Tyranny of Aadhaar newsletter Mar 2018 edition, volume 1

The Tyranny of Aadhaar newsletter brings you the real state of Aadhaar roll-out and how it affects crores of Indians across states. So far, the only real beneficiary of Aadhaar is: the State & Corporates, not the citizens. We share relevant data, and findings from the ground on experience of citizens in the Aadhaar project to sift through the false claims made about the biometrics project.

Dear friends and subscribers, The March 31, 2018, deadline for linking Aadhaar to various essential services is nearing, which we are sure is a cause for anxiety. We hope this comprehensive newsletter will help you navigate the Aadhaar mess - as always, please feel free to write in with your questions and concerns. (Download the newsletter as a pdf here.)

Are you about to give in and enroll for an Aadhaar, thinking that the deadline is still March 31?

Or, if you have an Aadhaar, are you panicking about linking it to EVERYTHING?

Advisory after the Hearings in SC on March 8 2018

The SC Constitution Bench has ordered Aadhaar cannot be mandatory for NEET, or any other exam, and will discuss extending the deadline beyond March 31 next week.

Hold on – do not link your Aadhaar anywhere yet!

Right from the judgment in the Aadhaar-PAN linking case last year, it has appeared that not having an Aadhaar is the favorable situation, with the SC asking those already having Aadhaar to comply with new rules. However, there is ample reason to avoid linking your Aadhaar, not least because the deadline will be extended – again!

Wait, even if I have an Aadhaar, I should not link?

We believe that the Aadhaar scheme is about surveillance - the government wants Aadhaar to profile citizens through data. We must avoid linking Aadhaar everywhere to ensure our data is not available to anyone who gets to know our Aadhaar.

Petitioners have requested suspension of all Aadhaar enrolment and linking until the conclusion of the case. The ensuing Court order may halt all future Aadhaar linking, preventing data accumulation!


Court updates

In the two days of further hearings this week, the constitution bench of the Supreme Court ordered that Aadhaar cannot be made mandatory for the National Eligibility cum Entrance Test, or any other exam, and directed the CBSE to post a circular on its website to that effect. The Bench will also discuss extending the Aadhaar linking deadline beyond March 31 at the conclusion of Senior Advocate P. Chidambaram's submissions challenging the Aadhaar Act's passage through Parliament as a Money Bill. 

Earlier, Senior Advocate Arvind Datar argued that the PMLA Rule 9 requiring Aadhaar linking for bank accounts violated the right to property besides being discriminatory, and contrary to the RBI's own master directions on using 6 officially valid documents (OVDs) for the KYC procedure. He also challenged the Aadhaar-PAN linking on the grounds of arbitrariness which the recent judgments on Triple Talaq (Justice Nariman's opinion) and the Right to Privacy upheld as a valid ground for striking down legislation. Justice Sikri, who had earlier - in Binoy Viswam vs Union of India - declined to test the Aadhaar-PAN linking on arbitrariness, agreed that the judgment in that case would have to be revisited. 

The court will resume hearings on March 13. 


Parliament updates

Per its #Budget2018 proposals, the Union government’s spending on Aadhaar is likely to be eight times the spending on cybersecurity - in 2017-18 it spent 6 times on Aadhaar as on cybersecurity.

Last year, MEITy informed Parliament’s Departmental Standing Committee on IT that it had received only INR 900 crore against its proposed allocation of Rs.1938 crore for UIDAI. When asked whether this allocation was sufficient, the Ministry responded that the saturation of Aadhaar numbers had made enrolment less viable commercially for UIDAI’s ecosystem partners, necessitating UIDAI’s support for ICT infrastructure and for seeding Aadhaar in different databases. The Ministry therefore asked for another INR 300 crore which the Standing Committee recommended without requesting details about either the expenses or the projections.

Interestingly, the Committee also enquired about creating a revenue model for UIDAI which currently does not charge for its e-KYC and authentication services. The Ministry responded that it is studying different pricing models. The Committee recommended coming up with a self-sustaining financing model which would reduce UIDAI’s reliance on public funds. The Ministry’s response to the Committee’s question about UIDAI’s impact on getting legal status for the privacy and security of citizen data was an explanation of how the Aadhaar Act provided a sufficient mechanism and that all possible steps are being taken to ensure privacy and security of citizen data. Again, the Committee accepted this response despite the many concerns raised about cybersecurity. Even though it enquired about the role of Aadhaar in digital payments and e-KYC, the Committee’s only recommendation was that these must be promoted, with hardly any concerns on the safety of transactions despite the RBI providing data on financial e-frauds (16468 cases in 2015-16, 8689 cases in 2016-17, till December 2017).






Privacy and security


A hacker managed to access Telangana's NREGA database and, through this, to the APIs used to connect with the UIDAI’s Aadhaar database. “Using API keys of Aadhaar, anyone can make a fake Aadhaar app and upload the same on Google Play Store."


 Dr S. Ananth of the RBI-established Institute for Development & Research in Banking Technology has said in his paper that a “major challenge for UIDAI is to protect the data under its control since the biometrics is now an important national asset. Thanks to Aadhaar, for the first time in the history of India, there is now a readily available single target for cyber criminals as well as India’s external enemies. In a few years, attacking UIDAI data can potentially cripple Indian businesses and administration in ways that were inconceivable a few years ago. The loss to the economy and citizens in case of such an attack is bound to be incalculable.The problem is now compounded with the linkage of bank account, driving license, phone number and a host of other services to Aadhaar. It means that the Aadhaar number will be available in databases of each and every service provider. Hence, any breach of the database of one provider has the potential to compromise the details of the Aadhaar numbers."


Sri Krishna Committee finally releases its meeting minutes

The meeting minutes released by the Sri Krishna committee show that it has already considered a draft Data Protection Bill. This draft Bill could not have taken into account feedback from the consultations held in January 2018 since the meeting held in October 2017 has discussed this draft. Therefore, it is imperative that this draft Bill be made available for further comments from the public. In the spirit of transparency, democracy and public participation, Rethink Aadhaar urges the committee to make the draft Bill public.

It also emerges from these minutes that the Vidhi Centre for Legal Policy played a key role in the drafting process. The same organisation also - rather shoddily - drafted the 2016 Aadhaar Act. Being among those concerned about Aadhaar we find this ominous - the Data Protection Act should not be reduced to an enabler for Aadhaar.

The minutes of the meeting were obtained through an RTI filed by Anjali Bhardwaj. The entire document can be accessed here.

Reminder: Rethink Aadhaar wrote to the Committee earlier asking for broader representation on the committee since most Committee members have publicly supported Aadhaar. Further, the conduct of this Committee has been far from transparent. The Rethink Aadhaar response to the White Paper on Data Protection framework for India may be found here.


Engage with us on Twitter: