Comments on ‘The National Identification Authority of India Bill 2010’
Long Title:
‘Manner of authentication of such individuals to facilitate access to benefits and services to such individuals to which they are entitled’
Comment: –
(1) This Bill does not deal with benefits and services. The Strategic Overview of the Unique Identification (UID) Number/Aadhaar project specifies that the Unique Identification Authority of India (UIDAI) is not concerned with rights and entitlements.
(2) This Bill does not acknowledge entitlements, benefits or services.
CHAPTER I
PRELIMINARY
Clause 1(2): Extraterritoriality
Comment: It anticipates the possibility of an offence or contravention committed under this Act ‘outside India by any person’. The nature of the technology is such that anyone, anywhere, may hack into, steal, or tamper with the Central Identities Data Repository (CIDR), the database of UID Numbers. The Wikileaks experience shows that electronic data can never be adequately secured against leaks and invasions.
Clause 2(c): Deals with ‘authentication’
Comment: The essential tests required to establish that authentication through fingerprints can effectively be done over a population of 1.2 billion have not, even hypothetically, been done. The iris scan is being used for purposes of enrollment – that is, to put people on the Database of UID Numbers. But authentication is to be done by using only fingerprints. Many problems have been identified in relation to fingerprints – including callused hands, the ineffectiveness of fingerprints of persons in manual or hard labour. The problem has been acknowledged by the UIDAI; however, no solutions to this problem have been mooted so far. In relation to the Indian population, iris scans too have been found to be unreliable, especially in conditions of manual labour and malnourishment.
Clause 2(e): ‘Biometric information’ means a set of such biological attributes of an individual as may be specified by regulation.
Comment: – This leaves it to the Authority to expand the attributes that may have to be given during enrollment or at a later date, as they may decide. That is, while currently photographs, fingerprints and iris scans are the biometric attributes being collected, this could be expanded to include any other metrics, including DNA fingerprinting. This is not a statement without basis. In July 2010, when the Economic Times reported that there could be a problem of millions of people in the country whose fingerprints may not work because of the kind of work in which they are engaged, and iris scans may not work because of cataracts related to malnourishment or corneal scars that are common among the working population, it was reported that the Director General of the Council for Scientific and Industrial Research suggested DNA fingerprinting as a possibility. It is also significant that the Department of Biotechnology in the Ministry of Science & Technology has a draft DNA Bank Bill of 2007, which is accessible online.
Clause 2(f): – Central Identities Data Repository (CIDR): This is a centralized database which is to be in one or more locations containing all UID (Aadhaar) numbers and the demographic and biometric information and other information related thereto.
Comment: - The dangers of a centralized data base of a whole population need hardly be stressed.
It says it will be held in ‘one or more locations’. It is significant that the information may be managed by a public or private agency.
This is not a project that is managed, held, run, controlled by the government, but is already being spread out among various private entities.
There is a vague catch-all phrase at the end of the clause ‘and other information related thereto’. It is not clear what this means except that it may help expand the information held in the database.
Clause 2(h): – ‘Demographic Information’ currently includes name, age, gender and address of an individual. It specifically is not to include information relating to race, religion, caste, tribe, ethnicity, language, income or health.
Comment: - These can be altered by amending the law.
Nothing in the law prevents other agencies from gathering the data that the UIDAI will not gather. So, for instance, the National Population Register may gather information about caste. Under the MoU with the UIDAI, the UID number would be handed over to the agency acting as a registrar for the UIDAI. So, although the UIDAI may not itself gather that information, it facilitates the linking up of the data that is with the various Registrars with the help of the UID number, thereby facilitating profiling of people. To prevent the profiling which Clause 2 (h) anticipates, it would be necessary for the law to protect against the linking up of the UID number with any database that has information beyond that which is in the protocol of information referred to in Clause 2 (h). In fact, the documents on the UID website suggest that one means of achieving enrolment is by loading the number by making its use compulsory in many applications: for example, the PDS, NREGA and public health institutions. Already the expansion of the use of this process is visible in current proposals in the state of Odisha, where 12 additional categories of information are required to be provided by every person enrolling for a UID. The consequences of such profiling have not been discussed, and many questions have been raised but remain unanswered.
Clause 2(i) and (j): – ‘Enrolling agency’ and ‘Enrollment’: These shall be as appointed by the Authority or by the Registrars to collect demographic and biometric information.
Clause 2(o): – ‘Registrar’ – as ‘authorized’ or ‘recognized’ by the ‘Authority’
Comment: - There are no prescribed criteria for who may act as an enrollment agency and who may be involved in the process of enrollment. This is true in relation to ‘Registrars’ too. This becomes significant especially because the information collected for the UIDAI, and other information, can be held by the enrolling agency and Registrar, and what they may do with it is not in the control of the person whose information is so collected.
The power given to the Authority to determine the extent and use of private entities is unchecked in this Bill. Later in the Bill, the nature of the Authority reveals the power that will be wielded by the Chairperson of the Authority who will be the only full time functionary of the Authority assisted by two part time members.
Clause 2(k): ‘Identity Information’ means biometric, demographic information and UID (Aadhaar) number.
Comment: - It is important to note that the potential to combine information (convergence) which is made possible by the existence of the UID number is not prohibited by this law. So, when the UID number is used to pull information together from different silos, or when an enrolling agency or Registrar gathers additional information which helps profile the person, this is not prohibited by this law.
The DOPT’s background paper on a law of privacy starts with acknowledging that, although the issue of privacy has grown generally, the UID and the convergence of information that it facilitates creates the most immediate and urgent need for a Privacy law. Yet, this law is sought to be tabled before the Privacy law is anywhere near ready.
Chapter II
AADHAAR NUMBERS
Clause 3(1): - ‘Every resident shall be entitled’ to obtain a UID number upon giving demographic and biometric information
Comment: - Throughout, the project has been promoted as being ‘voluntary’ – yet, Mr. Nilekani has consistently maintained that other agencies may make it compulsory. If this happens, it could actually lead to exclusion of those who do not have a number, or have forgotten it, or whose biometrics do not work.
The law must be clear that it is voluntary, and that no one can be denied any right, entitlement, service etc if they do not have a UID (Aadhaar) number.
Clause 4(3): - An Aadhaar number shall, ‘subject to authentication’, be accepted as proof of identity
Comment: - If biometric information does not work, that raises the possibility of exclusion.
This is linked with the problem of ‘loss of identity’ vis-à-vis the state, if this technology is going to be the primary, essential, identifier.
There has to be a clause that this does not dislodge other forms of ID. There must also be safeguards against allowing a lack of an Aadhaar number (in case of operational failures) to lead to exclusion since it is unproven technology (and there are questions that have arisen already), and providing that it is to be voluntary. This, therefore, may be one among many identifiers and cannot be conclusive. It can, at best, be facilitative.
Clause 5(1): - ‘Payment of fee’ for authentication
Comment: –
a. Nothing in the Bill explains what parameters the payment of fees should be within. That is, what are the criteria that should determine whether fees should be charged or not, and how much they should be.
b. How much they should be becomes important, especially since the UIDAI expects to make profits, when at the same time it is supposed to be helping the poor.
c. There is also no mention of who will bear the other costs of authentication, which are currently not being addressed and so are externalized. For example, the project has made a big pitch for dependence on the mobile phone, for connectivity as also for capacity to transmit fingerprints in good enough condition to be authenticated.
d. There is no talk of an alternative where, as one pilot study already indicates, there can be no dependence on fingerprints.
e. So there is the business of who pays for the mobile phone? And who pays for the transmission charge of the fingerprint? The poor cannot keep pace with constantly changing technologies because of profit-margin incentives for mobile phone companies. The project is premised, in the first instance, on everyone having a mobile phone, or having access to one, and the instrument being in a condition that can record and transmit fingerprints in condition sufficient for authentication.
f. The process of Authentication has not been studied yet.
Clause 5(2): - The Authority shall respond to an authentication query with a yes or no ‘or with any other appropriate response’ excluding any demographic information and biometric information.
Comment: - This widens the responses the Authority may give, and is in contradiction of what the UIDAI has been saying all along while marketing the idea – that the only answers obtainable from the database will be ‘yes’ or ‘no’ and none other.
Clause 6: - Aadhaar not evidence of citizenship
Comment: - The National Population Register (NPR) is doing this exercise. And the UIDAI has agreed to pass back the UID numbers to NPR. So, it has already agreed to do indirectly what it says it will not do directly.
It is important to recognize that the creation of the scheme of UID (Aadhaar) is not isolated. In the context of citizenship, it is directly connected with the NPR including by giving numbers back to the NPR. It is a collaborative exercise.
This is why the scheme is being criticized as being between a half–truth and a complete lie. Those who do not make it to getting a UID number or whose biometrics do not work would be threatened with not being recognised as citizens.
Clause 7: - The Authority may engage ‘one or more entities’ to establish and maintain the Central Identities Data Repository and ‘to perform any other functions as may be specified by regulations’.
Comment: - Unlike the Election Commission, for instance, the Authority is only acting as an outsourcing agency. So, information is going to be handled, maintained, managed, updated, protected by other ‘entities’.
Currently, we know, for instance, that it is a range of technology companies that are being brought in to do the ‘de-duplication’. Accenture, L-1 Identity Solutions, TCS, Google, Yahoo and Microsoft have all indicated their interest. It is evident that this is a corporate project and not a state project that concerns democracy and the country’s population. L-1 Identity Solutions, for instance, is well-known for its links with the CIA, which is its most-favored client. Many of its employees are drawn from retired personnel in the US Intelligence establishment. Accenture again is on a Smart Borders project with US Homeland Security.
The MoUs and contracts have to be scrutinized to see if Parliament would actually endorse them. There are many issues, including violation of rights including that of privacy and security that are involved in the agreements/MoUs.
Clause 8: – Onus on “Aadhaar number holders” to “update their demographic information and biometric information”.
Comment: - Apart from the onus, what is meant by ‘updating biometric information’? Is it that biometric information is expected to change? If so, does this biometric capture have to be done at regular intervals? How often?
Is it also about new biometric information that may become mandated if a person is to have an Aadhaar number? There is simply no information and certainly no clarity about this. But this much is clear; it is not going to be a one-time exercise.
Clause 9: - The Authority may not, till the law is changed, gather data about the ‘prohibited’ list of information, including ‘income’ and ‘health’.
Comment: - But other agencies, acting as registrars/ enrollers may do so. [See NPR, SGs including Orissa, MoUs with banks, LIC]. In fact the MoUs specifically encourage Registrars to gather additional information while capturing data for the UID. This is a dubious role that the UIDAI is playing which requires investigation. This is exacerbated by the agreement to give their UID number to the Registrar after de-duplication.
This is a provision that will deliberately deceive especially those who believe that the UID is harmless because it captures a limited range of information, when we consider that the UIDAI has in its own MoUs with Registrars, been encouraging them to increase the basket of information.
Clause 10: - Special measures to issue Aadhaar number to “women, children, senior citizens, persons with disability, migrant unskilled and unorganised workers, nomadic tribes or to such other persons who do not have any permanent dwelling house and such other categories of individuals as may be specified by regulations.”
Comment: –
a) This sounds good, but the procedure is inherently flawed. Those without documents will have to depend on an NGO to act as “Introducers”. Without the NGO/Introducer, the poor would be excluded. Apart from what this does to those who do not find empathetic NGOs (and the NGO needs to know them), it is also not clear what is the responsibility of the Introducer – it has not been given in the Bill, or anywhere else.
b) Interestingly, although the Bill does not refer to the Introducer system, the protocol of ‘information held by the UIDAI includes the name and number of the Introducer’. And, as said earlier, the responsibility of the ‘Introducer’ has not been spelt out.
CHAPTER III
NATIONAL IDENTIFICATION AUTHORITY OF INDIA
Clause 12: - The “Authority shall consist of a Chairperson and two part time Members to be appointed by the Central Government”
Comment: - The casualness of the appointment process is only one startling feature.
a) The Authority will, in sum total, be just one person with two part time people. What is the role envisaged for the Authority?
b) What kind of monitoring and oversight and protection can they guarantee?
Clause 13: - The Chairperson and Members of the Authority shall be “persons of ability, integrity and outstanding caliber having experience and knowledge in the matters relating to technology, governance, law, development, economics, finance, management, public affairs or administration”.
Comment: - What does this indicate? That it does not matter who is appointed? There is a wide opening in this provision for corporate control of the project. The Civil Services have been sidelined to merely the performance of day-to-day work on the project [See Clause 20]. This is a vague provision and allows for too much latitude with the appointing authority.
Clause 14: - The Chairperson and the Members appointed under this Act “shall hold office for a term of three years from the date on which they assume office and shall be eligible for re-appointment: Provided that no person shall hold office as a Chairperson or Member after he has attained the age of sixty-five years”
Comment: –
a) The provision says that Mr. Nandan Nilekani may stay on ‘for the term for which he had been appointed’. What is that term?
b) Wherever we read ‘Chairperson and Members’ it is important to remember that is the Chairperson and two part time Members! And since they are only part time, only the Chairperson shall not hold any other office – the part time Members, of course, may, and in fact, by having them as part time, they will or are expected so to do [Clause 14(4)].
Clause 15(1): - The Central Government may remove from office the Chairperson, or a Member, who—
(a) is, or at any time has been adjudged as insolvent;
(b) has become physically or mentally incapable of acting as the Chairperson or, as the case may be, a Member;
(c) has been convicted of an offence which, in the opinion of the Central Government, involves moral turpitude;
(d) has acquired such financial or other interest as is likely to affect prejudicially his functions as the Chairperson or, as the case may be, a Member; or
(e) has, in the opinion of the Central Government, so abused his position as to render his continuance in office detrimental to the public interest.
Comment: - There is no insulation from the ‘Central Government’. This is about subjective satisfaction of the Central Government. And, the Central Government can decide whether or not to act on it.
Clause 16: - Restrictions on Chairperson and Members on employment with or on behalf of, or in advisory capacity, or on board of any associated organization with work under the Act, but this can be waived by “previous approval of the central government”.
Comment: - Given the corporate interest in the project, these restrictions are too weak; this weakness is not being sufficiently addressed in the Bill.
The UIDAI has, on its staff, people who are on ‘sabbatical’ and volunteering during leaves from various corporates (amongst others), and these are part of the technical coterie. Such persons are outside the purview of this Bill.
Clause 17: - Functions of Chairperson.
Comment: - All power is vested in one person, the Chairperson.
Clause 18(2): The Chairperson, or, if for any reason, he is unable to attend a meeting of the Authority, the “senior most Member” shall preside over the meetings of the Authority.
Comment: - This clause does not reflect the extremely restricted composition of the Authority. For instance, all matters to be considered at a meeting of the Authority are to be decided by majority of votes of the Members present and voting and ‘in the event of equality of votes, the Chairperson, or in his absence, the Member presiding over shall have the second or casting vote’.
Clause 18(5): About direct or indirect pecuniary matters coming up before the Authority, the Member is to disclose ‘interest’ and is only not to take part in the proceedings.
Comment: - This is in contrast with the prohibition on taking up employment after ceasing association with UIDAI (Clause 16).
Clause 19: - No act or proceeding of the Authority shall be invalid merely by reason of—
(a) any vacancy in, or any defect in the constitution of, the Authority;
(b) any defect in the appointment of a person as a Member of the Authority; or
(c) any irregularity in the procedure of the Authority not affecting the merits of the case.
Comment: - So, interests of the Chairperson or Member cannot be kept away and their presence does not invalidate any procedure adopted. There are two factors that make this especially significant:
a. The power of the Authority to give contracts, and
b. That the UIDAI depends entirely on outsourcing.
Clause 20(1): - Chief Executive Officer of the Authority, to be not below the rank of the Additional Secretary to the Government of India, and who shall be Member-Secretary of the Authority.
Comment: - This is the role given to the Civil Services.
Clause 20(3): - Government officers working with the Authority shall be paid according to the regulations with the approval of the Central Government.
Clause 21(1): - The Chief Executive Officer shall be the ‘legal representative’ of the Authority and shall be responsible for—
(a) the day-to-day administration of the Authority;
(b) implementing the work programmes and decisions adopted by the Authority;
(c) drawing up of proposals for the Authority’s work programmes;
(d) the preparation of the statement of revenue and expenditure and the execution of the budget of the Authority.
Clause 22(1): – “All liabilities shall be deemed to include all debts, liabilities and obligations of whatever kind”.
Comment: - There has been no projection of budget, or expected expense, on the project. This is a project with no projected cost, uncertain benefits, and we don’t even know if there will be continuing costs, how much they will be, and who will bear them.
Clause 22(2): Without prejudice to the provisions of sub-section (1), all data and information collected during enrolment, all details of authentication performed, debts, obligations and liabilities incurred, all contracts entered into and all matters and things engaged to be done by, with or for such Unique Identification Authority of India immediately before that day, for or in connection with the purpose of the said Unique Identification Authority of India, shall be deemed to have been incurred, entered into or engaged to be done by, with or for, the Authority
Comment: Therefore all data and information collected during enrollment, all details of authentication performed, debts, obligations and liabilities incurred, all contracts entered into and all matters and things engaged to be done by, with or for such UIDAI immediately before the day, for or in connection with the UIDAI, shall be deemed to have been incurred, entered or engaged to be done by, with or for, the Authority. This is like ratification. They each need to be studied. The contracts and MoUs, especially, have to be scrutinized, since there are several problems with them. For instance, L-1 Identity Solutions, which is connected with US intelligence agencies, and Accenture, which is on the Smart Borders project with the US Homeland Security Department, have been given contracts for the ‘de-duplication’, i.e., the protocol of personal information along with photograph, fingerprints, and iris scan will be handed over to them for de-duplication.
The MoUs disclose various aspects of invasion of rights that must be carefully studied by Parliament before it can consider endorsing them.
Clause 23(1): The Authority shall develop “policy, procedure and systems for issuing Aadhaar numbers to residents and perform authentication thereof under this Act.”
Comment: –These are unguided powers which do nothing to set out boundaries for subordinate legislation.
Clause 23(2):
(a) specifying, by regulation, demographic information and biometric information for enrollment for an Aadhaar number and the processes for collection and verification.
Comment: - This means that the ‘Authority’ can decide to expand the details that they will collect for their database. This ‘creeping’ expansion is made possible by this provision.
Clause 23(2):
(c) appointing of one or more entities to operate the Central Identities Data Repository (CIDR);
(d) generating and assigning Aadhaar numbers to individuals;
(e) performing authentication of the Aadhaar numbers;
(f) maintaining and updating the information of individuals in the Central Identities Data Repository in such manner as may be specified by regulations;
(g) omitting and deactivating of an Aadhaar number and information relating thereto in such manner as may be specified by regulations;
Comment: – These are the extent of powers and must be considered by the Parliament before they are given sanction.
Clause 23(2):
(h) Regulations will specify the usage and applicability of the Aadhaar number for delivery of various benefits and services as may be provided by regulations;
Comment: UID has been marketed as a means to deliver to systems like the PDS and MGNREGA. Yet, nowhere in the Bill is the connection made. In the Regulations, the Authority may consider matters of usage of the number in relation to “benefits and services”. This heightens the doubt that PDS and MGNREGA have been used by the UIDAI only for marketing the idea. This needs a closer look. In the meantime, the corporate interest in the UID has become clear, with ‘Visa’ credit services declaring that they are going to make their services accessible to all UID number holders including the poor. How do profit and the poor come together for Visa?
Clause 23(2):
(i) specifying, by regulation, the terms and conditions for appointment of Registrars, enrolling agencies and service providers and revocation of appointments
Comment: - The MoUs precede/ predate this. Should there not be limits on what may be contracted?
CHAPTER IV
Clause 24: Grants by Central Government
Clause 25: Other fees and revenue
Comment: The UIDAI expects to be making profits on the fees it will charge for each authentication which it decides should be on payment. This refers to ‘fees or revenue collected by the Authority’, but sets no criteria on the basis of which charges may be levied. It also does not recognize the costs of each authentication nor say who is to bear the cost. How are the poor expected to pay?
Clause 26: Accounts and audit.
Clause 27(2): Returns and annual report, etc
The Authority shall prepare, once in every year, and in such form and manner and at such time as may be prescribed, an annual report giving—
(a) a description of all the activities of the Authority for the previous years;
(c) the annual accounts for the previous year; and
(d) the programmes of work for coming year.
CHAPTER V
IDENTITY REVIEW COMMITTEE
Clause 28(3): Three Members in the Review Committee to be appointed by a committee consisting of—
(a) the Prime Minister, who shall be the chairperson of the committee;
(b) the Leader of Opposition in the Lok Sabha; and
(c) a Union Cabinet Minister to be nominated by the Prime Minister.
Clause 28(5): The Members of the Review Committee shall hold office for a term of three years from the date on which they enter upon office, and shall not be eligible for re-appointment.
Comment: - Compare this with Clause 14, where the Chairperson and the two part time Members who constitute the ‘Authority’ are appointed by the ‘Central Government’ and they shall each be eligible for reappointment till they are 65.
Clause 28(6): The Central Government may by order remove from office any Member of the Review Committee, who —
(b) has become physically or mentally incapable of acting as a member;
(d) has acquired such financial or other interest as is likely to affect prejudicially his functions as a member; or
(e) has, in the opinion of the Central Government, so abused his position as to render his continuance in office detrimental to the public interest:
Provided that a Member shall not be removed under clause (d) or clause (e) unless he has been given a reasonable opportunity of being heard in the matter.
Comment: The committee of Prime Minister, Leader of the Opposition and a Union Minister is to appoint, and the ‘Central Government’ may remove from office. Since it does not have to be a unanimous decision, the Prime Minister would have a decisive voice.
Removal for ‘physical incapacity’ is a standard that is much lower than it is in other legislations that carry a similar clause. It also does not account for the changes that have happened in law and in public policy in the matter of treatment of persons with disability.
Clause 29(1): The Review Committee shall ascertain the extent and pattern of usage of the Aadhaar (UID) numbers across the country and prepare a report annually in relation to the extent and pattern of usage of the Aadhaar numbers along with its recommendations thereon and submit the same to the Central Government.
Comment: There are no limitations on the extent and usage of this number. The intention as reflected in the public statements by the present Chairperson of the UIDAI, is to make the usage extensive and pervasive. This does not account for the consequences of
- convergence of information from different, distinct silos of information which will become easy through the usage of UID numbers.
- breach of privacy
- breach of notions of confidentiality, for instance when medical records are brought within the usage of UID. The UIDAI document on ‘UID and Public Health’ indicates this.
- UID becoming the means of ‘tagging’ and ‘profiling’ people
- abuse or misuse of the information that the use of this number may facilitate
- surveillance
The possible misuses are not even mentioned.
Students at a public meeting on 2nd December 2010 demanded to know how the MoHRD could plan to track them from elementary school upwards, with their UID numbers appended even to their mark sheets, and as part of Midday Meal Scheme records. They demanded to know if any understanding of the social consequences of such tracking had emerged. The fact is that none has.
CHAPTER VI
PROTECTION OF INFORMATION
Clause 30: - Security and confidentiality of information
Comment: This clause merely leaves it to the Authority to ‘ensure the security and confidentiality of identity information of individuals’. It is significant, especially in this context, that the corporate entities with which contracts have been signed for biometric-related technology and ‘de-duplication’ include L-1 Identity Solutions and Accenture. Questions about the kind of due diligence that has (or has not) been exercised need to be asked. These entities are contracted to receive all information that the UIDAI has gathered and effect ‘de-duplication’ after which the number will be allotted.
It is significant that there are at least three entities that will have access to the demographic, biometric and UID number of persons who are enrolled: the Registrar, UIDAI and the ‘de-duplication’ agency. If more than one Registrar collects the details of any person, then the number of entities who will have access to the information which includes biometrics and the UID number increases. Enrollers too would have the data with them. This is how the project is being rolled out. This makes data theft only a subsidiary issue, since, even in the process of data collection, it passes through so many hands.
It is also significant that, while any individual who steals or parts with information may face penalties if he/she is found out and prosecuted [this will not be within the capacity of most people who enroll for a UID number, because of technological and access issues], the UIDAI faces no sanctions if they fail in their duty to protect data.
Clause 31: Alteration of demographic and biometric information: when either changes, the UID number holder may request the Authority to change it in their records
Comment: - The uncertainties about biometrics concern how it will work when it is spread over as large a population as 1.2 billion. (So far, the maximum number covered has been 50 million people, according to the Report of the Biometrics Committee of the UIDAI). It is also uncertain how biometrics may alter with age, illness and occupation. These have not even been tested. There is a distinct possibility that periodic collection of biometrics will be necessary if the biometrics are to work. This possibility has not been acknowledged and, so, not provided for.
If, for instance, the exercises have to be repeated every five, or ten, or fifteen years, that has huge policy implications, including cost, which are not being considered. This would have been explained in a Feasibility Report; but, since no feasibility study preceded the project, and it has not been done till now, there is no means of informing policy and law makers about its implications.
Corruption, inefficiency, leakage and inaccuracy in relation to other documents and processes have been cited as reasons that justify the UID project. How this will prevent the problems that have been identified is not explained anywhere. In the context of Clause 31, it becomes important to seek an explanation as to how these problems will affect those who seek to alter the information in the CIDR. This also makes it clear that enrollment and updating are not a one–time exercise, although public statements by the UIDAI seem to suggest otherwise.
Clause 32: Access to own information and records and of requests for authentication.
Comment: This is a very important aspect of the right to privacy, and of control over the use of data about oneself. It would be impossible to find out who has been accessing the CIDR about oneself unless this information was readily available to the UID number holder.
However, there is another aspect of access to data through the UID number which is addressed neither in this provision nor anywhere else. Registrars, enrollers and de-duplicating agencies, and others who get information from them, will not need to refer to the CIDR for authentication. The networking of demographic and biometric information that this makes possible is one aspect of ‘convergence’ of data from different, discrete, databanks (‘silos’). Neither in this provision, nor anywhere in this Bill, is it made unallowable:
- for Registrars, Enrollers and De-duplicating agencies to retain any information that they collect/process for the UIDAI
- for any of them to network using the data that they have access to
- for ‘convergence’ of data from discrete silos to be done.
If these are not expressly prohibited by law, they may be treated as being permitted.
The capital MoUs that the UIDAI has entered into with various agencies, including State Governments, banks and the LIC, have a clause by which the UIDAI suggests that these entities – as Registrars – collect information beyond that required for rolling out the UID number. This is not a clause that is within the authority of the UIDAI to provide. It is also a direct invitation to profile, and tag, every person enrolling for the UID.
The claims of the UIDAI that the UID number is not a means of ‘profiling’ and ‘converging’ information about people do not hold true in this context.
Clause 33: – Disclosure of information (a) by order of a competent court, and (b) when made in the ‘interests of national security in pursuance of a direction to that effect issued by an officer not below the rank of Joint Secretary or equivalent in the Central Government after obtaining approval of the Minister–in–charge’.
Comment: The documents, comments and statements and interviews issuing from the UIDAI and its personnel have consistently refused to address what it means to give officers of the state the use of the data held by the UIDAI in the CIDR in the name of national security. This clause is an admission that officers of the Central Government may access the information including identity information – by citing ‘national security’.
This is a matter beyond concerns of privacy. It is a provision that gives officers of the Central Government the power to
- tag
- track
- profile
- mount surveillance
- use, as they deem fit, information – including demographic and biometric information.
This will also directly feed into the National Intelligence Grid (NATGRID) that has been set up by the Home Ministry expressly to mount pervasive surveillance.
It is significant that the NATGRID gives information about people that is in 21 databases to eleven security agencies, including the RAW and IB, over which there is no superintendence or oversight. The UID number will allow the security agencies to expand their reach beyond the 21 databases through the process of ‘convergence’ from different ‘silos’ that the UID number will make easy.
If the UID number is only about delivery of services, rights and entitlements to the poor, then, like the Census Act, this Bill too should be prohibiting the use of the UID number, and the data held in the CIDR, for anything other than authentication. However, Clause 33 expands the use of the data held in the CIDR to various purposes beyond that for which it is being avowedly collected.
Significantly, Mr. Sam Pitroda, who seems to be tasked with implementing a Public Information Infrastructure project currently estimated to cost Rs. 27,000 crores, said in a recent interview: “The UID will tag every person, the GIS will tag every place, and the PII will tag every institution”. This has repercussions on the federal structures of government too, which have not been considered.
Chapter VI
OFFENCES AND PENALTIES
Clause 34: - Impersonation at the time of enrollment- including by providing ‘false demographic….or biometric information’.
Clause 35: - Impersonation by changing information.
Clause 36: – Unauthorisedly collecting identity information
Comment: None of these define what constitutes ‘impersonation’. The responsibility of the ‘Introducer’ for accuracy of information is not set out.
Clause 37: – Penalty for disclosing identity information
Clause 38: – Penalty for unauthorized access to CIDR
Comment: This clause sets out the many things that can result in identity loss. Yet, even as some penalty is provided to a person when caught, there is no remedy for a person whose identity is lost, stolen, altered or impersonated.
Clause 39: Penalty for tampering with CIDR
Clause 40: Penalty for manipulating biometric information
Clause 41: Offences by companies
Clause 43: Offence or contravention committed outside India
Comment: This clause acknowledges that the offences are capable of being committed beyond the territorial limits of the State.
The centralization of data, and holding it in a virtual space, means that hacking, stealing, destroying or tampering with data is not an improbability.
This is acknowledged, also, in the kinds of offences set out in this chapter.
Clause 44: - Offences to be investigated by police officer not below the rank of Inspector of Police
Clause 45: - No penalty under this law to prevent imposition of any other penalty or punishment under any other law
Clause 46: - Cognisance of offences - Cognisance only on complaint made by the authority or any officer or person authorised by it
Comment: - This clause gives the Authority the exclusive right to lodge complaints for prosecution, indicating that no individual can lodge a complaint even if there is a violation that affects them. For instance, if there is identity theft or wrongful handing over of information from the database, even the complaint against the Authority can only be lodged by the Authority. Unlike regulatory laws, such as labour laws, where an Inspectorate is created to monitor the working of an organization, in this Bill there is no autonomous, independent or external regulator.
Chapter VIII
MISCELLANEOUS
Clause 47(Omitted)- In the UIDAI’s draft Bill “exemption from wealth, income, profit, and gains taxes” was provided for. It is reported that when Cabinet cleared the Bill they did not endorse this Clause, and it was, consequently, dropped.
Clause 47(1): - Power of the Central Government to supersede authority
a. “On account of circumstances beyond the control of the Authority it is unable to discharge the functions or perform the duties imposed on it by or under the provisions of this Act”; or
b. The Authority has “persistently defaulted in complying with any direction given by the Central Government under this Act” or “in discharge of the functions or performance of the duties imposed on it” or for financial difficulties, or
c. If circumstances exist which render it necessary in the public interest so to do.
d. This may be for a period of six months at a time, and, before superseding the Authority, the Authority shall be given a reasonable opportunity to make a representation against the proposed supersession.
Comment: Consequences of default, being unable to discharge the functions or circumstances that may require that, in the public interest, the Authority should be superseded are too serious to be left open-ended. With these possible scenarios being acknowledged in the Bill, the project itself is brought into question.
Clause 48: – Members, officers etc. to be public servants.
Comment: – This will provide them the extraordinary protections that are currently in place with respect to prosecution, sanction and good faith. This will add one more obstacle to persons seeking to protect their identity and information from misuse, abuse or unauthorized use and against breaches of privacy.
Clause 49: – Power to Central Government to issue directions and the Authority to be bound by such directions. Provided that the Authority shall, as far as practicable, be given an opportunity to express its views before any direction is given.
Clause 50: - Authority has the power to “delegate to any member, officers of authority, or any other person” all powers except the power to make Regulations.
Comment: Given the sensitivity of the information held and the various issues that have been raised but not resolved, this broad power to delegate is extraordinary.
Clause 51: – Protection of action taken in good faith
Comment: This protects the Central Government or the Authority or the Chairperson or any member or any officer or other employees of the Authority from nearly any action taken, unless clear ill-intent can be demonstrated, which, as is known, is a very high threshold.
Clause 52: Rule making powers of the Central Government
Comment: This is essentially about formats in which the authority is to take oath and give the information mandated.
Clause 53: – Power of Authority to make regulations. This includes matters concerning biometric information, demographic information, procedure for authentication, and CIDR, “the manner of updating biometric information and demographic information”.
Comment: The project document does not account for the scale of population, and periods of time, over which biometric information may need to be updated.
Clause 53(2)(n): – The usage and applicability of the Aadhaar number for delivery of various benefits and services under clause (h) of subsection (2) of section 23.
Comment: The UIDAI has been saying that it will merely produce the UID number and it is for the various agencies to decide how to use it. In the Bill, however, they are retaining the power to make regulations in this regard. It is also significant that the ‘rights, entitlements and services’ are not set out in the law but are left to the agencies of the government and of private entities.
Clause 54: – Rules and Regulations to be placed before Parliament
Clause 55: – The provision of this Act shall be in addition to and not in derogation of any other law for the time being in force.
Clause 56: – The Power of the Central Government to “remove difficulties” in giving effect to the provisions of the Act.
Comment: - The link between the Right to Information Act 2005 and the present Bill is not clear. RTI activists have questioned the Bill in that it seems to take the power away from the CIC in determining the kinds of information that may be withheld and that which will have to be given to an applicant seeking information. A Privacy Law is still under consideration, and that too will have its effect on this law.
Clause 57: – Savings
Comment: Anything done under the notification that set up the UIDAI “shall be deemed to have been done or taken under the corresponding provision of this Act”. This especially necessitates the cross-checking of various things done by the UIDAI especially since it may have serious consequences in connection with identification of persons, who the information is handed over to, with whom contracts have been entered, the state of pilot studies, the non-existence of a privacy law, the relationship with NATGRID and the possible connection with the Draft DNA Profiling Identity Bill, 2007.
“No empirical study is available to estimate the accuracy achievable for fingerprint under Indian conditions” (Page 44) and “…it is strongly recommended that carefully designed experiments and proper statistical analysis under pilot should be carried out, to formally predict the accuracy of biometric systems for Indian rural and urban environments” (Page 52), Biometrics Standards Committee Report. “Subsequently, a pilot study was done, and 250,000 fingerprints were collected and analysed. The committee’s conclusion: “There is good evidence to suggest that fingerprint data from rural India may be as good as elsewhere when proper operational procedures are followed and good quality devices are used ... (but) the quality drops precipitously if attention is not given to operational processes […] In the pilot study, 2-5% of subjects were found to not have any biometric data. “Missing biometrics is a license to commit fraud,” the study notes”, Missing biometrics create unique problems for UID project (ET, July 17, 2010).