’t say it is due to Aadhaar.”
Jaitley is missing the point, however. It is difficult to hack a database that does not exist.
The very existence of an Aadhaar biometric database makes it a high value target. Harsh laws can apply to Indian citizens, but it is difficult to bring to task state-sponsored foreign hackers.
Destroy the Aadhaar Database
Any database of the intimate details of the bodies of people is something that unnecessarily exposes the people to risk. The Aadhaar database can be repurposed for other uses, just because the database is there. Swarna Subba Rao, Surveyor General of India, while launching the Nakshe mapping service said, “We wanted to make passport mandatory for this service, but then not all people have passports, so we have made Aadhaar mandatory for people.”


This is despite the fact that the Aadhaar Act clearly states that “The Aadhaar number or the authentication thereof shall not, by itself, confer any right of, or be proof of, citizenship or domicile in respect of an Aadhaar number holder.”
A more insidious use for the service took place when the UIDAI itself asked the SC to not use Aadhaar for criminal investigations. The Goa Police, however, were handed over the biometric details of citizens, even though Aadhaar was not meant for that purpose.
The problem is that no biometric authentication system in the world is a hundred percent accurate. When finding a match with the Aadhaar database, the UIDAI itself claims a false positive rate of 0.057 percent. In the population the size of India, this marginal failure rate, as well as the false positive rate, can disproportionately affect lakhs of people if Aadhaar is not used for what it was built for, and the reason that the people of India have trusted the government with their biometric information.
Rajesh Bansal, senior advisor at Bankable Frontier Associates and former assistant director general at UIDAI has indicated that the fingerprints are themselves not stored on the server used for Aadhaar authentication, instead the database only stores the templates of the fingerprints needed for verification.
“We have various levels of firewalls and end to end encryption mechanisms to ensure that only authorised entities have access to the Aadhaar database. Also, fingerprints are never stored on the servers, only the templates are stored. Till now, there hasn’t been a single case of any compromise on our data” Bansal has said.


A biometric database is a civil rights issue, which is why developed countries such as the United States, the United Kingdom, Canada, France and Australia have resisted the creation of biometric databases for national identity schemes. In fact, a biometric database that was being maintained for five years was destroyed in the United Kingdom over concerns of privacy, and “to scale back the power of the state and restore civil liberties.” Most of the goals of the UIDAI can be achieved without the need for a biometric database.
A biometric database gives the government too much unnecessary power over its citizens and the government is unnecessarily involved in the daily lives of the people. The PAN card, filing Income Tax returns, having a driving license, registering a vehicle, owning a SIM card and booking railway tickets are all in some way or other being linked to the Aadhaar database. The government can authenticate and verify identity without the need for having a biometric database. The Electronic Frontier Foundation recommends protests against any government that chooses to implement a national biometric database.
Experts in cybersecurity believe that the Aadhaar ecosystem needs to be secured better. The UIDAI and the authorities are repeatedly dodging the question of the security of the Aadhaar ecosystem by pointing out the flawless record of the Aadhaar database. The question of security is being addressed with more or less the same response, but the question of Privacy is also getting increasingly urgent. The situation is made worse by the lack of any dedicated laws on data security and privacy in India.
Issue an actual smartcard
One of the problems with Aadhaar is that it is not an actual smartcard. A hacked smartcard can be replaced with a new one, but biometrics cannot be replaced. Once they are hacked, people cannot regrow their fingers or replace their eyeballs. Even though Aadhaar is being made mandatory for a number of reasons, it is not practically of any real use.


It cannot be used as a proof of identity or citizenship, according to the Aadhaar act. However, it is still used for banking services and for getting a passport. This begs the question: Why not use it as an identity proof?
There is no reason why a smart Aadhaar card cannot be used as a proof of identity or citizenship. If Aadhaar is linked to the PAN card, the bank accounts, the driving license, the passport and other documents, there is no reason why Aadhaar cannot be used instead of all these plastic cards.
The Aadhaar system exists in the air right now, without any physical presence or control in the hand of the users. Some may be fooled into thinking that as long as one is in possession of one’s own fingers, it cannot be hacked. This is, however, not necessarily true. Hacking fingerprints is surprisingly easy and low tech, and can even be achieved with just a candlestick.
In fact, if the merchant is unscrupulous, handing over your biometric information to pay for groceries is as much of a security risk as handing the merchant your banking password. If a smartcard is used to authenticate transactions, there is that much less of a security risk, as in case of theft or loss, the smartcard can simply be replaced with a new one.

Would you tell a shopkeeper your debit card's PIN? No. Then why share your fingerprint? A fingerprint is like an unchangeable PIN. #Aadhaar

The Aadhaar card stands to benefit the citizens of the nation in a much better way if it is actually implemented as a smart card. This thought is such a natural progression over the very idea of a nationalised identity system, that the government has actually asked its users to not fall for Aadhaar “Smart Card” scams, where the Aadhaar details were being printed on plastic cards.
Make linking to services optional
The Aadhaar system, if implemented correctly, can actually make life easier for the citizens. One of the important aspects about this is giving the choice to the user, instead of making it increasingly difficult for users to choose not to get an Aadhaar card.


Giving a deadline for integration with third party services puts unnecessary pressure on the citizens to get an Aadhaar card. Caregivers of the mentally ill, senior citizens and the differently abled are disproportionately affected by harsh deadlines. Aadhaar was initially introduced as an optional program, but it has been increasingly integrated into the daily lives of people.
Just as the UIDAI dodges questions on the security of the Aadhaar ecosystem by pointing out that the Aadhaar database is adequately secured, the UIDAI blames third parties for any issues that pop up with linked services. For example, if users have a problem with the Aadhaar number being linked to the PAN card, the blame for setting a harsh deadline goes to the Income Tax department, and not UIDAI.
Another major concern was the linking of Aadhaar for the distribution of benefits. Here, Aadhaar has shown its usefulness. Implementation of Aadhaar has saved the government Rs 36,144 crore over a period of just two years. In one smooth operation, over one million farmers in Karnataka received benefits, through direct dispersal.
However, the Supreme Court has ruled that those without an Aadhaar card should not be deprived of benefits. The government subsidies and benefits continued to be distributed even for those without an Aadhaar card, but there is a caveat. The actual implementation on the ground is a Hobson’s choice — you can either have an Aadhaar card or be in the process of getting one. In the same ruling, the SC said that the government cannot be stopped from using Aadhaar for authentication purposes, such as in the filing of income tax returns.
If there is no biometric database, the Government can take a number of approaches for a national identity program, without making it a civil rights concern. Giving the citizens granular control on what services they use Aadhaar for gives them the convenience of a digital identity, and at the same time takes away unnecessary power from the hands of the government.
Publish date: April 17, 2017 10:21 am| Modified date: April 17, 2017 10:21 am

Saturday, April 8, 2017

10997 - Will making Aadhaar mandatory help at all? dna India




DIPSHIKHA GHOSH | Thu, 30 Mar 2017, 08:10am, DNA
Policy watchers weigh in on Aadhaar use and abuse

There are dozens of instances of the government (and even private companies) making Aadhaar compulsory, which directly violates the Supreme Court’s orders, which only allow Aadhaar to be used on a voluntary basis for a limited number of government schemes. Apart from contradicting the SC order, Aadhaar has security and privacy problems. Aadhaar Pay is to be launched in April. CIS has shown that multiple UIDAI-approved fingerprint devices that are on the market today allow you to copy people’s fingerprints. This means shopkeepers who collect your fingerprints for Aadhaar Pay can surreptitiously sell your fingerprints and Aadhaar number, which is enough to defraud you of money. How will you prove you didn’t authorize a transaction when it was your fingerprint?

We don’t have a privacy law in India, so there is no protection against private companies misusing Aadhaar while collecting personal data about you, and selling that data without your consent. We need a strong privacy law, and we need to stop using biometrics as a “password”.

Pranesh Prakash, Policy Director at the Centre for Internet and Society

Aadhaar would be effective if it was to be made mandatory for voting. That would reduce dependence on voter booths. Those with access to the internet could stay at home and do a simple scan and cast their votes. A big bulk of poll expenses are spent on the polling day itself. Workers and booth organisers, in the case of Odisha at least, need to be around constantly. They work in shifts and are responsible for herding rural voters to the polling booths. What also tends to happen is politicians automatically invest in booth workers from villages who have local support so that they can influence his/her close ones to vote for them. In some cases private entities like microfinance companies who hold Aadhaar data in rural areas of customers can sell the data for a mere four per cent of the loan they gave. I do not stand with the Bengaluru tech mafias who want to make Aadhaar mandatory.

Tathagata Satpathy, MP, Odisha

Aadhaar comes with immense benefits and this is the reason there has been expansion in its uses. The new Aadhaar Act has no legal constraints for expansion. The biggest advantage is that there will be no leakages or duplication of Aadhaar identities, which seems to be a pervading problem with both PAN and ration cards. It also helps in direct transfer of benefits. Thirdly, it makes it much easier to know who is accessing benefits. Many schemes are spread over different databases. Integrating schemes into one Aadhaar database helps understand who is accessing what benefits and whether there are any overlaps. Any argument against Aadhaar is specious and lacks substance.

GVL Narasimha Rao, BJP spokesperson

As told to Dipshikha Ghosh

Wednesday, April 5, 2017

10965 - Aadhaar marks a fundamental shift in citizen-state relations: From ‘We the People’ to ‘We the Government’ - Hindustan Times


Your fingerprints, iris scans, details of where you shop. Compulsory Aadhaar means all this data is out there. And it’s still not clear who can view or use it
INDIA Updated: Apr 03, 2017 12:34 IST


Pranesh Prakash 
Hindustan Times

Until recently, people were allowed to opt out of Aadhaar and withdraw consent to have their data stored. This is no longer going to be an option.(Siddhant Jumde / HT Illustration)

Imagine you’re walking down the street and you point the camera on your phone at a crowd of people in front of you. An app superimposes on each person’s face a partially-redacted name, date of birth, address, whether she’s undergone police verification, and, of course, an obscured Aadhaar number.

OnGrid, a company that bills itself as a “trust platform” and offers “to deliver verifications and background checks”, used that very imagery in an advertisement last month. Its website notes that “As per Government regulations, it is mandatory to take consent of the individual while using OnGrid”, but that is a legal requirement, not a technical one.

Since every instance of use of Aadhaar for authentication or for financial transactions leaves behind logs in the Unique Identification Authority of India’s (UIDAI) databases, the government can potentially have very detailed information about everything from your medical purchases to your use of video-chatting software. The space for digital identities as divorced from legal identities gets removed. Clearly, Aadhaar has immense potential for profiling and surveillance. Our only defence: law that is weak at best and non-existent at worst.


The Aadhaar Act and Rules don’t limit the information that can be gathered from you by the enrolling agency; it doesn’t limit how Aadhaar can be used by third parties (a process called ‘seeding’) if they haven’t gathered their data from UIDAI; it doesn’t require your consent before third parties use your Aadhaar number to collate records about you (eg, a drug manufacturer buying data from various pharmacies, and creating profiles using Aadhaar).

It even allows your biometrics to be shared if it is “in the interest of national security”. The law offers provisions for UIDAI to file cases (eg, for multiple enrollments), but it doesn’t allow citizens to file a case against private parties or the government for misuse of Aadhaar or identity fraud, or data breach.

It is also clear that the government opposes any privacy-related improvements to the law. After debating the Aadhaar Bill in March 2016, the Rajya Sabha passed an amendment by MP Jairam Ramesh that allowed people to opt out of Aadhaar, and withdraw their consent to UIDAI storing their data, if they had other means of proving their identity (thus allowing Aadhaar to remain an enabler).

But that amendment, as with all amendments passed in the Rajya Sabha, was rejected by the Lok Sabha, allowing the government to make Aadhaar mandatory, and depriving citizens of consent. While the Aadhaar Act requires a person’s consent before collecting or using Aadhaar-provided details, it doesn’t allow for the revocation of that consent.

In other countries, data security laws require that a person be notified if her data has been breached. In response to an RTI application asking whether UIDAI systems had ever been breached, the Authority responded that the information could not be disclosed for reasons of “national security”.
The citizen must be transparent to the state, while the state will become more opaque to the citizen.


HOW DID AADHAAR CHANGE?
How did Aadhaar become the behemoth it is today, with it being mandatory for hundreds of government programmes, and even software like Skype enabling support for it?
The first detailed look one had at the UID project was through an internal UIDAI document marked ‘Confidential’ that was leaked through WikiLeaks in November 2009. That 41-page dossier is markedly different from the 170-page ‘Technology and Architecture’ document that UIDAI has on its website now, but also similar in some ways.

In neither of those is the need for Aadhaar properly established. Only in November 2012 — after scholars like Reetika Khera pointed out UIDAI’s fundamental misunderstanding of leakages in the welfare delivery system — was the first cost-benefit analysis commissioned, by when UIDAI had already spent ₹28 billion. That same month, Justice KS Puttaswamy, a retired High Court judge, filed a PIL in the Supreme Court challenging Aadhaar’s constitutionality, wherein the government has argued privacy isn’t a fundamental right.

Even today, whether the ‘deduplication’ process — using biometrics to ensure the same person can’t register twice — works properly is a mystery, since UIDAI hasn’t published data on this since 2012. Instead of welcoming researchers to try to find flaws in the system, UIDAI recently filed an FIR against a journalist doing so.

At least in 2009, UIDAI stated it sought to prevent anyone from “[e]ngaging in or facilitating profiling of any nature for anyone or providing information for profiling of any nature for anyone”, whereas the 2014 document doesn’t. As OnGrid’s services show, the very profiling that the UIDAI said it would prohibit is now seen as a feature that all, including private companies, may exploit.

UID has changed in other ways too. In 2009, it was a system that never sent out any information other than ‘Yes’ or ‘No’, which it did in response to queries like ‘Is Pranesh Prakash the name attached to this UID number’ or ‘Is April 1, 1990 his date of birth’, or ‘Does this fingerprint match this UID number’.
With the addition of e-KYC (wherein UIDAI provides your demographic details to the requester) and Aadhaar-enabled payments to the plan in 2012, the fundamentals of Aadhaar changed. This has made Aadhaar less secure.

SECURITY CONCERNS
With Aadhaar Pay, due to be launched on April 14, a merchant will ask you to enter your Aadhaar number into her device, and then for your biometrics — typically a fingerprint, which will serve as your ‘password’, resulting in money transfer from your Aadhaar-linked bank account.

Basic information security theory requires that even if the identifier (username, Aadhaar number etc) is publicly known — millions of people’s names and Aadhaar numbers have been published on dozens of government portals — the password must be secret. That’s how most logins work, that’s how debit and credit cards work. How are you or UIDAI going to keep your biometrics secret?

In 2015, researchers at Carnegie Mellon captured the iris scans of a driver using a car’s side-view mirror from distances of up to 40 feet. In 2013, German hackers fooled Apple iOS’s fingerprint sensors by replicating a fingerprint from a photo taken off a glass held by an individual. They even replicated the German Defence Minister’s fingerprints from photographs she herself had put online. Your biometrics can’t be kept secret.
In the US, in a security breach of 21.5 million government employees’ personnel records in 2015, 5.2 million employees’ fingerprints were copied. If that breach had happened in India, those fingerprints could be used in conjunction with Aadhaar numbers not only for large-scale identity fraud, but also to steal money from people’s bank accounts.
All ‘passwords’ should be replaceable. If your credit card gets stolen, you can block it and get a new card. If your Aadhaar number and fingerprint are leaked, you can’t change them, you can’t block them.
The answer for Aadhaar too is to choose not to use biometrics alone for authentication and authorisation, and to remove the centralised biometrics database. And this requires a fundamental overhaul of the UID project.
Aadhaar marks a fundamental shift in citizen-state relations: from ‘We the People’ to ‘We the Government’. If the rampant misuse of electronic surveillance powers and wilful ignorance of the law by the state is any precedent, the future looks bleak. The only way to protect against us devolving into a total surveillance state is to improve rule of law, to strengthen our democratic institutions, and to fundamentally alter Aadhaar. Sadly, the political currents are not only not favourable, but dragging us in the opposite direction.

(Pranesh Prakash is policy director at the Centre for Internet and Society, and Affiliated Fellow at Yale Law School’s Information Society Project)

Wednesday, March 23, 2016

9618 - In India, Biometric Data Storage Sparks Demands for Privacy Laws - VOA News



FILE - A woman places her finger on a biometric card reader before buying her quota of subsidized rice from a fair price shop under the Public Distribution System in Rayagada, in the Indian eastern state of Orissa, March 20, 2012.

Anjana Pasricha
March 18, 2016 11:34 AM
NEW DELHI—

In India, calls for strict privacy laws are growing after this week's passage of a measure that allows federal agencies access to biometric data of the nation's citizens, the world's largest such repository.

The government says the use of biometrics will help cut rampant graft in the distribution of subsidies, but activists and opposition lawmakers warn it could usher in an era of increased state surveillance.

Raghubir Gaur, who works as an electrician in the capital, New Delhi, says he has never collected subsidized rations such as wheat and rice, because “somebody else has been taking the rations I should have gotten.” Now, with a national proof of identity, or "Aadhaar" card in his hands, Gaur says he is confident he will be able to access his designated subsidies.
The Aadhaar card is being used to give welfare benefits to the poor, who often cannot provide any proof of identity, allowing corrupt officials to siphon entitlements.

The government says it has saved nearly $2 billion by preventing misuse of the subsidies in the last fiscal year alone.

Critics fear ‘police state’
Civil activists and research groups, however, have dubbed the Aadhaar program “surveillance technology” that constitutes a serious breach of privacy. They point to identity-verification systems in other countries, where cards or identification numbers are used for verification without creating a gigantic central database that documents every last transaction.
Indeed, the Aadhaar database also stores fingerprints and iris scans of every account holder, labeling each with a 12-digit identification number. 

Raghubir Gaur (L) and his wife Kusum are confident their "Aadhaar" cards with their biometric data will enable them to access entitlements such as subsidized food rations. (A. Pasricha/VOA)

Concerns that this could lead to a massive invasion of privacy have been heightened because the new law allows the data to be used “in the interest of national security.”

“From verifying yourself to the ticket conductor on a train to someone who is delivering something at your house, all the way to opening a new bank account, all these transactions get logged against the centralized data base," says Pranesh Prakash of the Center for Internet and Society in Bangalore. "So this invades your life completely and thoroughly.”

Some lawyers and privacy advocates say this has made it even more important to support a strong privacy law to ensure the huge government database isn't misused.

Finance Minister Arun Jaitley has defended the biometrics legislation, saying the data will be accessed only in rare cases that require authorization by a senior official.

“You mark my words, you are midwifing a police state,” said lawmaker Asaduddin Owaisi, just one parliamentarian who opposed passage of the legislation and found no comfort in Jaitley's assurances.

Prior to the introduction of biometric cards, millions of poor people across India did not have any proof of identity, making it difficult for them to take advantage of government welfare programs. (A. Pasricha/VOA)

Fraud concerns
Despite objections, the bill was passed by legislators who argued that such a move is critical to ensuring subsidies reach intended beneficiaries in a country where millions are poor and illiterate.

Attempts to draft a right to privacy bill to protect individuals against misuse of data by government or private agencies date back to 2010, but have made little headway. The latest push started in 2014.

Citing a cyberattack targeting the U.S. government, in which a hacker gained access to the information of millions of people, research groups have also flagged security concerns around India’s ambitious Aadhaar program.

“If this database gets leaked, the entire identification system collapses because people will be able to authenticate themselves as anyone else. So identity fraud is a great concern,” said Prakash of the Center for Internet and Society.
Nearly one billion biometric identity cards have been issued in India in the last six years.

Thursday, March 10, 2016

9464 - Aadhaar: Govt will not compromise on national security - Live Mint

Last Modified: Wed, Mar 09 2016. 08:18 PM IST


The government is confident that the Aadhaar Bill will be passed

Shreeja Sen

New Delhi: In what could raise concerns of privacy activists questioning India’s unique identification project Aadhaar, the government on Tuesday said national security will not be compromised at all.

“We will not compromise on national security; certainly we will not compromise. The Supreme Court has already highlighted certain areas for consideration. We are going ahead taking into consideration all the suggestions of the Supreme Court,” law minister D.V. Sadananda Gowda said at a press conference, when asked how the Aadhaar bill tabled in Parliament last week will balance the protection of core biometrics and national security concerns.

Under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016, there are measures to protect core biometric information like fingerprints and iris scans of the unique identification number holders.
However, Section 33 says for the purposes of national security, officials at the joint secretary level and above can access this information.

The section has caused some worry to experts. In this analysis, Pranesh Prakash, policy director of the Centre for Internet and Society, says that the national security clause is worrisome. Adding to their concerns, the bill does not define what national security means.
The government is, however, confident that the bill will be passed.
“Certainly it will be passed. The benefits that go from the exchequer to the beneficiaries will be taken care of by this bill,” Gowda said.


Tuesday, March 8, 2016

9452 - Aadhaar: still too many problems - Live Mint


While one wishes to welcome govt’s attempt to bring Aadhaar within a legislative framework, the fact is there are too many problems that still remain unaddressed for one to be optimistic

Pranesh Prakash


The Aadhaar Bill has been introduced as a money bill, even though it doesn’t qualify as such under Article 110 of the Constitution. If the Speaker agrees to this, it will render the Rajya Sabha toothless in this matter, and will weaken our democracy. The government should reintroduce it as an ordinary legislative bill, which is what it is.

While the government has in the past argued before the Supreme Court that Aadhaar is voluntary, Section 7 of the bill allows the government to mandate an Aadhaar number (or application for an Aadhaar number) as a prerequisite for obtaining some subsidies, benefits, services, etc. This undermines its arguments before the Supreme Court, which led the court to pass orders holding that Aadhaar should not be made mandatory. This move to make it mandatory will now need the government to argue that rather than contravene the apex court order, it has instead removed the rationale for it.

Interestingly, the Bharatiya Janata Party (BJP)-led National Democratic Alliance (NDA) government seems to have done a U-turn on the issue of the unique identification number not being proof of citizenship or domicile. The previous Congress-led United Progressive Alliance (UPA) government never meant the Aadhaar number to be proof of citizenship or domicile. This was attacked by the Yashwant Sinha-chaired standing committee on finance, which feared that illegal immigrants would get Aadhaar numbers. Now, the BJP and the NDA seem to be in agreement with the original UPA vision of Aadhaar.

Importantly, there is very strong language when it comes to the issue of privacy and confidentiality of the information that is held by the Unique Identification Authority of India (UIDAI). Section 29 (1), for instance, says that no biometric information will be shared for any reason whatsoever, or used for any purpose other than Aadhaar number generation and authentication. However, that provision is undermined wholly by Section 33, which says that “in the interest of national security”, the biometric info may be accessed if authorized by a joint secretary. This will only fan the fears of those who have argued that the real rationale for Aadhaar was not, in fact, delivery of services, but to create a national database of biometric data available to government snoops.
Further, there are no remedies available for governmental abuse of this provision.

Lastly, in terms of privacy, the concern of those people who have been opposing Aadhaar is not just that the biometric and other identity information may be leaked to private parties, but also that having a unique Aadhaar number helps private parties to combine and use other databases that are linked with Aadhaar numbers in a manner that is not within the subject’s control. This is not at all addressed in this bill, and we need a robust data protection law in order to do that.

There are some other crucial details that the law doesn’t address: Is user consent, to be taken by third parties that use the UID database for authentication, needed for each instance of authentication, or would a general consent hold forever? How can consent be revoked?

There were many other objections that were raised against the Aadhaar scheme that have not been addressed by the government. For instance, in a recent article in the Economic and Political Weekly, Hans Varghese Mathews points out that going by the test data UIDAI made available in 2012, for a population of 1.3 billion people, the incidence of false positives—the probability of the identities of two people matching—is 1/112.

This is far too high a ratio to be acceptable.

Actual data from the field in Andhra Pradesh—of people who were unable to claim rations under the public distribution system (PDS)—paints a worse picture. A survey commissioned by the Andhra Pradesh government said 48% of respondents pointed to Aadhaar-related failures as the cause of their inability to claim rations.

So, even if the Aadhaar numbers were no longer issued to Lord Hanuman (Rajasthan), to dogs (e.g., Tommy Singh, a mutt in Madhya Pradesh), and with photos of a tree (New Delhi), it might not prove to be usable in a country of India’s size, given the capabilities of the fingerprint machines. As my colleague Sunil Abraham notes, the law cannot fix technological flaws.
So, while one wishes one could welcome the government’s attempt to bring Aadhaar within a legislative framework, the fact is there are too many problems that still remain unaddressed for one to be optimistic.

Pranesh Prakash is policy director at the Centre for Internet and Society, a think tank.