
All Posts | Jun 26, 2017

Delhi Tech Talks [June 23, 2017; New Delhi]

On June 23, 2017, the second edition of Delhi Tech Talks – a collaborative series of quarterly discussions on the state of tech policy in India – was organized by the Centre for Communication Governance at National Law University, Delhi (CCG), Centre for Internet and Society (CIS), Digital Empowerment Foundation (DEF), HasGeek, Internet Democracy Project (IDP), and SFLC.in at the India International Centre, New Delhi. The overarching theme for this event was data protection, privacy and citizenship, in the context of Aadhaar.

Session 1: Aadhaar, Data Privacy, and What it Means to be a Citizen

The discussion comprised two panels, the first of which was titled “Aadhaar, Data Privacy and What it Means to be a Citizen”. This panel was moderated by Ms. Shuchita Thapar (Project Manager, CCG), and featured the following speakers: Ms. Anja Kovacs (Founder-Director, IDP), Mr. Pranesh Prakash (Policy Director, CIS), Ms. Zainab Bawa (Founder & CEO, HasGeek), Mr. Osama Manzar (Founder, DEF), and Ms. Chinmayi Arun (Executive Director, CCG).

Ms. Anja Kovacs began by highlighting the negatives of surveillance. She said that surveillance is not just a matter of privacy but also social justice, and explained the same from a feminist perspective. In light of the recent comments made by the Attorney General that Indians do not have an absolute right over their bodies, she explained the shifting perspective on the definition of “body”. Ms. Kovacs said that in the age of digital technology, the body is not just limited to the physical self but extends to multiple data doubles in the virtual world. With respect to Aadhaar and the collection of biometrics, she said that if the data reflection of our body does not work, we might be denied basic services by the State and this will influence the relationship between citizen and State.

Mr. Pranesh Prakash was of the view that moving towards digitalization is not necessarily awful. It is a consequence of urbanization and helps in the larger project of nation state building. He emphasized that the problem lies with the implementation of the Aadhaar scheme and not so much with the law. He maintained that he is not against the idea of a foundational identification system upon which other identification mechanisms are based. Mr. Prakash clarified that the issue with Aadhaar is not identification, but unchecked surveillance, though he also added that just because a technology can be used for surveillance does not make it bad per se. Instead, there should be discussions around privacy and accountability with respect to Aadhaar.

Ms. Zainab Bawa said that Aadhaar is like a looming ghost – on one hand there is a growing belief that it is extremely important for one to have an Aadhaar card and on the other hand there is a lot of mystery surrounding its nature. She talked about the politicization of the issue of Aadhaar and how a binary is being promoted by the Government through Aadhaar and demonetisation. The Government is propagating the idea that anything that's analogue is backward. She also pointed out the problem of authentication failure and the confusion among citizens with respect to grievance redressal. Lastly, Ms. Bawa raised the following questions: “What are the spheres of relationships where regulations are required to protect privacy? In the absence of law, can mathematics sometimes provide a more elegant solution for privacy?”

Mr. Osama Manzar started with his views on what it is like to be a citizen in times of technology. According to Mr. Manzar, being a citizen in India is a luxury, considering the number of people who are denied benefits for the lack of Aadhaar. He cited the example of four hundred women sitting in front of a computer for three days to access a printout that was supposed to show that they were paid their MNREGA wages. Mr. Manzar mentioned that Aadhaar is digital exclusion in the name of inclusion.

Ms. Chinmayi Arun spoke about the ideals of a democratic state and how Aadhaar is contrary to it. In the context of Aadhaar, she expressed her skepticism with respect to a project where the Government identifies a problem and then finds a solution that does not necessarily have anything to do with the problem. She said that democracy is based upon a delicate balance between the citizens and the State. Ms. Arun also mentioned the importance of decentralization of power in a democratic State. She said that Aadhaar concentrates power and information in the Centre, and that this is incompatible with democracy. Further, Ms. Arun stated that democracy is about not trusting your Government, adding that this is not because the Government has harmful intentions but to maintain that delicate balance between the citizen and the State. She also remarked that the previous draft of the Aadhaar Act had the provision of an “ombudsman”, who could pull the plug on the entire system of Aadhaar. It has been removed from the new Act. Ms. Arun also gave the example of Germany, where a subject who is being surveilled is always informed of the same after the surveillance is complete. The subject can approach the court if he/she thinks that he/she has been illegally targeted by the State. This is contrary to what is followed in India, where there is no state accountability mechanism. Most of the safeguards that are considered fundamental in other countries are not implemented in India, said Ms. Arun.

Session 2: When Big Data Becomes Toxic

The second panel of the evening, titled “When Big Data Becomes Toxic” was moderated by Ms. Smitha Krishna Prasad (Project Manager, CCG), and had the following speakers: Mr. Anupam Saraph (Future Designer), Mr. Manish (Research Associate, Centre for Policy Research), Ms. Smriti Parsheera (Research Associate, National Institute for Public Finance and Policy), and Mr. Sukarn Singh Maini (Counsel, SFLC.in).

Mr. Anupam Saraph explained how Aadhaar is being used to facilitate benami transactions. He pointed out that the Reserve Bank of India (RBI) had initially refused to link Aadhaar with bank accounts, but information received through RTI revealed that they were compelled by the Ministry of Finance to allow the linking. He said that Aadhaar can be used to create multiple fake identities, hence enabling the creation of multiple fake bank accounts. Mr. Saraph highlighted that UIDAI signed an MoU with a non-governmental agency called National Payments Corporation of India to create the Aadhaar Enabled Payment System, which will enable transfer of funds from person to person instead of account to account.

Mr. Manish started by quoting an anecdote about his experience at a seminar on bonded labour. Representatives of the Government attending the seminar were asked to propose solutions to tackle the evil. Most of the labour secretaries from various states of India were of the view that the solution to tracing bonded labourers was to create a centralised database of such labourers with their Aadhaar details. Mr. Manish also explained how India has become a reluctant welfare state and that there is a push towards digitalization, especially with regard to financial services, post demonetisation.

Ms. Smriti Parsheera talked about big data and databases, and said that big data analysis can be utilized for a lot of good if done in the right way, though she also acknowledged the privacy and data protection challenges with big data. She touched upon the concern of bias with respect to big data analysis, citing the example of biases that creep into the criminal justice system. Lastly, she explained the link between big data and Aadhaar and how unidentifiable Aadhaar data analysis can be used for the benefit of research and analysis that can serve public good.

Lastly, Mr. Sukarn Singh Maini spoke about digital payments such as Unified Payments Interface and e-wallets, and the privacy concerns attached to them. He also explained how big data analysis can be used for behavioural advertising. He spoke about the Ministry of Electronics and Information Technology’s draft rules on e-wallets, the lack of a privacy and data protection legislation in India and the need for the same, and the need for the Supreme Court to form a bench to decide the pending issue of privacy.

All Posts | May 15, 2017

Summary Report – Revisiting Aadhaar: Law, Tech and Beyond [May 9, 2017; New Delhi]

On 9th May, 2017, SFLC.in in association with IT for Change and Digital Empowerment Foundation, organized a panel discussion titled “Revisiting Aadhaar: Law, Tech and Beyond” at India International Centre, New Delhi. Saikat Datta, Policy Director, Centre for Internet and Society moderated the panel comprising Anivar Aravind, Founder/Director at Indic Project; Anupam Saraph, Professor and Future Designer; Prasanna S., Advocate; Shyam Divan, Senior Advocate, Supreme Court of India; Srinivas Kodali, Co-founder at Open Stats; Osama Manzar, Founder and Director, Digital Empowerment Foundation; Usha Ramanathan, Legal Researcher. The event was meant as a forum for stakeholders to discuss recent developments around Aadhaar and formulate community responses to the concerns therein.

The discussion started with a brief introduction by Mr. Prasanth Sugathan (Legal Director, SFLC.in) of SFLC.in’s work related to Aadhaar, covering among others, our catalogues of notifications making Aadhaar mandatory for various purposes, violations of the Supreme Court’s orders limiting the use of Aadhaar, and known breaches and leaks from the Aadhaar database. Mr. Saikat Datta, in his opening remarks, dealt with a number of interesting developments around the Aadhaar Project – such as the notification of the Aadhaar Act, Aadhaar enrolment being mandatory for availing various benefits and subsidies from the Government, and a series of incidents where individuals’ Aadhaar information was leaked from Government databases – and opened the panel for discussion.

Mr. Osama Manzar said that in the name of e-governance and automation, we have put all our data online. While this may be a great step towards digitization of data, he said it is exclusionary at the same time for anyone who lacks understanding of how technology works. Therefore, even though our focus is inclusion, we are effectively excluding people. We do not have the technological capacity and the capacity to realize that sometimes central databases do not match with biometrics and hence getting entitlements becomes difficult.

Mr. Anivar Aravind pointed out that Aadhaar is not an open source project, as none of the technological infrastructure that has been built by UIDAI so far is open for anyone to audit. The argument that Aadhaar must be saved in light of the significant financial investments already made into the project does not hold up because Aadhaar is defective by design. Despite assurances that the Aadhaar project’s technical design has secured its database against leaks and breaches, a large number of data leaks have already been reported. Since Aadhaar is linked to centralized services such as Unified Payment Interface, Aadhaar Enabled Payment System, and Bharat Bill Payment System, these should be checked upon and regulated to protect consumer interests. Mr. Aravind said that today, the Government is asking us to trust them blindly without providing a system to audit the technical aspects of Aadhaar and the services linked to it.

Mr. Srinivas Kodali said he has been documenting issues around cyber security breaches and actively writing about them. He recalled an instance where he had reported an early Aadhaar leak containing the information of 5-6 lakh children to the UIDAI and National Critical Information Infrastructure Protection Centre, and suggested that they do a forensic investigation into the leak, only to have no action taken. Mr. Kodali said he has been working on the scale of actual impact of Aadhaar leaks and that there is ample evidence of data leaks from Government databases. According to him, the security of the Aadhaar system is poor and prone to hacking. He also pointed out that people who built the Aadhaar system no longer work for the UIDAI and instead run businesses on top of the Aadhaar framework, thus creating a conflict of interest.

On being asked about the Supreme Court’s response to the petitions filed against Aadhaar, Mr. Shyam Divan said that there is no accountability within the Court when it comes to how the roster is assigned. He also said that the Chief Justice of India feels there are not enough judges to spare for the 9-judge Constitution Bench, which is to examine crucial questions of law related to the citizens’ right to privacy in connection with the petitions filed against Aadhaar. Therefore, we are stuck in a difficult position and can only hope for interim relief. Mr. Divan pointed out that the judiciary needs to make its stance clear on the following issues: 1) Who does the body belong to? 2) Issues related to limited governance. 3) Right to Privacy. He added that Aadhaar is an untested technology and an instrument of oppression and exclusion. Even in the hypothetical absence of the Constitution of India, each one of us still has fundamental rights merely by virtue of being human, and these rights cannot be taken away by a project like Aadhaar.

Mr. Anupam Saraph said that the design flaws in Aadhaar start at the assumption that it is a database that identifies millions, which is false. There is no authority to certify proof of identity and address in Aadhaar. Unlike passport, driving license, ration card and other identification documents, there is no verification of Aadhaar details, except by private entities that we have no knowledge of. Also, registrars have the power to retain our data. There is no mechanism within the Aadhaar database to distinguish between citizens and non-citizens, or between terrorists and innocent citizens. He compared Aadhaar to acquiring AIDS, because it attacks its own citizens by lacking the ability to differentiate between aliens and non-aliens and denying individuals their rights and benefits. Further, he pointed out that recently, a minister admitted that 34,000 Aadhaar enrolment agencies had been blacklisted for indulging in malpractices. On average, the data shows that thirty thousand enrolments are done by one enrolling agency. On multiplying thirty thousand by thirty four thousand, we get 1.2 billion which is almost the entire database. Therefore an audit is imperative to verify all the data held in the Aadhaar database. Mr. Saraph also mentioned that since the data collected by these rogue agencies is questionable, Aadhaar is a huge threat to national security and should have been shut down long ago. He suggested that we should take a leaf out of the book of the British Parliament, which repealed the Identity Cards Act, 2006, after which the National Identity Register that contained the biometrics and personal details of millions of card holders was publicly destroyed. Mr. Saraph said that we need to pass a legislation that debars Aadhaar in the interest of national security.

Mr. Prasanna S. pointed out that the Government has been coming up with contradictory narratives in an attempt to challenge the maintainability of the petitions filed against Aadhaar. Initially, when the project was challenged, they argued that the petitions were delayed and suffer from laches, but on the other hand, they also said that the petitions were premature as the Parliament had not passed the Bill then. They say Aadhaar is both voluntary and mandatory. On being questioned about authentication failure and leaks, the Government says these are teething problems, while they defend the project saying it is a fait accompli. He also elaborated on the new projects that are being built with Aadhaar as their foundation. Terming Aadhaar an evidence-collecting mechanism rather than a unique identity scheme, Mr. Prasanna said the project has been a systematic attack on consent since its inception. He highlighted that irrespective of whether we value consent or not, there are rights that need to be protected by the State. Quoting the jurist and philosopher Ronald Dworkin, he said rights give the law a claim to respect, and that without rights, law is just brutality.

Dr. Usha Ramanathan explained that Aadhaar is an “identification” project and not a “unique identity” project. It was brought into the Government by the private sector, therefore there are private ambitions floating out of it, so the government is satisfying a double-agenda. She said that the meanings of rights and restrictions have been interchanged in these times. Over the years, restrictions have become more fundamental and the Government is shifting from rights to a governance framework. She was also of the view that individuals need to care more about the Aadhaar project and the manner in which it is being implemented. She highlighted the importance of civil disobedience and the need to learn a common humanity. She emphasized that blind obedience is the worst thing in a democracy – people should be encouraged to interrogate and question. She said that freedom cannot be compartmentalized, and that we need to take responsibility for everyone.

A number of interesting questions were asked and remarks were made by the audience, a notable few of which were:

  • Can Aadhaar enable the government to track down activists? Mr. Srinivas Kodali answered that while the Aadhaar system is certainly capable of being used to profile individuals, he doesn’t believe the UIDAI is actively doing so. However, the large-scale collection of personal information by private players for Aadhaar authentication etc. is still cause for concern, he said. Dr. Ramanathan added that with Aadhaar’s linkage to all kinds of essential activities and services, and with the Government reserving the right to disable Aadhaar cards, it is very easy for the Government to target activists and other dissenting voices through Aadhaar, should they wish to do so.

  • A petition has been filed in the Supreme Court challenging the money bill aspect of the Aadhaar Act. Will the court ever look into it? Mr. Shyam Divan answered that any reasonable person who looks at the Aadhaar Act will know it’s not a money bill. He said that he is hopeful the court will look into this aspect and not hide behind the argument that the Lok Sabha speaker’s call is final. It is the judiciary that is the final authority on this. Mr. Divan also remarked that the Aadhaar project is an architecture for hundred percent mass surveillance over the lifetime of Indian citizens. It is going to affect people’s political and social choices, and must therefore be challenged.

  • Is there any way to deactivate / cancel an Aadhaar number? To this, Mr. Prasanna suggested that Section 23 of the Aadhaar Act, which empowers the UIDAI to omit/deactivate Aadhaar numbers, may be invoked to request the UIDAI to deactivate an Aadhaar number. He made it clear, however, that Section 23 merely reserves this broad power for the UIDAI and in no way creates an obligation to honor such requests.

  • The judiciary is unable to contain the massive violation of interim orders and the manner in which the project is being implemented. What does the common citizen do? Mr. Divan answered that we have to be optimistic and keep fighting – we must not give up hope. Mr. Anupam Saraph mentioned that if the court does not give a favourable judgment, then individuals have to start interpreting what civil disobedience means to them.

All Posts | Dec 01, 2016

Digital Citizen Summit by Digital Empowerment Foundation

Our Counsel, Prasanth Sugathan, was part of a panel on privacy at the Digital Citizen Summit organized by Digital Empowerment Foundation (DEF) in Bangalore on 11th November, 2016. This session focused on digital privacy and other related concepts that have been brought into the limelight in recent times due to the emerging issues of big data, encryption, digital attacks, data mining, cyber security, anonymity, and surveillance. He was accompanied on the panel by Jimmy Schulz (ICANN ALAC Member and Deputy Chairman, ISOC Germany), Saikat Datta (Lead Researcher – Cyber Security), Arthit Suriyawangkol (Thai Netizen Network), Anja Kovacs (Director, Internet Democracy Project), and Deepak Maheshwari (Government Affairs, India & ASEAN Region, Symantec).