"All that is necessary for the triumph of evil is for good men to do nothing".
Edmund Burke
"Among a people generally corrupt liberty cannot long exist".
Edmund Burke
“In matters of conscience, the law of the majority has no place.”
Mahatma Gandhi

"Democracy was the greatest gift of our freedom struggle to the people of India. Independence made the nation free. Democracy made our people free. A free people are a people who are governed by their will and ruled with their consent. A free people are a people who participate in decisions affecting their lives and their destinies".
Rajiv Gandhi
Hi-tech without Panchayati Raj is just a bogus stunt for geeks and nerds."
Mani Shankar Aiyar, Congress leader

Wednesday, December 1, 2010

USHA RAMANATHAN



Sunday, January 16, 2011

The Myth of the Technology Fix

Usha Ramanathan

The myth of the technological fix is currently in the making. Corruption, inefficiency and ‘leakages’ are persuasive reasons for replacing the human element with technology.
In a milieu where there are many users of technology but remarkably few who understand it, or its consequences, or its application, technology is easily perceived as value-neutral and not sharing the traits and faculties of the human, social condition.
The depths to which public morality has sunk evokes desperation, which seeks answers somewhere other than where the problem now abides, viz. the human person. Technology and the machine can, in the land of desperate optimism, seem relatively incorruptible. The potential intrusiveness of technology is shielded by the extent to which the temptations of technology have upended ideas of privacy, confidentiality, personal security and fraud. This seems to have prepared the ground for the technology fix.
First, there was the UID
In January 2009, the UIDAI was set up within the Planning Commission by an executive order. In July 2009, Nandan Nilekani was handpicked by the Prime Minister to head the UIDAI. Since then, the promotional literature on the UID has kept close to the section titled ‘Getting rid of our phantoms: Single Citizen ID’ in the chapter on ‘ICT in India’ in Nandan Nilekani’s ‘Imagining India’ (2008). The pitch is that there are many people in India who have no identity and who, therefore, are not known to the state. Once they can demonstrate to the state that they exist – and the UID will do it for them – that will be one step towards reaching services and entitlements which the state provides to its poor. The project has been in the popular imagination as being about the poor, with the convenience of a KYC (Know Your Customer) facility that will help those with multiple identity documents not having to prove, time after time, that they are who they say they are – the UID will do it for them. All they need to do is enrol, and, to do that, they have to give simple and basic information to the enrolling agency, which will pass it on to the UIDAI, which will get it ‘de-duplicated’ (that is, make sure that they have not already been given a number; the biometrics are to help achieve de-duplication through the use of fingerprints and the iris metrics) and allot each individual a unique 12 digit number. Enrolment is voluntary. And, with this, the myths begin to take shape.
The myth of voluntariness is exploded even as it is stated. For, as the project document acknowledges, the compulsion will not come from the UIDAI; but other agencies may demand that a person must have a UID number to be provided a service. Banks, for instance, may make UID a prerequisite to opening, or maintaining, accounts. Or to get onto the NREGA muster roll. Or to be entitled to a BPL card. And so on. Voluntarism is not a norm that is compatible with the unrelenting ambition of the UID to have universal enrolment. The ‘document’ on ‘UID and Public Health’ reads: “We surmise that the starting point (for providing a UID to every Indian Citizen) would be to aggregate records for various population databases such as the census, the PDS System, voter identity systems etc., while dealing with the challenges of duplication. Existing databases would probably still leave a large percentage of the population uncovered. Therefore every citizen must have a strong incentive or a ‘killer application’ to go and get herself a UID, which one could think of as a demand side pull. The demand pull for this needs to be created de novo or fostered on existing platforms by the respective ministries.” So, “the launch of the RSBY (Rashtriya Swasthya Bima Yojana) by the Ministry of Labour is a great example of a killer app waiting for a platform .... partnering with the scheme will (1) provide an additional and fresh, unlikely to be duplicated, source of registration for the UID.”[1]

It is this aspect of the UIDAI, where the project piggybacks on the schemes and services of the government that propelled over 100 activists to issue a public statement asking the UID not to ride on the fragile NREGA system to achieve its enrolment targets.[2]
The myth of entitlements
The UID, it is being said, will provide the poor with an identity, and that will take them closer to that to which they are entitled. However, this is immediately followed up with a disclaimer: that the UID does not guarantee  services and entitlements. That the driving force is not delivery of services but enrolment is in evidence, for instance, in the UID document on ‘UID and PDS’:  “To support enrolment into the UID database, the central government will mandate that the UID numbers of each family member should be recorded in the ration card..” And, linking it up with the PDS will improve UID coverage -- “If the UID enrolment is integrated into the process of the creation of a beneficiary database for PDS, the coverage for UID improves significantly” – and aid data updating – “Ration cards are a persistent source of citizen transactions with a monthly frequency. If there is a change in the family structure, or the family moves, the ration card is sure to be updated. At this time, the data can also be updated to the UID database”.[3]  And, again: “The legislative support in form of the need for submitting the UID number for several transactions will push residents to acquire a UID.” Those working on food security such as Jean Dreze and Ramakumar[4] have explained that, the problem having been inaccurately identified, the UID as an answer was, in effect, a misrepresentation.
“The real game plan for social policy,” writes Jean Dreze “seems to be a massive transition to ‘conditional cash transfers’ ... If the backroom boys have their way, India’s public services as we know them will soon be history, and every citizen will just have a smart card – food stamps, health insurance, school vouchers...”[5],  a move that will reductively recast the role of the state in the contexts of malnourishment, unemployability, access to education and services in the social sector. There are indications even within the PDS and UID document, in the language of ‘direct cash transfer programs’ and ‘food stamps’.
There is the myth that this will be inclusive. Yet, even the keenness to enrol as quickly and as many people as possible has not produced a method by which enrolment will be simple, painless and precise. There are two ways in which a person gets enrolled: the documentary route, and through an ‘introducer’. There is a third way, through the “National Population Register” process of public scrutiny, but that is still in the future. Those who possess identity documents which are accepted by the enrolling agency as sufficient and accurate may use a document as the primary identifier for enrolment. Those who do not possess such a document, or where the enrolling agency is unwilling to rely on its authenticity or accuracy, will need an Introducer. An Introducer can only be a person who has got a UID number on the basis of an identifying document. “Essentially”, the Vittal Committee report says, “this idea has been borrowed from the account opening procedure in the banks ... In effect, there will be several approved ‘introducers’ who can help residents without supporting documents to enrol for a UID. Having multiple introducers within and outside government agencies should provide a needy resident access to people who can assert their identity while minimising harassment.”[6] The UIDAI has busied itself with signing on NGOs to introduce the excluded into the system. They are expected to ensure that the information that is fed into the system is accurate. Yet, how many will know the unidentified well enough to even know each person’s name? And what does the ‘address’ of the homeless person mean? And how are the vagaries of pronunciation and spelling to be met? How much do the poor have to remember to be authenticated as being the person they say they are? If the biometric does not match the name or address as spelt out, what is to happen to the individual? None of this has been addressed, anywhere, except in the Vittal report where they have said that the responsibility of the introducer needs to be engrafted into law. The National Identification Authority of India Bill 2010 does not acknowledge the ‘introducer’; so they continue without any certainty of how they may be held answerable for errors and omissions. Those for whom no one is willing to take responsibility will, of course, stay out of the system altogether.
There is the myth that biometrics are a sure-fire way of pinning identity. This is entirely unproven. In September this year, it was reported that there was a report jointly-commissioned by the CIA, the US Department of Homeland Security and the Defence Advanced Research Projects Agency, and carried out by the National Research Council in the US. It has concluded that the current state of biometrics is “inherently fallible”. While the technology may work in a small scale, it will cause major problems if utilised in a wide scale, it reportedly argued. In the current state of biometrics, the results are probabilistic; and the technology assumes that the parameters are static, which they are not[7]. On July 17, the Economic Times reported that the UID project had run into trouble because “scores of people that Aadhaar project will help the most do not have the sharp curving lines on their fingers as depicted in its logo. Millions of Indians working in agriculture, construction workers and other manual labourers have worn-out fingers due to a lifetime of hard labour, resulting in what is euphemistically referred to in technical literature as ‘low-quality’ fingerprints. This is precisely the demographic that UID aims to help – those that are outside government records and welfare schemes.” 
Yet, a ‘proof of concept’ study, limited to enrolment (and not authentication) of a number in the thousands, excluding persons whose biometrics could be more complex such as workers in tea gardens, has given a thumbs up to biometrics.[8] The UIDAI Biometrics Committee had cautioned that two factors raised uncertainty: the scaling of database from 50 million (which is the largest number of persons on a biometric database so far) to one billion plus that has not been adequately analysed; and the fingerprint quality, the most important variable for determining accuracy, has not been studied in depth in the Indian context.[9] The influence of demographics – rural, urban, manual work, work in water – and environmental conditions – hot, cold, clammy, air-conditioned or otherwise is not clear as yet. What seems certain is that malnourishment-induced cataract blight millions, and corneal injury is uncounted in occurrence, which makes the iris an unworkable measure. The work of millions causes callused hands, and imperfect fingerprints. Yet, myth-making allows biometrics to be certain and sure.
There is a myth that the UIDAI will collect a very limited data set which will not allow profiling. The UIDAI will not engage in ‘convergence’ of data by breaching, or bridging, discrete silos in which information is held. When questions are raised about the UID number’s potential in surveillance, tracking, profiling, tapping and convergence – which makes privacy a redundant concept – the response so far has been that the UID will be doing none of this. That the information held will be limited. That the only information that will flow out of the UIDAI will be a ‘yes’ or a ‘no’ to a request for authentication.
The mythical nature of these claims has already begun to be evident, and what will be is beginning to appear. For a start, the UIDAI had limited the information it was to gather to name, address, names and UID numbers of father, mother, guardian, gender, date of birth and biometrics. This was in the phase when the idea was being sold. The form being administered, however, has a ‘Part B’: Additional Information”. This includes the ‘phone number/mobile number’ and ‘email’ which are parenthetically indicated to be ‘optional’. However, Reetika Khera, watching the enrolment process in Jharkhand, saw no signs that a choice of giving the information or not was being offered.[10] There is a ‘Part C –Financial Information’ where a person may tick a box to declare “I want to link my existing bank account to Aadhaar and I have no. this issue (sic)’, followed by ‘Bank name and branch’ and ‘A/C number’.
In the ‘office copy’ of the ‘consent for enrolment form’, an asterisk reads: “I confirm that information (including biometrics) provided by me to the UIDAI and the information contained therein is my own and is true, correct and accurate. I have no objection to the UIDAI sharing information provided by me to the UIDAI with agencies engaged in delivery of welfare services including financial services.”[11] The Department of Information Technology speaks of the UID project as the “National Citizen Database” which “envisages provision of linking of existing databases, as well as providing for future additions, by user agencies.”
The approach paper on privacy that was prepared for the Department of Personnel and Training as a prelude to a law on the subject says: “Data privacy and the need to protect personal information is almost never a concern when data is stored in a decentralised manner... However, all of this is likely to change with the implementation of the UID project. One of the inevitable consequences of the UID project will be that the UID number will unify multiple databases. As more and more agencies of the government sign on to the UID project, the UID number will become the common thread that links all those databases together. Over time, private enterprises could also adopt the UID number as an identifier for the purposes of the delivery of their services or even for enrolment as a customer. Once this happens, the separation of data that currently exists between multiple databases will vanish.”[12] Despite these direct connections being made between the UIDAI, convergence of data and concerns of privacy, the potential invasiveness of the UID is, simply, denied.
There is the myth of data security. The many places through which the data travels before it rests in the Central Identities Data Repository (CIDR) – the enrollers, the Registrars, the UIDAI, the de-duplicating agency; the many places where fingerprints and the UID number will be left to be used; and the incongruence betweens electronically held data and secrecy make data security improbable, at best. The idea that the data of a whole populace be gathered and held in a ‘repository’ is not comforting. If corruption and abuse of power are problems that the UID is intended to overcome, how is one to view the role that these characteristics may have in data security? There are, of course, no answers other than this: that the technologists know what they are doing, and we should trust their competence and knowledge.
Even the idea that the UID is a state project is emerging as a myth. The project has been without the authority of law since its inception. It continues to run without a feasibility report or estimate of how much it may cost – estimates vary from Rs. 45000 crore to Rs. 1.5 lakh crore, and the UIDAI has not said a word either way. It is peopled by staunch allies of Mr. Nandan Nilekani, with whom he has a history of working together. On its technical staff are those who have joined, been lent, are on sabbatical, or are volunteering from the technology industry. The actual work of capturing the data, de-duplicating and allocating numbers is outsourced; the UIDAI has made contractual arrangements, and entered into MoUs that take care of that.
State governments and ministries and departments are linked to the UIDAI through MoUs. The Ministry of Human Resources and Development, for instance, signed an MoU with UIDAI on 27 October, 2010. A Press Information Bureau release speaks of the HRD Ministry ‘cooperating and collaborating’ with the UIDAI in, among other things, “putting in place an institutional mechanism to effectively oversee and monitor the implementation of the UID project and provide logistic and liaison support to the staff and representatives of UIDAI.”[13] The Government of India set up the UIDAI and it is funding the project, but control and normative boundaries are remarkably fuzzy.
The myth of corporate innocence
This becomes significant when in the context of questions raised about the companies that have passed the pre-qualification. Accenture is a company that has been working closely with the US Department of Homeland Security on a Smart Borders Project.[14] A report on the web dated May 7, 2007 speaks of L-1 Identity Solutions being the “company with the closest ties to the CIA” and being “the nation’s biggest player in biometric identification”. L-1 Identity Solutions, according to this report, assists the Pentagon, US Intelligence, the State Department, and the Department of Homeland Security. It had George Tenet, the ex-chief of the CIA on its Board until 2007.[15] The National Corruption Index, which analyses and assesses corruption, cites the company in its 2008 records. What due diligence could have passed these two companies and given them a role in de-duplication and allotment of UID numbers?
 The National Population Register
The National Identification Authority of India Bill, 2010 (NIAI Bill) has been piloted into the Rajya Sabha by the Prime Minister, but the bill is in his name, and without reference to the capacity in which he is introducing it in Parliament. There are connections between the UID and other processes that are underway about which little is known. We now know that the National Population Register is being constructed primarily to feed into the UID enrolment process; that it is being built up along with the census exercise but lacks the strict terms of confidentiality that are in the Census Act; and, that it is being conducted under the Citizenship Rules of 2003. But we have heard only a little about the Public Information Infrastructure (PII) which has Sam Pitroda in charge of it.
Public Information Infrastructure
In a promo on YouTube, Mr. Pitroda explains that the starting point is a nationwide network of fibre-optics and wireless systems.[16] This is how he says it: “For government PII, it is very important to first identify all beneficiaries, essentially people. So one task is to tag people. We also at the same time need to identify all our physical assets all over the country, like primary schools, railways stations, hospitals. Then we also need to tag all our programmes ... Once you tag people, places and programmes, then it is easier to organise information for public services. Hopefully, with new focus on PII, where we could essentially tag people, tag places, tag programmes, we will be able to restructure delivery systems to get lot better productivity, efficiency, reduced cost.” Hopefully. And, as he said elsewhere, the UID will tag people, the GIS will tag places, and the PII will tag programmes.[17]
There is a further link to the UIP project: institutions are to be given UID numbers, too.
NATGRID
Then, there is Mr. Chidambaram’s NATGRID, where 21 databases will feed information to eleven security and intelligence agencies including RAW and IB; which, as we know, are accountable no one, are beyond parliamentary oversight, and outside the RTI. Its chief, Captain Raghu Raman, authored a report entitled ‘A Nation of Numb People’ in his earlier incarnation as the CEO of Mahindra Special Services Group. “Let’s face it”, he said, “security forces are stretched. With four belligerent and two troubled neighbours (and internal aid to civil authorities thrown in) the defence forces don’t have any bandwidth to spare. Jammu and Kashmir, Naxalite problems, and the North-East keep paramilitary forces occupied. Internal security is falling apart and the bureaucracy and government know this”. So, “it’s time for the corporates to step in.” As part of the prescription, “enterprises would need to raise their own protection units... Think of it,” he says “as a private territorial army.” And the write-up acquires a rhythmic cadence: “15 years ago the enemy was in the distant Kashmir and North-East. Five years ago, the enemy was at the gates hitting cities from outside. Now the enemy is inside the gates. If the commercial czars don’t begin protecting their empires now, they may find the lines of control cutting across those very empires.”[18]
It may not have invited serious attention, except that this is now the NATGRID’s chief who has spoken.

Corporate insecurities, and the desire to control a population that is too vast and complex, has produced reports such as FICCI’s 2008 December report on National Security and Terrorism, and ASSOCHAM’s 2010 report on Homeland Security in India, which opens with invoking the NATGRID and the UID as tracking devices. The state is supporting, funding and partnering in these enterprises, and acting, when it can do so in the silence of secrecy. Technology seems to be a shield that lulls people into acquiescence, and allows incomprehension to lead us to unquestioning acceptance. The myth of the technology fix is asking to be challenged.
A version of this paper was published in Seminar, January 2011, pages 110-114



[1] uidai.gov.in/UID_PDF/Working_Papers/UIDandPublicHealth.pdf
[2] http://timesofindia.indiatimes.com/india/Govt-urged-not-to-link-UID-NREGA/articleshow/7026090.cms
[3]uidai.gov.in/UID_PDF/Working_Papers/UIDandPDS.pdf
[4] http://www.hinduonnet.com/fline/fl2616/stories/20090814261604900.htm
[5] Jean Dreze, Unique Facility or Recipe for Trouble, The Hindu, 2010/11/25, (http://www.hindu.com/2010/11/25/stories/2010112563151300.htm).
[6] http://uidai.gov.in/UID_PDF/Committees/UID_DDSVP_Committee_Report_v1.0.pdf, p.16
[7] http://homelandsecuritynewswire.com/report-biometric-id-technologies-inherently-fallible.
[8] http://uidai.gov.in/images/FrontPageUpdates/uid_enrolment_poc_report.pdf
[9] http://uidai.gov.in/UID_PDF/Committees/Biometrics_Standards_Committee_report.pdf
[10] Personal communication, dated 19 December 2010.
[11] This is the one clause in the form only in English.
[12] http://persmin.gov.in/WriteReadData/RTI/aproach_paper.pdf.

[13] pib.nic.in/release/release.asp?relid=66615.
[14] http://newsroom.accenture.com/article_display.cfm?article_id=4112
[15] http://www.informationclearinghouse.info/article17664.htm.
[16] http://www.youtube.com/watch?v=Ktn3oqY6NVE
[17] http://www.hindustantimes.com/Play-it-again-Sam/Article1-611033.aspx
[18] http://www.mahindrassg.com/A_nation_of_numb_people.pdf


__________________________________________

Saturday, December 11, 2010

937 - NIAI Bill Critique by Usha Ramanathan

Aadhaar Article No 937 

Comments on ‘The National Identification Authority of India Bill 2010’


Long Title:
‘Manner of authentication of such individuals to facilitate access to benefits and services to such individuals to which they are entitled’
Comment:
(1) This Bill does not deal with benefits and services. The Strategic Overview of the Unique Identification (UID) Number/Aadhaar project specifies that the Unique Identification Authority of India (UIDAI) is not concerned with rights and entitlements.
(2) This Bill does not acknowledge entitlements, benefits or services

CHAPTER I
PRELIMINARY

Clause 1(2): Extraterritoriality
Comment: It anticipates the possibility of an offence or contravention committed under this Act ‘outside India by any person’. The nature of the technology is such that anyone, anywhere, may hack into, steal, or tamper with the Central Identities Data Repository (CIDR), the database of UID Numbers. The Wikileaks experience shows that electronic data can never be adequately secured against leaks and invasions.

Clause 2(c): Deals with ‘authentication’
Comment: The essential tests required to establish that authentication through fingerprints can effectively be done over a population of 1.2 billion have not, even hypothetically, been done. The iris scan is being used for purposes of enrollment – that is, to put people on the Database of UID Numbers. But authentication is to be done by using only fingerprints. Many problems have been identified in relation to fingerprints – including callused hands, the ineffectiveness of fingerprints of persons in manual or hard labour. The problem has been acknowledged by the UIDAI[1] [2]; however no solutions to this problem have been mooted so far. In relation to the Indian population, iris scans too have been found to be unreliable, especially in conditions of manual labour and malnourishment.

Clause 2(e): ‘Biometric information’ means a set of such biological attributes of an individual as may be specified by regulation.
Comment: – This leaves it to the Authority to expand the attributes that may have to be given during enrollment or at a later date, as they may decide. That is, while currently photographs, fingerprints and iris scans are the biometric attributes being collected, this could be expanded to include any other metrics, including DNA fingerprinting. This is not a statement without basis. In July 2010, when the Economic Times reported that there could be a problem of millions of people in the country whose fingerprints may not work because of the kind of work in which they are engaged, and iris scans may not work because of cataracts related to malnourishment or corneal scars that are common among the working population, it was reported that the Director General of the Council for Scientific and Industrial Research suggested DNA fingerprinting[3] as a possibility.
It is also significant that the Department of Biotechnology in the Ministry of Science & Technology has a draft DNA Bank Bill of 2007[4], which is accessible online.

Clause 2(f): – Central Identities Data Repository (CIDR): This is a centralized data base which is to be in one or more locations containing all UID (Aadhaar) numbers and the
demographic, and
biometric information
and other information related thereto.
Comment: - The dangers of a centralized data base of a whole population need hardly be stressed.
It says it will be held in ‘one or more locations’. It is significant that the information may be managed by a public or private agency.
This is not a project that is managed, held, run, controlled by the government, but is already being spread out among various private entities.
There is a vague catch-all phrase at the end of the clause ‘and other information related thereto’. It is not clear what this means except that it may help expand the information held in the database.

Clause 2(h): – ‘Demographic Information’ currently includes name, age, gender and address of an individual. It specifically is not to include information relating to race, religion, caste, tribe, ethnicity, language, income or health.
Comment: - These can be altered by amending the law.
Nothing in the law prevents other agencies from gathering the data that the UIDAI will not gather[5]. So, for instance, the National Population Register may gather information about caste. Under the MoU with the UIDAI, the UID number would be handed over to the agency acting as a registrar for the UIDAI. So, although the UIDAI may not itself gather that information, it facilitates the linking up of the data that is with the various Registrars with the help of the UID number, thereby facilitating profiling of people. To prevent the profiling which Clause 2 (h) anticipates, it would be necessary for the law to protect against the linking up of the UID number with any database that has information beyond that, which is in the protocol of information referred to in Clause 2 (h). In fact, the documents on the UID website suggest that one means of achieving enrolment is by loading the number by making its use compulsory in many applications: for example, the PDS, NREGA and public health institutions.
Already the expansion of the use of this process is visible in current proposals in the state of Odisha, where 12 additional categories of information[6] are required to be provided by every person enrolling for a UID. The consequences of such profiling have not been discussed, and many questions have been raised but remain unanswered.

Clause 2(i) and (j): – ‘Enrolling agency’ and ‘Enrollment’: These shall be as appointed by the Authority or by the Registrars to collect demographic and biometric information.

Clause 2(o): – ‘Registrar’ – as ‘authorized’ or ‘recognized’ by the ‘Authority’
Comment: - There are no prescribed criteria for who may act as an enrollment agency and who may be involved in the process of enrollment. This is true in relation to ‘Registrars’ too. This becomes significant especially because the information collected for the UIDAI, and other information, can be held by the enrolling agency and Registrar, and what they may do with it is not in the control of the person whose information is so collected.
The power given to the Authority to determine the extent and use of private entities is unchecked in this Bill. Later in the Bill, the nature of the Authority reveals the power that will be wielded by the Chairperson of the Authority who will be the only full time functionary of the Authority assisted by two part time members.

Clause 2(k): ‘Identity Information’ means biometric, demographic information and UID (Aadhaar) number.
Comment: - It is important to note that the potential to combine information (convergence) which is made possible by the existence of the UID number is not prohibited by this law. So, when the UID number is used to pull information together from different silos, or when an enrolling agency or Registrar gathers additional information which helps profile the person, this is not prohibited by this law.
The DOPT’s background paper on a law of privacy starts with acknowledging that, although the issue of privacy has grown generally, the UID and the convergence of information that it facilitates creates the most immediate and urgent need for a Privacy law. Yet, this law is sought to be tabled before the Privacy law is anywhere near ready.

Chapter II
AADHAAR NUMBERS

Clause 3(1): - ‘Every resident shall be entitled’ to obtain a UID number upon giving demographic and biometric information
Comment: - Throughout, the project has been promoted as being ‘voluntary’ – yet, Mr. Nilekani has consistently maintained that other agencies may make it compulsory. If this happens, it could actually lead to exclusion of those who do not have a number, or have forgotten it, or whose biometrics do not work.
The law must be clear that it is voluntary, and that no one can be denied any right, entitlement, service etc if they do not have a UID (Aadhaar) number.

Clause 4(3): - An Aadhaar number shall, ‘subject to authentication’, be accepted as proof of identity
Comment: - If biometric information does not work that raises the possibility for exclusion.
This is linked with the problem of ‘loss of identity’ vis-à-vis the state, if this technology is going to be the primary, essential, identifier.
There has to be a clause that this does not dislodge other forms of ID. There must also be safeguards against allowing a lack of an Aadhaar number (in case of operational failures) to lead to exclusion since it is unproven technology (and there are questions that have arisen already[7]), and providing that it is to be voluntary.
 This, therefore, may be one among many identifiers and cannot be conclusive. It can, at best, be facilitative.

Clause 5(1): - ‘Payment of fee’ for authentication
Comment:
a.     Nothing in the Bill explains what parameters the payment of fees should be within. That is, what are the criteria that should determine whether fees should be charged or not, and how much they should be.
b.     How much they should be becomes important, especially since the UIDAI expects to make profits, when at the same time it is supposed to be helping the poor.
c.     There is also no mention of who will bear the other costs of authentication, which are currently not being addressed and so are externalized. For example, the project has made a big pitch for dependence on the mobile phone, for connectivity as also for capacity to transmit fingerprints in good enough condition to be authenticated.
d.     There is no talk of an alternative where, as one pilot study already indicates, there can be no dependence on fingerprints.
e.     So there is the business of who pays for the mobile phone? And who pays for the transmission charge of the fingerprint? The poor cannot keep pace with constantly changing technologies because of profit-margin incentives for mobile phone companies. The project is premised, in the first instance, on everyone having a mobile phone, or having access to one, and the instrument being in a condition that can record and transmit fingerprints in condition sufficient for authentication.
f.      The process of Authentication has not been studied yet.

Clause 5(2): - The Authority shall respond to an authentication query with a yes or no ‘or with any other appropriate response’ excluding any demographic information and biometric information.
Comment: - This widens the responses the Authority may give, and is in contradiction of what the UIDAI has been saying all along while marketing the idea – that the only answers obtainable from the database will be ‘yes’ or ‘no’ and none other.

Clause 6: - Aadhaar not evidence of citizenship
Comment: - The National Population Register (NPR) is doing this exercise. And the UIDAI has agreed to pass back the UID numbers to NPR. So, it has already agreed to do indirectly what it says it will not do directly.
It is important to recognize that the creation of the scheme of UID (Aadhaar) is not isolated. In the context of citizenship, it is directly connected with the NPR including by giving numbers back to the NPR. It is a collaborative exercise.
This is why the scheme is being criticized as being between a half–truth and a complete lie. Those who do not make it to getting a UID number or whose biometrics do not work would be threatened with not being recognised as citizens.

Clause 7: - The Authority may engage ‘one or more entities’ to establish and maintain the Central Identities Data Repository and ‘to perform any other functions as may be specified by regulations’.
Comment: - Unlike the Election Commission, for instance, the Authority is only acting as an outsourcing agency. So, information is going to be handled, maintained, managed, updated, protected by other ‘entities’.
Currently, we know, for instance, that it is a range of technology companies that are being brought in to do the ‘de-duplication’. Accenture, L-1 Identity Solutions, TCS, Google, Yahoo and Microsoft have all indicated their interest. It is evident that this is a corporate project and not a state project that concerns democracy and the country’s population. L-1 Identity Solutions, for instance, is well-known for its links with the CIA, which is its most-favored client. Many of its employees are drawn from retired personnel in the US Intelligence establishment. Accenture again is on a Smart Borders project with US Homeland Security.
The MoUs and contracts have to be scrutinized to see if Parliament would actually endorse them. There are many issues, including violation of rights including that of privacy and security that are involved in the agreements/MoUs.

Clause 8: – Onus on “Aadhaar number holders” to “update their demographic information and biometric information”.
Comment: - Apart from the onus, what is meant by ‘updating biometric information”? Is it that biometric information is expected to change? If so, does this biometric capture have to be done at regular intervals? How often?
Is it also about new biometric information that may become mandated if a person is to have an Aadhaar number? There is simply no information and certainly no clarity about this. But this much is clear; it is not going to be a one-time exercise.

Clause 9: - The Authority may not, till the law is changed, gather data about the ‘prohibited’ list of information, including ‘income’ and ‘health’.
Comment: - But other agencies, acting as registrars/ enrollers may do so. [See NPR, SGs including Orissa, MoUs with banks, LIC]. In fact the MoUs specifically encourage Registrars to gather additional information while capturing data for the UID. This is a dubious role that the UIDAI is playing which requires investigation. This is exacerbated by the agreement to give their UID number to the Registrar after de-duplication.
This is a provision that will deliberately deceive especially those who believe that the UID is harmless because it captures a limited range of information, when we consider that the UIDAI has in its own MoUs with Registrars, been encouraging them to increase the basket of information.

Clause 10: - Special measures to issue Aadhaar number to ‘women, children, senior citizens, persons with disability, migrant unskilled and unorganised workers, nomadic tribes or to such other persons who do not have any permanent dwelling house and such other categories of individuals as may be specified by regulations.”
Comment:
 a) This sounds good, but the procedure is inherently flawed.  Those without documents will have to depend on an NGO to act as “Introducers”. Without the NGO/Introducer, the poor would be excluded. Apart from what this does to those who do not find empathetic NGOs (and the NGO needs to know them), it is also not clear what is the responsibility of the Introducer – it has not been given in the Bill, or anywhere else.
b) Interestingly, although the Bill does not refer to the Introducer system, the protocol of ‘information held by the UIDAI includes the name and number of the Introducer’. And, as said earlier, the responsibility of the ‘Introducer’ has not been spelt out.

CHAPTER III
NATIONAL IDENTIFICATION AUTHORITY OF INDIA

Clause 12: - The “Authority shall consist of a Chairperson and two part time Members to be appointed by the Central Government”
Comment: - The casualness of the appointment process is only one startling feature. 
a)     The Authority will, in sum total, be just one person with two part time people. What is the role envisaged for the Authority?
b)     What kind of monitoring and oversight and protection can they guarantee?

Clause 13: - The Chairperson and Members of the Authority shall be persons of ability, integrity and outstanding caliber having experience and knowledge in the matters relating to” technology, governance, law, development, economics, finance, management, public affairs or administration”.
Comment - What does this indicate? That it does not matter who is appointed? There is a wide opening in this provision for corporate control of the project. The Civil Services have been sidelined to merely the performance of day-to-day work on the project [See Clause 20]. This is a vague provision and allows for too much latitude with the appointing authority.

Clause 14: - The Chairperson and the Members appointed under this Act “shall hold office for a term of three years from the date on which they assume office and shall be eligible for re-appointment: Provided that no person shall hold office as a Chairperson or Member after he has attained the age of sixty-five years”
Comment:
a)     The provision says that Mr. Nandan Nilekani may stay on ‘for the term for which he had been appointed”.  What is that term?
b)     Wherever we read ‘Chairperson and Members’ it is important to remember that is the Chairperson and two part time Members! And since they are only part time, only the  Chairperson shall not hold any other office – the part time Members, of course, may, and in fact, by having them as part time, they  will or are expected so to do (Clause 14(4)].

Clause 15(1): - The Central Government may remove from office the Chairperson, or a Member, who—
(a)  is, or at any time has been adjudged as insolvent;
(b) has become physically or mentally incapable of acting as the Chairperson or, as the case may be, a Member;
(c) has been convicted of an offence which, in the opinion of the Central Government, involves moral turpitude;
(d) has acquired such financial or other interest as is likely to affect prejudicially his functions as the Chairperson or, as the case may be, a Member; or
(e) has, in the opinion of the Central Government, so abused his position as to render his continuance in office detrimental to the public interest.
Comment: - There is no insulation from the ‘Central Government’. This is about subjective satisfaction of the Central Government. And, the Central Government can decide whether or not to act on it.

Clause 16: - Restrictions on Chairperson and Members on employment with or on behalf of, or in advisory capacity, or on board of any associated organization with work under the Act-but this can be waived by “previous approval of the central government”. 
Comment: - Given the corporate interest in the project, these restrictions are too weak; this weakness is not being sufficiently addressed in the Bill.
The UIDAI has, on its staff, people who are on ‘sabbatical’ and volunteering during leaves from various corporates (amongst others), and these are part of the technical coterie. Such persons are outside the purview of this Bill.

Clause 17: - Functions of Chairperson.
Comment: - All power is vested in with one person, which is the Chairperson.

Clause 18(2): The Chairperson, or, if for any reason, he is unable to attend a meeting of the Authority, the “senior most Member” shall preside over the meetings of the Authority.
Comment: - This clause does not reflect the extremely restricted composition of the Authority. For instance, all matters to be considered at a meeting of the Authority are to be decided by majority of votes of the Members present and voting and ‘in the event of equality of votes, the Chairperson, or in his absence, the Member presiding over shall have the second or casting vote’.

Clause 18(5): About direct or indirect pecuniary matters coming up before the Authority, the Member is to disclose ‘interest’ and is only not to take part in the proceedings.
Comment:- This is in contrast with the prohibition on taking up employment after ceasing association with UIDAI (Clause 16).

Clause 19: - No act or proceeding of the Authority shall be invalid merely by reason of—
(a) any vacancy in, or any defect in the constitution of, the Authority;
(b) any defect in the appointment of a person as a Member of the Authority; or
(c) any irregularity in the procedure of the Authority not affecting the merits of the case.
Comment: - So, interests of the Chairperson or Member cannot be kept away and their presence does not invalidate any procedure adopted. There are two factors that make this especially significant:
a.     The power of the Authority to give contracts, and
b.     That the UIDAI depends entirely on outsourcing.

Clause 20(1): - Chief Executive Officer of the Authority, to be not below the rank of the Additional Secretary to the Government of India, and who shall be Member-Secretary of the Authority.
Comment: - This is the role given to the Civil Services.  

Clause 20(3): - Government officers working with the Authority shall be paid according to the regulations with the approval of the Central Government.

Clause 21(1): - The Chief Executive Officer shall be the ‘legal representative’ of the Authority and shall be responsible for—
(a) the day-to-day administration of the Authority;
(b) implementing the work programmes and decisions adopted by the Authority;
(c) drawing up of proposals for the Authority’s work programmes;
(d) the preparation of the statement of revenue and expenditure and the execution of the budget of the Authority.

Clause 22(1): – “All liabilities shall be deemed to include all debts, liabilities and obligations of whatever kind”.
Comment: - There has been no projection of budget, or expected expense, on the project. This is a project with no projected cost, uncertain benefits, and we don’t even know if there will be continuing costs, how much they will be, and who will bear them.

Clause 22(2): Without prejudice to the provisions of sub-section (1), all data and information collected during enrolment, all details of authentication performed, debts, obligations and liabilities incurred, all contracts entered into and all matters and things engaged to be done by, with or for such Unique Identification Authority of India immediately before that day, for or in connection with the purpose of the said Unique Identification Authority of India, shall be deemed to have been incurred, entered into or engaged to be done by, with or for, the Authority
Comment: Therefore all data and information collected during enrollment, all details of authentication performed, debts, obligations and liabilities incurred, all contracts entered into and all matters and things engaged to be done by, with or for such UIDAI immediately before the day, for or in connection with the UIDAI, shall be deemed to have been incurred, entered or engaged to be done by, with or for, the Authority. This is like ratification. They each need to be studied. The contracts and MoUs, especially, have to be scrutinized, since there are several problems with them. For instance, L-1 Identity Solutions, which is connected with US intelligence agencies, and Accenture, which is on the Smart Borders project with the US Homeland Security Department, have been given contracts for the ‘de-duplication’, i.e., the protocol of personal information along with photograph, fingerprints, and iris scan will be handed over to them for de-duplication.
The MoUs disclose various aspects of invasion of rights that must be carefully studied by Parliament before it can consider endorsing them.

Clause 23(1): The Authority shall develop “policy, procedure and systems for issuing Aadhaar numbers to residents and perform authentication thereof under this Act.”
Comment: –These are unguided powers which do nothing to set out boundaries for subordinate legislation.

Clause 23(2):
(a) specifying, by regulation, demographic information and biometric information for enrollment for an Aadhaar number and the processes for collection and verification.
Comment: - This means that the ‘Authority’ can decide to expand the details that they will collect for their database. This ‘creeping’ expansion is made possible by this provision.

Clause 23(2):
(c) appointing of one or more entities to operate the Central Identities Data Repository (CIDR);
(d) generating and assigning Aadhaar numbers to individuals;
(e) performing authentication of the Aadhaar numbers;
(f) maintaining and updating the information of individuals in the Central Identities Data Repository in such manner as may be specified by regulations;
(g) omitting and deactivating of an Aadhaar number and information relating thereto in such manner as may be specified by regulations;
Comment: – These are the extent of powers and must be considered by the Parliament before they are given sanction.

Clause 23(2):
 (h) Regulations will specify the usage and applicability of the Aadhaar number for delivery of various benefits and services as may be provided by regulations;
Comment: UID has been marketed as a means to deliver to systems like the PDS and MGNREGA. Yet, nowhere in the Bill is the connection made. In the Regulations, the Authority may consider matters of usage of the number in relations to “benefits and services”. This heightens the doubt that PDS and MGNREGA have been used by the UIDAI only for marketing the idea. This needs a closer look. In the meantime, the corporate interest in the UID has become clear, with ‘Visa’ credit services declaring that they are going to make their services accessible to all UID number holders including the poor. How do profit and the poor come together for Visa?

Clause 23(2):
(i) specifying, by regulation, the terms and conditions for appointment of Registrars, enrolling agencies and service providers and revocation of appointments
Comment: - The MoUs precede/ predate this. Should there not be limits on what may be contracted?


CHAPTER IV

Clause 24: Grants by Central Government

Clause 25: Other fees and revenue
Comment: The UIDAI expects to be making profits on the fees it will change for each authentication which it decides should be on payment. This refers to ‘fees or revenue collected by the Authority, but sets no criteria on the basis of which charges may be levied. It also does not recognize the costs of each authentication nor say who is to bear the cost. How are the poor expected to pay?

Clause 26: Accounts and audit.

Clause 27(2): Returns and annual report, etc
The Authority shall prepare, once in every year, and in such form and manner and at such time as may be prescribed, an annual report giving—
(a) a description of all the activities of the Authority for the previous years;
(c) the annual accounts for the previous year; and
(d) the programmes of work for coming year.
CHAPTER V
IDENTITY REVIEW COMMITTEE

Clause 28(3): Three Members in the Review Committee to be appointed by a committee consisting of—
(a) the Prime Minister, who shall be the chairperson of the committee;
(b) the Leader of Opposition in the Lok Sabha; and
(c) a Union Cabinet Minister to be nominated by the Prime Minister.

Clause 28(5): The Members of the Review Committee shall hold office for a term of three years from the date on which they enter upon office, and shall not be eligible for re-appointment.
Comment: - Compare this with Clause 14, where the Chairperson and the two part time Members who constitute the ‘Authority’ are appointed by the ‘Central Government’ and they shall each be eligible for reappointment till they are 65.

Clause 28(6): The Central Government may by order remove from office any Member of the Review Committee, who —
 (b) has become physically or mentally incapable of acting as a member;
 (d) has acquired such financial or other interest as is likely to affect prejudicially his functions as a member; or
(e) has, in the opinion of the Central Government, so abused his position as to render his continuance in office detrimental to the public interest:
Provided that a Member shall not be removed under clause (d) or clause (e) unless he has been given a reasonable opportunity of being heard in the matter.
Comment: The committee of Prime Minister, Leader of the Opposition and a Union Minister is to appoint, and the ‘Central Government’ may remove from office. Since it does not have to be a unanimous decision, the Prime Minister would have a decisive voice.
Removal for ‘physical incapacity’ is a standard that is much lower than it is in other legislations that carry a similar clause. It also does not account for the changes that have happened in law and in public policy in the matter of treatment of persons with disability.

Clause 29(1): The Review Committee shall ascertain the extent and pattern of usage of the Aadhaar (UID) numbers across the country and prepare a report annually in relation to the extent and pattern of usage of the Aadhaar numbers along with its recommendations thereon and submit the same to the Central Government.
Comment: There are no limitations on the extent and usage of this number. The intention as reflected in the public statements by the present Chairperson of the UIDAI, is to make the usage extensive and pervasive. This does not account for the consequences of
-        convergence of information from different, distinct silos of information which will become easy through the usage of UID numbers.
-        breach of privacy
-        breach of notions of confidentiality, for instance which medical records are brought within the usage of UID. The UIDAI document on ‘UID and Public Health’ indicates this.
-        UID becoming the means of ‘ tagging’ and ‘profiling’ people
-        abuse or misuse of the information that the use of this number may facilitate
-        surveillance
The possible misuses are not even mentioned.
Students at a public meeting on 2nd December 2010 demanded to know how the MoHRD could plan to track them from elementary school upwards, with their UID numbers appended even to their mark sheets, and as part of Midday Meal Scheme records. They demanded to know if any understanding of the social consequences of such tracking had emerged. The fact is that none has.

CHAPTER VI
PROTECTION OF INFORMATION

Clause 30: - Security and confidentiality of information
Comment: This clause merely leaves it to the Authority to ‘ensure the security and confidentiality of identity information of individuals’. It is significant, especially in this context, that the corporate entities with which contracts have been signed for biometric – related technology and ‘de-duplication’ include L-1 Identity Solutions and Accenture. [8]
Questions about the kinds of due diligence that has (or has not) been exercised need to be asked. These entities are contracted to receive all information that the UIDAI has gathered and effect ‘de-duplication’ after which the number will be allotted.
It is significant that there are at least three entities that will have access to the demographic, biometric and UID number of persons who are enrolled: the Registrar, UIDAI and the ‘de-duplication’ agency. If more than one Registrar collects the details of any person, then the number of entities who will have access to the information which includes biometrics and the UID number increases. Enrollers too would have the data with them. This is how the project is being rolled out. This makes data theft only a subsidiary issue, since, even in the process of data collection, it passes through so many hands.
It is also significant that, while any individual who steals or parts with information may face penalties if he/she is found out and prosecuted [this will not be within the capacity of most people who enroll for a UID number, because of technological and access issues], the UIDAI faces no sanctions if they fail in their duty to protect data.[9]

Clause 31: Alteration of demographic and biometric information: when either changes, the UID number holder may request the Authority to change it in their records
Comment: - The uncertainties about biometrics concern how it will work when it is spread over as large a population as 1.2 billion. (So far, the maximum number covered has been 50 million people, according to the Report of the Biometrics Committee of the UIDAI). It is also uncertain how biometrics may alter with age, illness and occupation. These have not even been tested. There is a distinct possibility that periodic collection of biometrics will be necessary if the biometrics are to work. This possibility has not been acknowledged and, so, not provided for.
If, for instance, the exercises have to be repeated every five, or ten, or fifteen years, that has huge policy implications, including cost, which are not being considered. This would have been explained in a Feasibility Report; but, since no feasibility study preceded the project, and it has not been done till now, there is no means of informing policy and law makers about its implications.
Corruption, inefficiency, leakage and inaccuracy in relation to other documents and processes have been cited as reasons that justify the UID project. How this will prevent the problems that have been identified is not explained anywhere. In the context of Clause 31, it becomes important to seek an explanation as to how these problems will affect those who seek to alter the information in the CIDR. This also makes it clear that enrollment and updating are not a one–time exercise, although public statements by the UIDAI seem to suggest otherwise.

Clause 32: Access to own information and records and of requests for authentication.
Comment: This is a very important aspect of the right to privacy, and control over use of data about oneself. It would be impossible to find out who has been assessing the CIDR about oneself unless this information was to be readily available to the UID number holder.
However, there is another aspect of access to data through the UID number which is addressed neither in this provision nor anywhere else. Registrars, enrollers and de-duplicating agencies, and others who get information from them, will not need to refer to the CIDR for authentication. The networking of demographic and biometric information that this makes possible is one aspect of ‘convergence’ of data from different, discrete, databanks (‘silos’). Neither in this provision, nor anywhere in this Bill, is it made unallowable
-        for Registrars, Enrollers, De-de-duplicating agencies to retain any information that they collect/ process for the UIDAI
-        for any of them to network using the access the data that they have
-        for ‘convergence of data from discrete silos to be done’.
If these are not expressly prohibited by law, may be treated as being permitted.
The capital MoUs that the UIDAI has entered into with various agencies including State Governments, banks and the LIC, have a clause by which the UIDAI suggests that these entities – as Registrars – to collect information beyond that required for rolling out the UID number. This is not a clause that is within the authority of the UIDAI to provide. It is also a direct invitation to profile, and tag, every person enrolling for the UID.
The claims of the UIDAI that UID number is not a means of ‘profiling’, and ‘converging’ information about people does not hold true in this context.

Clause 33:– Disclosure of information (a) by order of competent count, and (b) when made in the ‘interests of national security in pursuance of a direction to that effect issued by an officer not below the rank of Joint Secretary or equivalent in the Central Government after obtaining approval of the Minister–in–charge’.
Comment: The documents, comments and statements and interviews issuing from the UIDAI and its personnel have consistently refused to address what it means to give officers of the state the use of the data held by the UIDAI in the CIDR in the name of national security. This clause is an admission that officers of the Central Government may access the information including identity information – by citing ‘national security’.
This is a matter beyond concerns of privacy. It is a provision that gives officers of the Central Government the power to
-        tag
-        track
-        profile
-        mount surveillance
-        use as they deem fit, information – including demographic and biometric information,
This will also directly feed into the National Intelligence Grid (NATGRID) that has been set up by the Home Ministry expressly to mount pervasive surveillance.
It is significant that the NATGRID gives information about people that is in 21 databases, to eleven security agencies, including the RAW and IB over which there is no superintendence or oversight. The UID number will allow the security agencies to expand their reach beyond the 21 data bases through the process of ‘convergence’ from different ‘silos’ that the UID number will make easy.
If the UID number is only about delivery of services, rights and entitlements to the poor, then, like the Census Act, this Bill too should be prohibiting the use of the UID number, and the data held in the CIDR, for anything other than authentication. However, Clause 33 expands the use of the data held in the CIDR to various purposes beyond that for which it is being avowedly collected.
Significantly, Mr. Sam Pitroda, who seems to be tasked with implementing a Public Information Infrastructure project currently estimated to cost Rs. 27,000 crores said, in a recent interview: “The UID will tag every person, the GIS will tag every place, and the PII will tag every institution”. This has repercussions on the federal structures of government too, which have not been considered.

Chapter VI
OFFENCES AND PENALTIES


Clause 34: - Impersonation at the time of enrollment- including by providing ‘false demographic….or biometric information’.

Clause 35: - Impersonation by changing information.

Clause 36: – Unauthorisedly collecting identity information
Comment: None of these define what constitutes ‘impersonation’. The responsibility of the ‘Introducer’ for accuracy of information is not set out.

Clause 37: – Penalty for disclosing identity impersonation

Clause 38: – Penalty for unauthorized access to CIDR
Comment: This clause sets out the many things that can result in identity loss. Yet, even as some penalty is provided to a person when caught, there is no remedy for a person whose identity is lost, stolen, altered or impersonated.

Clause 39: Penalty for tampering with CIDR

Clause 40: Penalty for manipulating biometric information

Clause 41: Offences by companies

Clause 43: Offence or contravention committed outside India
Comment: This clause acknowledges that the offences are capable of being committed beyond the territorial limits of the State.
The centralization of data, and holding it in a virtual space, means that hacking, stealing, destroying or tampering with data is not an improbability.
This is acknowledged, also, in the kinds of offences set out in this chapter.  

Clause 44: - Offences to be investigated by police officer not below the rank of Inspector of Police

Clause 45: - No penalty under this law to prevent imposition of any other penalty or punishment under any other law

Clause 46: - Cognisance of offences - Cognisance only on complaint made by the authority or any officer or person authorised by it
Comment: - This clause gives the Authority the exclusive right to lodge complaints for prosecution, indicating that no individual can lodge a complaint even if there is a violation that affects them. For instance, if there is identity theft or wrongful handing over of information from the database, even the complaint against the Authority can only be lodged by the Authority. Unlike regulatory laws, such as labour laws, where an Inspectorate is created is created to monitor the working of an organization, in this Bill there is no autonomous, independent or external regulator.

Chapter VIII
MISCELLANEOUS

Clause 47(Omitted)- In the UIDAI’s draft Bill “exemption from wealth, income, profit, and gains taxes” was provided for. It is reported that when Cabinet cleared the Bill they did not endorse this Clause, and it was, consequently, dropped.

Clause 47(1): -
Power of the Central Government to supersede authority
a.     “On account of circumstances beyond the control of the Authority it is unable to discharge the functions or perform the duties imposed on it by or under the provisions of this Act”; or
b.      The Authority has “persistently defaulted in complying with any direction given by the Central Government under this Act” or “in discharge of the functions or performance of the duties imposed on it” or for financial difficulties, or
c.     If circumstances exist which render it necessary in the public interest so to do.
d.     This may be for a period of six months at a time, and, before superseding the Authority, the Authority shall be given a reasonable opportunity to make a representation against the proposed supersession.
Comment: Consequences of default, being unable to discharge the functions or circumstances that may require that, in the public interest, the Authority should be superseded are too serious to be left open-ended. With these possible scenarios being acknowledged in the Bill, the project itself is brought into question.

Clause 48: – Members, officers etc. to be public servants.
Comment: – This will provide them the extraordinary protections that are currently in place with respect to prosecution, sanction and good faith. This will add one more obstacle to persons seeking to protect their identity and information from misuse, abuse or unauthorized use and against breaches of privacy.

Clause 49: – Power to Central Government to issue directions and the Authority to be bound by such directions. Provided that the Authority shall, as far as practicable, be given an opportunity to express its views before any direction is given.

Clause 50: - Authority has the power to “delegate to any member, officers of authority, or any other person” all powers except the power to make Regulations.
Comment: Given the sensitivity of the information held and the various issues that have been raised but not resolved, this broad power to delegate is extraordinary.

Clause 51: – Protection of action taken in good faith
Comment: This protects the Central Government or the Authority or the Chairperson or any member or any officer or other employees of the Authority from nearly any action taken, unless clear ill-intent can be demonstrated, which, as is known, is a very high threshold.

Clause 52: Rule making powers of the Central Government
Comment: This is essentially about formats in which the authority is to take oath and give the information mandated.

Clause 53: – Power of Authority to make regulations. This includes matters concerning biometric information, demographic information, procedure for authentication, and CIDR, “the manner of updating biometric information and demographic information”.
Comment: The project document does not account for the scale of population, and periods of time, over which biometric information may need to be updated.

Clause 53(2)(n): – The usage and applicability of the Aadhaar number for delivery of various benefits and services under clause (h) of subsection (2) of section 23.
Comment: The UIDAI has been saying that it will merely produce the UID number and it is for the various agencies to decide how to use it. In the Bill, however, they are retaining the power to make regulations in this regard. It is also significant that the ‘rights, entitlements and services’ are not set out in the law but are left to the agencies of the government and of private entities.

Clause 54: – Rules and Regulations to be placed before Parliament

Clause 55: – The provision of this Act shall be in addition to and not in derogation of any other law for the time being in force.

Clause 56: – The Power of the Central Government to “remove difficulties” in giving effect to the provisions of the Act.
Comment: - The link between the Right to Information Act 2005 and the present Bill is not clear. RTI activists have questioned the Bill in that it seems to take the power away from the CIC in determining the kinds of information that may be withheld and that which will have to be given to an applicant seeking information. A Privacy Law is still under consideration, and that too will have its effect on this law.                       

Clause 57: – Savings
Comment: Anything done under the notification that set up the UIDAI “shall be deemed to have been done or taken under the corresponding provision of this Act”. This especially necessitates the cross-checking of various things done by the UIDAI especially since it may have serious consequences in connection with identification of persons, who the information is handed over to, with whom contracts have been entered, the state of pilot studies, the non-existence of a privacy law, the relationship with NATGRID and the possible connection with the Draft DNA Profiling Identity Bill, 2007.



[1] “No empirical study is available to estimate the accuracy achievable for fingerprint under Indian conditions” (Page 44) and “…it is strongly recommended that carefully designed experiments and proper statistical analysis under pilot should be carried out, to formally predict the accuracy of biometric systems for Indian rural and urban environments” (Page 52), Biometrics Standards Committee Report.
[2] “Subsequently, a pilot study was done, and 250,000 fingerprints were collected and analysed. The committee’s conclusion: “There is good evidence to suggest that fingerprint data from rural India may be as good as elsewhere when proper operational procedures are followed and good quality devices are used ... (but) the quality drops precipitously if attention is not given to operational processes […] In the pilot study, 2-5% of subjects were found to not have any biometric data. “Missing biometrics is a license to commit fraud,” the study notes”, Missing biometrics create unique problems for UID project (ET, July 17, 2010).
precipitously if attention is not given to operational processes […] In the pilot study, 2-5% of subjects were found to not have any biometric data. “Missing biometrics is a license to commit fraud,” the study notes”, (Missing biometrics create unique problems for UID project; ET, July 17, 2010).
[3] Ibid.
[5] All MoUs with Registrars have the following clause, “At the time of collecting data for the purpose of the UIDAI, the Registrar may collect data from the resident that is required for the purpose of their business/service operations”
[6] “The Press Trust of India has reported that the Orissa government has decided to include at least a dozen-odd specifications to the UID number, like Ration Card number, BPL/APL number (below poverty line/above poverty line), NREGA data (National Rural Employment Guarantee Scheme), Driving License number, PAN number, Photo I-card number, Passport Number, Kissan and credit card number, LPG consumer number, Rashtriya Swasthya Bima Yojana number (National Health Insurance Scheme), Pension ID number and Pass Book number”, (http://www.moneylife.in/article/9594.html)
[7] (http://economictimes.indiatimes.com/infotech/ites/Missing-biometrics-create-unique-problems-for-UID-project/articleshow/6178480.cms)
[8] Please find a brief note on these companies appended.
[9] Also see Clause 46(1), supra.

_____________________________________________


USHA RAMANATHAN 


September 25th 2010


UID is an Identity Crisis in the Making - Tehelka Magazine 
Aadhaar article no: 547

Usha Ramanathan - Independent Law Researcher

AN EXERCISE is currently underway to enter every resident in India on a database. In a few years, the unique identification (UID) is intended to become a ubiquitous number, to be used in many operations: enrolling in a school, maintaining a bank account, ticketing for travel, seeking treatment in a hospital and having one’s death recorded in a mortuary register.

The sales pitch for the UID is, like most advertisements, intended to mislead. Enrolment is said to be voluntary. But, and as is now acknowledged, other agencies may refuse to provide a service if an individual is not enrolled, making it compulsory. The Working Paper of the UID Authority of India (UIDAI), which has been the basis of many discussions, starts with a claim that the UID will bring down barriers that prevent the poor from accessing services; but quickly adds: “UID will only guarantee identity, not rights, benefits and entitlements.”

The Public Distribution System (PDS) is the moral fulcrum on which the UID poises itself. Yet, the UIDAI admits to its interest in PDS being closely linked with completing its enrolment targets. Listing the ‘benefits to the UID’ that can flow to it from PDS: “The ration card is today the most prevalent form of identity in rural areas. If the UID enrolment is integrated into the process of the creation of a beneficiary database for PDS, the coverage of UID will improve significantly.” This is such a giveaway.

As with banks, those who have no documents to 
vouch for them would face exclusion

The potential that the number may have to enable tracking, profiling, mounting surveillance and ‘convergence’ of information, which will aid market profiling, is being studiously ignored. There are deeply disconcerting facts about the project that should wake up even those dwelling in the slumber of denial.

There has been no feasibility study preceding the setting up of such a pervasive project. There has been no cost-benefit analysis of the project. All calculations are of the back-of-theenvelope variety. Data theft is a serious threat. But other than asking us to leave it to the experts, there is nothing more that we know before we give information to the UIDAI. We have as yet no law relating to privacy.

The infallibility of biometrics, including fingerprints and iris scan, is still being tested: evidence has begun to emerge that callused hands, corneal scars and cataract induced by malnourishment may leave many millions outside this pattern of identification. Even as enrolment is poised to begin, authentication is still an unstudied field.

The promise of inclusiveness is belied by the ‘approved’ introducers; that is, where the poor are unable to provide any supporting documents to prove their identity, a network of approved introducers are to “introduce and vouch for the validity of a resident’s information”. UIDAI’s website admits this idea has been borrowed from the account opening procedure in commercial banks.

So, as with banks, those who have no documents to vouch for them would be threatened with exclusion. Where being a legal resident is to be closely tied in with having a UID number, it could render the poor vulnerable to having the legitimacy of their staying in the country being placed in the shadowy terrain of illegality and exclusion.

In an interview telecast on 14 August, UIDAI chairman Nandan Nilekani explained: “I think the core thing will be our ability to show that it is beneficial for people to have this number. If our ‘customer’, the resident of India, sees value in this number, if he sees that possessing it will bring in a material change in his life, he will come and take it. If he doesn’t do that, then we have lost what seems to be a marketing battle.” The State may have some explaining to do.

ILLUSTRATION: ANAND NAOREM




_________________________________________________ 


24th July 2010
A unique Identity Bill by Usha Ramanathan

A Unique Identity Bill By: Usha Ramanathan
Vol XLV No.30 July 24, 2010
India’s unique identification number project has been sold on the promise that it will make every citizen, the poor in particular, visible to the State. But the UID project raises crucial issues relating to profiling, tracking and surveillance, and it may well facilitate a dramatic change in the relationship between the State and the people. The Unique Identification Authority of India has not acknowledged these concerns so far. And now, nowhere in the proposed draft bill that it has prepared have these issues been addressed nor have clauses been drafted to prevent abuse of information that will be collected by the agency. With so many questions on the project – regarding biometrics, security and privacy – yet to be answered, it is far from time for parliamentary approval. As has been observed, the Constitution is expected to provide the citizen with dignity and privacy; but these are missing in the UID project.
In February 2009, the unique identification number (UID) project was set up within the Planning Commission. Since August (July) 2009, when Nandan Nilekani was appointed as its chairperson, the Unique Identification Authority of India (UIDAI) has been propagating the idea of the UID which each resident in India will be given.
The project pegs its legitimacy on what it will do for the poor. It promises that it will give the poor an identity, with which they may become visible to the state. The UID number is expected to plug leakages, including in the Public Distribution System (PDS), ease payments to be made under the National Rural Employment Guarantee Scheme (NREGS), and enable achievement of targets in consonance with the right to education. Service delivery is a central theme in its promotional literature. The raising of expectations is, however, tempered by a quick caveat that the “UID number will only guarantee identity, not rights, benefits, or entitlements”.
The UID database is intended to hold information including the name, address and biometrics of the person. It has been reiterated with remarkable regularity that the UIDAI will not be gathering information that could lead to profiling, so, religion, caste, language and income, for instance, will not be brought on to the UID database.
The UIDAI has strained every nerve to explain that it will not be a database from which others may derive information about any person. The UIDAI will merely “authenticate”, i  e, it will give a “yes” or “no” answer when asked whether a name, address and biometric indicator tally. That is, it will attest to the veracity of the identity being asserted by a person by checking on its database. If the details tally, it will say no more.
The operation for being invested with an identity goes through stages: enrolling with a enroller/registrar who will set down the basic biographic details such as name, address, father/guardian’s name (and UID number), mother’s name (and UID number) and collect the biometrics – photographs, all 10 fingerprints and iris scan, de-duplication (which will be done by the UIDAI to make certain that there is one identity for one person), updating the database whenever any change occurs in relation to the information on the database (for instance, when there is a name or address change, the responsibility for which will rest with the individual).
The UIDAI has said that getting on to the UID database is voluntary. That is, it is clarified, there will be no compulsion from the UIDAI. But, if other agencies make the UID number essential in their transactions, that is a different matter. The UIDAI has been signing memoranda of understanding (MOUs) with a range of agencies including banks, state governments and the Life Insurance Corporation of India (LIC) to be “registrars”, who then may insist that their customers enrol on the UID to receive continued service.
Given the dramatic changes that the UID could bring to the relationship between the state and the people, it should cause concern that there has been so little public debate around the UID. There is an unquestioned benignness that is being attributed to the project, which could be explained in part by the image of Nandan Nilekani, whose salience to the project could foster a sense that this is a project around technology, and not about identity. The rhetoric has stayed focused on the poor, which has lent the project legitimacy and there has been no discussion from within the establishment on the possible downsides.
One concern that has been raised consistently is on the question of privacy – that information held in a central repository could result in breaches of privacy. The invasion of privacy that technology has facilitated and routinised in recent years has eroded the relevance of traditional notions of privacy. The experience with abandoning the idea of privacy is relatively recent, and it will be a while before its value is reconstituted and the idea resurrected. The introduction to the UID has been in terms of investing every resident with an identity, as a single stop for authenticating identity, as a de-duplication exercise, for plugging leakages, as a tracking device, and as a wage transferring device.
There are, however, other concerns that have been voiced and which remain unresolved. They include the contexts of convergence, national security, the national population register (NPR), and the shaky edifice of biometrics on which this superstructure is being built.
Convergence
The UID literature does not use the word, yet convergence is a predictable and inevitable consequence of the UID project. Convergence is about combining information. There are various pieces of information that we hand over to a range of agencies when buying, say, a railway ticket, maintaining a bank account, registering in a university, getting work at an NREGs worksite, taking out an insurance policy, buying a motorcycle, paying telephone bills, etc. Currently, with only the name and a possibly correct address, it will not be easy to profile a person or track them. The information is held in what are called “silos”, that is, discrete towers holding information that has been handed over by an individual in relation to a defined purpose. If it were possible to create bridges to link these silos, it would wrest control of information on the individual and make it available, metaphorically and literally, at the tap of a computer key.
There is a dark joke making its rounds which would be funny, but is not, and it runs like this:
Operator: Thank you for calling Pizza Plaza. May I have your...
Customer: May I place an order?
Operator: Can I have your multipurpose ID card number, sir?
Customer: It is, hold on ... 21356102049998-45-54610
Operator: Welcome back from Japan, Mr Singh.
Customer: May I order your Seafood Pizza...
Operator: That's not a good idea, sir.
Customer: Why would you say that?
Operator: According to your medical records, sir, you have high blood pressure and even higher cholesterol level.
Customer: What? ... What do you recommend then?
Operator: Try our Low Fat Pizza. You’ll like it.
Customer: How would you know that?
Operator: You borrowed a book titled Popular Dishes from the National Library last week, sir.
Customer: Oh ... Have three family size delivered. How much would that cost?
Operator: That should be enough for your family of 5, sir. That will be Rs 500.
Customer: Do you accept payment by credit card?
Operator: I'm afraid you have to pay us cash, sir. Your credit card is over the limit and you owe your bank Rs 23,000 since October last year. And that's not including the late payment charges on your housing loan.
Customer: I guess I have to run to the neighbourhood ATM and withdraw some cash before your guy arrives.
Operator: Oh, no, sir. Your records show that you've reached your daily limit on machine withdrawal today.
Customer: Never mind, just send the pizzas, I'll have the cash ready. How long will that take?
Operator: About 45 minutes, sir, but if you can't wait you can always come and collect it in your Nano. Will there be anything else, sir?
Customer: No... By the way... make sure you send the 3 free bottles of cola as advertised.
Operator: But, sir, your health records say you're a diabetic.......
Customer: #$$^%&$@$% ^
Operator: Please watch your language, sir. Remember on 15 July you were con-victed     of using abusive language at a policeman...?
It was reported last year that Apollo Hospitals had written to the UIDAI and to the Knowledge Commission to link UID numbers with health profiles of individuals and offered to manage the health records (Business Standard, 27 August 2009). It has already embarked on a project “Health Superhighway” that reportedly connects doctors, hospitals and pharmacies, who would be able to communicate with each other and access health records. This, then, is no longer hypothetical. The UID is poised to be the bridge between silos of personal information.
This convergence of information may be efficient for business and meet standards of efficiency, but there are those who would argue that it profiles individuals and exposes them to market and other forces in ways which are intrusive, and which could make them insecure, and unsafe.
National Security
Surveillance is a concern, and a term that is missing altogether in the UIDAI documents.
There are three initiatives that, together, form a pattern that is disturbing. The UID only produces a number which is a tag that is poised to be “universal” and “ubiquitous”. Its capacity to link disparate pieces of information is difficult to dispute. Place this in the context of the National Intelligence Grid (NATGRID), and the Home Minister P Chidambaram’s statement begins to sound ominous. “Under NATGRID”, he is reported as having said, “21 sets of databases will be networked to achieve quick seamless and secure access to desired information for intelligence and enforcement agencies” (The Hindu, 14 February 2010). This is to enable them “to detect patterns, trace sources for monies and support, track travellers, and identify those who must be watched, investigated, disabled and neutralised”. Many of these intelligence agencies, including the Research and Analysis Wing (RAW) and the Intelligence Bureau (IB), are neither creatures of the law, nor are they subject to oversight. And they are outside the Right to Information Act.
Vice-President Hamid Ansari, quoting an intelligence expert, reportedly asked: “How shall a democracy ensure its secret intelligence apparatus becomes neither a vehicle for conspiracy nor a suppressor of traditional liberties of democratic self-government?” (Times of India, 20 January 2010). By all accounts, the question has not been answered yet.
In November 2009, newspapers reported Chidambaram’s statement that the government would soon be setting up a DNA data bank. There has been no word on the subject since, but on 12 July 2010, the Indian Express carried news of an im patient debate that has erupted about speeding up DNA data banks to hold DNA data of convicts. This is just a stretch away from extending it to more classes of the population.
The use of science and technology to practise the politics of suspicion is a possibility that is finding its way into becoming a fact.
National Population Register
The Census has acquired a disturbing dimension with the NPR being appended to it. The NPR is not an exercise undertaken under the Census Act, 1948. It is being carried out under the Citizenship Act of 1955 and the Citizenship (Registration of Citizens and Issue of National Identity Cards) Rules 2003. Why should that matter? Because there is an express provision regarding “confidentiality” in the Census Act, which is not merely missing in the Citizenship Act and Rules. But there is an express objective of making the information available to the UIDAI, which marks an important distinction between the two processes. Section 15 of the Census Act categorically makes the information that we give to the census agency “not open to inspection nor admissible in evidence”. The ­Census Act enables the collection of information so the state has a profile of the population; it is expressly not to profile the individual.
It is the admitted position that the information gathered in the house-to-house survey, and the biometrics collected during the exercise, will feed into the UID database. The UID document says the information that the database will hold will only serve to identify if the person is who the person says he, or she, is. It will not hold any personal details about anybody. What the document does not say is that it will provide the bridge between the “silos” of data that are already in existence, and which the NPR will also bring into being. So, with the UID as the key, the profile of any person resident in India can be built up.
The Citizenship Rules 2003 strips the veneer of voluntariness from the UID. It classes every individual and every “head of family” as an informant, who will be penalised if every person in the household is not in the NPR, or if the information is outdated.
The NPR is also slated to collect biometrics – photographs, fingerprints, iris. The coercion in the Citizenship Rules is not the only aspect which is worrying. The rules also envisage an exercise in sifting the citizen from the resident. The person collecting the information is expected to exercise judgment in deciding whether the person whose details are being taken down may not be a citizen. If there is any doubt, such person will be categorised to be subject to further investigation. The NPR, like the Census, is carried out by laypeople, and the untrained mind is asked to discern and judge matters that could lead to inclusion, or statelessness.
At the tail end of June 2010, the UIDAI web  site uploaded a “proposed draft bill”: the National Identification Authority of I ndia Bill, 2010. Comments were asked to be sent within two weeks, by 13 July 2010. Various individuals and groups have sent in their comments, but have asked that the time to respond be extended so that they may discuss it and understand it more fully before taking their position on the Bill.
One of the provisions that has raised concern is clause 33, which reads:
33. Nothing contained in the sub-section (3) of section 30 shall apply in respect of –
(a) any disclosure of information (including identity information or details of   authentication) made pursuant to an order of a competent court; or
(b) any disclosure of information (including identity information) made in the interests of national security in pursuance of a direction to that effect issued by an officer not below the rank of Joint Secretary or equivalent in the Central Government after obtaining approval of the Minister in charge.
Although some commentators on the UID project (and that includes me) have written about surveillance, tracking, profiling and social and executive control of the people by the state and its agents, the UIDAI has not acknowledged these concerns so far. This is despite the “Awareness and Communication Report” which the UIDAI commissioned and which advised the authority on how to anticipate and sidestep the unease that people may have, registering that:
the idea of giving out information and affixing one’s thumbprint to a document without fully understanding its implications, compounded with the fact that too many non-state players are visibly involved could pose a barrier to enrolment as well. The fear of individuals being in the government’s radar and the ability of various groups to play on this fear is another likely challenge.
Neither the Bill nor any document produced in the process has, however, addressed any of these concerns. What is reflected in the document is only the need to ensure that these anxieties do not come in the way of completing the exercise.
Such a major shift in public policy surely cannot occur without a discussion preceding it, a deliberation on the import, and consequences, of such a change, and a reasoned decision taken on the matter. The constitutionality of such a move is questionable. Among the issues that are likely to arise, there are two that Justice Rajendra Babu raised in the presence of Nandan Nilekani and his team at a consultation held in the National Law School, Bangalore on 23 November 2009: the Constitution guarantees us dignity and privacy, he said. Both seem to have been given a miss in the way the UID project has been conceived.
The combination of UID, NATGRID and the emerging idea of the DNA bank, makes state control of a population a very real possibility. To treat every person as a suspect, and to create systems that would support such a practice, is a highly questionable act of a state. That the State and its agents have faced the charge of being communal, and of having been involved in torture, fake encounters, forced dis appearances and complicity in crime adds to the amalgam of concerns. The Bill does not acknowledge it, but those within the system cannot be prosecuted without “sanction” of the powers-that-be. It seems like a prescription for impunity where the protocol for protecting the data is breached from within the state apparatus.
Discussions around the Bill will have to deal with the issues thrown up by the introduction of the element of “national security”, especially as it is located within a web of UID, NATGRID and a DNA data bank.
Biometrics
The most disturbing aspect of the UID project is the linking of identity, and rights, entitlements, citizenship and recognition, to biometrics. The UID project has settled on three metrics: facial recognition through the photograph, fingerprints (all eight fingers and two thumbs), and the iris. The UIDAI documents reveal a state of ignorance, and unpreparedness, that is inexplicable. Quotes will set it out most clearly:
In the UIDAI’s “Notice Inviting Application for Hiring Biometrics Consultant”, for a period of six months starting March 2010, it was written: While NIST (the United States agency) documents the fact that the accuracy of biometric matching is extremely dependent on demographics and environmental conditions, there is a lack of a sound study that documents the accuracy achievable on Indian demographics (i  e, larger percentage of rural population) and in Indian environmental conditions (i  e, extremely hot and humid climate and facilities without air-conditioning)... The ‘quality’ assessments of fingerprint data is not sufficient to fully understand the achievable de-duplication accuracy. The next step is to acquire biometrics data from the Indian rural conditions in two sessions (with a time difference) and assess the matchability ...
That is, the capacity to capture biometrics with any accuracy has not even been tested yet, and the project already has Rs 7 crore committed to it for just this year, and the whole apparatus through the NPR moving for it. This demands
an explanation.
In a cryptic note, the Notice reads: “The biometric evaluations are statistical. The statistical significance of the results are required to be analysed for the UIDAI.”
That is, the margin of error is not yet known.
In “Ensuring Uniqueness: Collecting Iris Biometrics for the Unique ID Mission”, the report refers to the Biometrics Committee set up under the UIDAI which had, in January 2010, been non-committal about the use of the third biometric, since “...in the absence of empirical Indian data, it is not possible for the committee to precisely predict the improvement in the accuracy of de-duplication to the fusion of fingerprint and iris scores.” The document acknowledges “technology risks”, including the inability to guarantee biometrics of “high quality across its thousands of enrolment points”. This capture would help in enrolment, but not in authentication since the equipment will not be available in most places. The compromise: “for authentication, the use of fingerprinting will be sufficient”. This could spell trouble for calloused hands and marred fingerprints – which would include those doing manual labour and agricultural operations, whose fingerprints cannot be authenticated.
On 17 July 2010, the Economic Times reported that “people with ‘low-quality’ fingerprints and corneal/cataract problems” could “pose difficulties” for the project. “Millions of Indians working in agriculture, construction workers and other manual labourers have worn-out fingers due to a lifetime of hard labour” resulting in “low-quality” fingerprints.
The iris scan cannot be done on people with corneal blindness or corneal scars. A study done in 2005 at the All India Institute of Medical Sciences estimated six to eight million people in India had corneal blindness, and many more people would have corneal scars. A Hyderabad based eye institute identified cataract, which results from nutritional deficiency and prolonged exposure to sunlight and ultraviolet rays, and cataract surgery, as almost certain to affect the iris. This is about the people that the UIDAI projects as its main targets. A scientist with the Council of Scientific and Industrial Research is cited as suggesting that “they could use DNA fingerprinting in such cases”. Apart from the reduction of a people to a subject-population, these suggestions are inexcusably casual about using techniques that will be of no help to the person so identified.
The draft Bill does not deal with any of these concerns. In clause 3 (1), it declares that “every resident shall be entitled to obtain” a UID number, but nowhere in the Bill is there a clause that no agency may refuse services to a person because they do not have such a number, thus leaving the field open for compulsion. Nowhere in the Bill is there an acknowledgement of the extraordinary powers of surveillance, and i nvasion of privacy by government and private agencies that the UID will be facilitating, so there are no limits set on the uses of the number and of the networks of information it could be used to generate. So convergence is facilitated, and the person has no control over it, nor is it a wrong in law.
For those who are willing to place their faith in the UID clause 12 may cause them to pause. It reads: “The Authority shall consist of a Chairperson and two part-time members to be appointed by the Central Government”, and they may be re-appointed, or ejected, by the central government. There are sketchy offences of “intentionally” accessing the UID database and damaging, stealing, altering information or disrupting the data. But it provides no means by which a person whose data is stored to know that such an offence has been committed; and it does not allow prosecution to be launched except on a complaint made by the authority or someone authorised by it. Experience has revealed the failure of regulation; yet it is on regulation by the authority that a whole population is asked to place its trust. There is no grievance redressal mechanism mandated by law; it may be set up by regulation or it may not. There is a clause in passing that recognises that the data could reach people beyond the borders; but no idea at all on how to deal with that situation.
The demographic information gathered may not be elaborate at the start, but clause 23(b) leaves an opening for expanding the demographic and biometric data that may be collected. Most damning is the passing reference in the general “powers and functions of authority” to the use of the UID number “for delivery of various benefits and services as may be provided by regulation”. That is all there is to indicate that service delivery to the poor is the object of this exercise. The issues on which the UID project is piggyback riding for its legitimacy are too serious to be trivialised.
The MoUs the UIDAI has entered into with “registrars” that include banks, state governments and the LIC have been signed with no statutory backing and no legal power to collect, hold and transmit information from and about people.
Biometrics has not even been tested, despite Indian demographic and environmental conditions being known to make a significant difference to the quality of biometric capture. In a May 2010 paper prepared for the UIDAI – “A UID Numbering Scheme” – is written: “We expect the UID system to live on for centuries”. This, then, is a tagging device that is expected to last well beyond a person’s lifetime.
The non-seriousness of the Bill, and the refusal to confront the hard issues, are a slight to democracy which must be remedied before the project progresses to create a fait accompli. There are murmurs that the Bill is to be introduced in the monsoon session of Parliament. It would be trite to say that, when biometric accuracy is still in question, and so many questions remain unanswered, it is nowhere near time for parliamentary consideration, or approval.
Thanks to Pavithra Ramesh and Murali for acting as sounding boards.
Usha Ramanathan (uramanathan@ielrc.org) is an independent law researcher who works on the jurisprudence of law, poverty and rights.






________________________________________________ 


1st May 2010
 

Eying ID’s  by Usha Ramanathan
Aadhaar Article No 20


Three recent initiatives of the government need to be investigated before any decision about adopting them is taken.

In November 2009, newspapers reported Union Home Minister P. Chidambaram’s statement that the government would soon be setting up a DNA data bank. In December 2009, he announced the setting up of the NATGRID. “Under NATGRID”, he is reported to have said, “21 sets of databases will be networked to achieve quick seamless and secure access to desired information for intelligence and enforcement agencies.” The project is expected to be completed in 18 to 24 months. In July 2009, with Nandan Nilekani taking charge, the Unique Identification Authority of India (UIDAI) started its work on creating a database that would give every resident a number which is intended to become a unique, ubiquitous and universal identity. While the stated purpose of the DNA bank and the NATGRID is to meet the threat posed by terrorism, the UID is given a gentler visage; it is to be promoted as a means of removing “one of the biggest barriers preventing the poor from accessing benefits and subsidies”, which according to this understanding, is the “inability to prove identity”.

Are these benign arrangements of data to enable efficient functioning? What is it that makes some of us unable to recognise innocence in these sweeping “identity” controls that are being remorselessly let loose in our midst? Why is it that some cabinet ministers have voiced concerns about the possibility of misuse of NATGRID, as reported on February 14?
The motivation for the DNA bank fundamentally alters the characterisation of citizens and residents. It is based on the perception that the state is at risk from its citizens and residents, and any person could emerge as a terrorist. It is the politics of suspicion, which dramatically erodes the ideas of citizenship, privacy, and minimum-invasion-and-only-when-there-is-reason-why. The state has to be preemptively readied to catch whichever of its 1.4 billion citizens may commit an act of terror. This is notching up the control that the state, and its agents and agencies, has over each individual. Also, that the DNA test is not foolproof is known but often not acknowledged. So, beyond the problem of every citizen and resident as suspect, there is the possibility of error. Recent experience in India with DNA debacles demonstrate the corruptibility of forensic methods — there’s many a twist between the scene of the crime and the laboratory. Yet, the presumptions about the infallibility of science and technology — contrasted, often, with human imperfection — will shift the onus to a person accused on the basis of who the DNA bank suggests is suspect. There is danger of DNA and data theft; there is the fact and circumstance of corruption, inefficiency and failing systems which could make the data unreliable; there is, importantly, the irrelevance of this bank to those who enter the country uninvited and unnoticed, which leaves the bane of cross-border terror unaddressed.

The NATGRID converges data from a range of data-holders and places them in the hands of “intelligence” outfits. This is expected to enable them to detect patterns, trace sources for monies and support, track travellers, and identify those who should be watched, investigated, disabled and neutralised. David Headley is its target. And, to get him, all the discrete “silos” of information will be shared with the intelligence agencies. The problem is that the intelligence agencies are not open to question, and are outside even the Right to Information Act. So, while they will be fed information about us, we are not entitled to know who is saying what about us to them, how they are interpreting it, and, most significantly, what use they will make of this information. Place this kind of information in anybody’s hands, and its abuse by those who have access to it is inevitable. Concerns about privacy are cast aside and invasion of privacy made a public virtue. The NATGRID is an unqualified statement that the state has a right to know every detail about each of our lives, but we are expressly excluded from knowing what the state and its agencies believe about us, and what they do with what they know. It places extraordinary power in the hands of those who already have access to a vast share of state power that is unaccountable.

There has been much myth creation around the UID: that enrolment will not be mandated but will be voluntary; that it is pro-poor; that only basic information will be gathered. Scratch the surface of these assertions. The creation of the National Population Register, with its element of compulsion, is one aspect of this exercise in creating the UID data base. And there is one fact about the UID that is incontrovertible: that it provides an easy route for the market and the security agencies to identify and profile any person. That is how the UID fits into the larger scheme of monitoring and control and that, as the current discourse reveals, will be its central purpose.

There are those who ask: why should we mind if we have done nothing wrong? But this is not about doing right or wrong. Among many other concerns, it is about letting some persons and agencies know, accurately or mistakenly, all manner of things about oneself. It is about being tracked and tailed. It is about acknowledging that those who may get access to the system may not always be fair, responsible and accountable. It is about recognising that too much power over individuals is a dangerous thing. 

______________________________________________________ 


___________________________________________________ 


5th April 2010 Implications of registering, tracking, profiling by Usha Ramanathan
Aadhaar Article No 56


Data collection, including fingerprinting, for the National Population Register has been launched alongside the 2011 Census exercise and under different statutes. This is no innocent data collection in a vacuum. Set amidst NATGRID and UID, it conjures Orwellian images of Big Brother.
The relationship between the state and the people is set to change dramatically, and irretrievably, and it appears to be happening without even a discussion about what it means. The National Population Register has been launched countrywide, after an initial foray in the coastal belt. All persons in India aged over 15 years are to be loaded on to a database. This will hold not just their names and the names of their parents, sex, date of birth, place of birth, present and permanent address, marital status – and “if ever married, name of spouse” – but also their biometric identification, which would include a photograph and all eight fingers and two thumbs imprinted on it. This is being spoken of with awe, as the ‘biggest-ever' census exercise in history. 1.2 billion people are to be brought on to this database before the exercise is done. This could well be a marvel without parallel. But what will this exercise really do?
For a start, it is wise not to forget that this is not data collection in a vacuum. It is set amidst NATGRID (National Intelligence Grid), the UID (the Unique Identification project), and a still-hazy-but-waiting-in-the-wings DNA Bank. Each of these has been given spurs by the Union Home Ministry, with security as the logic for surveillance and tracking by the state and its agencies. The benign promise of targeted welfare services is held out to legitimise this exercise.
If the Home Ministry were to have its way, NATGRID will enable 11 security and intelligence agencies, including RAW, the IB, the Enforcement Directorate, the National Investigation Agency, the CBI, the Directorate of Revenue Intelligence and the Narcotics Control Bureau to access consolidated data from 21 categories of databases. These would include railway and air travel, income tax, phone calls, bank account details, credit card transactions, visa and immigration records, property records, and the driving licences of citizens. It is not insignificant that, when Vice-President Hamid Ansari quoted an intelligence expert and asked, “How shall a democracy ensure its secret intelligence apparatus becomes neither a vehicle for conspiracy nor a suppressor of the traditional liberties of democratic self-government?” and suggested that intelligence agencies be accountable and subject to parliamentary oversight, there was resistance among the agencies.
On February 14, 2010, The Hindu reported a discussion at a Cabinet Committee on Security meeting on the NATGRID proposal where “some Ministers raised queries about safeguards and said there was a need for further study.” There were concerns about privacy and potential misuse of information for political ends. “Highly placed sources,” it was reported, “said the main objections raised at the meeting, which was chaired by Prime Minister Manmohan Singh, revolved around the need to put in place a more elaborate safety mechanism for upholding the privacy of citizens. But discussions veered around to the political scenario in which a UPA regime might no longer be in power and in which the informational opportunities provided by NATGRID could possibly be misused by another ruling party.” That meeting ended inconclusively, asking that further consultations be held before deciding whether to go ahead with the proposal or not.
Sixty years should have been sufficient to get over being a ‘subject' of the state, and to attain citizenship. The state is sovereign vis-à-vis other states, but within the country it is the people who are sovereign. All this, however, becomes empty talk when the people have to report to the state about who they marry, when they move house and where, what jobs they do, how much they earn, where they travel, what their pattern of expenditure is, and who they live with. And to make tracking easier, there are the fingerprints and the photograph.
The NPR is not an exercise undertaken under the Census Act 1948. It is being carried out under the Citizenship Act of 1955 and the Citizenship (Registration of Citizens and Issue of National Identity Cards) Rules 2003. Why should that matter? Because there is an express provision regarding `confidentiality' in the Census Act, which is not merely missing in the Citizenship Act and Rules but there is an express objective of making the information available to the UID Authority, for instance, which marks an important distinction between the two processes. Section 15 of the Census Act categorically makes the information that we give to the census agency “not open to inspection nor admissible in evidence.” The Census Act enables the collection of information so that the state has a profile of the population; it is expressly not to profile the individual.
It is the admitted position that the information gathered in the house-to-house survey, and the biometrics collected during the exercise, will feed into the UID database. The UID document says the information that data base will hold will only serve to identify if the person is who the person says he, or she, is. It will not hold any personal details about anybody. What the document does not say is that it will provide the bridge between the ‘silos' of data that are already in existence, and which the NPR will also bring into being. So with the UID as the key (forgive the oscillating metaphor), the profile of any person resident in India can be built up.
Why is this a problem? Because privacy will be breached. Because it gives room for abuse of the power that the holder of this information acquires. Because the information never goes away, even when life moves on. So if a person is dyslexic some time in life, is a troubled adolescent, has taken psychiatric help at some stage in life, was married but is now divorced and wants to leave that behind in the past, was insolvent till luck and hard work produced different results, donated to a cause that is to be kept private — all of this is an open book, forever, to the agency that has access to the data base. And, there are some like me who would consider it demeaning to have this relationship with the state. For the poor, who often live on the margins of life and legality, it could provide the badge of potential criminality in a polity where ostensible poverty has been considered a sign of dangerousness. (This is not hyperbole; read the beggary laws, and the attitude of some courts reflected in the comment that `giving land for resettlement to an encroacher is like rewarding a pickpocket.')
The Citizenship Rules cast every ‘individual' and every ‘head of family' in the role of an ‘informant' who may be subjected to penalties if he does not ensure that every person gets on to the NPR, and keeps information about themselves and their ‘dependents' updated. There isn't even an attempt at speaking in the language of democracy!
The arrangement that emerges is that the NPR will gather data and biometrics of the whole population. This does not guarantee an acknowledgement of citizenship; it is only about being `usually resident.' This information will not be confidential, and will feed directly into the UID data base, which, while pretending to be doing little other than verifying that a person is who they say they are, will act as a bridge between silos of information that will help profile the individual. This will assist the market and, through NATGRID, the intelligence agencies, who will continue to remain unaccountable.
To do this, the UID has been given Rs. 1,900 crore in the current year's budget and the NPR has been allocated Rs. 3,539.24 crore. This will bring Orwell's Big Brother back to life; and we are asked to accept that each of us be treated as potential terrorists and security threats, for that is the logic on which this tracking and profiling of the individual is based.
( Usha Ramanathan is an independent law researcher who works on the jurisprudence of law, poverty and rights.)



____________________________________________________


6th January 2010 The personal is the personal by Usha Ramanathan
Aadhaar Article No 46


The air is thick with schemes that will enable the state, and its agencies, to identify every resident, and to track what they are doing. A home ministry project for creating a National Population Register which will be prepared along with the 2011 Census has been propelled through its pilot stage. Now, an ambitious programme has been launched to load all the residents of the country on to a data base, providing each of us with a unique identity number. What distinguishes this exercise from any other undertaken so far?

First of all, the intention is provide a Unique Identity Number to the whole population, including the just born. The state is to have data on each individual literally from birth to death; and beyond, for a person’s UID is not destroyed at death, merely disabled. The numbers are to be so generated that it will not have to be repeated for between a hundred and two hundred years.

The UIDAI, in its working paper, says that enrolment will not be mandatory, but acknowledges that in practice it is expected not to be voluntary. The ‘Registrars’, who will enroll people on to the data base, will be both private operators and government agencies, and they will be encouraged to insist that they will entertain only those who are willing to enroll. Over a short time, only those with UID numbers may find themselves able to access services. That is the effort.

The UID has nothing to do with citizenship. The information on the UID database is expected to be basic, and to cover all residents: name, date of birth, place of birth, gender, the name and UID numbers of both parents, address, date of death and photograph and fingerprints. This is because the UID is only to identify the individual to the agency that is looking for authentication.

Just on its own, it could even seem benign.

There are two phenomena that take the innocence out of the exercise. The first is ‘convergence’. ‘Convergence’ is about combining information. There are presently various pieces of information available separately, and held in discrete ‘silos’. We give information to a range of agencies; as much as is necessary for them to do their job. The passport agencies do not need to know how many bank accounts you have, or whether you drive a car. The telephone company need not know how you have insured your house. The police do not need to know how often you travel, not unless you are a suspect anyway. It is this that makes some privacy possible in a world where there are so many reasons why, and locations where, we give information about ourselves. The ease with which technology has whittled down the notion of the private has to be contained, not expanded. The UID, in contrast, will act as a bridge between these silos of information, and it will take the control away from the individual about what information we want to share, and with whom.

This is poised to completely change norms of privacy, confidentiality and security of personal information. There are already indications about how convergence will work. Consider the reports that the Apollo Hospitals group has offered to manage health records through the UIDAI. It has already invested in a company called Health Highway that reportedly connects doctors, hospitals and pharmacies who would be able to communicate with each other and access health records. In August 2009, Business Standard reported that Apollo Hospitals had written to the UIDAI and to the Knowledge Commission to link the UID number with health profiles of those provided the ID number, and offered to manage the health records. The terms ‘security’ and ‘privacy’ seem to be under threat, where technological possibility is dislocating many traditional concerns.

The second phenomenon is ‘tracking’. Once the UID is in place, and convergence becomes commonplace, the movement of people, their monies, their activities can be brought together, especially since transactions from buying rice in a PDS shop to receiving wages to bank withdrawals to travel could begin to require the number. There is a difference between people tracking a state, and the state, and the ‘market’ tracking people. The UID is clearly not what it is presented as being: it is not benign, nor a mere number which will give an identity to those who the state had missed so far.

Interestingly, the working paper of the UIDAI starts with a claim that the UID will bring down barriers that prevents the poor from accessing services and subsidies by providing an identity, but soon goes on to clarify that the “UID number will only guarantee identity, not rights, benefits or entitlements”. Given that it is the powerlessness of the poor, inefficiency, the perception of the poor as not deserving of support, sympathy or rights, and the status of illegality foisted on them that stops them from getting what is due to them, and given that corruption and leakages in the system mutate and persist, this quick stepping back is wise indeed.

In the excitement about technology being deployed to do something that has not been done anywhere in the world, the importance of privacy and protection from misuse of personal information is getting eclipsed.

It is significant that the UIDAI working paper makes no mention of national security concerns, and the surveillance, and profiling, possibilities it will create. Yet, the UID is not a project in isolation. The NATGRID, which the UID will facilitate, places the whole population under surveillance; and the home minister is talking about a DNA bank.

Fallibility, the difficulties inherent in reaching those in extreme poverty, the choiceless existence on a database and the possibility of undesirable others getting hold of information only add to the scariness of the scenario that we seem to have accepted without discussion, challenge or debate. And, once accomplished, we would have reached a point of no return.
The writer is an independent law researcher.