#India – Threat of exclusion, and of surveillance #UID #Aadhaar


Uid- I am not a criminal

The aadhaar project has become the bane of average Indians, threatening their access to all manner of services. basic questions have sometimes been asked and almost never been answered, says
Usha Ramanathan, in the first of a multi-part series.

The Unique Identity (UID) project has been around for over four years. The Unique Identification Authority of India (UIDAI) was set up by an executive notification dated 28 January 2009 and came into its own after Mr Nandan Nilekani was appointed as chairperson in July 2009. Now it has, as some observers say, become an experiment being conducted on the entire  country.
In its early stages, it was marketed, simply, as giving the poor and the undocumented an identity. It was to be voluntary, and an entitlement. But, it is evident even from the Strategy Overview document of the UIDAI that it was never intended to be an entitlement that people may choose to adopt or ignore. That document said that “enrolment will not be mandated”, but went on to add: “This will not, however, preclude governments or registrars from mandating enrolment”. So, the potential for compulsion was built into the architecture of the project. Starting in 2012, voluntariness began to be eroded, and threats of exclusion from services and entitlements began to be bandied about. By January 2013, a virtual panic was set off when it was announced that various services and entitlements would not be accessible to persons who did not have a UID number.
Mr Nilekani has said time and again that half the population is expected to be enrolled by the end of 2014; yet, there have been warnings that people without a UID number may find themselves unable to access benefits and subsidies if they did not have it, if a bank account had not been opened, and if the UID number were not embedded in the bank account. So, subsidy for cooking gas, kerosene, and scholarships, for instance, became dependent on having a bank account seeded with the UID, or aadhaar, number. In case anyone wonders what the UIDAI has to do with these decisions, it is the chairperson of the UIDAI, Mr Nilekani, who chaired the committees that recommended these changes. The reports are in the public domain.
From its inception, the UID project has been about creating the ‘database resident’. The website of the Department of Information Technology, which has been renamed as Department of Electronics and Information Technology, modestly carrying the acronym DeitY, has said all along that “Project UID, a Planning Commission initiative, proposes to create a central database of residents, initially of those above the age of 18 years”. Except, that the UIDAI got more ambitious and wanted everyone, from the newborn to the oldest resident, on its database. And it was always intended to converge various databases to construct a profile of the individual, and to this effect the website of DeitY says that “the project envisages provision of linking of existing databases, as well as providing for future additions, by the user agencies”. The MoUs between the UIDAI and various registrars that include the state governments, oil companies, banks and the Registrar-General of India, who is in charge of census and the National Population Register and socio-economic and caste census, not only provide for various additional fields of data being collected during enrolment, but also for having the UID number appended to each such database.
As for biometrics, documents reveal that when the decision was made to use fingerprints and iris for enrolment, there was no knowledge about whether these biometrics would work in India, given the demographic and environmental conditions. In fact, it has since been found that with age the fingerprint fades, that manual labour makes the fingerprint difficult to read, that malnourishment-induced cataract blights an estimated 8-10 million people, and so on. In fact, as recently as 23 April 2013, Mr Nilekani said in his speech at the Centre for Global Development in Washington: “We came to the conclusion that if we take sufficient data, biometric data of an individual, then that person’s biometric will be unique across a billion people. Now we have to find that out. We haven’t done it yet. So we’ll discover it as we go along.” First, the conclusion. Then they will wait to find out! That is why some observers of the project have been saying that it is an experiment being conducted on the entire population. The consequences of failure have not been discussed, although, in a talk at the World Bank in Washington on 24 April 2013, Mr Nilekani said in response to a question about what he thought was the greatest downside risk to the UID: “To answer the question about what is the biggest risk,” he said “in some sense, you run the risk of creating a single point of failure also.”
There is more to cause concern, and much to be answered about UID.
(The writer is an academic activist. She has researched the UID and its ramifications since 2009.)
LEGALITY
The UID project is proceeding without the cover of law. There is only the notification of January 2009 which says the UIDAI “owns” the database, but which says nothing about how it may be used, or what will happen if it fails or if there is identity fraud, or some outside agency gains access to the database. A Bill was introduced in Parliament in December 2010, after the project had been launched and data collection had begun. The Bill collapsed in December 2011 when the Parliamentary Standing Committee found it severely defective, and after it found that the Bill and the project needed to be sent back to the drawing board. There is no sign yet of a Bill, and any protection that the law may offer is non-existent. There is no law to protect privacy either.
Convergence and snooping
The UIDAI, and Mr Nilekani, have refused to address the probability of surveillance, convergence, tracking, profiling, tagging and intrusions into privacy that is likely to result from the creation of the database of residents and the intended convergence. The link between technology, databases, governmental power and corporate involvement in creating, maintaining, managing and using databases has produced various scenarios of surveillance that we ignore at our peril. PRISM is such a stark demonstration of the ambitions that can fuel a state that the UIDAI can no longer just say `no comment’ when asked about the surveillance potential being created.
In the same period, the state has already set up agencies such as the Natgrid, NCTC, NTRO, CCTNS, MAC which will use the potential for convergence of databases that the UID makes possible. In April 2011, the government made rules under the IT Act 2000, by which it would be able to access any data held by any “body corporate”. More recently, we have been hearing about the CMS, or the Central Monitoring System, speaking to a surveillance and control approach that will have the state snooping on us with no oversight, no prior permission, no answerability at any time to anyone.
The companies engaged by the UIDAI to manage the database include L1 Identity Solutions and Accenture. The UIDAI, in response to an RTI request, has claimed that they have no means of knowing that these are foreign companies, given the process of their selection! Yet, a search on the internet reveals the closeness between the L1 Identity Solutions and the CIA, and that after a recent transaction, it is part-owned by the French government; while Accenture is in a Smart Borders Project with the US Department of Homeland Security. Data security, personal security, national security and global surveillance are all drawn into a ring of concern, but remain unaddressed.

 

#India – Plea in Kerala HC against #Aadhaar enrolment #UID


 

By Express News Service – KOCHI 19th June 2013 1

200 px

200 px (Photo credit: Wikipedia)

 

 

 

A petition has been filed before the High Court challenging the decision of the government to insist upon the public for Aadhaar registration as a prerequisite to avail of the benefits of government schemes.

 

 

The petition was filed by Asees Kakkadan, general secretary of the Kozhikode Jilla Pouravakasha Samrakshana Samithi. According to the petitioner, the National Identification Authority of India Bill-2010 was rejected by the Parliamentary Standing Committee in December 2011. But even then the Centre is going ahead with the project only to aid the private agency involved in the enrolment procedure, the petitioner alleged.The petitioner submitted that the government insists on Aadhaar registration for availing of benefits of schemes like LPG subsidy, welfare pension and education benefits.

 

 

“A citizen cannot be denied the benefits of government projects only for not registering under an authority. And the Aadhaar lacks legislative sanction. At present, various identity cards are being issued like election identity card, ration card, driving licence, pan card etc., which clearly establish the identity of a person. Hence insisting on Aadhaar number is illegal,” the plea said.

 

 

Nandan Nilekani’s #Aadhaar faces fight from a team of Europay, Mastercard & Visa #UID


200 px

 

By Sugata Ghosh, ET Bureau | 17 Jun, 2013,
Nandan Nilekani‘s Aadhaar project faces fight from a team of Europay, Mastercard & Visa
MUMBAI: This could be a sign of what the future holds for Aadhaar. Amid an alarming rise in credit card frauds, data thefts and card cloning, a group of bankers will decide in a month the appropriate payment technology for the Indian banking system and retail consumers.
If the group votes for EMV – an internationally accepted technology standard for authenticating credit card, debit card and ATM transactions – Aadhaar, which is comparatively untested and follows a different technology, may face an uncertain future. EVM is a joint initiative between Europay, Mastercard and Visa – the world’s leading payments service providers.
Credit and debit cards that are based on EMV have the card and CVC numbers, which are the key to any electronic transaction, hidden or encrypted. Since encrypted data reduces the risk of cloning or skimming at ATMs and merchant outlets, some of the private banks have started upgrading their systems to EMV standards following recent card frauds.
But, if the group, constituted by the Reserve Bank of India, prefers Aadhaar, banks will have to change their systems, procure biometric machines and prepare for different security standards. Bankers, however, are reluctant to spell out their stand openly because the government thinks Aadhaar can be a game changer in disbursing subsidies to people in far-flung regions.
Besides, banks, particularly the state-owned lenders, are unwilling to take on Nandan Nilekani, the former InfosysBSE 1.05 % CEO who heads the Unique Identification Authority of India (UIDAI), the state-owned agency that issues the 12-digit Aadhaar numbers.
“Mr Nilekani is pursuing Aadhaar with RBI. He has a standing and has political backing,” said a person familiar with the discussions.
Transition Could Take Some Time
“So, while many banks are in favour of EMV due to rising incidents of frauds, they are quiet, waiting for the committee to submit its report, which is expected by early July,” said the person. If the committee recommends Aadhaar for banks, it will be a victory for UIDAI. Banks will then have to use Aadhaar for not only customer authentication, but also for payments. But even if banks are mandated to implement Aadhaar, the transition could take time and a slice of the market will move back to cash. So, it will be some years before Visa and Mastercard feel the threat.
Indian banks’ payments technology for retail customers is currently at crossroads. ATM transactions are processed through the state-backed National Payments Corporation, which is being positioned as an umbrella organisation for processing all retail payments, while credit and debit card transactions are processed by multinationals like Visa and MasterCard. National Payments Corp, headed by Nilekani’s former boss NR Narayana Murthy, is unable to support EMV at present for its network and will have to change its standards if EMV is implemented by banks.
“What’s drawing banks towards EMV — and many Asian banks have already migrated to it — is the vulnerability of the magnetic stripe technology that’s used for credit and debit card transactions today. Micro devices can be planted in ATMs machines to copy the magnetic stripe and scan the PIN to clone cards. This is not possible in EMV where the data is encrypted,” said a banker.
Highlighting the monopolies in the industry being created, the Financial Sector Legislative Reforms Commission (FSLRC) has recommended the Competition Commission to look into the subject. Meanwhile, the RBI governor has set up a committee to come out with a discussion paper on Aadhaar as an additional factor of authentication for card transactions. While Aadhaar can be used for authentication and KYC purposes, the regulator would like a final answer on whether it can be used for payments.

 

 

 

 

#India- Who owns our identity? #UID #Aadhaar #Biometrics


Author: Latha Jishnu, Down to Earth
Posted on: 31 May, 2013

Between Nilekani’s UID and National Population Register’s KYR+is a huge mess and a looming nightmare

imageIllustration: Anirban Bora

 

Yattan Bibi, scrubber of floors and cleaner of dishes (other people’s), has spent the past six months visiting a number of government departments, bank offices and “camps” in different schools. All this to get her identity proven—again and again. It’s a bureaucratic obstacle race that’s tired her out but the hope of getting some kind of dole “for my old age when my limbs get weak” keeps this unlettered woman stubbornly on the paper chase. Most of the time she has no clue quite what is expected of her, much less why.

In recent weeks, armed with her tattered ration card and an old bank passbook which are her most prized assets, Yattan Bibi has piled up an impressive number of documents. Thanks to her ration card she has got an aadhaar number, which is software czar Nandan Nilekani’s “gift” of a unique identity to the millions he says have been left out of the system because they have no documents to prove who they are. The unique 12-digit number is not an open sesame however. It did not help Yattan Bibi open a special public sector bank account for pension of Rs 600 a month under the Delhi government’s Dilli Annshree Yojana. The bank says aadhaar is not a valid proof of residence. It has, instead, asked for a voter ID card or a permanent account number (PAN) card to prove her bonafides.

As different arms of the government work on parallel lines, unnecessary complexities are being created. Officially, aadhaar registration is voluntary but it is implicitly compulsory since there is the threat of denial of services. Enrolment with the National Population Register (NPR), on the other hand is mandatory, and C Chandramouli, Registrar General and Census Commissioner of India, who runs NPR has sent out a warning that the time for filling in the Know Your Resident Plus (KYR+) form is running out. The KYR+ will, eventually, result in the ultimate proof of identity, a citizenship card with the aadhaar number on it. Or so we are promised.

   Related Articles

Between the seemingly lax aadhaar of the Unique Identification Authority of India (UIDAI) and the stricter KYR+ of NPR, which comes under the Ministry of Home Affairs, is a messy universe of verification and authentication that is complicating the lives of the poor, with no guarantee of the much promised “social inclusion” at the end of it all. If anything, Down To Earth’s investigations have shown that the Unique Identification (UID) programme is as prone to being a tool of exclusion as it is of ensuring the benefits of welfare schemes (see ‘Unique identity crisis’, Down To Earth, May 1-15, 2012). Across the country, workers are being denied their wages because authentication machines fail to match their fingerprints with the UIDAI database. Forget the iris scans because we don’t have the money for such sophisticated machines. Above all is the overarching question of safety and likely misuse of data.

Recently, data of 300,000 applicants containing PAN and biometric information was lost while being uploaded from Mumbai to the UIDAI server in Bengaluru because a hard disk of the Maharashtra government’s IT department crashed. Shocking, said many commentators. But what of the many instances that have come to light of laptops with such data that have gone missing? In spite of the frequency of such data disasters, privacy concerns are being dismissed as elitist. Such questions, goes the official argument, ignore the ground realities of India where millions desperately need an identity of some kind to be part of the system. Yet, in March, the Bombay High Court directed UIDAI and the Union government to respond within three months to a public interest litigation questioning the lack of safeguards in aadhaar.

Now comes an even more troubling disclosure. Legal expert Usha Ramanathan who has been studying the policy and practices of Nilekani’s UIDAI over the past five years, warns that the authority will be a business entity governed by the Companies Act. It is not bound by a law that will recognise the fiduciary role of the state, she warns. In that role, government does not own data.

As Ramanathan explains it, the framework for ownership of data was set out by Nilekani in the Technology Advisory Group for Unique Projects which he chaired. This group suggested the setting up of National Information Utilities (NIUs) to manage government’s databases through the creation of NIUs which will then “own” the data as private companies with a public purpose. But essentially profit-making would be their goal. While the government would have “strategic control”, NIUs would be at least 51 per cent owned privately. In other words, the data would be privatised after the operations of NIUs are stabilised (with state funding and support, of course). Thereafter, the government would become a “paying customer” whereas NIUs would be “essentially set up as natural monopolies”. How do we deal with such a chilling scenario in a country that has no privacy laws or data protection regulations?

 

 

Look who has Aadhaar Cards- Trees, Chairs and even Dogs #UID #WTFnews


Dogs, trees and chairs have Aadhaar cards

Sunitha Rao R, TNN May 31, 2013,
(Acknowledging slip-ups…)

 

BANGALORE: In hilarious slip-ups in the Aadhaar card enrolment process, some cards have ended up with pictures of an empty chair, a tree or a dog instead of the actual applicants.

Asked about the cases, where data collected from applicants were not reflected on the cards, Unique Identity Authority of India (UIDAI) deputy director general Ashok Dalwai said no system was foolproof. “There have been some errors,” he said.

“We had even come across an empty chair printed as the applicant‘s photo on an Aadhaar card. This could have happened due to the operator’s mistake. We look for accuracy in the fingerprints and photograph. The operator might have copied a wrong photo, but it may have matched only because of a lack of clarity. To avoid such errors, we have in place another team to go through the printed Aadhaar cards, to check for manual duplication.”

Acknowledging slip-ups in the Aadhaar enrolment process, UIDAI deputy director general Ashok Dalwai told TOI there have been cases where an operator’s fingerprints had been registered instead of the applicant’s. “This could have happened while the operator was guiding the applicant on where and how to put his finger during data enrolment,” he said.

“We have four attempts in which the right data has to be fed into the system. In some cases, the operators have registered their own fingerprints by mistake,” he added.

In such cases, Aadhaar enrolment is rejected and the applicant informed about the rejection. Such applicants have to undergo fresh enrolment.

Dalwai said no one should apply more than once for an Aadhaar card unless he/she receives a rejection letter from the UIDAI. “Please don’t reapply for the card,” he said. “The applicant can reapply only in the case of rejection of the accuracy of data and only on getting a rejection letter. Otherwise, it’s a waste of time for us and the applicant.”

 

 

 

Fake ration cards being used for #Aadhaar cards in Goa #UID


aadhaar

Pilerne Citizens Forum in Goa has filed a complaint with Nandan Nilekani, chairman of the Unique Identification Authority of India

News | by IANS

PANAJI, GOA: Bogus ration cards, a fact which has been acknowledged by Goa’s civil supplies ministry, are being used to acquire Aadhaar cards in the state, a civil society group claimed Thursday.

“Bogus ration cards are being used as identity proofs, especially in slum areas, to get Aadhaar cards. This will reduce the social security number exercise to a farce,” Yatish Naik, a spokesperson of the Pilerne Citizens Forum (PCF) told reporters here.

The PCF, which brought to light instances where ration cards had been forged by the hundreds a couple of years back, has filed a complaint with Nandan Nilekani, chairman of the Unique Identification Authority of India — in-charge of the central agency implementing the Aadhaar card project.

“We have asked Nilekani to plug this loophole,” Naik said.

The civil supplies ministry has already ordered a probe into the problem of fake ration cards after a ruling legislator told the Goa assembly recently that Nepali and Bangladeshi nationals had obtained ration cards by forging documents.

 

Biometrics programs for the developing world could put data in the wrong hands #Aadhaar #UID


Privacy for the Other 5 Billion

Western-backed biometrics programs for the developing world could put data in the wrong hands.

By  and 

Posted Friday, May 17, 2013, at 11:51 AM

An Indian villager looks at an iris scanner during the data collecting process for a pilot project of The Unique Identification Authority of India (UIDAI) in the village of Chellur, some 145kms north-west of Bangalore on April 22, 2010.

An Indian villager looks at an iris scanner for a pilot project of the Unique Identification Authority of India, or UIDAI, in the village of Chellur, northwest of Bangalore, on April 22, 2010.Photo by Dibyangshu Sarkar/AFP/Getty Images

Move over, mobile phones. There’s a new technological fix for poverty: biometric identification. Speaking at the World Bank on April 24, Nandan Nilekani, director of India’s universal identification scheme, promised that the project will be “transformational.” It “uses the most sophisticated technology … to solve the most basic of development challenges.” The massive ambition, known as Aadhaar, aims to capture fingerprints, photographs, and iris scans of 1.2 billion residents, with the assumption that a national identification program will be a key ingredient to “empower poor and underprivileged residents.” The World Bank’s president, Jim Yong Kim, effusively summed up the promise as “just stunning.”

Although few can match Nilekani’s grand scale, Aadhaar is but one example of the development sector’s growing fascination with technologies for registering, identifying, and monitoring citizens. Systems that would be controversial—if not outright rejected—in the West because of the threat they pose to civil liberties are being implemented in many developing countries, often with the support of Western donors. The twin goals of development and security are being used to justify a bewildering array of initiatives, including British-funded biometric voting technology in Sierra Leone, U.N. surveillance drones in the Democratic Republic of the Congo, and biometric border controls in Ghana supported by the World Bank.

This vigorous adoption of technologies for collecting, processing, tracking, profiling, and managing personal data—in short, surveillance technologies—risks centralizing an increasing amount of power in the hands of government authorities, often in places where democratic safeguards and civil society watchdogs are limited. While these initiatives may be justified in certain cases, rarely are they subject to a rigorous assessment of their effects on civil liberties or political dissent. On the contrary, they often seek to exploit the lack of scrutiny: Nilekani recommended in another recent speech that biometric proponents work “quickly and quietly” before opposition can form. The sensitivity of the information gathered in aid programs is not lost on intelligence agencies: Pulitzer Prize-winning journalist Mark Mazzetti recently revealed that the Pentagon funded a food aid program in Somalia for the express purpose of gathering details on the local population. Even legitimate aid programs now maintain massive databases of personal information, from household names and locations to biometric information.

Advertisement

Humanitarian organizations, development funders, and governments have a responsibility to critically assess these new forms of surveillance, consult widely, and implement safeguards such as data protection, judicial oversight, and the highest levels of security. In much of the world, these sorts of precautions are sorely lacking: For example, despite the success of information technology in Africa, only 10 countries on the continent have some form of data protection law on the books (and even those rarely have the capacity or will to enforce them).

Kenya is a good example of how these programs can go wrong. In the country’s recent election, a costly biometric voting scheme flopped, adding widespread uncertainty to an already fragile situation. The problems were manifold, from biometric scanners that couldn’t recognize thumbprints to batteries that failed and servers that crashed. As journalist Michela Wrong put it, “almost none of it worked.” With limited resources, why support expensive and often ineffective technologies like biometric voting when traditional systems often suffice? While biometrics could help clean up electoral rolls, they may very well serve to obfuscate the electoral process, as information is passed through proprietary applications and technologies, closed to public scrutiny and audit.

But the worries in Kenya extend beyond technological failure. Like many low-income countries, Kenya has historically lacked a robust program of birth registration, making public health work notoriously difficult. It also stymies the provision of education services and cash transfers to vulnerable populations. To rectify this, the Kenyan state has sought to enroll all adults in a biometric national identification scheme that aims to interoperate with various other databases, including the tax authority, financial institutions, and social security programs. According to the director of this Integrated Population Registration System, George Anyango, the government now has “the 360 degree view of any citizen above the age of 18 years.” The Orwellian language is particularly worrisome given Kenya’s lack of data protection requirements and history of political factionalism, including the ethnic violence in the aftermath of the 2007 election that resulted in the death of more than 1,000 Kenyans.

The Aadhaar project in India—a country with a history of ethnic unrest and social segregation, widespread political and bureaucratic corruption, and with no effective legislative protection of privacy—should raise similar, magnified fears. Furthermore, it’s doubtful the program could help bring about the social equality it promises. Proponents of these state registration schemes argue that a lack of ID is a key reason why the poor remain marginalized, but they risk misdiagnosing the symptom for the cause. The poor are marginalized not simply because they lack an ID, but rather because of a complex history of discriminatory political, economic, and social structures. In some cases a biometric identity scheme may alter those, but only if coupled with broader, more difficult reforms.

One of Aadhaar’s biggest promises is the opportunity to open bank accounts (which require identification). Yet, poor, marginalized Indians, even with an ID, find formal banks to be unfriendly and difficult to join. For example, the anthropologist Ursula Rao foundthat the homeless in India—even after registering for Aadhaar—were blocked from banking, most frequently for lack of proper addresses, but more fundamentally because, as she notes, biometric identification “cannot establish trust, teach the logic of banking, or provide incentives for investing in the formal economy.” Bank managers remain suspicious and exclusionary, even if an identity project is inclusive. Without broader reforms—including rules for who may or may not access identity details—novel identification infrastructures will become tools of age-old discrimination.

Another, more practical drawback is that biometric technology is particularly ill-suited for individuals who have spent years in manual labor, working in tough conditions where their fingerprints wear down or they may even lose full fingers or limbs. Even with small authentication error rates—say, the 1.7 percent that recent estimates from Aadhaar suggest—the number of failures in a population the size of India’s can be enormous. Aadhaar has already enrolled 240 million people, with plans to reach all residents. You do the math.

The growth of these systems is due in part to the lack of public education and consultation, as well as the paucity of technical expertise to advise on the risks and pitfalls of surveillance technologies. But certainly the international donors and humanitarian organizations that support these initiatives have a responsibility to critically assess and build in safeguards for these technologies. Given the enormity of the challenge facing these organizations, it is perhaps easy not to prioritize issues like privacy and security of personal data, but the same arguments were once made against gender considerations and environmental protections in development. Aid programs that involve databases of personal information—especially of those most vulnerable and marginalized—must adopt stringent policies and practices relating to the collection, use, and sharing of that data. Best practices should include privacy impact assessments and consider the scope for “privacy by design” methodologies.

As the rhetoric around Aadhaar makes clear, the promise of a quick technical solution to intractable social problems is alive and well. However, it is time to recognize that human development involves the protection of civil liberties and individual freedoms, and not blindly rush into the creation of surveillance states in the name of development and poverty alleviation. Donors and aid organizations need to remember that the other 5 billion deserve privacy, too.

 

SOURCE- slate.ocm

#India – #Aadhaar private ownership of UID data – Part II


200 px

 

USHA RAMANATHAN | 30/04/2013 , Moneylife.com

 

Those enrolling on the UID database have not been informed that their data is to yield profit for the UIDAI, Rs288.15 crore a year and its only investor, the government, does not even own the data. How many in the government are even aware of this investing of ownership in an entity that continues to remain deliberately undefined and opaque

The Unique Identification Authority of India (UIDAI) was set up by an executivenotification dated 28 January 2009. As per the notification, the Planning Commission was to be the nodal agency “for providing logistics, planning and budgetary support” and to “provide initial office and IT infrastructure”. As part of its “role and responsibilities”, the UIDAI was to “issue necessary instructions to agencies that undertake creation ofdatabases, to ensure standardisation of data elements that are collected and digitised and enable collation and correlation with UID and its partner databases”. It was to “take necessary steps to ensure collation of the National Population Register (NPR) with the UID”. And, the UIDAI “shall own and operate” the UID database.

 

In July 2009, Nandan Nilekani was appointed as the chairman of the UIDAI, representing a lateral entry of a person from the private sector into the government, with the rank of a Cabinet minister.

 

The UID project proceeded without a law, despite the seriousness of privacy and security concerns till, caving in to public pressure, a draft Bill was prepared by the UIDAI in June 2010; and it was not till December 2010, after the project had begun to collect resident data, that this Bill was introduced in Parliament. The Bill stayed close to the framework for corporate control over databases that was later enunciated in the report of Technology Advisory Group on Unique Projects (TAG-UP) of which Mr Nilekani was the chair, and which gave its report in January 2011.

 

The Bill to give statutory status to the UIDAI was roundly rejected by the Parliamentary Standing Committee on Finance in December 2011. The Parliamentary Committee recommended that both the Bill and the UID project be sent back to the drawing board. There has been no effort since to reintroduce the Bill. Every time the UIDAI is confronted with questions about the legality of its enterprise, its officers assert that the executive order of 28 January 2009 is the legal instrument from which they derive their authority; and that order makes them the ‘owner’ of the database.

 

In the context of the UID project:

• Residents from whom the data is being collected have not been informed that the government is not the owner of the data, or of the database; nor what the legal status of the ownership by the UIDAI will mean for the citizen/resident;

• the UIDAI set up a Biometrics Standards Committee in September 2009, which gave its report in December 2009. Its report reveals that the UIDAI intended to “create a platformto first collect identity details of residents, and subsequently perform identity authentication services that can be used by government and commercial service providers”;

• the “UIDAI Strategy Overview”, in April 2010, estimated that it would generate Rs288.15 crore annual revenue through address and biometric authentication once it reaches steady state, where authentication services for new mobile connections, PAN cards, gas connections, passports, LIC policies, credit cards, bank accounts, airline check-in, would net this profit. Those enrolling on the UID database have not been informed that their data is to be yield profit for the UIDAI; they were perhaps expected to read up from the UIDAI website.

• as set out in the TAG-UP report, the data we think we are giving to the government is to end up on the database of what will be in the nature of a private company once it reaches steady state. When it is still a start-up, and till it reaches steady state at least, it will be funded by the government. After that, the government, like other commercial service providers, will become the customer of the UIDAI;

• with the UIDAI owning the database, the column in the UIDAI enrolment form for “information sharing consent” acquires a new significance. The UIDAI has all along been claiming that it will only be providing authentication by saying ‘yes’ or ‘no’, and nothing more. But, when the consent to share information is recorded on the database as having been given, the UIDAI may give all data on their database to any “service provider”, a term of wide and undefined import. That is, it is not only authentication services that the UIDAI will provide; through this consent, it is also assuming the authority to make money on thedata that it holds, both demographic and biometric. This will provide it one more avenue to find customers, and one more product to market. Mr Nilekani often refers to the UIDdatabase as “open architecture”, and avows that a wide array of applications can be built on it;

• the claim that enrolment is voluntary has rung hollow for some time now. For one thing, the UIDAI plainly has no authority to compel anyone to enrol or to use their service. However, the UIDAI has been hard at work urging governments, banks, oil companies and other institutions to adopt the UID, to re-engineer their databases to fit the UID and to seed all their systems with the UID. The push is for ubiquity. The UIDAI has been complicit in the coercion and bullying that is now part of the UID enrolment process, and its silent acquiescence while people are threatened with exclusion from services and benefits if they have not enrolled, for a UID is one dimension of complicity. It is easy to understand why this is happening, for, as critics have observed, the services, and the people, have little to gain from the UID, while the UIDAI finds compulsion an easy way to expand their database;

• the non-existence of a law that says where the liability will lie in the event of identity fraud, or failure of the system of authentication resulting in denial of services, for instance, places the burden on the individual with no responsibility on the UIDAI for the consequences of the failures of fraud;

• while ubiquity of the UID would be a recipe for tracking, profiling, tagging, converging ofdatabases and result in violations of privacy in which ways that could threaten personal security, this would become a mere incidence of the business, leaving the resident/citizen unprotected;

• the 2009 notification that set up the UIDAI says that the UIDAI is to “take necessary steps to ensure collation of the NPR (National Population Register) with the UID”. Registering in the NPR is compulsory under the Citizenship Act and the Citizenship Rules of 2003. Although biometrics is not within the mandate of the NPR, they have also been collected in the process of building up the NPR database. Therefore, the data mandated to be given to the NPR is being handed over to the UIDAI to be ‘owned’ by the UIDAI!

 

I wonder how many in government are even aware of this investing of ownership in an entity that continues to remain deliberately undefined and opaque.

 

References

  • • Notification No. A-43011/02/2009-Admn.I dated 28 January, 2009 published in Part I, section 2 of the Gazette of India
  • • UIDAI Strategy Overview: Creating a Unique Identity Number for Every Resident in India, UIDAI, Planning Commission, GoI, April 2010
  • • Standing Committee on Finance (2011-12), National Identification Authority of India Bill 2010, Forty-second Report, Lok Sabha Secretariat, December 2011
  • • Report of the Technology Advisory Group for Unique Projects, Ministry of Finance, January 31, 2011
  • • Biometrics Design Standards for UID Applications, prepared by the UIDAI Committee on Biometrics, December 2009.

 

 

 

#India – Aadhaar: Private ownership of UID data- Part I


 USHA RAMANATHAN | 29/04/2013 ,Moneylife.com

 

200 px

 

As per the report of the TAG-UP Committee headed by Nandan Nilekani,government data and databases would be privatised through the creation of NIUs, which will then ‘own’ the data and the government would become a ‘customer’ to whoever controls the data!

It is no secret that data is the new property. The potential for evolving technologies to record, collate, converge, retrieve, mine, share, profile and otherwise conjure with data has given life to this form of property, and to spiralling ambitions around it. The Unique Identification Authority of India (UIDAI) was set up with its push to enrol the entire Indian resident population, and with Nandan Nilekani as both its chairman and as chair of committees set up by Dr Manmohan Singh’s government. In this set-up, we are witnessing the emergence of an information infrastructure, which the government helps—by financing and facilitating the ‘start-up’, and by the use of coercion to get people on to the database—which it will then hand over to corporate interests when it reaches a ‘steady state’.

 

Since Mr Nilekani was appointed the chairperson of the UIDAI, in the rank of a Cabinet minister, he has chaired multiple committees, each of which pushes for the collection of data and the creation of databases, and steers the government to become a customer of whoever controls the database. Several reports on e-governance as part of the report of the National Knowledge Commission: Report to the Nation 2006-2009 as well as Report of the Committee for Unified Toll Collection Technology (June 2010), the National e-governance plan (November 2011, Background Papers), Interim Report of the Task Force on direct transfer of subsidies on kerosene (June 2011), LPG and fertiliser’ Report of the Task Force on IT Strategy and an implementable solution for the direct transfer of subsidy for food and kerosene (October 2011: Final report), Report of the Task Force on anAadhaar-enabled unified payment infrastructure (February 2012), and, of course, the TAG-UP report, are testimony to how Mr Nilekani has been used to promote a set ofdatabase-related ambitions.

 

It was in the January 2011 report of the Nilekani-chaired Technology Advisory Group on Unique Projects (TAG-UP) that the framework for the private ownership of databases was elaborated and explained. These were about databases constructed out of data that is given to the government to hold in a fiduciary capacity, and expected to be used for specified, and limited, purposes. The Nilekani Committee report directly dealt with five projects—Goods and Services Tax Network (GSTN), Tax Information Network (TIN), Expenditure Information Network (EIN), National Treasury Management Agency (NTMA) and the New Pension System (NPS). It recommended that the suggested framework “be more generally applicable to the complex IT-intensive systems, which are increasingly coming to prominence in the craft of Indian public administration”.

 

As the Nilekani Committee understood it, the government has two major tasks: policymaking and implementation. Implementation is fettered by absence of leadership and active ownership of projects, outdated recruitment processes and methodology, inability to pay market salaries for specialised skills, lack of avenues for continued enhancement of professional skills and career growth, non-conducive work environment, outdated performance evaluation and preference for seniority over merit, and untimely transfer of officers. Rather than expend time on finding correctives to the system, the Nilekani committee found in this an opportunity for private business interest. Without further ado, and without considering, for instance the capacities and deficiencies in privatising databases, and what this means for citizens and residents, the Nilekani committee found its answer in National Information Utilities (NIUs).

 

“NIUs would be private companies with a public purpose: profit-making, not-profit maximising”. The government would have “strategic control”, that is, it would be focussed on how it would achieve the objectives and outcomes, leaving the NIU ‘flexible’ in its functioning. Total private ownership should be at least 51%. The government should have at least 26% share. Once it reaches a steady state, the government would be a “paying customer” and, as a paying customer, “the government would be free to take its business to another NIU”. Except, of course, given the “large upfront sunk-cost, economies of scale, and network externalities from a surrounding ecosystem (and what this means is not explained any further), NIUs are … essentially set up as natural monopolies”.

 

The Nilekani Committee evinces a deep disinterest in the various rungs of government. It asks for the “total support and involvement of the top management within the government” — words reflecting the UIDAI’s experience, with the Prime Minister and Montek Singh Ahluwalia being its staunch supporters, and much of the rest of the administration seemingly unclear about what the project entails. To get a buy-in from the bureaucracy, “in-service officers” are to be deployed in the NIUs and are to be given an allowance of 30% of their remuneration.

 

“Once the rollout is completed,” the Nilekani committee says, “the government’s role shifts to that of a customer.”

 

On the question of open source, the Nilekani committee “recognises the intellectual property of the NIU”, but considers that it may be counterproductive to the business planning and profitability of the NIU to release all source as open source.

 

The report is littered with references to the UIDAI, and suggests that the way the UIDAI has been functioning is what an NIU should use as its model.

 

What emerges is this:

• Governmental data and databases are to be privatised through the creation of NIUs, which will then `own’ the data;

• NIUs will be natural monopolies;

• NIUs will use the data and the database to be profit-making and not profit-maximising, and the definition of these terms may, of course, vary;

• Government will support the NIUs through funding them till they reach a steady state, and by doing what is needed to gather the data and create the database using governmental authority;

• Once the NIU reaches steady state, the government will reappear as the customer of the NIU;

• Government officers will be deployed in NIUs and be paid 30% over their salaries, which, even if the report does not say it explicitly, is expected to forge loyalties and vested interests;

• The notion of holding citizens’ data in a fiduciary capacity cedes place to the vesting of ownership over citizens’ data in an entity which will then have the government as their customer.

 

This notion of private companies owning our data has not been discussed with state governments, nor with people from whom information is being collected. This might have been treated as another report without a future; except, in the budget presented by Pranab Mukherjee as finance minister in March 2012, he announced that the “GSTN (Goods and Sales Tax Network) will be set up as a National Information Utility”.

 

The NIU was not explained to Parliament, and no one seems to have raised any questions about what it is. This, then, is the story of how the ownership of governmental data by private entities is silently slipping into the system.

 

(Dr Usha Ramanathan is an independent law researcher on jurisprudence, poverty and rights.)

 

 

The #Aadhaar registration mess and agony of citizens in Maharashtra #UID


 

MONEYLIFE DIGITAL TEAM | 25/04/2013 03:52 PM |   

Euro Finmart carried out enrolment work for Aadhaar number at a housing society in Mumbai. Oriental Bank of Commerce, which appointed the agency, said the work was illegal. Finally after a call to the OBC CMD’s office, the residents were issued registration acknowledgement receipts for theirAadhaar number

Close on the heels of Maharashtra’s information technology (IT) department losing unique identification (UID) data of about three lakh people collected for the Aadhaarnumber scheme, here is a first person account about the registration mess. This also highlights the dubious games being played by agencies and registrars appointed by the Unique Identification Authority of India (UIDAI) led by technocrat Nandan Nilekani.

Moneylife reader registered for his Aadhaar number but could not even getacknowledgement receipt for the enrolment. In addition, when he raised the issue with top officials of the registrar, Oriental Bank of Commerce (OBC) and the agency, Euro Finmart, he claims to have received abusive calls!

Here is what Subhash Malviya, the Moneylife reader (name changed to protect the reader from further harassment) says…

The UID or Aadhaar registration was carried in our society during the last week of February 2013. The way the work was carried out by the agency was complete mess. The employees of the agency (Euro Finmart, I came to know later) used to arrive in the afternoon. They always used to walk in without any proper equipment, so residents used to provide it to them.

Some of the residents from our society were not even provided registration receipts from the agency. Without the registration receipt, it is very difficult to track the progress of issuance and delivery of the Aadhaar number.

One of my neighbours told me the name of the agency, Euro Finmart and the registrar, Oriental Bank of Commerce (OBC). OBC was appointed by the UIDAI to carry outAadhaar registration work across Maharashtra and it was the lender that appointed Euro Finmart to do the job on its behalf.

Since we were not given our registration acknowledgement receipts, on 27th February, I called up Euro Finmart’s nodal officer on his mobile. In addition, I also sent him a mail. The officer promised to call back after checking the details. However, the call never came.

On the same day, I called Kamal Seth from Delhi who was the chief manager at OBC looking after the Aadhaar registration project. He clearly told me that the registration carried out by the agency (Euro Finmart) in our society was illegal as it was done outside the OBC branch. However, he assured that we would receive our registration receipts after he checks the details.

Following instruction from Mr Seth, another officer, Mr Mathews from OBC’s regional office in Mumbai contacted me. He also gave the same assurance about the registration receipts.

Surprisingly, after my conversation with Mr Mathews, the registration work being carried out by Euro Finmart in our society was suddenly stopped.

After waiting to get registration receipts for over 15 days, on 14th March, I again called up Mr Seth. He repeated his assurance but nothing really happened till 26th March.

On 26th March, I called up the office of SL Bansal, chairman and managing director (CMD) of OBC, seeking assistance. The official on the other end asked me to send the details. Within hours after sending the details, several top officials from Euro Finmart and the chief manager from OBC called me assuring that we would receive our registrationacknowledgement receipts soon.

Meanwhile, I also received some abusive calls from ‘angry’ employees claiming to be from the agency. Fortunately, I recorded all such calls and then showed it to the top officials from both the agency and the bank.

Finally, on 28th March the registration acknowledgement receipts were delivered in our society office.

It took me over a month and call to the CMD’s office to get just the registrationacknowledgement receipts for the Aadhaar number.

Later I checked the terms and conditions of the memorandum of understanding between OBC and UIDAI. As per the terms and conditions, OBC was supposed to supervise the enrolment work being carried out by the agency. But from my own experience, I can say, the bank failed to do its job. Not a single employee from OBC was present during the enrolment in our society. In addition, they kept quiet for over a month, until the matter reached their CMD’s office.

It seems that OBC employees were protecting the agency for reasons best known to them. OBC is carrying the work with the agency for entire Maharashtra region. Imagine the plight of average citizens who cannot do the follow up. They would be in fix as all the cash subsidy depends on UID.

OBC has appointed Euro Finmart (L-1 bidder) and Shri Ram Raja Sarkar Lok Kalyan Trust (L-2 bidder) as empaneled agencies for UID enrolment in Maharashtra. Apparently, the L-2 bidder was asked to match the prices quoted by the L-1 bidder.