We Don’t Trust UID with Our Data: India Inc

16th Jan 2012
Shweta Rao

The government is likely to sort out differences between the home ministry and Planning Commission over data collection for UID cards this week.

The Nandan Nilekani-led UID project has been touted as the world’s largest, most advanced, biometric database of personal identities. And many believe, according to reports, that the UID is meant to be more secure than the US’ Social Security Number (SSN).

In the absence of a coherent privacy law, Indian CISOs aren’t buying that. “Even SSNs have been misused by criminals for years. The flaw of any personal identification project is that when you input data into a database, there must be an assured mechanism in place. Fingerprints have inherent inaccuracies as a proof of identification and retina scans make data storage requirements much higher,” says security and privacy expert Deepak Rout. “If you don’t provide enough security, then chaos is inevitable.”

Though reports suggest that Nilekani has said that use of UID cards will be voluntary, the possibility of it becoming mandatory cannot be ruled out. Once all transactions are linked to a single number, that number may be used by various state agencies to monitor citizens’ activities. This may interfere with an individual’s right to privacy. “Even if owning an Aadhaar card is made compulsory, I’ll stay out of it as long as I can,” says Rout.

Pawan Kumar Singh, CISO at Tulip Telecom agrees. “I am still insecure with the idea of entrusting my data to the government. Would I go for a UID card? No, thanks. The government may lay down stringent rules but where is the enforcement mechanism? UIDAI’s security policy will remain like our constitution–on paper–if citizen awareness is not brought up.” Singh believes that India isn’t ready to consolidate its entire citizens’ personal data on a single card.

Both Singh and Rout have reason to worry. In October last year, the UID project saw its first victim of privacy breach. A citizen from Maharashtra lodged a complaint stating that his address proof was compromised. The incident raised concerns on the vulnerability of personal data being collected by UIDAI. And that’s just one of the many instances of security breaches.

Even those close to the UID project are raising questions on the loopholes that may exist in the project. Sanjay Deshpande, CEO and CIO at Uniken Technologies–a security firm that was involved in initial talks with the UID project team–says that UID could be vulnerable to insider attacks. “How are they (the government) going to ensure that the systems aren’t vulnerable to insider threat? How trustworthy are the people handling a citizen’s personal identity? Also, are the biometric devices used by the government foolproof? You might have heard of losing your e-mail ids and passwords at an Internet café owing to malicious software in public computers. How is the government ensuring that the data capture device by itself is not malicious?” asks Deshpande.

Application level security is another major concern. “My problem as an Indian citizen–once the UID project starts collecting biometric data everywhere—is how would we prove our disassociation with a wrong UID and a crime we have not committed?” asks Deshpande.

While the cabinet decides the fate of the government’s ambitious UID project, it seems like Indian CISOs have already written its destiny. The question now remains – Do you trust the government with your data?

For any queries, you can contact the author at: shweta_rao@idgindia.com

How reliable is UID? – R. Ramachandran

Biometric scanning of fingerprints during the launch of UID enrolment at the General Post Office in Bangalore


THE Unique Identification (UID) project, the national project of the Government of India, aims to give a unique 12-digit number – called Aadhaar – to every citizen of the country, a random number that is generated and linked to a person’s demographic and biometric information. The key word is “unique”. Launched in 2009 with the objective of reaching various benefits such as the public distribution system (PDS) to the poor, better targeting of developmental schemes such as the Mahatma Gandhi National Rural Employment Guarantee Scheme (NREGS) and enabling services such as the opening of a bank account, this uses technology based on a biometrics recognition system. Significantly, there will only be a UID number and no UID card as had been proposed earlier by the National Democratic Alliance (NDA) regime.

The advocates of the project believe that this will eliminate the multiple bureaucratic layers that the people of the country, particularly the rural poor, are confronted with and the multiplicity of documents that they have to present in order to access their legitimate entitlements, and the channels of corruption that these have bred over the years. But it has been clearly stated that “Aadhaar will only guarantee identity, not rights, benefits or entitlements”. It is only envisaged as a “robust” mechanism to eliminate duplicate and fake identities by uniquely verifying and authenticating genuine beneficiaries and legitimate claimants.

After authentication by a centralised database of biometric and demographic information to which service providers will be linked, this unique identification number alone will enable every individual to access services and entitlements anywhere in the country and at any time. The centralised database, Central ID Repository (CIDR), will be maintained and regulated by the UID Authority of India (UIDAI), which has been set up with the technocrat Nandan Nilekani, former co-chairman of the IT enterprise Infosys, as its chairman.

So will the system do what it claims it will? Socio-political issues and those of ethics and breach of privacy have been raised in this regard in different quarters. But purely at a technical level, the question is whether the technology deployed for identification will return answers that are unambiguous. Can it be that definitive that the authentication and verification made by matching the presented data with the stored data for a given individual in the CIDR will be unique and refer only to that individual? Are there no errors in such biometric systems?

What is biometrics? Biometrics, as defined by the report of the Whither Biometrics Committee (2010) of the National Research Council (NRC) of the United States, “is the automated recognition of individuals based on their behavioural and biological characteristics. It is a tool for establishing confidence that one is dealing with individuals who are already known (or not known) and consequently that they belong to a group with certain rights (or to a group to be denied certain privileges). It relies on the presumption that individuals are physically and behaviourally distinct in a number of ways.” The UID biometric system is a “multi-modal” one and uses data on the ten (single) fingerprints, palm print or slap fingerprint (which combines the features of fingerprints and hand geometry), iris characteristics and facial images of every person.

The NRC study concludes thus: “Human recognition systems are inherently probabilistic and hence inherently fallible. The chance of error can be made small but not eliminated…. The scientific basis of biometrics – from understanding the distribution of biometric traits within given populations to how humans interact with biometric systems – needs strengthening particularly as biometric technologies and systems are deployed in systems of national importance.” A biometric identification system basically involves the matching of measured biometric data against previously collected data, the reference database, for a given individual. Since the sources of uncertainty in a biometric system are many, this can only be approximate. So biometric systems can only provide probabilistic results.

Sources of uncertainty

The sources of uncertainty include variations in biological attributes both within and between persons, sensor characteristics, feature extraction and matching algorithms. Traits captured by biometric systems may change with age, environment, disease, stress, occupational factors, socio-cultural aspects of the situation in which data submission takes place, changes in human interface with the system and, significantly, even intentional alterations. This would be so particularly of the poor engaged in labour-intensive occupations such as farming, where hands are put to rough use causing weathering of finger and hand prints. Recently, it has also been shown that the three “accepted truths” about iris biometrics involving pupil dilation, contact lenses and template aging are not valid. Kevin Bowyer and others from the University of Notre Dame, U.S., have demonstrated that iris biometric performance can be degraded by varying pupil dilation, by wearing non-cosmetic prescription contact lenses, by time lapse between enrolment and verification and by cross-sensor operation and that all these factors significantly alter the matching done to identify an individual uniquely.

According to the NRC report, there are many gaps in our understanding of the nature and distinctiveness and stability of biometric characteristics across individuals and groups. “No biometric characteristic,” it says, “is known to be entirely stable and distinctive across all groups. Biometric traits have fundamental statistical properties, distinctiveness, and differing degrees of stability under natural physiological conditions and environmental challenges, many aspects of which are not well understood, especially at large scales.” (Emphasis added, given its particular relevance to the UID, which has to deal with 1.21 billion registrations in the database.)

Calibration changes and aging of sensors and the sensitivity of sensor performance to variations in the ambient environment (such as light levels) can affect the measurements. Biometric characteristics cannot be directly compared, but their stable and distinctive features are extracted from sensor outputs. Differences in feature extraction algorithms – chiefly pattern recognition algorithms – can affect performance, particularly when they are designed to achieve interoperability among different proprietary systems. However, in the case of UID, customised enrolment and extraction software are supposed to have been used in all systems used by enrolment (registration) agencies across the country. The same will have to be done for systems at the service provider level, where a beneficiary’s data will be captured for authentication. Similar will be the issue with regard to matching algorithms. However, since matching is generally expected to be done at a centralised database at CIDR, only the algorithm’s performance or sensitivity in handling variations in biometric data presented will be important, but this needs to be known and quantified.

Biometric match

A fundamental characteristic of a biometric system is that a biometric match represents “not certain recognition but probability of a correct recognition, while a non-match represents a probability rather than a definitive conclusion that an individual is not known to the system”. Thus, even the best designed biometric systems will be incorrect or indeterminate in a fraction of cases, and both false matches and false non-matches will occur. Recognition errors of biometric systems are stated in terms of false match rate (FMR) – the probability that the matcher recognises an individual as a different enrolled subject – and the false non-match rate (FNMR) – the probability that the matcher does not recognise a previously enrolled subject. (Correspondingly, 1–FNMR means the probability that a trait is correctly recognised and 1–FMR that an incorrect trait is not recognised.)

“Assessing the validity of the match results, even given this inherent uncertainty,” the NRC report points out, “requires knowledge of the population of users who are presenting to the system — specifically, what proportions of those users should and should not match. Even very small probabilities of misrecognitions — the failure to recognise an enrolled individual or the recognition of one individual as another — can become operationally significant when an application is scaled to handle millions of recognition attempts. Thus, well-articulated processes for verification, mitigation of undesired outcomes, and remediation (for misrecognitions) are needed, and presumptions and burdens of proof should be designed conservatively, with due attention to the system’s inevitable uncertainties.”

India’s current population is 1.21 billion and the UID scheme aims to cover all the residents. No country has attempted an identification and verification system on this scale. Though enrolment for the proposed system is stated to be voluntary, it will be on an unprecedented scale because a potential beneficiary can be denied access to a particular scheme or service if the individual does not enrol himself/herself and obtain the Aadhaar number. Indeed, many countries that had launched a biometric identification system have scrapped the idea as there are many unanswered questions about the reliability of a biometric system for the purposes they had considered it. It should be remembered that the objective of the Indian system is developmental, rather than security and related issues that countries of the West have been concerned with, and is aimed at delivering specific benefits and services to the underprivileged and the poor of the country. The envisaged system is also correspondingly different from those proposed elsewhere. To see if the system envisaged by the UIDAI meets these criteria and can deliver unique identification of all, it is important to understand the way the system is supposed to work.

The process

The process of enrolment that is currently on – already about 70 million have enrolled – involves presenting oneself to one of the agencies, termed registrars, identified by the UIDAI for enrolment purposes across the country. This involves the registrar recording the individual’s properly verified basic demographic information – which includes name, address, gender, date of birth, relationship – and capturing biometric information – which includes palm print (slap fingerprint), ten single fingerprints, iris imaging and face imaging – and this is encrypted and transmitted to the UIDAI electronically, including physical transmission using pen-drives for locations that lack any data connectivity. In principle, unknown errors or data corruption could occur at the transmission stage.

Even assuming that the transmission is perfect, data presented during enrolment need to be compared and checked to avoid duplication – “de-duplication” – and thus prevent any fraud. Otherwise one individual may end up with two Aadhaar numbers. So any new set of biometric data – fingerprints and iris prints – need to be compared with those of already enrolled individuals and shown to be different from every other set. This comparison was trivial when the first person, Ranjana Sonawne of Tembhli village in Maharashtra, enrolled because there was no one before that to be compared against. But it is clear that when the nth person goes to enrol, the data will have to be compared against the already enrolled n–1 sets of data. So registrars will send the applicant’s data to the CIDR for de-duplication. The CIDR will perform a search on key demographic fields and on the biometrics for each new enrolment so as to minimise duplication in the database.

Can one totally eliminate duplication? As noted earlier, this will depend on the FNMR which, in a probabilistic system, will be a finite number, however small. So there will be a small but finite probability for duplication to occur. It is easy to see that this matching exercise will involve n(n-1)/2 comparisons, which, as n becomes large, obviously, is a highly computationally intensive exercise requiring large computing power. The number of comparisons will be several orders of magnitude more than the numbers enrolled. So in a population of 1.21 billion, when the (1.21 billion+1)th person comes in to enrol, the CIDR server will have to perform about 700 million billion (7×10¹⁷) comparisons. This may seem mind-boggling, but a modern-day high-performance computer can do this pretty fast. And since such a de-duplication exercise will be done off-line before issuing the Aadhaar numbers, the time involved in doing the comparisons is not the issue. The key issue is the magnitude of probabilistic error in these comparisons. In case of a false match, for example, the system will reject a genuine applicant. A computer cannot resolve FMR and FNMR cases; it has to be done physically by tracking down individuals and carrying out the re-enrolment-cum-matching exercise.

One way to improve the performance (reducing error rates) of the biometric system is to use the multimodal approach. Data from different modalities – face, palm print, fingerprints and iris in the UID case – are combined. Such systems obviously require different kinds of sensors and software (essentially different algorithms) to capture and process each modality being used for comparison. Already, using 10 single fingerprints provides additional information compared with a single fingerprint and this improves the performance, especially in very large-scale operations. Of course, this will be computationally intensive, particularly when matching is to be done from among millions of references in the database. Multimodality, in addition, will require even greater computational resources.

(Spoofing a single fingerprint has been demonstrated to be possible and such an impostor fingerprint can be used to fool a biometric reader. But this seems nearly impossible to do for all the 10 fingerprints and the palm print without being caught. And, combined with multimodal comparison, chances of such impersonation become extremely low.)

Error rate

The crucial issue, therefore, is the error rate: how many false positive and false negative identifications can potentially arise? A Proof of Concept (POC) exercise was carried out by the Authority with 40,000 subjects, divided into two sets of 20,000, in rural Andhra Pradesh, Karnataka and Bihar. This was done to analyse data from rural groups where quality of fingerprints is likely to be uneven.

For POC analyses, only 10 fingerprint data and two iris data were used. The face biometric was not used. According to the report, the study – which clearly was a multimodal one – observed an FNMR – that is a person is identified to be a different individual and re-enrolled resulting in duplication – of 0.0025 per cent.

Similarly, the study observed an FMR – where a new applicant is rejected because of false matching – of 0.01 per cent using irises alone and 0.25 per cent with fingerprints alone. But the concluding claim of the report that “by doing analysis as shown in the examples above on real data captured under typical Indian conditions in rural India, we can be confident that biometric matching can be used on a wider scale to realise the goal of creating unique identities” is clearly misleading as the order of magnitude of such cases of misrecognition in the real situation involving much larger numbers (say hundreds of millions) will be pretty large. The corresponding exercise of resolving these cases would be huge. If not resolved, large numbers would either be denied the benefits due to them or large numbers of impostors would get benefits that are not legitimately theirs because of inherent errors in the technology.
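The scaling argument above can be worked through numerically; the following is an added example, not part of the original article or of any UIDAI material, and it goes beyond the article by also modelling how a one-to-many search compounds a per-comparison error rate. It assumes the POC false match rates are per-enrolment rates observed against one 20,000-record set, and that comparisons are independent with a constant per-comparison rate; all function names are hypothetical.

```python
import math

# Figures quoted in the article.
POPULATION = 1_210_000_000      # residents the scheme aims to cover
POC_GALLERY = 20_000            # size of one Proof of Concept set
POC_FMR_IRIS = 0.01 / 100       # genuine applicant falsely matched, irises alone
POC_FMR_FINGER = 0.25 / 100     # genuine applicant falsely matched, fingerprints alone
# The POC false non-match rate is left out of the projection: it applies only
# to repeat enrolment attempts, and the article gives no count of those.


def pairwise_comparisons(n):
    """Comparisons needed if each of n enrolments is checked against all earlier ones."""
    return n * (n - 1) // 2


def expected_cases(rate_per_enrolment, enrolments):
    """Expected misrecognitions if a per-enrolment rate held unchanged at scale."""
    return rate_per_enrolment * enrolments


def false_match_prob(fmr_per_comparison, gallery):
    """P(at least one false match) when one probe is searched against `gallery` records.

    This is 1 - (1 - fmr)^gallery, computed with log1p/expm1 so that very
    small rates multiplied by very large galleries do not round to 0 or 1.
    Assumption: comparisons are independent with a constant rate.
    """
    if not 0.0 <= fmr_per_comparison < 1.0:
        raise ValueError("fmr_per_comparison must be in [0, 1)")
    if gallery < 0:
        raise ValueError("gallery must be non-negative")
    return -math.expm1(gallery * math.log1p(-fmr_per_comparison))


def per_comparison_fmr(target_rate, gallery):
    """Inverse of false_match_prob: per-comparison rate that yields `target_rate`."""
    if not 0.0 <= target_rate < 1.0:
        raise ValueError("target_rate must be in [0, 1)")
    if gallery < 1:
        raise ValueError("gallery must be at least 1")
    return -math.expm1(math.log1p(-target_rate) / gallery)


def scale_up_report():
    """Project the POC figures to the full population under the stated assumptions."""
    # Assumption: 0.01 per cent was the chance of a false match for one
    # enrolment searched against a 20,000-record set.
    iris_per_comparison = per_comparison_fmr(POC_FMR_IRIS, POC_GALLERY)
    return {
        # n(n-1)/2 for n = 1.21 billion: the "700 million billion" figure.
        "comparisons": pairwise_comparisons(POPULATION),
        # Manual resolution workload if the pilot rates held unchanged.
        "false_rejections_iris": expected_cases(POC_FMR_IRIS, POPULATION),
        "false_rejections_finger": expected_cases(POC_FMR_FINGER, POPULATION),
        # Per-comparison rate implied by the pilot.
        "iris_fmr_per_comparison": iris_per_comparison,
        # Same matcher and threshold, but searched against the whole population.
        "iris_false_match_at_national_gallery": false_match_prob(
            iris_per_comparison, POPULATION
        ),
        # Per-comparison rate needed to keep 0.01 per cent at national scale.
        "iris_fmr_needed_per_comparison": per_comparison_fmr(
            POC_FMR_IRIS, POPULATION
        ),
        # One-to-one authentication is a single comparison (gallery of 1).
        "iris_false_match_one_to_one": false_match_prob(iris_per_comparison, 1),
    }


if __name__ == "__main__":
    for name, value in scale_up_report().items():
        print(f"{name:40s} {value:.6g}")
```

Under these assumptions a matcher tuned on a 20,000-record set cannot keep the same operating point against 1.21 billion records; the per-comparison rate has to fall by several orders of magnitude, which is why pilot figures do not extrapolate directly.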

Also, as the NRC report emphasises, “Although laboratory evaluations of biometric systems are highly useful for development and comparison, their results often do not reliably predict field performance. Operational testing and blind challenges of operational systems tend to give more accurate and usable results than developmental performance evaluations and operational testing in circumscribed and controlled environments.” As against these one-to-many comparisons at the stage of identification of an individual during the enrolment process, the process of authentication or verification when a claimant presents his/her UID number is a case of one-to-one match. The process of Aadhaar authentication, as outlined by the UIDAI, is as follows:

Aadhaar number, along with other attributes (including biometrics), is submitted to the UIDAI’s CIDR for verification. The CIDR verifies whether the data (demographic and/or biometric) submitted match the data available in the CIDR and respond with a “yes/no” answer. No personal identity information is returned as part of the response. And this process can be done online by the service provider linked to the UIDAI. But the authentication is based entirely on the Aadhaar number submitted so that this operation is reduced to a 1:1 match (emphasis added).

This means that the Authority has only to match the presented data with the copy of the individual’s biometrics that was captured earlier and stored in the CIDR corresponding to that UID number. The CIDR will, in turn, say ‘yes’ or ‘no’ to a particular query on, say, the demographic information of the individual, which can be verified against documents such as Proof of Address (PoA) or Proof of Identity (PoI) by the service provider. This is quite different from the verification required in biometric systems for security purposes, say entry through airports, where every verification procedure may be a one-to-many matching exercise. But authentication, despite being a 1:1 match, could have its own error rates largely arising from inevitable human errors, especially in large-scale implementation – for example, transmitting the wrong Aadhaar number or wrongly keyed-in query – and since the system is designed to answer only in “yes/no”, the service provider, say NREGA, may not be in a position to know that the error has originated at the agency-end itself. While, in principle, the UID number holder should be able to crosscheck what is being transmitted, in the rural Indian context, given the level of illiteracy, this may not always happen.

More pertinently, the verification process could itself become the channel of new ways of corruption. Suppose the service provider deliberately transmits the wrong Aadhaar number during the authentication process and in return obviously gets a ‘no’ for an answer to any query pertaining to the claimant of service or benefits that he/she is entitled to. Now this could become the basis of corruption. The service provider could say that the service/benefit can be provided – which the claimant is entitled to legitimately – on payment of ‘x’ amount of money.

This socio-cultural trait of corruption will always find new ways of doing it, especially when such a project is sought to be implemented on such a countrywide scale involving hundreds of millions of transactions. It is not clear how this manual error – deliberate or otherwise – at the man-machine interface in the UID system can be avoided on a real-time basis during the interaction between a potential beneficiary and the service provider. In addition to probabilistic errors in the biometric identification scheme, perhaps such issues could also become a cause of real concern.

FRONTLINE- Volume 28 – Issue 24 :: Nov. 19-Dec. 02, 2011

Setback to UID – Usha Ramanathan

At Tembhli village in Nandurbar district, a day before the launch of the UID in 2010. The village received the first numbers under the project.


THE Parliamentary Standing Committee on Finance has dealt a body blow to the Unique Identification (UID) project.

The Unique Identification Authority of India (UIDAI) was set up under the Planning Commission by an executive order on January 28, 2009. The scheme involves the collection of demographic and biometric information to issue ID numbers to individuals. The first numbers were handed to the tribal residents of Tembhli village in Nandurbar district of Maharashtra on September 29, 2010. The National Identification Authority of India Bill, 2010, was introduced in the Rajya Sabha on December 3, 2010. On December 10, 2010, it was referred to the Standing Committee.

Over the next year, the Standing Committee received suggestions, views and memoranda, and heard from various institutions, experts and individuals. It was briefed by representatives of the Planning Commission and the UIDAI. News reports were considered and clarifications sought from the Planning Commission. The Standing Committee adopted the report on December 8, 2011. On December 13, 2011, it was placed before Parliament.

The report is a severe indictment of the UID project. It found the project to be “conceptualised with no clarity of purpose” and “directionless” in its implementation, leading to “a lot of confusion”. The overlap between the National Population Register (NPR) and the UID is unresolved. The structure and functioning of the UIDAI had not been determined before beginning the exercise. The methodology of collection of data is built on shifting sands. There is no focussed purpose for the resident identity database.

Nandan Nilekani, chairman of the UIDAI, in his talks and interviews, calls it “open architecture”. The UID project is only about producing a number and linking an identity to the number. What could be done with that identity infrastructure will depend on who uses it and for what purpose. It leaves the field open for those who have the power to use, or abuse, the data and for those who use the number to converge on data about individuals.

Even as it is claimed that obtaining the UID number is voluntary, apprehensions have grown that services and benefits will be denied to those without the number. This is an inversion of the idea of inclusion, which is a key element in the image-building exercise done for the project.

The lack of preparation before launching a project of this dimension is striking. As the Planning Commission admitted to the Standing Committee, no committee had been constituted to study the financial implications of the project. There is no comparative analysis of costs of the UID number and the various extant ID documents. No comprehensive feasibility study was carried out at any time. In fact, the Detailed Project Report was done as late as April 2011. On September 28, 2010, a day before the launch, a group of eminent citizens, including V.R. Krishna Iyer, Romila Thapar, Upendra Baxi, A.P. Shah, Aruna Roy, Nikhil Dey, S.R. Sankaran, Bezwada Wilson, and nine others released a statement reflecting just these concerns. This statement was later submitted to the Standing Committee. In the time that elapsed between the expression of concern by the group of eminent citizens and the report of the Standing Committee, the situation had hardly changed.

The Standing Committee has found the project to be “full of uncertainty in technology as the complex scheme is built upon untested, unreliable technology and several assumptions”. This is a serious concern given that the project is about fixing identity through the use of technology, especially biometrics. As early as December 2009, the Biometrics Standards Committee set up by the UIDAI had reported adversely on the error rate. Since then, neither the Proof of Concept studies nor any assessment studies done by the UIDAI have been able to affirm the possibility of maintaining accuracy as the database expands to accommodate 1.2 billion people. The estimated failure of biometrics is expected to be as high as 15 per cent.

Critics of the project have referred to studies such as the 2010 report of the National Research Council in the United States (cited in Frontline December 2, 2011: “How reliable is UID?”), which concluded that “human recognition systems” are “inherently probabilistic and hence inherently fallible”. In India, a report from 4G Identity Solutions, which is a consultant to the UIDAI and supplies it with biometric devices, suggested that children under 12 years and persons over 60 years would find their fingerprints to be undependable biometrics. Most damaging to the credibility of using fingerprints for authentication – which is what is proposed and currently seen as practical in terms of cost and technology – is what Ram Sevak Sharma, Director-General and Mission Director of the UIDAI said in an interview to Frontline (December 2, 2011, page 8): “Capturing fingerprints, especially of manual labourers, is a challenge. The quality of fingerprints is bad because of the rough exterior of fingers caused by hard work and this poses a challenge for later authentication…. Issuing a unique identity with iris scans to help de-duplication will not be a major problem. But authentication will be because fingerprint is the basic mode of authentication.” The Standing Committee has taken this admission on board.

Enrolment requires an individual to produce documents that the enroller accepts as sufficient proof of person and address. When documents do not exist, or they are inadequate for the purpose, a person may find a “verifier” to establish their identity. Or, especially in the case of the poor, they may be introduced to the system by approved introducers. In practice, these two methods have been shown to be irrational and prone to error. The Home Ministry had questioned this erratic method of enrolment and its implications for national security. These concerns have resonated with the Standing Committee.

Nilekani has been talking about enrolling 600 million residents before he completes his term in 2014. However, it seems that the Cabinet Committee on UID had, in the first instance, given its approval to let him enrol 10 crore residents, which was later increased to 20 crores. The UIDAI does not currently have the mandate to enrol more than that number. To meet his target of 600 million, Nilekani entered into memorandums of understanding with a multiplicity of entities, including State governments, banks, oil companies and insurance companies, to act as registrars. This may have helped in spreading the net wider to capture residents to get their demographic and biometric data. But it also meant that the chances of duplication of work increased. The Ministry of Home Affairs also alleged that some registrars had not adhered to the procedures laid down by the UIDAI, setting the MoUs to nought. This, it was feared, was also compromising the security and confidentiality of the information gathered. The Standing Committee found that issues relating to the process of data collection, the duplication of efforts and the security of data remained unresolved.

The UIDAI says it is now developing a monitoring and evaluation framework. There are plans for periodic audits. The project has carried on so far without these essential safeguards.

There has been speculation that the dissensions within are signs of a turf war. There could be something in that. Yet, the Standing Committee report reveals that the issues have been raised by a range of agencies and they are impossible to ignore. So:

The Ministry of Finance (Department of Expenditure) has been concerned about the duplication of effort and expenditure among at least six agencies that collect information – the NPR, the Mahatma Gandhi National Rural Employment Guarantee Scheme (MNREGS), the BPL (below poverty line) Census, the Rashtriya Swasthya Bima Yojana (RSBY) and bank smartcards.

The Ministry of Home Affairs has raised security concerns about “introducers”, the involvement of private agencies which could also have security implications, and the uncertainties in the revenue model of the UIDAI which proposes that a fee be imposed once a separate pricing policy is in place.

The NIC has pointed out that privacy and security of UID data may be better handled if they were stored in a government data centre.

The Planning Commission has voiced its reservations about the merits and functioning of the UIDAI. It has also questioned the necessity of collecting iris images, which has resulted in a steep escalation of costs.

Further, there is the matter of the number of government agencies collecting biometrics as part of different schemes that ought to give one pause.

Setting a refreshing precedent, the Standing Committee has drawn on the research around the United Kingdom’s Identity Project anchored at the London School of Economics and Political Science. While acknowledging that there are likely to be differences between one jurisdiction and another, it found it relevant to draw lessons regarding the factors of complexity; untested, unreliable and unsafe technology; possibility of risk to the safety and security of citizens; and requirement of security measures of a high standard, which is likely to result in escalating operational costs.

In the UID project, every resident is entitled to a UID number. It is not a marker of citizenship. The Standing Committee’s concern is that even illegal migrants can get the UID number. It favours restricting the scheme to citizens because the scheme entails numerous benefits proposed by the government.

What upset the Standing Committee most was the disdain shown to Parliament in proceeding with the project, on the premise that the “powers of the executive are coextensive with legislative power of the government”. What would happen if Parliament rejected the project and the law?

In the Attorney-General’s opinion: “If the Bill is not passed for any reason and if Parliament is of the view that the authority should not function and expresses its will to that effect, the exercise would have to be discontinued. This contingency does not arise.” This anticipation has been belied by the rejection of the project and of the Bill by the Standing Committee. The Standing Committee also considered “unethical and violation of Parliament’s prerogatives” the continuance of the project while the framing of the law is under way.

The government, as the Standing Committee records, had recognised the need for a law to deal with the security and confidentiality of information, imposition of obligation of disclosure of information in certain cases, impersonation at the time of enrolment, investigation of acts that constitute offences, and unauthorised disclosure of information. Yet the project was rolled out with no protections in place.

The Standing Committee recognised the legitimacy of concerns raised about issues, including access and misuse of personal information, surveillance, profiling, linking and matching databases in securing confidentiality of information. A data protection law has to be debated and enacted before large-scale collection of information from individuals and its linkage across separate databases can be contemplated.

The “concerns and apprehensions” voiced by the Standing Committee have led to its categorical rejection of the Bill. In conclusion, the committee has said that it will “urge the government to reconsider and review the UID scheme as also the proposals contained in the Bill in all its ramifications and bring forth a fresh legislation before Parliament”.

The data already collected may be transferred to the NPR, if the government so chooses.

That, however, is not all. The NPR, which came in for scrutiny because of its link with the UID project, has embarked on the collection of biometric data which is authorised neither by the Citizenship Act, 1955, nor by the Citizenship Rules of 2003. This, the report says, has to be examined by Parliament. Until then it is reasonable to assume that it should be suspended.

The UID project has raised many questions about data convergence, imperfect technology, national and personal security, extraordinary expenditure, exclusion and inclusion, and the source of power to gather, hold and use data about individuals. This report raises unanswered questions about the biometric and data-gathering ambitions of the state. The association of the project with a corporate icon has tended to lull many into complacency. Yet, as is reflected in the Standing Committee report, the process, the technology and the consequences are deeply problematic. The report leaves no room for doubt that the UID project will have to be revisited and the NPR re-examined.

Usha Ramanathan works on the jurisprudence of law, poverty and rights. From Frontline, Volume 29, Issue 01, Jan. 14-27, 2012.

