Updates

Vol. 2: Delinking Aadhaar, Data Protection, and more!

Volume 2. August 2018

I. Wishing you had never linked Aadhaar to your bank account, and wishing you could delink?

Many people linked their Aadhaar numbers to their bank account under coercion and fear of losing access to their financial assets. However, for those now wondering how safe such linking is, here is some hope - it is indeed possible to delink your Aadhaar and bank account! Download and complete this one-page form, and submit it to the manager at your bank branch. You could ensure you get SMS confirmation that Aadhaar has indeed been delinked!

II. CAN AADHAAR EXIST IN A DATA PROTECTION REGIME?

Aadhaar insufficiently cut to size by Srikrishna Committee recommendations; Rethink Aadhaar to participate in public consultation

The Ministry of Electronics and Information Technology (MeitY), headed by Ravi Shankar Prasad, constituted a Committee of Experts to deliberate on a data protection framework for India on 31st July 2017, chaired by ex-Justice B N Srikrishna of the Supreme Court. Rethink Aadhaar had made submissions to this Committee. Almost a year after it was constituted, the Committee submitted its report and a draft data protection bill on 27th July 2018. The report is 213 pages in all (including annexures and an appendix) and the bill is 67 pages long (including prescribed amendments to other existing Acts in order to ensure no conflict with the proposed bill). The bill has been published solely in English and no other language. The Committee has invited comments with the last date of submission being 10th September.

The report is unsatisfactory with respect to Aadhaar, which is unsurprising given that the Committee was stacked with people who have publicly espoused views in support of Aadhaar. The recommendations envisage the UIDAI in a regulatory role (like TRAI, SEBI, etc), which is unacceptable because the UIDAI is also the implementing agency. The Committee effectively suggests that the UIDAI regulate itself. The track record of the UIDAI so far inspires little confidence that they will do a good job in self-regulation. The Committee also recommends that individuals should be able to approach the Data Protection Authority (DPA) with grievances against the UIDAI. It must be remembered that, as per the current Aadhaar Act in force (the constitutionality of which has been challenged in the Supreme Court, with the judgment pending), anybody with a grievance against the Aadhaar Act, 2016, has to go to the UIDAI itself for redressal!

The report takes into account Virtual IDs (VIDs) and offline verification even though the report itself says, "there is no statutory backing for such announcements as on date and it is unclear as to how they are to be effectively implemented." Further, after accounting for VIDs, it still allows for certain entities to access the Aadhaar number itself for functioning. This defeats the purpose of creating VIDs if certain entities can still combine databases using their access to the Aadhaar number. If VIDs are being advocated, they must be made applicable in all cases without exception. Short of destroying the Aadhaar, the next best thing to ensure inability to combine databases for profiling might be to use VIDs everywhere without exception. But it must be noted here that even if Virtual IDs are used everywhere all-the-time thereby making it quite difficult for most people to combine databases, the UIDAI itself will still have the metadata of authentication logs and anyone with that data will still technically have the capability to profile Aadhaar users.

The proposed offline verification technology using QR codes could be applied to any and all other IDs to ensure their genuineness thereby removing the need for one more ID such as Aadhaar. If no Aadhaar number or biometrics is being used in this mechanism, then what is the need for Aadhaar itself?

The draft of the Data Protection bill sets a high bar in certain cases, such as:

  • Section 12 (2) says that consent (to sharing data) must be capable of being withdrawn. This would imply that those who have Aadhaar and wish to now opt-out should be able to do so.

  • Section 12 (3) says that provision of any service shall not be made conditional to processing of data not necessary for that purpose. This could be read to mean that Aadhaar should not be mandatory.

This high bar is then seemingly watered down in the case of Aadhaar as follows:

  • Section 13 (2) will allow the state to authorise by law processing of personal data for provision of services and benefits or issuance of certifications, licenses or permits by the state to the citizen. Although this seems reasonable enough, the next point makes the exemption for government services even more broad in the case of Aadhaar.

  • Section 19 seeks to allow processing of sensitive personal data (which is what Aadhaar numbers would be classified as under this bill) if it is “strictly necessary” for the provision of services and benefits authorised by law. This seems to be allowing the state an exception in the case of Aadhaar to make it mandatory by law and thereby impractical to opt-out.

  • Curiously, although Section 12 (3) can be thought to imply that Aadhaar cannot be made mandatory for any service, the bill also states that the person withdrawing consent (and thereby opting out of Aadhaar) would be responsible for implications of withdrawal of consent. One wonders if this means that the individual withdrawing consent would then be held responsible if the government then denies any service on this account.

Other provisions state that personal data breaches (which the report acknowledges have been rampant in Aadhaar) will have to be reported to the Data Protection Authority (DPA) which will then determine if the individual(s) whose data has been compromised and the public at large are to be informed of the breach or not. One would imagine that all breaches should be reported to at least the individual(s) affected by default.

The report says, "The right to object to processing; right to object to direct marketing, right to object to decisions based on solely automated processing, and the right to restrict processing need not be provided in the law". Since one of the possible commercial uses of Aadhaar (because, supposedly ‘data is the new oil’) is for such targeted marketing and making decisions that affect individuals by analysing ‘big data’, it is sad that the Committee recommended against providing safeguards against this in the law.

It might appear that the Committee has tried its best to save Aadhaar. Media reports also reinforce this apprehension. Two notes of dissent were published in the report. Ms. Rama Vedashree says, “In addition to the above-mentioned points, the report under chapter 7 and the associated appendix, suggests sweeping amendments to the Aadhaar Act; these need a thorough review. I suggest a separate public consultation exercise by the government to examine these amendments.” Prof. Rishikesha T Krishnan of IIM Indore noted that “[t]he observations and recommendations regarding the Aadhaar Act are outside the scope of the committee’s work.” Ironic, considering Aadhaar is one of the primary factors that led to the constitution of the Committee in the first place.

Nandan Nilekani (former Chairperson of the UIDAI) later suggested that the Supreme Court bench to decide on the constitutionality of Aadhaar should look at this Committee’s report. The Chief Justice of the Supreme Court, however, said, “I do not think that is required.”


Going forward we hope that the government will give due regard to the pre-legislative process adopted in 2014 and have meaningful consultations with respect to the proposed data protection bill and the amendments to the Aadhaar Act 2016. Currently, the government has sought feedback on the recommendations of the Srikrishna Committee. Although the pre-legislative process clearly states that the “summary of feedback/comments received from the public/other stakeholders should also be placed on the website of the Department/Ministry concerned” MeitY has refused to share this information more than once. Justice Srikrishna justified this secrecy by comparing the process of drafting a law to taking a bath!

A list of articles published on Data Protection:

https://twitter.com/RohanV/status/1032148597297635328


III. “They have Bill Gates, we have Snowden!”

Whistleblower Edward Snowden fired his latest salvo at the UIDAI and Aadhaar emphasizing the potential for a civil death due to the pervasiveness of Aadhaar. Speaking on video at a journalism event, Snowden said that the UIDAI had created a mass surveillance system with Aadhaar. Watch the full video interview on Moneylife.

Given the support Aadhaar has received from the likes of Bill Gates, Snowden's comments are a shot in the arm for everyone agitating against Aadhaar. We continue to hope that such international criticism of Aadhaar will force some accountability.

IV. Face authentication: UIDAI’s latest “gimmick”?

While the very fate of Aadhaar is pending in the Supreme Court, and while India is yet to establish a data protection regime, the latest measure mandating face recognition in addition to the existing fingerprint or iris (biometric) authentication is, as Yogesh Sapkale points out in Moneylife, only the latest in the series of gimmicks. These steps follow the circular on face recognition published by the UIDAI on 15th January. The circular states that all Aadhaar User Agencies and Registered Device providers must comply or face action under sections 42 and 43 of the Aadhaar Act, 2016. As things stand, the UIDAI seems intent on rolling out face authentication on Sep. 15, but is yet to publish any notification on the same.


A scathing editorial by the Times of India notes “In what is implicit acceptance of exclusion errors, Unique Identification Authority of India (UIDAI) has begun face recognition for Aadhaar authentication. UIDAI circulars since January harp on the need to make Aadhaar authentication “more inclusive” by performing facial recognition in addition to fingerprint/iris scans. In April, UIDAI told Supreme Court that authentication failure rates were 6% for fingerprint scan and 8.54% for iris scans. In July 2018, there were 71 crore fingerprint and 1.6 crore iris authentications indicating a whopping 4 crore fingerprint authentication failures last month.

These failures could have happened to people accessing rations or purchasing new SIM cards. Aadhaar was initially pitched as an efficient way of delivering welfare. But now, like Leviathan, it is extending its empire everywhere. Limiting Aadhaar to welfare and fixing the glitches must precede overreach. The trust quotient with Aadhaar is falling. Earlier, we were told fingerprints are almost foolproof but then iris scanners were introduced. Goalposts keep changing all the time. Or is it Aadhaar that is floundering?”


V. Rajasthan Govt. adds more fuel to the Aadhaar-for-surveillance fire

Caravan Magazine reported that, “A 30-year-old who tried to apply for the post of a librarian with the Rajasthan government this July was shocked when the state’s information technology department asked for access to his Twitter, Facebook or Gmail accounts as a pre-condition for the application. If he did not wish to share his social media information, the government’s web portal for job applications—Rajasthan Single Sign On, or RSSO—said, he would have to provide both his Aadhaar number and the biometric data registered with the Unique Identification Authority of India.”

The screenshot below illustrates the unfettered access the RSSO app demands of users.


VI. Ministry of Corporate Affairs clarifies: Aadhaar NOT mandatory for directors of companies

The notification dated 5th July 2018 is available here. The clarification issued by the Ministry of Corporate Affairs is recorded in the letter issued by the Institute of Company Secretaries.

It appears that providing Aadhaar might still be mandatory for those directors who are already enrolled. Business Standard reports: “Angry directors mull legal action as Aadhaar is made mandatory.”


VII. UIDAI’s use of advertisements


UIDAI’s use of advertisements was analysed in The Wire. Anandita Thakur and Karan Saini write “It is unsurprising, therefore, that the advertisements the UIDAI has commissioned over the last few years come from a moralistic high-ground, where nothing is wrong in Aadhaar-land and everything works as it’s supposed to. As we show below, these advertisements masquerade under the guise of serving a public good while conveniently sidestepping legitimate concerns regarding failures of the project.” The authors point out “The question arises, do these advertisements fulfill the purpose of serving a public good, or are they merely attempts at public-service-propaganda being paid for by taxpayer money? (Rs 30 crore was spent for an ‘image makeover’ of Aadhaar in the fiscal year 2014)”


VIII. Digital Security Tools and Tactics


Given the increasing concerns around data security, we found Security in a Box useful. Let us know if you have come across any other tools and information we can learn from!


Finally, here are a couple of cases where there has been an official rethink on the use of Aadhaar: