I/II.
https://scroll.in/article/830589/under-the-right-to-information-law-aadhaar-data-breaches-will-remain-a-state-secret

[In response to a right to information application filed last year in
the course of Scroll.in’s Identity Project series, the Unique
Identification Authority of India refused to share data on how many
security breaches, intrusion attempts or security incidents it had
detected or been notified of. It denied this information for both its
Central Identities Data Repository, where it stores all core biometric
information, as well as for the other databases it maintains.]

IDENTITY PROJECT

Under the right to information law, Aadhaar data breaches will remain
a state secret
Scroll.in's queries for information were dismissed on grounds of
national security and confidentiality.

2 hours ago.
Anumeha Yadav

On February 18, Hindi news daily Dainik Bhaskar reported the arrest of
six salespersons of telecommunications service provider Reliance Jio
in Madhya Pradesh for selling SIM cards by using the Aadhaar data and
fingerprint scans of other customers for between Rs 300 and Rs 1,000.

A day earlier, security researcher Srinivas Kodali brought to the
notice of the authorities that a website had leaked the Aadhaar
demographic data of over five lakh minors. The website was shut down
immediately.

Yesterday I was informed about a website which was publishing #Aadhaar
numbers of minors. We informed the authorities and brought it down.
pic.twitter.com/9k2TK39x7n

— Srinivas Kodali (@iotakodali) February 17, 2017
The researcher warned of the existence of several such parallel
databases that stored identification data by linking to Aadhaar, and
the lack of oversight over this.

The two cases are the latest in a number of incidents in the past
month that have raised questions about the security of the Aadhaar
database – which contains the biometric data of over a billion
Indians.

The first signs of trouble came on February 24 with media reports that
the Unique Identity Authority of India – which enrols residents,
stores and manages their biometric data, and issues the 12-digit
Aadhaar numbers – had, in a first, registered a complaint with the
Delhi Police against Axis Bank Limited, Suvidha Infoserve, which is a
business correspondent with Axis, and esign provider eMudhra. The
three are accused of performing multiple Aadhaar transactions using
stored biometrics in violation of the Aadhaar (Targeted Delivery of
Financial and Other Subsidies, Benefits, and Services) Act, 2016,
which prohibits the storage of such data.

In all of the above cases, it is not clear if the individuals whose
personal data was compromised were even informed of it. This leads to
the question: what right to information does an individual have in the
case of such a security breach?

Information blackout
Section 6 of the Aadhaar (Sharing of Information) Regulations says:

The Aadhaar number of an individual shall not be published, displayed
or posted publicly by any person or entity or agency.

However, at the same time, the Aadhaar Act lacks any provision for a
mandatory notice to an individual in case of a breach of his or her
information – which was a recommendation of the Justice Shah Committee
on Privacy in 2012, which was set up to lay the ground for a
comprehensive new privacy law.

Thus, under the law, Aadhaar users have no right to be informed when a
crime related to their personal data occurs. And they cannot approach
a court directly because under Section 47 (1) of the Aadhaar Act, the
Unique Identification Authority of India has the exclusive power to
make complaints in case of any violation or breach of privacy.

In the case of Axis Bank and the other two firms, the Authority has
temporarily stopped them from conducting Aadhaar-based transactions
while the investigation is on, but it is not clear if any notice has
also been sent to the individuals whose stored biometrics were used
illegally by the firms.

Regarding the leak of data of five lakh minors, security researcher
Srinivas Kodali said he was not aware if the parents of the children
had been informed about the breach after he alerted the authorities.
“They should have notified parents of all minors whose data was on the
website, issued them new Aadhaar numbers, but this has not happened,
as far as I know,” he said. “The authorities have not even formally
acknowledged that I notified them that this data was leaking.”

What’s more, information regarding breaches and security-related
incidents is not accessible even under the Right to Information Act.

***In response to a right to information application filed last year
in the course of Scroll.in’s Identity Project series, the Unique
Identification Authority of India refused to share data on how many
security breaches, intrusion attempts or security incidents it had
detected or been notified of. It denied this information for both its
Central Identities Data Repository, where it stores all core biometric
information, as well as for the other databases it maintains.***
[Emphasis added.]

The Unique Identification Authority of India denied sharing
information on data breaches under an RTI query filed by Scroll.in.
The Unique Identification Authority of India denied sharing
information on data breaches under an RTI query filed by Scroll.in.

While denying the information, the Authority cited Section 8 (1) (a)
of the Right to Information Act, which mentions national security and
states:

8 (1) Notwithstanding anything contained in this Act, there shall be
no obligation to give any citizen,

(a) information, disclosure of which would prejudicially affect the
sovereignty and integrity of India, the security, strategic,
scientific or economic interests of the State, relation with foreign
State or lead to incitement of an offence.

It also cited Section 7 of the Aadhaar (Data Security) Regulations
that deals with confidentiality of “procedures, orders, processes,
standards and protocols” on security.

Similarly, the Authority refused to share information on security
practices, citing Section 8 (1) (1) of the Right to Information Act,
and Section 7 of the Aadhaar (Data Security) Regulations. “…data being
national asset and sharing the systems in place can affect the
security interest of the UIDAI and may lead to incitement of an
offence,” it noted in its reply to Scroll.in’s right to information
application.

The Authority also declined sharing information on practices
maintained for data security in reply to Scroll.in's RTI query.
The Authority also declined sharing information on practices
maintained for data security in reply to Scroll.in's RTI query.

No disclosure
Legal experts said this absence of proactive disclosure in the Aadhaar
system was in contrast with international norms on data protection and
transparency towards users.

Chinmayi Arun, executive director of the Centre for Communications
Governance at the National Law University, Delhi, said that in the
United States, every time a breach takes place, the authorities have
to follow proactive disclosure requirements.

“Other countries like the US that are used to sell the idea of
government databases to Indian citizens do not run their databases
with such wilful carelessness, they are required by law to publish it
and inform citizens,” she said. “Here, the government refuses to make
the UIDAI tell citizens when a stranger has stolen their personal
data. The UIDAI refuses to divulge the most basic security breach
statistics when asked under the RTI. The haphazard security of the
biggest biometric database on earth should worry everyone.”

According to technology lawyer Apar Gupta, “the UIDAI is a blackbox
that cannot be opened even after a system crash”.

He said, “In Aadhaar, there is no proactive duty to publish the data
breach as an individual notification to the affected Aadhaar user, no
legal obligation to even publish aggregate data at the end when the
breach is rectified, no reporting requirement to any other government
department.”

Gupta pointed out that Aadhaar lacks an oversight mechanism, and a
bounty reporting system that rewards those who find and report
security flaws in its system – all measures that would encourage
vulnerability testing to prevent hacks and exploitive acts.

On the contrary, reporting security flaws may land one in trouble, as
in the case of entrepreneur Sameer Kochhar. Last week, the Authority
registered a police complaint against him after he published an
article and video on his web magazine on February 11 demonstrating how
Aadhaar systems were vulnerable to replay attacks in instances where
firms registered with the Authority resorted to illegally storing
biometrics locally.

The Delhi Police are investigating the charges made by the Authority
against Kochhar under Section 37 of the Aadhaar Act, which deals with
the intentional disclosure of “identity information collected in the
course of enrolment or authentication”.

Lawyers and technical experts have criticised the Authority’s decision
to take action against an individual for reporting a security
vulnerability in Aadhaar.

II.
https://scroll.in/article/830946/not-just-mid-day-meals-aadhaar-made-mandatory-for-11-more-schemes-violating-supreme-court-ruling

[Said legal scholar Dr Usha Ramanthan: “They are making it clearer and
clearer that the Unique Identification project is not about inclusion
or reaching one’s entitlements, but coercion and exclusion. Now that
they have reached children, I hope people will realise what this
project is about.”]

IDENTITY PROJECT

Not just mid-day meals: Aadhaar made mandatory for 11 more schemes,
violating Supreme Court ruling
Disabled citizens getting scholarships and women rescued from sexual
trafficking seeking job training will now have to produce UID.

42 minutes ago.
Mridula Chari ,  Anumeha Yadav  &  Shreya Roy Chowdhury

Days after news broke of the central government mandating that
children will not be served mid-day meals at school without Aadhaar
cards from June, it turns out that five central government ministries
have in the last week issued a series of 14 similar notifications for
11 schemes, including access to primary and secondary education.

In this, the central government continues to violate a Supreme Court
order of October 2015 specifying that the Universal Identification
Document, commonly known as Aadhaar, cannot be made mandatory for any
government scheme. It can only be used as voluntary identification for
five specific government programmes: public distribution scheme,
National Rural Employment Guarantee Act, National Social Assistance
Programme, Jan Dhan Yojana and for LPG subsidies.

No schemes of this sort are among the 14 notifications from the
Ministries of Social Justice and Empowerment, Human Resource
Development, Health and Family Welfare, Labour and Employment, and
Women and Child Development issued since February 21.

The notifications follow a similar format: they describe the general
benefits of Aadhaar, the scheme and its beneficiaries, and lay out a
deadline for enrolling in Aadhaar to continue accessing these schemes.
None of the notifications specify the particular benefits of Aadhaar
for that particular scheme.

Proof of Aadhaar or Aadhaar enrolment is now necessary for accessing
these government schemes.
Proof of Aadhaar or Aadhaar enrolment is now necessary for accessing
these government schemes.
While most deadlines for application range from the end of March 2017
to 2018, the Labour ministry’s notifications mandate beneficiaries to
apply for Aadhaar by the same date on which the ministry issued the
notification.

Privacy in question
Beneficiaries of government schemes who will have to apply for an
Aadhaar number and have their status logged into the Aadhaar database
include immensely vulnerable groups such as children between 6 and 14
years old, women rescued from sexual trafficking, and even disabled
citizens who wish to apply for or continue getting scholarships or
government-funded aids and appliances.

Other beneficiaries listed in these notifications include adults who
are not literate and seek skill training, health workers, aspiring
women entrepreneurs and those seeking career guidance and jobs.

The notifications have also raised concerns of privacy of
beneficiaries, such as women rescued from trafficking and other
groups. In February, several instances of security weaknesses in
Aadhaar, through leak of demographic data of children and instances of
private firms illegally storing biometrics have come to light.

“This manipulation at the highest level is not good for the country
and democracy,” said Bezwada Wilson, National Convenor of the Safai
Karmachari Andolan and one of the petitioners in the Supreme Court
case against the mandatory implementation of Aadhaar.

People from the most discriminated against communities like ragpickers
and safai karmcharis do not want their identity to be revealed, Wilson
noted. Pointing out the privacy issues in surrendering biometric
details to the government, he added, “Tomorrow, I can become doctor or
a journalist. Why should I reveal what I have done previously?”

Education rights ‘violated’
For education activists, making Aadhaar enrollment mandatory for
accessing an umbrella scheme like the Sarva Shiksha Abhiyan is a
“clear violation” of the Right to Education Act.

The Sarva Shiksha Abhiyan, funding for which is shared by the Centre
and most states in a 60:40 ratio, is meant to support the
implementation of Right to Education and help achieve universal
elementary education. Consequently, its funds go toward a very wide
range of activities including building new schools and maintaining
existing ones, supplying textbooks and uniforms, paying teachers and
running special training centres for out-of-school children. All
children in public schools in the six-14 age-group are likely to be
beneficiaries and, therefore, required to produce Aadhaar cards.

Lawyer and education activist Khagesh Jha pointed out that the act
itself was created to “remove barriers to education” and has been
interpreted to mean that no documents will be required for a child in
the six to 14 age-group to take admission in a school. “This is
violation of the fundamental right and of the Act,” he said. He also
added that this is the first barrier – in the shape of a required
document – being introduced in schools across India. In some states,
including Delhi, Aadhaar has already been made mandatory and
scholarships and other amounts are transferred directly into bank
accounts linked to the unique identity numbers.

“When no document is required for enrollment, how can they ask for
Aadhaar to access a scheme like SSA?” asked Ambarish Rai of the Right
to Education Forum. “To get an Aadhaar card, in practice, you are
asked to produce residence [and identity] proof. Many families do not
have any. Landlords hesitate to endorse applications. Migrant families
will be excluded in the process.”

Signing up
There are two ways in which a resident can enrol oneself in Aadhaar:
by producing two existing valid ID or, for those unable to produce
such ID, by the “introducer system” through an introducer appointed by
a registrar. A Right to Information query filed by Scroll.in, the
Unique Identification Authority of India shows that till 2016, when
over 105.1 crore residents had enrolled, only 8,47,366 – or 0.08% –
got Aadhaar through “introducer system.” Over 99.9% had to show two
pre-existing ID to obtain an Aadhaar.

Disabled children, already out of school in large numbers, will be
further deterred.

“As per the last sample survey by IMRB-Social and Rural Research
Institute [2015], 28% of disabled children were out of school,”
observed Radhika Alkazi of Astha, an organisation that works with
disabled children. “There are already huge barriers to getting into
school and staying on. Adding one more pre-condition is cruel.”

Aadhaar number has been made mandatory for accessing a range of
schemes of the Department of Empowerment of Persons with Disabilities
under the Ministry of Social Justice and Empowerment, including pre
and post-matric scholarships, free coaching and travel allowances. The
scheme for distributing aids and appliances been added to the SSA in
the case of disabled children. “Certification is already such a
cumbersome process and now more people will give up along the way,”
said Alkazi. “The irony is, we now have a new act. While policies are
being strengthened, on the ground they are being constantly
undermined.”

Rai suspects the process of linking the schemes is intended to help
weed out “fake enrollments and beneficiaries”. Till now, funds for
most functions were released on the basis of enrollment reported by
schools. “Now they want to track all children in that age-bracket,” he
added. “But this exercise is dangerous and will lead to many being
excluded. Unique IDs have nothing to do with enrollment, retention or
quality.”

The time allowed for applying for Aadhaar is not sufficient either,
felt activists. For most education or related schemes under the
Ministries of Human Resource Development and Social Justice and
Empowerment, the deadline is June 30. Teachers or staff-members
employed under Sarva Shiksha Abhiyan have to enroll Aadhaar up too and
by June 30. “Three-and-a-half months for a country like India is
nothing,” said Alkazi. But beneficiaries of adult education schemes –
Saakshar Bharat for skill-development and another one supporting NGOs
and private organisations in the field of adult education – have till
the end of the month.”

***Said legal scholar Dr Usha Ramanthan: “They are making it clearer
and clearer that the Unique Identification project is not about
inclusion or reaching one’s entitlements, but coercion and exclusion.
Now that they have reached children, I hope people will realise what
this project is about.”*** [Emphasis added.]


-- 
Peace Is Doable

-- 
You received this message because you are subscribed to the Google Groups 
"Green Youth Movement" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send an email to [email protected].
Visit this group at https://groups.google.com/group/greenyouth.
For more options, visit https://groups.google.com/d/optout.

Reply via email to