There is confusion and ambiguity about the Unique Identity (aka Aadhaar) project implemented in India by UIDAI. This post is an attempt to compile the questions and concerns from various sources. I will update the post with clarifications when available & try to keep it updated with recent developments. My personal opinions or ideas will not be added & I will try to ignore anything that sounds illogical. Credit to authors will be given at all times when it's possible to find the authors & this post is under Attribution-ShareAlike 2.5 India for India & under Attribution-ShareAlike 3.0 Unported in all other countries.

Concerns:

Here are some questions on Aadhaar which are not answered at all.

1. The UID was promoted as a ‘voluntary’ ‘entitlement’. Now, people are being threatened that they cannot access any services or institutions unless they are enrolled for a UID. This has not happened only because states have so decided, but is based largely on the reports of various committees.


2. This coercion has been introduced into a project where no feasibility study has been done till date. On 28 September, 2010, 17 eminent citizens had raised questions about the launch of a project of this nature without even a report on feasibility. The Parliamentary Standing Committee had raised similar concerns. There are no answers yet, and yet the coercion has become the norm.

3. The Standing Committee on Finance roundly rejected the National Identification Authority of India Bill 2010, by its report presented to Parliament on December 13, 2011. It also said that the UID project needs to be sent back to the drawing board, citing various deficiencies in its plan and execution.

The UIDAI and government have chosen to ignore the report. There is still no law. And the UID project, and the compulsion that has been introduced, are occurring beyond the protection of the law.

4. Proof of Concept studies were done only after the project was already underway. While doing the PoC on enrollment (uploaded in February 2011, over 4 months after enrollment had begun), the report says, they did not include arecanut workers and other plantation workers because this would only complicate the sample. How can such a study find validity? Also, the findings of the study are not substantiated; the evidence is not available, and those reading the report critically have found it to be self-serving.

The Fingerprint Authentication report (March 2012) and the Iris Authentication report (September 2012) suffer from similar problems. And unreasonable assumptions have been used to make it appear like the technology can be made to work: for instance, it is said in the report that iris never changes! A study by two professors at Notre Dame demonstrates that this is in fact untrue, and that those who have been saying it have done so because no longitudinal studies had been done thus far, since this is such recent technology!

5. The UIDAI is pushing for ‘re-engineering’ all systems and ‘seeding’ all databases with the UID number to make it ‘ubiquitous’. This will make all systems dependent on the UID system functioning. Already, the inability to authenticate people is showing signs of requiring the use of ‘manual override’, which is a magnificent source of ‘leakage’ and of exclusion of those the system does not authenticate. This unseemly haste to shift to untested and undependable technology is a source of grave concern.

6. The seeding of the number everywhere also raises privacy concerns. UIDAI has not denied that the UID project raises serious privacy issues. But UIDAI has sidestepped the issue, saying that it is an issue wider than the UID project and needs a general law, and so he will not worry himself about it.

Whatever his assumption, the responsibility to ensure the protection of privacy — and in this case it would include concerns of profiling, tracking, tagging, convergence of data, data mining, the state and all manner of people gaining access to this data bank that is being created, especially in the context of data becoming a transactable commodity — must precede consideration of any such project. Instead, there is no law governing the project and the uses to which it may be put; and there is no law on privacy either.

7. While still on privacy, it is being propagated that ‘the poor have no use for privacy’. This casual dismissal of such a right, especially given how vulnerable the poor (including classes of migrants, homeless, jhuggi dwellers and the casualised workforce, for instance) are, needs to be confronted.

8. There is much concern about the companies to whom the UIDAI has given contracts. There are companies like L1 Identity Solutions whose favoured customer has been the CIA, where a former director of the CIA, George Tenet, was even on their Board. Accenture Securities Ltd, another company shortlisted for the project, is on the Smart Borders Project with the US Homeland Security. US law requires all agencies to provide any information demanded of them to the Homeland Security if asked.

When the UIDAI was sent an RTI asking why they had enlisted foreign companies such as these in the project, the answer was that they had no way of knowing whether they were foreign companies, because the way they invited participation did not elicit this information!

The absence of a law means that there is nothing binding them to a legal structure within which we could hold them.
The contracts with these companies are being denied for public perusal in the name of ‘confidentiality’.

9. The rampant outsourcing in the project means that all manner of people handle our data, including biometric data, and there is little that we can do when it is traded, misused, shared, lost ….

In January 2011, the Home Ministry had said that they could not use UIDAI data because it was insecure, unverified and could pose a security threat. Then they patched up their differences and decided to share the country 50:50! As citizens, though, the rapprochement does not answer the problems raised by the Home Ministry.

Where are the answers?

 

Confusion between NPR & UID projects.

It seems there is confusion regarding the purpose of two identical projects and no one seems to know the difference.

 

Court orders requesting clarification:

 

Ownership of data

It seems there is no clear answer as to who owns the data, and recent news articles like “Your data, going on sale soon” discuss these ownership issues.

Safety of data collected

There are numerous incidents of collected data being found discarded. The biggest such reported event is this one: “Maharashtra loses data of 3 lakh UID cards”.

 

 

What is the difference between a Bill and an Act?

 

Legislative proposals are brought before either house of the Parliament of India in the form of a bill. A bill is the draft of a legislative proposal, which, when passed by both houses of Parliament and assented to by the President, becomes an Act of Parliament. As soon as the bill has been framed, it has to be published in the newspapers and suggestions are invited from the general people, and after going through the suggestions of the people the bill is amended and then the Bill may be introduced in the Parliament by ministers or private members. The former are called government bills and the latter, private members’ bills. Bills may also be classified as public bills and private bills. A public bill is one referring to a matter applying to the public in general, whereas a private bill relates to a particular person or corporation or institution. The Orphanages and Charitable Homes Bill or the Muslim Waqfs Bills are examples of private bills. – wikipedia.org

US Patriot Act & security of Indian citizen data

In a nutshell, the act can force companies registered in the United States or their subsidiaries elsewhere to share any or all data with law enforcement agencies. A detailed description can be found here: USA Patriot Act

This is a major issue for many technology companies including Google, Apple, Microsoft, Facebook, Yahoo, Salesforce, Data.com etc. The act is in clear violation of EU data protection regulation and the UK privacy act, which clearly states individual data can be stored only in UK or safer harbors but access must not be allowed. Swiss regulations make this more complicated. As far as India is concerned, the IT Act 2000 and its 2008 amendments are not talking about any of these issues. The privacy law is still under scrutiny. There are incidents of many firms deciding against doing business with US based companies, of which some are listed below.

  1. European Firm Refuses To Go On the Microsoft Cloud Due to PATRIOT Act Concerns
  2. Microsoft admits Patriot Act can access EU-based cloud data
  3. PATRIOT Act and privacy laws take a bite out of US cloud business

Now let's get back to our context. This simply means that other countries can access all our biometric data without any permission whatsoever from us or our government. If one thinks this is OK, then this discussion is definitely for such people.

The question has been raised here long back but I am not sure how and why we are going to circumvent it. Here is a discussion about it which even activists seem to be not noticing – The Trouble With Big Brother’s Eye

 

To be added:

Time period of validity of a bill; reasons for a bill not being presented in Parliament; is there a provision under RTI to find out why a bill is not presented to the Parliament?