A more opaque Aadhaar

The Indian Express
July 15, 2019 
By Subasis Banarjee

Its technical design requires serious reconsideration, following amendments to the law.
Neither the Aadhaar holders nor the agencies responsible for service delivery have any control over either identity or authentication, causing understanding gaps and making grievance redressal difficult.
The Aadhaar amendment bill, which provides for voluntary use of Aadhaar for KYC (know your customer) under the Telegraph and Prevention of Money Laundering Acts, has now been passed by both Houses of Parliament. It has reinstated many of the provisions of Section 57 of the original Aadhaar Act which was struck down by the Supreme Court in September 2018 as unconstitutional.

Considering that Aadhaar virtual identities and offline authentication were introduced well before the judgment, the amendment comes with no major alteration in either design or use cases. Aadhaar undoubtedly is a technical and administrative achievement of an unprecedented scale, and KYC has been one of its more successful use cases.

However, the steamrolling of the legislative processes, without heed to the Supreme Court judgment or civil society concerns, appears to be closed-minded and brazen. Such disregard for dissenting opinions by planners and policy-makers is a definite cause for disquiet. Section 57 was struck down not only because of the procedural issue of passing Aadhaar as a money bill, but also due to serious concerns relating to privacy and proportionality. Moreover, the dissenting judgment of Justice DY Chandrachud found many other aspects of Aadhaar objectionable, including biometric authentication, and declared it to be unconstitutional in its entirety. In fact, very recently the Supreme Court of Jamaica also unanimously struck down their very similar National Identification and Registration Act as completely unconstitutional by heavily relying upon and extensively citing the dissenting opinion of Justice Chandrachud.

Clearly, there are several aspects of the Aadhaar technical design and its use cases that require serious reconsideration. Mandatory deployment of biometric authentication for everyday transactions in sectors like welfare, with no clear protocol for demarcating the false negatives from the true negatives, inevitably causes denial of service for some. The requirement of reliable online connectivity compounds the problem. While this gives Aadhaar a clear theory of exclusion, its theories of inclusion and efficiency in welfare are not adequately developed. Obviously, a lot more than Aadhaar needs to be in place to empower citizens to receive their entitlements.

A nation-wide digital identity limited only for de-duplication, authentication, KYC and limited fintech services is rather narrow. The Aadhaar design did not envisage using it for building online social, financial and asset registries, electronic health records etc. Consequently, the instrument lacks the robustness and privacy safeguards necessary to support such applications. The design also did not examine safe protocols for facilitating analytics for targeting of welfare, education and healthcare, econometric analysis, epidemiological studies, tax compliance etc., as the recent Economic Survey has suggested. This resulted in overreach with a narrow design, and ad hoc and extra-legal Aadhaar seeding in registries like the state resident data hubs (SRDHs), which ultimately had to be discontinued. Commercial use of Aadhaar linked data, also proposed in the recent Economic Survey, raises yet another set of very serious legal and technical questions.

The privacy attack surface in Aadhaar is inadequately modelled. There is no clear analysis of the minimum information that needs to be exchanged during authentication and KYC for various applications. Also, using the same identity across multiple applications may allow a correlation of identities across domains and illegal profiling. The voluntary-only use of virtual identities does not entirely mitigate the problem. Tracking and identification without consent may also happen through accessing the Aadhaar database and the authentication logs without legal sanctions. Moreover, because biometrics are not secret information, Aadhaar is vulnerable to illegal harvesting of biometrics, identity thefts and other frauds. The limited use of Aadhaar in welfare and KYC for phone and banking does not differentially add to the privacy risks of illegal profiling, because these databases can be linked even without Aadhaar. However, with the scope expanding and registries such as the SRDHs available, the privacy risks are considerable.

Lack of protection against insider threats, lack of clear policies on the use of virtual identities — especially on how the already linked Aadhaar information may be replaced, and whether or not only virtual identities will be linked henceforth — lack of any regulatory oversight and a data protection law raise some serious privacy concerns. As many have pointed out, the inadequate privacy safeguards can potentially give the government of the day unprecedented access to information and power over its citizens, threatening civil liberty and democracy.

Also, Aadhaar does not record the purpose of authentication. Authentication without authorisation and accounting puts users at serious risk of fraud because authentication or KYC meant for one purpose may be used for another, and there have indeed been such instances. Recording the purpose of authentication is crucial, even for offline use. Privacy by design is not achieved by self-imposed blindness. And, despite repeated demands from the civil society, there still is no publicly available comprehensive audit of either the enrolment process and the de-duplication efficacy, or of the exclusion rate due to Aadhaar.

Reference:-https://indianexpress.com/article/opinion/columns/aadhaar-amendment-bill-new-rules-uidai-5829226/

Comments

Post a Comment

Popular posts from this blog

India Joins Russia in Voting Against West-Backed Move to Expand Powers of OPCW

The Wire: June 28, 2018 New Delhi: India voted against a UK-backed move that will allow the global chemical weapons watchdog to apportion blame for illegal attacks, criticising the decision to grant “unchecked powers” to the head of the group which could be used for “partisan” purposes. On Wednesday, more than two-thirds of the member states of the Organisation for the Prohibition of Chemical Weapons (OPCW) voted to authorise the international body to identify the perpetrators and sponsors of a chemical weapons attack. It also specifically called on the OPCW’s technical secretariat to begin work on identifying the perpetrators behind the use of chemical weapons in Syria. The draft decision, sponsored by 30 countries, was adopted at the fourth special session of the conference of the states parties to the Chemical Weapons Convention at the Hague, with 82 in favour and 24 negative votes. While Europe, the United States and their allies voted ‘yes’, there was strong oppo...
Read more

As financial insecurity rises in urban India, so does investment in insurance

Image
Scroll.in March 13, 2020 Urban Indians are becoming less confident about their financial security. Up to 58% of them fret over financial independence post retirement, which is a 4% increase from last year. An equal share of urban Indians worry about meeting their daily medical expenses and sustaining their current lifestyle once they stop working. The findings are part of a survey published by Delhi-based Max Life Insurance in association with London-based consultancy Kantar. The firms surveyed 7,014 respondents in 25 cities, including six metros, nine tier-1 cities, and 10 tier-2 cities, between December 2019 and January 2020. Source: Max Life Insurance via Quartz The trends Source: Max Life Insurance via Quartz Source: Max Life Insurance via Quartz Source: Max Life Insurance via Quartz A significant share of urban Indians also say their families will have no financial support in the event of the breadwinner’s death. In such a scenario, around 57% believe the family sav...
Read more

ED tracks Swiss Bank A/Cs of Agusta scamster

The Poineer February 10,2019 Rakesh K Singh The Enforcement Directorate (ED) has tracked a dozen Swiss bank accounts in the name of Rajiv Saxena, who is key accused in the Rs 3,600 crore AgustaWestland VVIP chopper scam. The ED has also found out accounts held by  his family members and associates where the kickbacks in the now scrapped deal were allegedly parked. Two bank accounts are in the name of Rajiv Saxena’s  associates Pankaj Jain and Sumita Jain who are also the authorised signatories. The  third is in the name of another associate Ajit Singh Bubber, but Rajiv and his family members are authorised signatories. The remaining nine accounts are largely owned and operated by Rajiv, his family members and associates. Rajiv Saxena was deported by the UAE authorities on January 30 and the ED formally arrested him the next day and a court later granted his remand to the agency. He is currently undergoing custodial interrogation by the ED. The agency had in 2017...
Read more