I/II. https://scroll.in/article/830589/under-the-right-to-information-law-aadhaar-data-breaches-will-remain-a-state-secret
[In response to a right to information application filed last year in the course of Scroll.in’s Identity Project series, the Unique Identification Authority of India refused to share data on how many security breaches, intrusion attempts or security incidents it had detected or been notified of. It denied this information for both its Central Identities Data Repository, where it stores all core biometric information, as well as for the other databases it maintains.] IDENTITY PROJECT Under the right to information law, Aadhaar data breaches will remain a state secret Scroll.in's queries for information were dismissed on grounds of national security and confidentiality. 2 hours ago. Anumeha Yadav On February 18, Hindi news daily Dainik Bhaskar reported the arrest of six salespersons of telecommunications service provider Reliance Jio in Madhya Pradesh for selling SIM cards by using the Aadhaar data and fingerprint scans of other customers for between Rs 300 and Rs 1,000. A day earlier, security researcher Srinivas Kodali brought to the notice of the authorities that a website had leaked the Aadhaar demographic data of over five lakh minors. The website was shut down immediately. Yesterday I was informed about a website which was publishing #Aadhaar numbers of minors. We informed the authorities and brought it down. pic.twitter.com/9k2TK39x7n — Srinivas Kodali (@iotakodali) February 17, 2017 The researcher warned of the existence of several such parallel databases that stored identification data by linking to Aadhaar, and the lack of oversight over this. The two cases are the latest in a number of incidents in the past month that have raised questions about the security of the Aadhaar database – which contains the biometric data of over a billion Indians. The first signs of trouble came on February 24 with media reports that the Unique Identity Authority of India – which enrols residents, stores and manages their biometric data, and issues the 12-digit Aadhaar numbers – had, in a first, registered a complaint with the Delhi Police against Axis Bank Limited, Suvidha Infoserve, which is a business correspondent with Axis, and esign provider eMudhra. The three are accused of performing multiple Aadhaar transactions using stored biometrics in violation of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits, and Services) Act, 2016, which prohibits the storage of such data. In all of the above cases, it is not clear if the individuals whose personal data was compromised were even informed of it. This leads to the question: what right to information does an individual have in the case of such a security breach? Information blackout Section 6 of the Aadhaar (Sharing of Information) Regulations says: The Aadhaar number of an individual shall not be published, displayed or posted publicly by any person or entity or agency. However, at the same time, the Aadhaar Act lacks any provision for a mandatory notice to an individual in case of a breach of his or her information – which was a recommendation of the Justice Shah Committee on Privacy in 2012, which was set up to lay the ground for a comprehensive new privacy law. Thus, under the law, Aadhaar users have no right to be informed when a crime related to their personal data occurs. And they cannot approach a court directly because under Section 47 (1) of the Aadhaar Act, the Unique Identification Authority of India has the exclusive power to make complaints in case of any violation or breach of privacy. In the case of Axis Bank and the other two firms, the Authority has temporarily stopped them from conducting Aadhaar-based transactions while the investigation is on, but it is not clear if any notice has also been sent to the individuals whose stored biometrics were used illegally by the firms. Regarding the leak of data of five lakh minors, security researcher Srinivas Kodali said he was not aware if the parents of the children had been informed about the breach after he alerted the authorities. “They should have notified parents of all minors whose data was on the website, issued them new Aadhaar numbers, but this has not happened, as far as I know,” he said. “The authorities have not even formally acknowledged that I notified them that this data was leaking.” What’s more, information regarding breaches and security-related incidents is not accessible even under the Right to Information Act. ***In response to a right to information application filed last year in the course of Scroll.in’s Identity Project series, the Unique Identification Authority of India refused to share data on how many security breaches, intrusion attempts or security incidents it had detected or been notified of. It denied this information for both its Central Identities Data Repository, where it stores all core biometric information, as well as for the other databases it maintains.*** [Emphasis added.] The Unique Identification Authority of India denied sharing information on data breaches under an RTI query filed by Scroll.in. The Unique Identification Authority of India denied sharing information on data breaches under an RTI query filed by Scroll.in. While denying the information, the Authority cited Section 8 (1) (a) of the Right to Information Act, which mentions national security and states: 8 (1) Notwithstanding anything contained in this Act, there shall be no obligation to give any citizen, (a) information, disclosure of which would prejudicially affect the sovereignty and integrity of India, the security, strategic, scientific or economic interests of the State, relation with foreign State or lead to incitement of an offence. It also cited Section 7 of the Aadhaar (Data Security) Regulations that deals with confidentiality of “procedures, orders, processes, standards and protocols” on security. Similarly, the Authority refused to share information on security practices, citing Section 8 (1) (1) of the Right to Information Act, and Section 7 of the Aadhaar (Data Security) Regulations. “…data being national asset and sharing the systems in place can affect the security interest of the UIDAI and may lead to incitement of an offence,” it noted in its reply to Scroll.in’s right to information application. The Authority also declined sharing information on practices maintained for data security in reply to Scroll.in's RTI query. The Authority also declined sharing information on practices maintained for data security in reply to Scroll.in's RTI query. No disclosure Legal experts said this absence of proactive disclosure in the Aadhaar system was in contrast with international norms on data protection and transparency towards users. Chinmayi Arun, executive director of the Centre for Communications Governance at the National Law University, Delhi, said that in the United States, every time a breach takes place, the authorities have to follow proactive disclosure requirements. “Other countries like the US that are used to sell the idea of government databases to Indian citizens do not run their databases with such wilful carelessness, they are required by law to publish it and inform citizens,” she said. “Here, the government refuses to make the UIDAI tell citizens when a stranger has stolen their personal data. The UIDAI refuses to divulge the most basic security breach statistics when asked under the RTI. The haphazard security of the biggest biometric database on earth should worry everyone.” According to technology lawyer Apar Gupta, “the UIDAI is a blackbox that cannot be opened even after a system crash”. He said, “In Aadhaar, there is no proactive duty to publish the data breach as an individual notification to the affected Aadhaar user, no legal obligation to even publish aggregate data at the end when the breach is rectified, no reporting requirement to any other government department.” Gupta pointed out that Aadhaar lacks an oversight mechanism, and a bounty reporting system that rewards those who find and report security flaws in its system – all measures that would encourage vulnerability testing to prevent hacks and exploitive acts. On the contrary, reporting security flaws may land one in trouble, as in the case of entrepreneur Sameer Kochhar. Last week, the Authority registered a police complaint against him after he published an article and video on his web magazine on February 11 demonstrating how Aadhaar systems were vulnerable to replay attacks in instances where firms registered with the Authority resorted to illegally storing biometrics locally. The Delhi Police are investigating the charges made by the Authority against Kochhar under Section 37 of the Aadhaar Act, which deals with the intentional disclosure of “identity information collected in the course of enrolment or authentication”. Lawyers and technical experts have criticised the Authority’s decision to take action against an individual for reporting a security vulnerability in Aadhaar. II. https://scroll.in/article/830946/not-just-mid-day-meals-aadhaar-made-mandatory-for-11-more-schemes-violating-supreme-court-ruling [Said legal scholar Dr Usha Ramanthan: “They are making it clearer and clearer that the Unique Identification project is not about inclusion or reaching one’s entitlements, but coercion and exclusion. Now that they have reached children, I hope people will realise what this project is about.”] IDENTITY PROJECT Not just mid-day meals: Aadhaar made mandatory for 11 more schemes, violating Supreme Court ruling Disabled citizens getting scholarships and women rescued from sexual trafficking seeking job training will now have to produce UID. 42 minutes ago. Mridula Chari , Anumeha Yadav & Shreya Roy Chowdhury Days after news broke of the central government mandating that children will not be served mid-day meals at school without Aadhaar cards from June, it turns out that five central government ministries have in the last week issued a series of 14 similar notifications for 11 schemes, including access to primary and secondary education. In this, the central government continues to violate a Supreme Court order of October 2015 specifying that the Universal Identification Document, commonly known as Aadhaar, cannot be made mandatory for any government scheme. It can only be used as voluntary identification for five specific government programmes: public distribution scheme, National Rural Employment Guarantee Act, National Social Assistance Programme, Jan Dhan Yojana and for LPG subsidies. No schemes of this sort are among the 14 notifications from the Ministries of Social Justice and Empowerment, Human Resource Development, Health and Family Welfare, Labour and Employment, and Women and Child Development issued since February 21. The notifications follow a similar format: they describe the general benefits of Aadhaar, the scheme and its beneficiaries, and lay out a deadline for enrolling in Aadhaar to continue accessing these schemes. None of the notifications specify the particular benefits of Aadhaar for that particular scheme. Proof of Aadhaar or Aadhaar enrolment is now necessary for accessing these government schemes. Proof of Aadhaar or Aadhaar enrolment is now necessary for accessing these government schemes. While most deadlines for application range from the end of March 2017 to 2018, the Labour ministry’s notifications mandate beneficiaries to apply for Aadhaar by the same date on which the ministry issued the notification. Privacy in question Beneficiaries of government schemes who will have to apply for an Aadhaar number and have their status logged into the Aadhaar database include immensely vulnerable groups such as children between 6 and 14 years old, women rescued from sexual trafficking, and even disabled citizens who wish to apply for or continue getting scholarships or government-funded aids and appliances. Other beneficiaries listed in these notifications include adults who are not literate and seek skill training, health workers, aspiring women entrepreneurs and those seeking career guidance and jobs. The notifications have also raised concerns of privacy of beneficiaries, such as women rescued from trafficking and other groups. In February, several instances of security weaknesses in Aadhaar, through leak of demographic data of children and instances of private firms illegally storing biometrics have come to light. “This manipulation at the highest level is not good for the country and democracy,” said Bezwada Wilson, National Convenor of the Safai Karmachari Andolan and one of the petitioners in the Supreme Court case against the mandatory implementation of Aadhaar. People from the most discriminated against communities like ragpickers and safai karmcharis do not want their identity to be revealed, Wilson noted. Pointing out the privacy issues in surrendering biometric details to the government, he added, “Tomorrow, I can become doctor or a journalist. Why should I reveal what I have done previously?” Education rights ‘violated’ For education activists, making Aadhaar enrollment mandatory for accessing an umbrella scheme like the Sarva Shiksha Abhiyan is a “clear violation” of the Right to Education Act. The Sarva Shiksha Abhiyan, funding for which is shared by the Centre and most states in a 60:40 ratio, is meant to support the implementation of Right to Education and help achieve universal elementary education. Consequently, its funds go toward a very wide range of activities including building new schools and maintaining existing ones, supplying textbooks and uniforms, paying teachers and running special training centres for out-of-school children. All children in public schools in the six-14 age-group are likely to be beneficiaries and, therefore, required to produce Aadhaar cards. Lawyer and education activist Khagesh Jha pointed out that the act itself was created to “remove barriers to education” and has been interpreted to mean that no documents will be required for a child in the six to 14 age-group to take admission in a school. “This is violation of the fundamental right and of the Act,” he said. He also added that this is the first barrier – in the shape of a required document – being introduced in schools across India. In some states, including Delhi, Aadhaar has already been made mandatory and scholarships and other amounts are transferred directly into bank accounts linked to the unique identity numbers. “When no document is required for enrollment, how can they ask for Aadhaar to access a scheme like SSA?” asked Ambarish Rai of the Right to Education Forum. “To get an Aadhaar card, in practice, you are asked to produce residence [and identity] proof. Many families do not have any. Landlords hesitate to endorse applications. Migrant families will be excluded in the process.” Signing up There are two ways in which a resident can enrol oneself in Aadhaar: by producing two existing valid ID or, for those unable to produce such ID, by the “introducer system” through an introducer appointed by a registrar. A Right to Information query filed by Scroll.in, the Unique Identification Authority of India shows that till 2016, when over 105.1 crore residents had enrolled, only 8,47,366 – or 0.08% – got Aadhaar through “introducer system.” Over 99.9% had to show two pre-existing ID to obtain an Aadhaar. Disabled children, already out of school in large numbers, will be further deterred. “As per the last sample survey by IMRB-Social and Rural Research Institute [2015], 28% of disabled children were out of school,” observed Radhika Alkazi of Astha, an organisation that works with disabled children. “There are already huge barriers to getting into school and staying on. Adding one more pre-condition is cruel.” Aadhaar number has been made mandatory for accessing a range of schemes of the Department of Empowerment of Persons with Disabilities under the Ministry of Social Justice and Empowerment, including pre and post-matric scholarships, free coaching and travel allowances. The scheme for distributing aids and appliances been added to the SSA in the case of disabled children. “Certification is already such a cumbersome process and now more people will give up along the way,” said Alkazi. “The irony is, we now have a new act. While policies are being strengthened, on the ground they are being constantly undermined.” Rai suspects the process of linking the schemes is intended to help weed out “fake enrollments and beneficiaries”. Till now, funds for most functions were released on the basis of enrollment reported by schools. “Now they want to track all children in that age-bracket,” he added. “But this exercise is dangerous and will lead to many being excluded. Unique IDs have nothing to do with enrollment, retention or quality.” The time allowed for applying for Aadhaar is not sufficient either, felt activists. For most education or related schemes under the Ministries of Human Resource Development and Social Justice and Empowerment, the deadline is June 30. Teachers or staff-members employed under Sarva Shiksha Abhiyan have to enroll Aadhaar up too and by June 30. “Three-and-a-half months for a country like India is nothing,” said Alkazi. But beneficiaries of adult education schemes – Saakshar Bharat for skill-development and another one supporting NGOs and private organisations in the field of adult education – have till the end of the month.” ***Said legal scholar Dr Usha Ramanthan: “They are making it clearer and clearer that the Unique Identification project is not about inclusion or reaching one’s entitlements, but coercion and exclusion. Now that they have reached children, I hope people will realise what this project is about.”*** [Emphasis added.] -- Peace Is Doable -- You received this message because you are subscribed to the Google Groups "Green Youth Movement" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send an email to [email protected]. Visit this group at https://groups.google.com/group/greenyouth. For more options, visit https://groups.google.com/d/optout.
