In 2009, I became extremely concerned with the concept of Unique Identity for various reasons. Connected with many like minded highly educated people who were all concerned.
On 18th May 2010, I started this Blog to capture anything and everything I came across on the topic. This blog with its million hits is a testament to my concerns about loss of privacy and fear of the ID being misused and possible Criminal activities it could lead to.
In 2017 the Supreme Court of India gave its verdict after one of the longest hearings on any issue. I did my bit and appealed to the Supreme Court Judges too through an On Line Petition.
In 2019 the Aadhaar Legislation has been revised and passed by the two houses of the Parliament of India making it Legal. I am no Legal Eagle so my Opinion carries no weight except with people opposed to the very concept.
In 2019, this Blog now just captures on a Daily Basis list of Articles Published on anything to do with Aadhaar as obtained from Daily Google Searches and nothing more. Cannot burn the midnight candle any longer.
"In Matters of Conscience, the Law of Majority has no place"- Mahatma Gandhi
Ram Krishnaswamy
Sydney, Australia.

Aadhaar

The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. Its use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010, I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one? - Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win. - Mahatma Gandhi

In matters of conscience, the law of the majority has no place. - Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty - Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.”-A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholar Usha Ramanathan describes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence.

Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant. - Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Sabha April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty” and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution.

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the #BreakAadhaarChains campaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uid and @rozi_roti.

UIDAI's security seems to be founded on four time tested pillars of security idiocy

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Showing posts with label Sunil Abraham. Show all posts

Tuesday, March 27, 2018

13112 - Security experts say need to secure Aadhaar ecosystem, warn about third party leaks - Economic Times


By Nilesh Christopher, ET Bureau | Updated: Mar 26, 2018, 01.56 PM IST

BENGALURU: The public reckoning of data leaks in India’s national ID database, Aadhaar, is still on hold while reports of data leakage through third parties keep coming.

While the Unique Identification Authority of India (UIDAI) has maintained that its database is secure and there are no breaches of Aadhaar data from its system, security researchers warn that leaks are happening in third-party sites and it is important for the agency to ensure that its ecosystem adopts measures to keep data safe. 

“Securing an entire ecosystem is more important than securing individual databases,” said security researcher Srinivas Kodali. Over the weekend, technology publication ZDNet, citing an Indian security researcher, said that it had identified Aadhaar data leaks on a system run by the state-owned utility company Indane that allowed anyone to access sensitive information such as a name, Aadhaar number and bank details. The leak was plugged soon after the report appeared.

UIDAI came out with a strong statement denying the breach. “There is no truth in the story as there has been absolutely no breach of UIDAI’s Aadhaar database. Aadhaar remains safe and secure,” the government agency said. 

There have been no reports of any breach in the core database so far. However, it is the third-parties that have acted as weak links. 

“The simple parallel that can be drawn is, though Facebook’s core database of users information was secure, the data leak happened through third-party developers and organisation like Cambridge Analytica that have allegedly misused it,” Kodali said. 

In the case of Aadhaar too, the allegations of breaches have not been about the ‘Aadhaar database’ but rather about insecure government websites and third parties with API access to the database. “In this aspect, the issue in Facebook and Aadhaar is similar. In both the cases there was no breach of database, but it was third parties that acted as the weakest link. In both cases, it was a legitimate means of access through API that was open for abuse,” said Sunil Abraham, executive director, Center for Internet ..

UIDAI could take a leaf from the Indian Space Research Organisation while handling data breach reports. The state-run space agency put out a note appreciating security researchers for their efforts. An email ID to report flaws is more important than summoning people regarding data breaches.

“The fear of criminal prosecution hanging over the heads of ethical hackers would not help us develop a robust and strong security architecture,” said Karan Saini, a Delhi-based security researcher who first highlighted the Aadhaar leak at Indane. 

“UIDAI is working on a policy to enable security experts to report issues in a legal and safe manner,” tweeted Ajay Bhushan Pandey, chief executive of India's Unique Identification Authority (UIDAI), the government department that administers the Aadhaar database. Seven months after the tweet, Pandey’s promise of a bug-reporting mechanism has still not fructified.



Sunday, January 14, 2018

12733 - Aadhaar Body Talked About Virtual ID 7 Years Ago, Put It Off: UIDAI Chief - NDTV



All India | Written by Sukirti Dwivedi | Updated: January 13, 2018 05:35 IST

NEW DELHI:  Virtual ID, the 16-digit temporary number, announced by UIDAI this week had been suggested way back in 2009-10 when its architects were still designing the system. But the Aadhaar authority, which has called Virtual ID a unique innovation to enhance privacy and security, decided against rolling it out at that time.

"And at that time, it was felt that let us first give Aadhaar number, let us see how it plays out and then, at an appropriate time, this will be introduced," Ajay Bhushan Pandey, the chief executive officer of UIDAI, or the Unique Identification Authority of India said in an interview to NDTV this week. He called it an "extra layer of security" for the 119 crore people issued Aadhaar numbers.

It may be a step forward. But not everyone is as convinced.

Cyber security expert Jiten Jain is one of them. Mr Jain told NDTV that UIDAI should first of all decide if the Aadhaar number was confidential information or not because it had changed its stance on this aspect on more than one occasion.

For instance, when government departments put out lakhs of Aadhaar numbers, the government agency had insisted that there was nothing really confidential about the number, which could not be misused. And when The Tribune earlier this month claimed to have found gaps in UIDAI's security system that let the newspaper access demographic details of an individual, UIDAI claimed that "the Aadhaar number is not a secret number" anyway.

Also, a point is being made that if hiding an Aadhaar number enhances privacy, then what about the crores of people who have been forced to share their Aadhaar numbers - and a copy of their Aadhaar cards - all these years.

Experts suggest the timing of the announcement may not have been a coincidence. The initiative came against the backdrop of mounting privacy concerns after the newspaper expose. 

A five-judge Constitution Bench of the Supreme Court is to start hearing next week, on January 17, whether the Aadhaar project violates citizens' privacy.

Srinivas Kodali, cyber security expert and an Aadhaar researcher, said it was clear that the UIDAI had brought it hurriedly. "They said they will release the codes by March 1. So it clearly looks like they haven't planned this thoroughly," he said.

There are also concerns about the ability of people living in remote areas to generate the Virtual IDs, in terms of connectivity and literacy. That means a large proportion of people would not be able to generate the Virtual IDs.

UIDAI chief Mr Pandey said there was nothing to prevent them from continuing to use their Aadhaar number. It is an option, he stressed.

Experts at the Bengaluru-based research group Centre for Internet and Society, which has long advocated for a token system such as the Virtual ID, said this was a problem area.


"Privacy can be protected by design and not by choice," said CIS executive director Sunil Abraham, who believes the biggest flaw with Aadhaar was its design.

"Since it is not mandatory most people will just use the Aadhaar number instead of getting into the hassle of generating a VID... This is privacy through hurdles instead of privacy by design. I suggest authorities should generate VIDs for people and ensure that third parties only use VID and not the Aadhaar number," Pranesh Prakash, policy director at CIS, told NDTV.


Friday, January 12, 2018

12707 - UIDAI introduces new two-layer security system to improve Aadhaar privacy - Economic Times

ET Bureau | Updated: Jan 11, 2018, 06.22 AM IST

It will not be possible to locate your Aadhaar number based on your virtual ID.

NEW DELHI: The Unique Identification Authority of India (UIDAI) has introduced a system of virtual authentication for citizens enrolled on its database and limited the access available to service providers in a move aimed at allaying widespread concern over security breaches that have dogged the world's largest repository of citizen data. 

In one of the most significant security upgrades by the eight-year-old agency, the UIDAI announced the creation of a "virtual ID" which can be used in lieu of the 12-digit Aadhaar number at the time of authentication for any service.

The UIDAI has also limited access to stored personal information and mandated the use of unique tokens through which authenticating agencies can access required data. It claims that the measures will strengthen privacy and also prevent combining of databases linked to Aadhaar. 

ET was the first to report about the UIDAI plan to introduce virtual numbers to address security concerns in its November 20 edition last year. 

A top government official told ET that UIDAI has been working on this technology since July of 2016. "This is going to be one of the biggest innovations ever, people can change their virtual ID whenever they want or after every authentication or every 10 seconds." He added that this will silence most critics of Aadhaar. 

"The Aadhaar number being the permanent ID for life, there is need to provide a mechanism to ensure its continued use while optimally protecting the collection and storage in many databases," the UIDAI said in a notification on Wednesday while announcing the new measures. 

More Needed to be Done: Experts 

"The collection and storage of Aadhaar number by various entities has heightened privacy concerns," it stated. 

Under the new regime, for every Aadhaar number, the authority will issue a 16-digit virtual identity number which will be "temporary and revocable at any time." 

This virtual ID can be generated only by the individual Aadhaar holder and can be replaced by a new one after a minimum validity period. 

In addition, while some Authentication User Agencies (AUA) — categorised by the UIDAI as 'Global' — will have access to all the details or the e-KYC of a specific Aadhaar number, all other agencies will only have access to limited data through the virtual identity number. 

"So this is a very very significant thing and I think this is a great step forward," said Nandan Nilekani, former chairman of UIDAI, in an interview to television channel ET Now on Wednesday. 

Nilekani, widely regarded as the architect of Aadhaar, said that through these new security measures the possibility of the Aadhaar number being stored in many databases also goes away. 

It will make a huge difference in allaying the concerns and it really "eliminates all the arguments against Aadhaar," he told ET Now. 

Last week, Chandigarh-based daily The Tribune reported that demographic data from the Aadhaar database could be accessed for as little as Rs 500. The expose led to the UIDAI barring over 5,000 officials from accessing its portal through login ids and passwords. It also introduced biometric authentication for future access, as reported by ET on Tuesday. 

The widespread fear of misuse of demographic data is heightened by the fact that India still does not have a data protection legislation. The country's apex court is scheduled to resume its hearing on the validity of the Aadhaar scheme next week on January 17. 

Kamlesh Bajaj, former CEO of the Data Security Council of India, said that by limiting access to only those agencies mandated by law, the UIDAI has ensured that "someone will not be able to combine database. It's a positive development in my view and technologically feasible," he said.

EXPERT VIEWS 

Privacy experts and activists were of the view that more needs to be done to ensure foolproof security for critical personal information. 

The Bengaluru-based research organisation Centre for Internet and Society has suggested that all the Aadhaar seeding with all the existing databases should be revoked. "Until then, it is one step ahead but not enough," said Sunil Abraham, executive director of CIS.

To enable a speedy rollout of the new safety standards, the UIDAI plans to release the required technical updates by March 1, 2018 and all the Authentication agencies using the Aadhaar database will need to upgrade their systems latest by June 1, 2018. 

In its circular, UIDAI has also said that agencies not allowed to use or store the Aadhaar number should make changes inside their systems to replace Aadhaar number within their databases with UID Token. 

"Unless there is complete revocation, some database with Aadhaar numbers will still float around and secondly there is no reason why some data controllers should be trusted, the tokenisation should be implemented for everyone," said CIS's Abraham. 

The circular said that authentication using virtual ID will be performed in the same manner as the Aadhaar number and people can generate or retrieve their virtual numbers (in case they forget) at the UIDAI's resident portal, Aadhaar Enrolment Centers, or through the Aadhaar mobile application. 

In addition to the virtual numbers, UIDAI will also provide "unique tokens" to each agency against an Aadhaar number to ensure that they are able to establish the uniqueness of beneficiaries in their databases, such as for distributing government subsidies for cooking gas or scholarships.

Activists argue that most service providers — even digital ones — work with a paper ID card system. "They don't cross-check it with the UIDAI database. UIDAI is not issuing virtual ids for paper cards, and a new category of so called Global AUAs are exempted from using the virtual ids, so citizens are not protected almost anywhere that they need to use Aadhaar," said Kiran Jonnalagadda, co-founder of the Internet Freedom Foundation, who said the change doesn't help enough to secure the ecosystem .. 


Tuesday, December 12, 2017

12487 - Checks and balances needed for mass surveillance of citizens, say experts - The Hindu


BENGALURU , DECEMBER 09, 2017 20:00 IST


A number of measures are required to protect law-abiding citizens from mass surveillance and misuse of their personal data, according to top technology and legal experts.

The measures include issuing of tokens by the Unique Identification Authority of India (UIDAI) instead of Aadhaar numbers and having an official in the judiciary give permission to vigilance.

The experts were participating in a panel discussion on ‘Navigating Big Data Challenges’ at Carnegie India’s Global Technology Summit here. They also said there was a need to implement ‘de-identification of data’ or preventing a person’s identity from being connected with information.

The moderator of the discussion was Justice B.N. Srikrishna, a former Supreme Court judge, who was also heading a government-appointed committee of experts to identify “key data protection issues” and recommend methods to address them. Justice Srikrishna told the panellists that Aadhaar or the unique identification number had empowered the people. But in situations where the State wants all the information about citizens from different service providers because of its suspicions related to terrorism or criminal activity, he asked, what is the method to create a balance?

“Surveillance is like salt in cooking which is essential in tiny quantities, but counterproductive even if slightly in excess,” responded Sunil Abraham, executive director of Bengaluru-based think tank, Centre for Internet and Society. He said there was a need to make a surveillance system which had privacy by design built into it.

Mr. Abraham said that his organisation had proposed to the UIDAI that it use ‘tokenisation,’ which meant that whenever there was a ‘know your customer’ requirement, the Aadhaar number was not accessed by organisations like telecom firms or banks. Instead, when citizens used various services via smart cards or PINs, a token was generated, which was controlled by the UIDAI. Organisations like banks and telecom firms could store those token numbers in their databases. He said this would make it harder for unauthorised parties to combine databases, but at the same time would enable law enforcement agencies to combine databases using the appropriate authorizations and infrastructure.
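The tokenisation proposal described above, and the per-agency "unique tokens" in the UIDAI circular reported earlier on this page, can be sketched as follows. This is an added example, not code from UIDAI, CIS or the articles: the HMAC-based derivation, the `TokenIssuer` class, the agency names and all ID numbers and records are assumptions constructed for illustration.

```python
import hashlib
import hmac
from typing import Dict, List, Optional


class TokenIssuer:
    """Hypothetical central issuer. Deriving tokens with HMAC-SHA256 over
    (agency id, ID number) is an assumption, not UIDAI's published scheme."""

    def __init__(self, secret_key: bytes) -> None:
        self._key = secret_key  # held only by the issuer

    def token_for(self, agency_id: str, id_number: str) -> str:
        # Binding the agency id into the MAC gives every agency a different
        # but stable token for the same person.
        msg = agency_id.encode() + b"\x00" + id_number.encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]

    def authorised_link(
        self,
        id_number: str,
        databases: Dict[str, Dict[str, str]],
        authorisation: Optional[str],
    ) -> Dict[str, Optional[str]]:
        # Stand-in for the institutional check: only the issuer, presented
        # with an authorisation reference, can re-derive each agency's token.
        if not authorisation:
            raise PermissionError("cross-agency linking requires authorisation")
        return {
            agency: db.get(self.token_for(agency, id_number))
            for agency, db in databases.items()
        }


def tokenise(issuer: TokenIssuer, agency_id: str,
             records: Dict[str, str]) -> Dict[str, str]:
    """Re-key an agency's records from raw ID number to its own token."""
    return {issuer.token_for(agency_id, n): v for n, v in records.items()}


def joinable_keys(db_a: Dict[str, str], db_b: Dict[str, str]) -> List[str]:
    """Keys on which two databases could be merged by whoever obtains both."""
    return sorted(set(db_a) & set(db_b))


# Constructed sample data: 12-digit values are made up, not real ID numbers.
BANK_RAW = {"999900000001": "account A-17", "999900000002": "account A-42"}
TELECOM_RAW = {
    "999900000001": "SIM 1",
    "999900000002": "SIM 2",
    "999900000003": "SIM 3",
}

ISSUER = TokenIssuer(b"constructed-demo-key")
BANK_TOK = tokenise(ISSUER, "bank", BANK_RAW)
TELECOM_TOK = tokenise(ISSUER, "telecom", TELECOM_RAW)

if __name__ == "__main__":
    # Raw ID numbers act as a universal join key across leaked databases.
    print("raw join:", joinable_keys(BANK_RAW, TELECOM_RAW))
    # Per-agency tokens share no keys, so the same join finds nothing.
    print("token join:", joinable_keys(BANK_TOK, TELECOM_TOK))
    # The issuer can still link records when given an authorisation.
    print(ISSUER.authorised_link(
        "999900000001",
        {"bank": BANK_TOK, "telecom": TELECOM_TOK},
        "constructed-order-001",
    ))
```

The design only helps once the raw number is removed from agency databases, which is the point of the call on this page to revoke existing seeding.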

“UIDAI is considering this, they call it the dummy Aadhaar numbers. We need technical as well as institutional checks and balances,” said Mr. Abraham.
Countries like the U.S also have processes like Foreign Intelligence Surveillance Court (FISA court) which entertains applications made by the U.S Government for approval of electronic surveillance, physical search, and certain other forms of investigative actions for foreign intelligence purposes.
“My concern is that in the current system, surveillance can be done by the State machinery. I don’t necessarily suggest FISA court.... but some kind of mechanism where (one can’t) be held at the mercy of incestuous State machinery,” said Rahul Matthan, a partner at law firm Trilegal. “But have some second person who is outside the influence of this system (and) who actually says ‘yes this is a terrorist which requires us to do mass surveillance’,” he said.

Artificial Intelligence
A large amount of information, or big data, ranging from financial and health data to political insights of people, is being collected by different organisations and service providers and is sitting in different silos. All of this is likely going to be linked through Aadhaar. Mr. Srikrishna asked what would happen if all of this data were aggregated and, using artificial intelligence and machine learning, one were able to analyse it and profile individuals. He asked, “would that be not a terrifying scenario”, where the State can act as super-monitor for citizens, and how citizens can be guarded against it.
Mr. Srikrishna was referring to the ‘Social Credit System’ proposed by the Chinese government for creating a national reputation system to rate the trustworthiness of its citizens including their economic and social status. It works as a mass surveillance tool and uses big data analysis technology.
“It is a possibility. What stands in the way of it becoming a reality (in India) is a robust law,” said Mr. Matthan. “Technology is so powerful that it could equally be used for good as well as bad.”

Thursday, September 7, 2017

11995 - DOES THE DATA SECURITY RISK OF A BILLION INDIANS HANDING OVER BIOMETRIC INFORMATION OUTWEIGH THE BENEFITS? - News Week


BY SANDY ONG ON 9/3/17 AT 1:51 PM

The ominous changes at Ryan Sequeira’s workplace began in early 2015. First came the biometric machines, two on every floor of the New Delhi office where he worked as an architect for a government think tank. Then, about a month later, they did away with sign-in sheets—instead, employees had to clock in and out on the new machines by scanning their fingerprints and keying in their Aadhaar numbers.

This was all part of a radically ambitious plan set in motion in 2010, when the Indian government decided to enroll its 1.3 billion residents into a central database and issue unique identification numbers. Aadhaar, which means “foundation” in Hindi, was to form the backbone of social welfare programs by ensuring that beneficiaries could be properly identified, which in turn would help reduce fraudulent claims.


A villager performs an iris scan at an Aadhaar enrolment centre in Rajasthan, India on February 21, 2013. In a more ambitious version of programs that have slashed poverty in Brazil and Mexico, the Indian government began to use the identification database to make direct cash transfers to the poor and cut out fraudulent welfare claims.
MANSI THAPLIYAL/REUTERS


So Aadhaar was rolled out, and Indians all across the country headed to enrollment centers and had their biometrics taken—a photograph, 10 fingerprints and two iris scans—then waited for their free identity cards to arrive in the mail. Enrollment continues today, and the world’s largest biometrics database is now nearly complete, with over 99 percent of Indian adults —nearly 1.16 billion people—registered as of July.
Seven years on, the 12-digit Aadhaar number continues to be used in social welfare, but it has pervaded many other areas of Indian life—from banking to baby bonuses, mortgages to marriage licenses. For government employees like Sequeira, Aadhaar now means having to log their hours using biometric-based machines. The benefits of a unique ID number may seem plentiful, but there may be just as many risks.
When the new machines arrived at his office, “people didn’t know their numbers,” Sequeira says. “So the company put up a large sheet next to the machines with everybody’s name and Aadhaar number to ‘help’ them.”
He recalls, “That was stupid—I was really irritated at the callousness with which they treated our data.”

Fraud and Leakage
The idea for Aadhaar was first floated in the early 2000s, under the premise that welfare systems would become more efficient (and save money) if residents had a unique personal identifier. At the time, the government was having difficulty identifying who should rightfully receive rations of food, fertilizer, cooking gas and other necessities. People were siphoning off rations—over a quarter of all issued—by making fraudulent claims. The root of the problem, the government said, was a lack of proper identification among its people. Fewer than half of all Indians have a birth certificate, few pay taxes and even fewer have a driver’s license or passport.
“There were two main drivers behind Aadhaar,” says Nandan Nilekani, who in 2009 helped set up the statutory board, the Unique Identification Authority of India (UIDAI), responsible for rolling out Aadhaar. “One driver was inclusion, because many people in India didn’t have any form of an identity, especially poorer Indians. The second was that in the last 15 years, the government has been spending billions of dollars— at least $60 billion to $80 billion a year— on entitlements and benefits, but there was a lot of fraud and leakage. Therefore, we needed to have a robust, unique ID system to make sure the benefits went to the right person.”
Already, says Nilekani, Aadhaar has saved the government close to $7 billion. Roughly $2.5 billion of that came from plugging the leaky tap of cooking gas benefits. For a country that this year became one of the world’s largest importers of liquefied petroleum gas —after the government began offering in 2016 free connections to poor families to switch them from more polluting biomass-based fuels, like firewood and cow dung—that’s good news for India and the planet.

Ghewar Ram, right, 55, and his wife Champa Devi, 54, display their Unique Identification (UID) cards outside their hut in Rajasthan, India on February 21, 2013. Aadhaar has given many of India's poorest the keys to participate in the formal economy.
MANSI THAPLIYAL/REUTERS

But some say Nilekani grossly overestimates the savings. “It’s a lie—most of the de-duplication that the government claims has been dealt with without the use of Aadhaar,” says agricultural economist R. Ramakumar from Mumbai’s Tata Institute of Social Sciences. List-based de-duplication—getting officials to “sit with the local data to identify who came from the same address”—was reported to be 15 to 20 times more effective than Aadhaar-based de-duplication, Ramakumar says, citing a 2016 study by the International Institute for Sustainable Development, a Canada-based research organization.

Whether the figures tell a tall tale or not, however, doesn’t seem to be a pressing concern for those on the ground. Instead, ordinary Indians are more focused on how Aadhaar has changed their lives. “I think it’s a good idea because before this, my two children and I had no identification, no passport, only a ration card,” says Anita Pereira, a domestic helper from the city of Pune. “The Aadhaar card supports so many things—if I want to do a passport, go to the bank, book a railway ticket.”

The Aadhaar card has allowed millions to finally be included into the formal economy. They can now open a bank account, borrow money from the Reserve Bank of India (the country’s largest lender), send and receive remittances, and purchase SIM cards. It’s also enabled mobile payments and other cashless transactions, crucial in light of last year’s disastrous demonetization drive, when the government suddenly removed 500 and 1,000 rupee banknotes from circulation, or 86 percent of its currency, leaving many in limbo. In Aadhaar’s few short years, financial inclusion among Indian women rose by 24 percent, more than 270 million Aadhaar-linked bank accounts were opened, and mobile phone penetration doubled to 79 percent of the population.

Aadhaar has a “tremendous potential to foster inclusion by giving all people, including the poorest and most marginalized, an official identity,” a United Nations report declared last year. This includes women, ethnic minorities, the illiterate and those in the lower castes—populations that typically live on the fringes of society in many parts of India.

Having an identity document that’s recognized throughout the country is also a boon, given how many millions crisscross the vast subcontinent every year—mostly to bustling metropolises like Kolkata, Mumbai and Delhi—for marriage or in search of work. One in every three Indians, according to a 2016 census, lives outside his or her hometown.

Having Aadhaar to verify identity also ensures that migrants don’t lose out on government benefits that might have required ration cards dependent on a local address, or health care access “mediated by familiar and familial contacts, a form of old-fashioned biometrics,” write Harvard human rights expert Jacqueline Bhabha and her doctoral student Amiya Bhatia in a 2017 paper published in the journal Oxford Development Studies.

Even residents who are noncitizens—5.2 million people, according to 2015 figures, mostly from neighboring countries Bangladesh and Pakistan—can apply for an Aadhaar number. Including immigrants is an unusual move, one that most other national identity schemes can’t boast of. “That’s huge when it comes to thinking about inclusion, migrant labor and that basic fundamental right to identification and legal identity,” Bhatia says.

Want an Ambulance? Get a Number
Aadhaar can break down barriers, but it also creates them. Without their 12-digit identification number, schoolchildren can’t claim their free midday meal, new mothers don’t receive their cash bonuses, farmers can’t apply for crop insurance benefits, and the disabled aren’t able to purchase discounted train tickets.

And Aadhaar isn’t just synonymous with poor Indians seeking benefits anymore. The Hindustan Times, a leading Indian newspaper, reported in April that of the 61 services where Aadhaar is mandatory, only 10 are welfare schemes. Indians now need their ID to file taxes, open an account at major banks and get mobile phone connections. Last July, the southeastern city of Tirupati, acclaimed for its temples, made Aadhaar compulsory for booking one of the 750 tickets issued daily to devotees seeking to perform the Angapradakshinam ritual—an ancient rite where worshippers roll in wet clothing on temple floors to express gratitude and ask for blessings from the presiding deity, Lord Venkateswara. The temple minders do so to control the crowds and to “make sure that the same person is not using the facility repeatedly.”

The Uttar Pradesh government in north India made it compulsory this June for those hailing an ambulance to produce their Aadhaar card before getting on board. If the patients aren’t well enough to do so, their next of kin has to present the right documents.

“Getting the number is voluntary,” says Nilekani, who left UIDAI in 2014 to become a congressman. “But as more and more programs require you to have it, effectively you have to get the number.”
Still, the Supreme Court of India declared in 2015 that “it is not mandatory for a citizen to obtain an Aadhaar card.” To this day, citizens continue to file petitions with the court, complaining that Aadhaar infringes on their right to privacy.
Others, however, believe something more sinister underlies Aadhaar’s growing ubiquity: state surveillance. “It’s like boiling the frog slowly,” says Sunil Abraham, executive director of the Centre for Internet and Society, a Bangalore-based think tank. “Initially, they made it sound like it’s for the poor…. Then slowly it creeps in, and more and more middle-class people and taxpayers have to get the card. So you pretend you’re improving governance, but on the other hand, you keep increasing surveillance. It serves both agendas.” Abraham resisted getting an Aadhaar number, but he had to fold when the law changed in 2017, requiring all taxpayers to have one.
Another big concern for Abraham is security for all that data. “Biometrics are irrevocable,” he says. “Once they’re compromised, they can’t be re-secured. Once somebody has stolen your biometrics, that’s the end of it.”
India doesn’t have a privacy law, nor does it have one that protects all the biometric data collected. Although Nilekani says he favors creating such laws, he insists Aadhaar is safe. With all biometric data encrypted and stored offline behind multiple firewalls, he says, “Aadhaar is well designed for privacy.” Agencies and merchants seeking to use Aadhaar as an identification and authorization tool, whether it’s to distribute benefits or enable cashless payments, have to be licensed. “It’s not a free-for-all, anyone-off-the-internet kind of thing,” Nilekani says. “It’s based on a very regulated and managed ecosystem.”
To that, Abraham says, So what? “I think it’s only a matter of time before the database is breached—unless you’re telling me my government’s security experts are better than Facebook’s.”
Already, the names, bank account details and Aadhaar numbers of more than 130 million people have been leaked from four government websites and published online. Abraham’s Centre for Internet and Society published a report in May blaming the leaks on UIDAI for not implementing stringent regulations on third-party users regarding their use of Aadhaar data (for example, barring the publication of private details online). When you have a centralized database like Aadhaar, Abraham warns, you “end up with a honeypot that all the terrorists, foreign states and criminals will want to attack.”

Bandwidth Starved
Security isn’t the only gripe Abraham has about Aadhaar. “In bandwidth-starved India, it’s just inappropriate technology,” he says. Fingerprint-scanning machines that verify a person’s identity require electricity and an internet connection to carry out cross-checks using the database. But India’s infrastructure works against such digitization—an estimated 240 million Indians have no electricity at all; power cuts are frequent, especially in the hotter months; and the average internet speed ranks the lowest in Asia, at 4.1 megabits per second, or about a third of what the average American enjoys.
Then there’s the problem of whether the technology actually works. Fingerprint authentication fails 5 percent of the time, on average, but reports suggest that figure can be as high as 36 percent in some parts of the country. In many instances, it’s poor manual laborers who have problems, because relentlessly grueling work can wear out fingerprints.
Still, Aadhaar continues to grow. The beast of a database is expected to enfold all Indian residents by the end of the year, and the reach of its tentacles expands ever further to more programs, schemes and applications. Will this massive beast remain docile, bringing benefits to millions, or career out of control?
“When it comes to Aadhaar, I don’t think everyone trusts the government to do what is right only,” Sequeira says. “Like the Latin saying goes, Quis custodiet ipsos custodes? Who will watch the watchmen?”

Monday, July 10, 2017

11591 - Aadhaar Crime Bomb - India Legal


July 8, 2017

Access to basic services like health and education will also be determined by biometric scans.

The government’s decision to link these vital numbers to bank accounts could trigger a wave of economic offences. It is time this decision that threatens the banking system is reviewed
~By Ajith Pillai

Is India sitting on an Aadhaar crime bomb that will soon begin ticking? Imagine a scenario where money is transferred from your account into another or vice versa by an unknown entity without your knowledge; when your fingerprint is placed at a scene of a serious crime to implicate you; when criminals track virtually all your activities and plot their next move; when foreign funds are transferred into your bank with devious intent and you find your account blocked pending investigations into your mysterious source of foreign monies…. All this and much more is very much in the realm of possibility thanks to your 12-digit Aadhaar number.

And to speed us on the risk-prone biometric highway is the June 1, 2017 notification (No2/F. No P. 12011/11/2016-Es Cell-DOR) of the Department of Revenue under the Finance Ministry which makes it compulsory for account holders to link their accounts with their PAN and Aadhaar numbers before December 31, 2017. Companies too will have to submit to the banks the same identification numbers for their board members or those who have been authorised to transact business on their behalf.
Many cyber security experts are of the view that the Unique Identification (UID) programme, launched in 2010, has evolved dangerously and will become a veritable password for those indulging in a range of cyber-related crimes. At the receiving end will be ordinary Indians who now have to furnish the number for virtually every activity of their daily life—from buying a cellphone to opening a bank account.


Illustration: Anthony Lawrence

To them, and to a sizeable section in the police, cyber-crime is an alien concept and the government’s reluctance to accept glitches in the UID programme has not helped. But despite all the apprehensions and a clutch of pending petitions in the Supreme Court relating to the validity of the scheme and privacy concerns, the government has been doggedly pushing ahead with ushering in a biometric revolution of the kind the world has hitherto not seen.

Initially meant to provide an identity for the poor and to ensure that there are no leakages in money transfers under various welfare schemes, the Aadhaar net has been widened to encompass virtually every aspect of life. School admissions, mid-day meal schemes, driving licences, pensions, income tax payments, rail and air tickets and soon, opening a bank account or maintaining one, will require the person’s Aadhaar number.
And each time one shares a number with a new agency/service platform, the number of points from which personal data can be accessed by undesirable elements multiplies. And once the data thief gains access to the data, which includes facial image, image of the iris and fingerprints, he can access the respective bank account because it will be linked to the Aadhaar card.
A copy of a fingerprint is all that will be required to effect transfers or payments into another account using the Bhim app or a point of sale (POS) machine which requires only a fingerprint as proof and bypasses the need to swipe a debit or credit card. The Bhim app, introduced to facilitate cashless transfers by the unlettered, necessitated the need to link UID numbers and data to banks. Now the government has mandated that all accounts holders must also be linked through Aadhaar.


Then PM Manmohan Singh and Congress leader Sonia Gandhi launching the Aadhaar number in Nandurbar, Maharashtra, in 2010. Photo: PIB

This gives a different dimension to data theft as it can facilitate serious financial fraud. It is no longer just about big corporations mining data to size up your credit rating or spending patterns to focus and target their marketing efforts. Neither is it about the CIA keeping a tab on India’s demographics. What we are talking about is an invasion of privacy which may come with a huge criminal quotient and could impact every citizen.



The dividends from data mining are so huge and the implications so varied that this has already begun. It will not be long before the crimes start. Here are some pointers which also reveal how data is not secure with the government:
  • On February 15, 2017, the Unique Identification Authority of India (UIDAI) which is mandated to implement the Aadhaar scheme reportedly filed cases against employees of Axis Bank, Suvidha Infoserve and e-Mudhra for attempting unauthorised authentication and impersonation by illegally storing Aadhaar biometrics. The security breach came to light after 397 fake biometric transactions were carried out in five days of February.
  • On February 18, the Hindi news daily Dainik Bhaskar reported the arrest of six salespersons of telecommunications service provider Reliance Jio in Madhya Pradesh for selling SIM cards at inflated prices by using the Aadhaar data and fingerprint scans of other customers.
  • In April this year, the Aadhaar details of one lakh pensioners in Jharkhand who had seeded their UID numbers to bank accounts were freely available on the website of the Jharkhand Directorate of Social Security. A few days later, a leading national daily found that “secured” data was available on the websites of a scholarship database in UP; the PDS website of the Chandigarh administration; a pensioners’ listing in Kerala and the Swachh Bharat Mission.
  • A report released in May 2017 by the Centre for Internet and Society, a Bangalore-based organisation looking at multi-disciplinary research and advocacy in internet use, reveals that in the past few months, data of 13.6 lakh citizens was leaked from four major government data bases, including the portals of NREGA and National Social Assistance Programme.
  • A note generated on March 25 by an official of the Ministry of Electronics and Information Technology accessed by the New Indian Express, confirmed that biometric data was not secure. “There have been instances wherein personal identity or information of residents, including Aadhaar number and demographic information and other sensitive personal data such as bank account details etc. collected by various Ministries/Departments… has been reportedly published online and is accessible through an easy online search,” said the note displayed on the front page of the newspaper. The same ministry on March 5 had issued a statement that the Aadhaar data was absolutely secure.
The financial misuse of data has not been lost on experts. Sunil Abraham, executive director of CIS, has been quoted as saying: “Biometrics is an inappropriate technology for financial services. Linking Aadhaar, which has your biometric data, with bank accounts makes you a lot more vulnerable to financial frauds than before. Your fingerprint can easily be collected at a restaurant or any other public place and can be used to steal your identity and commit frauds. The government needs to rethink its use for Aadhaar as it will impact over a billion people.”

The Foreign Hand
In 2010-2012, Unique Identification Authority of India (UIDAI) awarded contracts for biometric profiling to three US-based Biometric Solution Providers (BSPs). These were—L-1 Identity Solutions, Morpho-Safran, and Accenture Services Pvt. Ltd. All three reportedly have business contracts with US, British and French intelligence agencies. There are also reports in the international media of former intelligence operatives in the employment of these companies and their subsidiaries.
The companies, as per the contract, were given Rs 20 crore each by UIDAI for their services. The charge paid per card was Rs 2.75.
This money went to foreign companies. The UID programme was not an indigenous effort as claimed by Nandan Nilekani, chairman of the UIDAI, when it was launched and the contracts with the foreign companies were signed.
The UIDAI has often made statements that the data collected is encrypted and inaccessible to the BSPs. But the contract with the three companies, accessed by an RTI activist, shows that they had access to unencrypted biometric data. As part of their contract, these BSPs had to weed out duplicate applications. This involved comparing the biometric data of all applicants which necessitated access to it.
It is not known whether the mass of biometric data was copied and stored abroad or sold. But given the demand for data, the possibility of this having happened cannot be ruled out. Also, one cannot say with certainty that it will not be put to use in future by intelligence agencies or exploited by corporates.
Clause 4.1.1 of Annexure ‘E’ of the contract admits that demographic data is inaccurate. Despite RTI requests, UIDAI has refused to provide Annexures ‘I’, ‘J’ and ‘K’ of its contracts with Biometric Solution Providers. It has even refused to comply with the orders to do so by the Chief Information Commissioner, citing security reasons. These annexures give the technical bids of the contractors which would specify the limitations.

Prashant Pandey, who knows a thing or two about cyber security and was the whistle-blower in the Vyapam scam, fears that the linking of Aadhaar cards to bank accounts could lead to serious frauds. He told India Legal: “Just imagine a trickster operating from outside India with leaked Aadhaar database and hundreds of POS machines with the biometric payment system, Bhim. He can pull money out from bank accounts to an anonymous destination abroad. The possibilities are immense unless security is tightened and data secured.”
Professor Anupam Saraph, an expert in governance of complex systems, describes the linking of Aadhaar to bank accounts as a move which will “enable benami bank accounts and scale benami transactions to destroy the Indian economy along with the Indian banking system”.

“The Aadhaar number is for all residents in India. It cannot hence, serve as ID for Indian citizens. It is not an ID card, but a number in a database. Every time people have to be identified, identification is needed by scanning biometrics from the UIDAI database, which is impractical.”
—Colonel Thomas Mathew, anti-Aadhaar campaigner
In his blog, Saraph lists several reasons why he feels the Aadhaar-bank account linking is dangerous. Innocent account holders, he notes, will find their UID numbers being used as “mules for money laundering”. Or their payments under government schemes easily compromised by tricksters. Worse, they can be “framed for economic offences” if someone deliberately transfers illegal money into their accounts. This, in turn, would lead to harassment and accounts being frozen pending investigation.
But how can fingerprints be copied and misused? Pandey pointed to the example of the Vyapam entrance examination scam for MBBS in Madhya Pradesh. Here, qualified persons fronted for the real candidates and wrote the exam on their behalf despite fingerprint scanners being used before allowing access into the examination hall. How were the scanners fooled? “The fake candidates merely copied the fingerprints of the real candidates on a silicon film and wore it on their thumb. This happened in not one or two cases but in several hundreds of them. What happened in Vyapam is proof of how unreliable fingerprint identification is,” he said.

Fingerprints from the Aadhaar database, once accessed, can easily be copied and used to implicate someone in a crime. Pandey believes it is a real possibility. “Your fingerprint can be placed at the scene of a crime by vested interests who can frame you with the help of the police. The prospect of misuse is frightening,” he said. Pandey hopes to demonstrate how Aadhaar data can be misused before the apex court.
Noted human rights activist and senior Supreme Court lawyer Indira Jaising said that privacy concerns are not to be taken lightly. She told India Legal: “As a citizen, why should I surrender all my personal details to the government so that it can be misused against me? Why should people know which hospital I go to or which school my child attends? Why should they know where I am travelling to or on which airline I have booked my tickets? Once all my activities can be mapped, the information can be used to perpetrate a crime against me. Why should I allow that?”
However, those who endorse the UID scheme brush aside privacy concerns by saying that such apprehensions reside only in the minds of those who are involved in illegal activity or have unaccounted wealth and would not like their bank transactions to be monitored. What this misses is that there are already enough ways to keep tabs and there is no need to store personal data which can easily be stolen. “As for Aadhaar providing biometric proof of identity, the less said the better,” said Colonel Thomas Mathew, a Bangalore resident and one of the first to file a civil suit in the apex court against Aadhaar.
“The UID/Aadhaar number is for all residents in India (who could also be outsiders on an extended visa). It cannot hence, serve as an ID for Indian citizens. It is not an ID card, but a number in a database. The UID scheme envisages that people would be identified every time identification is needed, by scanning biometrics and querying the UIDAI database. This is impractical. UIDAI itself admits that demographic data is inaccurate. If demographic data is unreliable, UID cannot be proof of ID,” Mathew told India Legal.



As for the fallibility of biometric data, he quotes the 2010 study titled “Biometric Recognition—Challenges and Opportunities” by four US national academies—the National Academy of Sciences, the National Academy of Engineering, the Institute of Medicine and the National Research Council.
The first principal finding of the research was that “biometric recognition is inherently probabilistic and hence, inherently fallible”. According to estimates, under field conditions, the false matches are 1 in 16.
Added Mathew: “The actual number of false matches is even more—1 in 10. This fact is known from an ignorant, inadvertent admission of UIDAI in its counter-affidavit to my writ petition in which it stated that 80 million fake/ duplicate enrolments were detected (at a time when about 800 million enrolments were done). So, mathematical prediction is proved by ground reality data.”
Even in the Madrid train bombings case of 2004, fingerprints taken at the scene of the crime matched those of 20 people in the FBI database. When even the limited data bank of criminals with the FBI is fallible, imagine the probability of error when the entire population of a country as vast as India is involved.
Ahead of the 2014 general elections, the BJP had opposed the UID programme. In fact, Mathew was invited to make a presentation against Aadhaar before a BJP Parliamentary Party presided by LK Advani. The unanimous view then was that Aadhaar was a security risk and must be vehemently opposed. But things changed after the BJP came to power. Notes Mathew: “The party has done a complete ‘U’ turn without giving any reasons.”
In the final analysis, before the nation heads towards a total Aadhaar regime, it is perhaps time for the government to reassess the entire UID programme to plug the inherent security lapses. Also, it must not promote its use as proof of identity. It was only last month that the Union home ministry issued a communiqué: “Aadhaar (UID) card is not an acceptable travel document for travel to Nepal/Bhutan.” A valid national passport or election ID card issued by the Election Commission would however serve as proof.
Therein lies the harsh reality and identity crisis…

Saturday, April 8, 2017

11000 - It’s the technology, stupid - Hindu Businessline




SUNIL ABRAHAM


Eleven reasons why the Aadhaar is not just non-smart but also insecure

Aadhaar is insecure because it is based on biometrics. Biometrics is surveillance technology, a necessity for any State. However, surveillance is much like salt in cooking: essential in tiny quantities, but counterproductive even if slightly in excess. Biometrics should be used for targeted surveillance, but this technology should not be used in e-governance for the following reasons:

One, biometrics is becoming a remote technology. High-resolution cameras allow malicious actors to steal fingerprints and iris images from unsuspecting people. In a couple of years, governments will be able to identify citizens more accurately in a crowd with iris recognition than the current generation of facial recognition technology.
Two, biometrics is covert technology. Thanks to sophisticated remote sensors, biometrics can be harvested without the knowledge of the citizen. This increases effectiveness from a surveillance perspective, but diminishes it from an e-governance perspective.
Three, biometrics is non-consensual technology. There is a big difference between the State identifying citizens and citizens identifying themselves to the state. With biometrics, the State can identify citizens without seeking their consent. With a smart card, the citizen has to allow the State to identify them. Once you discard your smart card the State cannot easily identify you, but you cannot discard your biometrics.
Four, biometrics is very similar to symmetric cryptography. Modern cryptography is asymmetric. Where there is both a public and a private key, the user always has the private key, which is never in transit and, therefore, intermediaries cannot intercept it. Biometrics, on the other hand, needs to be secured during transit. The UIDAI’s (Unique Identification Authority of India overseeing the rollout of Aadhaar) current fix for its erroneous choice of technology is the use of “registered devices”; but, unfortunately, the encryption is only at the software layer and cannot prevent hardware interception.
Five, biometrics requires a centralised network; in contrast, cryptography for smart cards does not require a centralised store for all private keys. All centralised stores are honey pots — targeted by criminals, foreign States and terrorists.
Six, biometrics is irrevocable. Once compromised, it cannot be secured again. Smart cards are based on asymmetric cryptography, which even the UIDAI uses to secure its servers from attacks. If cryptography is good for the State, then surely it is good for the citizen too.
Seven, biometrics is based on probability. Cryptography in smart cards, on the other hand, allows for exact matching. Every biometric device comes with ratios for false positives and false negatives. These ratios are determined in near-perfect lab conditions. Going by press reports and even UIDAI’s claims, the field reality is unsurprisingly different from the lab. Imagine going to an ATM and not being sure if your debit card will match your bank’s records.
Eight, biometric technology is proprietary and opaque. You cannot independently audit the proprietary technology used by the UIDAI for effectiveness and security. On the other hand, open smart card standards like SCOSTA (Smart Card Operating System for Transport Applications) are based on globally accepted cryptographic standards and allow researchers, scientists and mathematicians to independently confirm the claims of the government.
Nine, biometrics is cheap and easy to defeat. Any Indian citizen, even children, can make gummy fingers at home using Fevicol and wax. You can buy fingerprint lifting kits from a toystore. To clone a smart card, on the other hand, you need a skimmer, a printer and knowledge of cryptography.
Ten, biometrics undermines human dignity. In many media photographs — even on the @UIDAI’s Twitter stream — you can see the biometric device operator pressing the applicant’s fingers, especially in the case of underprivileged citizens, against the reader. Imagine service providers — say, a shopkeeper or a restaurant waiter — having to touch you every time you want to pay. Smart cards offer a more dignified user experience.
Eleven, biometrics enables the shirking of responsibility, while cryptography requires a chain of trust. Each legitimate transaction has repudiable signatures of all parties responsible. With biometrics, the buck will be passed to an inscrutable black box every time things go wrong. The citizens or courts will have nobody to hold to account.
The precursor to Aadhaar was called MNIC (Multipurpose National Identification Card). Initiated by the NDA government headed by Atal Bihari Vajpayee, it was based on the open SCOSTA standard. This was the correct technological choice.
Unfortunately, the promoters of Aadhaar chose biometrics in their belief that newer, costlier and complex technology is superior to an older, cheaper and simpler alternative.
This erroneous technological choice is not a glitch or teething problem that can be dealt with legislative fixes such as an improved Aadhaar Act or an omnibus Privacy Act. It can only be fixed by destroying the centralised biometric database, like the UK did, and shifting to smart cards.
In other words, you cannot fix using the law what you have broken using technology.
Sunil Abraham is Executive Director, Centre for Internet and Society

(This article was published on March 31, 2017)
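Points Four, Six and Seven of the article above contrast a biometric sample, which has to travel to the verifier and is matched within a tolerance, with a card-held private key that never leaves the card and can be replaced. The Go program below is an added example, not part of the article and not the UIDAI or SCOSTA protocol: the 256-bit template, the 40-bit threshold, the `resident-1` identifier and all type and function names are assumptions, and Ed25519 stands in for whichever signature scheme a real card would use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"math/bits"
)

const matchThreshold = 40 // hypothetical: a 256-bit template matches if <= 40 bits differ

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// noisy copies t and inverts n bits starting at bit `from` (constructed sensor noise).
func noisy(t []byte, from, n int) []byte {
	out := append([]byte(nil), t...)
	for i := from; i < from+n; i++ {
		out[i/8] ^= byte(1) << uint(i%8)
	}
	return out
}

// BiometricVerifier keeps templates centrally; the submitted sample is the credential.
type BiometricVerifier struct{ enrolled map[string][]byte }

func (v *BiometricVerifier) Verify(id string, sample []byte) bool {
	t, ok := v.enrolled[id]
	if !ok || len(sample) != len(t) {
		return false
	}
	d := 0
	for i := range t {
		d += bits.OnesCount8(t[i] ^ sample[i])
	}
	return d <= matchThreshold // threshold match, not equality
}

// CardVerifier stores public keys only and issues a fresh nonce per attempt.
type CardVerifier struct {
	pub     map[string]ed25519.PublicKey
	pending map[string][]byte
}

func (v *CardVerifier) Challenge(id string) []byte {
	v.pending[id] = randomBytes(32)
	return v.pending[id]
}

func (v *CardVerifier) Verify(id string, sig []byte) bool {
	nonce, okN := v.pending[id]
	pk, okK := v.pub[id]
	delete(v.pending, id) // a nonce is good for one attempt only
	return okN && okK && ed25519.Verify(pk, nonce, sig)
}

// Issue enrols a new key pair; the private half stays with the card holder.
func (v *CardVerifier) Issue(id string) ed25519.PrivateKey {
	priv := ed25519.NewKeyFromSeed(randomBytes(ed25519.SeedSize))
	v.pub[id] = priv.Public().(ed25519.PublicKey) // overwriting revokes the old card
	return priv
}

type Result struct {
	BioGenuine, BioReplay, BioOverThreshold, BioReplayAfterReenrol      bool
	CardGenuine, CardReplay, CardTampered, CardOldAfterReissue, CardNew bool
}

func RunDemo() Result {
	var r Result
	const id = "resident-1"   // constructed identifier
	finger := randomBytes(32) // stand-in for the trait, which never changes
	bio := &BiometricVerifier{enrolled: map[string][]byte{id: finger}}
	scan := noisy(finger, 0, 12) // also what any device on the path can record
	r.BioGenuine = bio.Verify(id, scan)
	r.BioReplay = bio.Verify(id, scan) // same bytes again: nothing ties them to a session
	r.BioOverThreshold = bio.Verify(id, noisy(finger, 0, 41)) // same finger, poor scan
	bio.enrolled[id] = noisy(finger, 100, 10) // "re-enrolling" the same finger
	r.BioReplayAfterReenrol = bio.Verify(id, scan)
	cards := &CardVerifier{pub: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
	oldKey := cards.Issue(id)
	sig := ed25519.Sign(oldKey, cards.Challenge(id))
	r.CardGenuine = cards.Verify(id, sig)
	cards.Challenge(id) // the next attempt gets a different nonce
	r.CardReplay = cards.Verify(id, sig)
	bad := ed25519.Sign(oldKey, cards.Challenge(id))
	bad[0] ^= 1 // one flipped bit fails: verification is exact
	r.CardTampered = cards.Verify(id, bad)
	newKey := cards.Issue(id) // revoke and replace after a compromise
	r.CardOldAfterReissue = cards.Verify(id, ed25519.Sign(oldKey, cards.Challenge(id)))
	r.CardNew = cards.Verify(id, ed25519.Sign(newKey, cards.Challenge(id)))
	return r
}
func main() { fmt.Printf("%+v\n", RunDemo()) }
```

In this model the recorded scan is accepted on replay and again after re-enrolment, while the recorded signature and the old key are both rejected once a new nonce or a new key is in place.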

Thursday, April 6, 2017

10981 - India’s National ID Program May Be Turning The Country Into A Surveillance State - Buzzfeed



For seven years, India’s government has been scanning the irises and fingerprints of its citizens into a massive database. The once voluntary program was intended to fix the country’s corrupt welfare schemes, but critics worry about its Orwellian overtones.


BuzzFeed News Reporter
posted on Apr. 4, 2017, at 5:18 p.m.

In February 2017, Microsoft announced Skype Lite, a brand-new edition of Skype just for India. A more spartan version of Microsoft’s marquee messaging service, Skype Lite is designed to run well on cheap Android phones and to handle calls over flaky 2G data networks — the trappings of an app made by a large, wealthy corporation for a large and largely poor emerging market. But that’s not all it does.

Skype Lite also taps into a giant government-owned database filled with the demographic and biometric records — names, dates of birth, addresses, phone numbers, photographs, iris and fingerprint scans — of more than a billion Indian citizens.
Touting that feature onstage at a launch event in Mumbai, Microsoft’s executives offered the most vanilla of demos: a job interview over Skype.

“If I want to hire somebody, I would feel more comfortable knowing that I am indeed talking to the right candidate,” said Skype engineer Rahul Malegaonkar. To do that in Skype Lite, he explained, all an interviewee would need to do is punch in their 12-digit government-issued UID — short for unique identifier — which the app would check against the government database.

Some 1.12 billion Indians — more than 99% of citizens over 18 — now have UIDs thanks to this authentication system. It’s called Aadhaar — “support” or “foundation” in Hindi — and it is the largest, most ambitious national identity program in the world.


At an event in Mumbai held in February, Microsoft showed off Skype Lite’s built-in support for Aadhaar in the most vanilla of demos: a job interview over Skype. Microsoft
When it was first rolled out in 2009, Aadhaar was envisioned as a voluntary identity system that would help the Indian government crack down on fraud in the country’s notoriously corrupt welfare system. But over the years, it’s become effectively mandatory as the government and private sector alike rely on it to provide all manner of identity-linked services to India’s vast and diverse population. Now, less than a decade after its debut, Aadhaar is, for many Indian citizens, a proverbial “one ID to rule them all.” Not only is it a means of accessing India’s welfare system, it’s tied to everything from banking and internet services to international travel and marriage registration — and, of course, Skype.
Onstage at the company’s Mumbai event, Malegaonkar’s Skype Lite app displayed a large green checkmark along with dummy name, address, and date of birth information.
“Yep, it seems like we have a match,” he exclaimed, as the audience clapped wildly.

Meanwhile, India’s privacy experts rolled their eyes. “A proprietary software company harvests personal information from a centralized government database using unaudited technology in a jurisdiction without a proper privacy or data protection law,” said Sunil Abraham, director of the Centre for Internet and Society (CIS), an influential Bangalore-based think tank. “Sounds perfect to me!”

A Microsoft spokesperson assured BuzzFeed News that Skype Lite was compliant with local regulations. “We don’t store any users’ Aadhaar information,” the company explained. “Rather, we pass [the details] through to the government’s central Aadhaar database.”

Former Deputy Chairman of Planning Commission Montek Singh Ahluwalia with UIDAI Chairman Nandan Nilekani during the launch of new Aadhaar-based services and permanent enrollment centers in New Delhi. Mail Today / Getty Images

Who am I?
For millions of Indians, government-vetted identification has been elusive for decades. This is particularly true in India’s most impoverished regions, where a lack of simple birth or address documentation can lock people out of crucial services many take for granted — bank accounts, insurance, pensions, government services. With a very simple set of objectives, Aadhaar was designed to change that. It would provide every Indian with an official identity, and it would allow government agencies and private companies like Microsoft to authenticate that identity by plugging into a set of software application interfaces called the India Stack.
In 2009, the Indian government established the Unique Identification Authority of India (UIDAI) under the country’s IT ministry and tapped Nandan Nilekani, billionaire and co-founder of IT services juggernaut Infosys, to oversee it. Nilekani called Aadhaar a “turbocharged version of the Social Security number,” and a year later, the agency began collecting citizens’ demographic data — names, addresses, photographs, mobile numbers, iris scans, and all 10 fingerprints — and adding it to a centralized database.
Pitched as a panacea to welfare fraud by India’s ruling Congress party, Aadhaar was lauded by some of the biggest names in technology. Bill Gates called it a “world-class digital foundation,” and Microsoft CEO Satya Nadella said it was “pretty tremendous.” The Wall Street Journal called it “the most technologically and logistically complex national identification effort ever attempted.” After decades of being invisible, India’s poor would now simply authenticate themselves through their irises or fingerprints to receive their share of subsidized food and cooking fuel. The corruption that had plagued India’s welfare system was done for.
But in the years that followed, an increasingly vocal group of privacy activists, security experts, and citizens raised concerns about the implications of creating a vast database of biometric information for the population of an entire country. “Aadhaar is being converted into the world’s biggest surveillance engine,” Indian news website Scroll warned in a recent opinion piece.
And other critics sounded an equally troubling note: With the most intimate details of over a billion people in a database, what if Aadhaar were to be hacked?

No way out
“Indians have historically had different sets of information stored across different databases, such as their bank accounts, driver’s licenses, passports, accounts with cell phone carriers, and more,” said Nikhil Pahwa, editor of Indian technology news website MediaNama and a staunch Aadhaar critic. Traditionally, these weren’t linked to one another. “What Aadhaar aims to become is a single ID linking your entire life across dozens of these databases together,” he said. “This allows it to be used for mass surveillance and targeting very easily.”
While India’s Supreme Court has repeatedly ruled that Aadhaar numbers are not and cannot be required of the country’s citizens, it’s becoming increasingly difficult to get by without one. Indeed, Aadhaar’s critics complain that the Indian government has been shrewdly pushing it into broader usage by requiring it for things like driver’s license applications and renewals, and soon cell phone numbers.
Last month, the government passed a finance bill making it mandatory for every Indian who files tax returns to input their Aadhaar number. Asked if the government was forcing citizens to get Aadhaar despite the Supreme Court mandate, finance minister Arun Jaitley replied simply, “Yes, we are.”
In the future, Indians may be required to use Aadhaar to log on to public Wi-Fi hotspots, buy train tickets, access bank accounts, withdraw pension money, use matrimonial websites, and buy tickets for cricket matches — among other things.
Critics paint a grim picture of India with mandatory Aadhaar: an Orwellian state with every action of every citizen under constant scrutiny at all times.

Got it. It is compulsorily mandatory to voluntarily get yourself an Aadhaar card.

“All this is illegal and is in contempt of the Supreme Court,” Usha Ramanathan, a legal researcher and activist who has been a vocal opponent of the Aadhaar project ever since it launched, told BuzzFeed News. “The Aadhaar project is less about technology and more about technocracy.”
In November 2016, Ramanathan organized a daylong session in New Delhi that was attended by more than 50 people — lawyers, activists, social workers, researchers, academics, and journalists — to draw up a plan to spread awareness about privacy issues related to the Aadhaar program.


“Aadhaar is a sitting duck.”
“Aadhaar alters the relationship between the citizen and the state,” said Shyam Divan, a Supreme Court lawyer who has been fighting the project in the country’s highest court for years, and who was present at the event. “It’s concerning, because it tilts the balance so steeply in favor of the government.”
That concern is well grounded in reality. In March 2016, India’s parliament passed legislation giving federal agencies access to the entire Aadhaar database — all billion-plus names, fingerprints, irises, mobile numbers, addresses, and photographs — in the interest of “national security.” In February, the UIDAI was accused of trying to silence critics by filing a police complaint against a writer who wrote about the project’s data security vulnerabilities. And in March, the agency filed a criminal complaint against a television journalist who aired a segment showing how he was able to use a fake name along with his real one to get two different Aadhaar numbers.


Nandan Nilekani (left), the billionaire brain behind Aadhaar, interviews Microsoft CEO Satya Nadella, who has lauded the Aadhaar project, at an industry event in Bangalore in February. Nilekani has dismissed privacy and surveillance concerns around Aadhaar. AFP / Getty Images

“You can’t change your fingerprints”
Sunil Abraham, the CIS director, calls himself a “technological critic” of the Aadhaar platform. For years, he’s been warning of the security risks associated with a centralized repository of the demographic and biometric details of a billion or so people.
“Aadhaar is a sitting duck,” Abraham told BuzzFeed News. That’s not an unreasonable assessment considering that India’s track record for protecting people’s private data is far from stellar. Earlier this year, for example, a security researcher discovered a website that was leaking the Aadhaar demographic data of more than 500,000 minors. The website was subsequently shut down, but the incident raised questions about Aadhaar’s security protocols — particularly those around data shared with third parties.

Tuesday, April 4, 2017

10951 - Is Aadhaar a breach of privacy? - The Hindu

Is Aadhaar a breach of privacy?


MARCH 31, 2017 00:15 IST



Aadhaar is very poorly designed. The technology needs fixing today; the law can wait for tomorrow

Sunil Abraham, executive director at the Centre for Internet and Society

Aadhaar is mass surveillance technology. Unlike targeted surveillance, which is a good thing and essential for national security and public order, mass surveillance undermines security. And while biometrics is appropriate for targeted surveillance by the state, it is wholly inappropriate for everyday transactions between the state and law-abiding citizens.
When assessing a technology, don't ask “what use is it being put to today?”. Instead ask “what use can it be put to tomorrow and by whom?”. The original noble intentions of the Aadhaar project initiators will not constrain those in the future who want to take full advantage of technological possibilities. However, rather than frame the surveillance potential of Aadhaar in a negative tone as three problem statements, I will propose three modifications that will reduce but not eliminate the surveillance potential.
Shift from biometrics to smart cards
In January 2011, the Centre for Internet and Society had written to the parliamentary finance committee that was reviewing what was then called the “National Identification Authority of India Bill 2010”. We provided nine reasons for the government to stop using biometrics and instead use an open smart card standard. Biometrics allows for identification of citizens even when they don't want to be identified. Even unconscious and dead citizens can be identified using biometrics. Smart cards which require PINs, on the other hand, require the citizens' conscious cooperation during the identification process. Once you flush your smart cards down the toilet nobody can use them to identify you. Consent is baked into the design of the technology. If the UIDAI adopts smart cards, we can destroy the centralized database of biometrics just like the UK government did in 2010 under Theresa May's tenure as Home Secretary. This would completely eliminate the risk of foreign governments, criminals and terrorists using the breached biometric database to remotely, covertly and non-consensually identify Indians.

Destroy the authentication transaction database
The Aadhaar Authentication Regulations 2016 specify that transaction data will be archived for five years after the date of the transaction. Even though the UIDAI claims that this is a zero knowledge database from the perspective of “reasons for authentication”, any big data expert will tell you that it is trivial to guess what is going on using the unique identifiers for the registered devices and time stamps that are used for authentication. That is how they put Rajat Gupta and Raj Rajaratnam in prison. There was nothing in the payload, i.e. voice recordings of the tapped telephone conversations – the conviction was based on meta-data. Smart cards based on open standards allow for decentralized authentication by multiple entities and therefore eliminate the need for a centralized transaction database.
Prohibit the use of the Aadhaar number in other databases
We must as a nation get over our obsession with Know Your Customer [KYC]. For example, for SIM cards there is no KYC requirement in most developed countries. Our insistence on KYC has only resulted in retardation of Internet adoption, a black market for ID documents and unnecessary wastage of resources by the telcos without preventing criminals and terrorists from using phones. Where we must absolutely have KYC for security, elimination of ghosts and regulatory compliance – we must use a token issued by UIDAI instead of the Aadhaar number. This would make it harder for unauthorized parties to combine databases. But at the same time it would enable law enforcement agencies to combine databases using the appropriate authorizations and infrastructure like NATGRID. The NATGRID, unlike Aadhaar, is not a centralized database. It is a standard and platform for the express assembly of sub-sets of up to 20 databases which is then accessed by up to 12 law enforcement and intelligence agencies.
To conclude, even as a surveillance project — Aadhaar is very poorly designed. The technology needs fixing today, the law can wait for tomorrow.
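
The token proposal above can be made concrete with a short sketch. This is an added example, not code from the article or from any UIDAI system: the `TokenIssuer` class, the HMAC construction and the sample rows are assumptions chosen to show why per-database tokens block an unauthorised join while still allowing an authorised one.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: the ID strings are placeholders, not real Aadhaar numbers.
TELCO_ROWS = [("ID-0001", "SIM 98xxxx01"), ("ID-0002", "SIM 98xxxx02"), ("ID-0003", "SIM 98xxxx03")]
BANK_ROWS = [("ID-0002", "account A-17"), ("ID-0003", "account A-42"), ("ID-0004", "account A-58")]


class TokenIssuer:
    """Hypothetical stand-in for the ID authority; only it holds the key."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)

    def token_for(self, id_number, relying_party):
        # Keyed hash over (relying party, ID): one person gets a different token
        # in each database. An unkeyed hash would not do, because a short numeric
        # ID space can simply be enumerated and hashed.
        msg = relying_party.encode() + b"\x00" + id_number.encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()


def build_db(rows, key_fn):
    """Store each record under whatever identifier the database is allowed to keep."""
    return {key_fn(id_number): record for id_number, record in rows}


def join_keys(db_a, db_b):
    """What anyone holding both databases can link: the identifiers they share."""
    return set(db_a) & set(db_b)


def authorised_link(issuer, id_number, dbs):
    """Linking with the issuer's cooperation: re-derive each database's token."""
    found = {}
    for party, db in dbs.items():
        record = db.get(issuer.token_for(id_number, party))
        if record is not None:
            found[party] = record
    return found


def demo():
    issuer = TokenIssuer()
    # Design 1: both databases store the raw ID number.
    raw_telco = build_db(TELCO_ROWS, lambda i: i)
    raw_bank = build_db(BANK_ROWS, lambda i: i)
    # Design 2: each database stores only its own token.
    tok_telco = build_db(TELCO_ROWS, lambda i: issuer.token_for(i, "telco"))
    tok_bank = build_db(BANK_ROWS, lambda i: issuer.token_for(i, "bank"))
    return {
        "raw_join": join_keys(raw_telco, raw_bank),
        "token_join": join_keys(tok_telco, tok_bank),
        "authorised": authorised_link(issuer, "ID-0002", {"telco": tok_telco, "bank": tok_bank}),
    }


if __name__ == "__main__":
    print(demo())
```

With raw numbers stored, a leak of both databases links two people directly; with tokens, the same leak links nobody, and linking requires the key holder's participation, which is where authorisation and audit can be enforced.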

Aadhaar protects privacy by design. It uses the best possible technology relating to data protection

R.S. Sharma is chairman at TRAI. The views expressed are personal

Since its inception, Aadhaar has been criticised as a project which violates privacy. India does not have a law on privacy. In fact, then chairman of UIDAI, Nandan Nilekani, wrote to the Prime Minister as early as in May 2010 suggesting that there was a need to have a data protection and privacy law.
In a digital world, search and aggregation of data have become relatively easy. Aadhaar was designed as a digital identity platform which is inclusive, unique and can be authenticated to participate in any digital transaction. This has transformed the service delivery in our country, conveniencing residents and reducing leakages. Direct benefit transfer, subscription to various services and authentication at the point of service delivery are some of the benefits which have accrued.
In-built privacy
Aadhaar followed the principle of incorporating privacy by design, a concept which states that IT projects should be designed with privacy in mind. Collection of biometrics has often been quoted as one of the means of violating privacy. Biometrics are essential to ensure uniqueness, a key requirement for this project. Additionally, these biometrics can be used for authentication for financial transactions, getting mobile SIMs and various other services using electronic KYC (e-KYC).


Another principle of privacy by design states that you should collect only minimal data. As UIDAI was creating identity infrastructure, it was decided that only a minimal set of data, just sufficient to establish identity, should be collected from residents. This irreducible set contained only four elements: name, gender, age and communication address of the resident.
Another design principle was to issue random numbers with no intelligence. This ensures that no profiling can be done as the number does not disclose anything about the person. The Aadhaar Act has clear restrictions on data sharing. No data download is permitted, search is not allowed and the only response which UIDAI gives to an authentication request is ‘yes’ or ‘no’. No personal information is divulged.
When a biometric-based authentication takes place, it is the individual who must participate in the process by submitting his or her biometrics, typically at the service delivery point to prove his identity. Typical examples are at the time of lifting ration from a PDS shop, opening a bank account to provide eKYC to the bank or submission of Digital Life Certificates by pensioners. The basic purpose of authentication is to facilitate residents in getting service in a digital, paperless and convenient way. As no information is divulged to any agency without the consent of the concerned individual, it cannot be construed to violate any privacy.
Purpose of authentication
Besides the minimal data which UIDAI has about a person, it does not keep any data except the logs of authentication. It does not know the purpose of authentication. The transaction details remain with the concerned agency and not with UIDAI. This is the best model of keeping data where each data-owner has the responsibility of data confidentiality and security.
Aadhaar authentication and e-KYC ensure that documents cannot be misused. Physical papers are amenable to misuse. We know of situations where multiple SIMs are issued based on some document, and the real owner is not even aware. On the other hand, e-KYC ensures that the document cannot be used for any other transaction. UIDAI has also built a facility wherein one can ‘lock’ the Aadhaar number and disable it from any type of authentication for a period of one’s choice, guarding against any potential misuse.

Aadhaar is necessary but we also need a robust data privacy and data protection law

Baijayant Jay Panda is a Lok Sabha MP and frequently pens articles on socially relevant issues

I see many people taking what I call a black-and-white position on Aadhaar. Either they support or red-flag it. I am for Aadhaar but I also feel very strongly about a robust data privacy and data protection law. As a matter of fact, a bill to this effect will be introduced by me in the Lok Sabha. Having said that, I have for long maintained that Aadhaar was the United Progressive Alliance government’s best idea; they were not enthusiastic about it and I wish they had done more. I am also glad that Prime Minister Narendra Modi, who had earlier opposed Aadhaar, listened to Nandan Nilekani with an open mind and has emerged as its strongest votary.

Plugging loopholes
In my constituency and in other places which I visit frequently, I see enormous leakages in social schemes. Aadhaar can plug these loopholes. I will quote former Prime Minister Rajiv Gandhi who said that out of every rupee spent by the Indian government, barely 15 paisa reaches its citizens. A Planning Commission study done six years ago on the Public Distribution System found 27 paise reaching the citizens. The remaining 73 paise went on payments of salaries, administrative costs and corruption. MPs are required to chair a quarterly review of their constituencies. I do this often and when I ask for an audit, I invariably discover that the district authorities are faced with a large number of fake names or fake roll numbers, either for PDS or the mid-day meal scheme. That’s where Aadhaar can help. Look at how Aadhaar assured transparency in LPG allocations. Of course, this was largely achieved by a concerned campaign spearheaded by the Prime Minister himself. Similarly, there are States where PDS has worked comparatively well, but not on all fronts. In Odisha, the rice scheme by the Chief Minister has worked well but the same cannot be said about, say, kerosene distribution.

While that’s one half of the debate, it is also true that we are rapidly becoming a digital economy. We are a nation of billion cell phones and yet we have antiquated laws for data protection and privacy. Problems of ID theft, fraud and misrepresentation are real concerns. We submit ourselves knowingly or unknowingly to personal information sought online, even without Aadhaar. In the U.S., there is a legal battle on to make a case for better informed consent. Let me give an analogy here. In the case of medical emergencies we are required to sign a consent form, often running into pages. In the U.S., it has been decided that it is not enough to sign the consent form; the doctor must explain to the patient the consequences of a medical procedure about to be performed.
Safeguards needed
Similarly, we need to educate people on the risks involved, and highlight examples of ID thefts and fraud. We have a multiplicity of laws which overlap. Our IT laws have to be modernised and we have to put the liability on the company handling the data so that it is not stolen or shared without consent.
This century comes with certain risks. If we want a risk-free environment, as extreme as it may sound, we have the option to go back to the stone age. It is like saying ban cars as driving has become risky. Cars are essential and we create road safety norms to mitigate their risk. Similarly, we need to take a level-headed approach and ensure that ample safeguards are put in place for data protection and privacy.

As told to Anuradha Raman