Frederick FN Noronha फ्रेड्रिक न on Fri, 16 Sep 2016 16:38:10 +0200 (CEST)


<nettime> INDIA: Adhar... India's much-debated biometric and demographic data

   The Unique Identification Authority of India (UIDAI) is a central
   government agency of India. Its objective is to collect
   the biometric and demographic data of residents, store them in a
   centralised database, and issue a 12-digit unique identity number
   called Aadhaar to each resident. It is considered the
   world's largest national identification
   number project.

   As of March 2016, the original legislation to back UIDAI is still
   pending in the Parliament of India. However, on 3 March
   2016, a new money bill was introduced in the Parliament for the
   purpose. On 11 March 2016, the Aadhaar (Targeted
   Delivery of Financial and other Subsidies, benefits and services) Act,
   2016, was passed in the Lok Sabha. On 26 March, 2016,
   The Aadhaar (Targeted Delivery of financial & Other Subsidies, Benefits
   & Services) Act, 2016 was notified in the Gazette of India.

   Some civil liberty groups, like Citizens Forum for Civil
   Liberties and Indian Social Action Forum (INSAF), have opposed the
   project on privacy concerns.

   On 23 September 2013, the Supreme Court of India issued an
   interim order saying that "no person should suffer for not getting
   Aadhaar" as the government cannot deny a service to a resident if s/he
   does not possess Aadhaar, as it is voluntary and not
   mandatory. In another interim order on 11 August 2015, the
   Supreme Court of India ruled that "UIDAI/Aadhaar will not be used for
   any other purposes except PDS, kerosene and LPG distribution
   system" and made it clear that even for availing these facilities
   Aadhaar card will not be mandatory.

   * * *

   Aadhaar authentication on phones is for manufacturers to decide: Ajay Bhushan Pandey

   Interview with Chief executive officer, Unique Identification Authority
   of India

   Nitin Sethi |  New Delhi

   September 16, 2016 Last Updated at 00:25 IST

   Ajay Bhushan Pandey, CEO of UIDAI speaks to Nitin Sethi on the way
   forward for Aadhaar now that all regulations are in place and addresses
   some controversies that are dogging the platform.

   You have the regulations in place now to operationalise the entire
   Aadhaar law?
   Yes, when Aadhaar Act says certain actions such as enrolment,
   authentication, privacy, will happen as per regulations.
   To operationalise the act, the regulations had to be put in place. This
   week we have done so to make all provisions of the act operational.

   There are still no regulations in some areas, such as a grievance
   redress mechanism? What other such things are left to detail out?
   In case of regulations in several places we have said that something or
   the other will be done as per process approved by the UIDAI or
   specifications approved by UIDAI.

   Already there are specifications and processes in place. Now these
   regulations will have to be read along with those process or mechanism
   document. Today we already have those documents in place.

   The regulations say that all processes that were being followed so far
   and are not inconsistent with the act and the regulations will continue
   to have legal bearing.

   For example if you are using the enrolment software or hardware, what
   should be the specifications? All these cannot as such become part of
   the regulations. So in regulations we have said these specifications
   will be laid down by the authority and we had already laid them down

   So when will the grievance redress system become functional?
   Actually if you see, we already have a grievance redressal system
   within the UIDAI. We have a call centre. Any resident can call 1947 and
   can register their grievance.

   Today every day we get 1.5 lakh calls every day. Of these 50% are
   addressed through the automated system and the rest need handling by

   We monitor every week the nature of the difficulty people are facing?
   What is the predominant complaint at the moment?
   That changes from time to time. Currently people are concerned where
   they can get Aadhaar or that they have enrolled but not received it. We
   devise our media strategy accordingly to educate people and if some
   corrections have to be made within our system we try to address that as
   a systematic issue besides attending to the individual problem.

   Another area where these regulations are silent is what happens in the
   case of biometric failure? Or does it exist elsewhere in your processes?
   Biometric failures are either at the time of enrolment or
   authentication. We have a detailed document about what happens when a
   person does not have a biometric or only a partial biometric. Our
   regulations prescribe what is available should be taken and Aadhaar
   generated. If unfortunately a person does not have any biometric then
   we have a mechanism in place in our process document.

   Coming to authentication, if the biometric does not happen we have a
   detailed process document. Say if one finger print does not work. We
   have a system of best finger detection process. In cases where none of
   the fingers can be authenticated then Iris can be used. These protocols
   to handle such cases are in the process documents.

   But are these protocols for biometric failure part of your contractual
   agreement with entities that use authentication?
   It is a question of education and training. This contractual agreement
   was there that they adhere to all guidelines and processes of UIDAI.
   Now the same thing is included in the regulations, so it's at a higher

   So if at a ration shop if the authentication system fails and someone
   is unable to get her or his rations, as grievance redress where would
   he or she go?
   I would address this problem in this manner. If a person's
   authentication fails then what is required to be done by the person on
   the other end. He can find out which is the best finger and ask him to
   give the best finger. If none of the fingers are working then the Iris
   can be used.

   But Iris scanners are not being used.
   We are recommending and saying if you come to me with a grievance we
   can deal with it only systematically. In case finger prints are not
   working he should be able to authenticate through iris, which is not
   very costly. A stand-alone costs around Rs 2,000. This is one. If
   supposing that doesn't work. We have seen in many places, particularly
   in Andhra Pradesh when programme was being rolled out, the
   authentication did not work because of signal issues.

   Some makeshift kind of antenna helped in boosting the signal. We had
   detailed discussions with BSNL and others to maybe create towers

   Today AP has 28,000 ration shops and 6 crore population. All of them
   are taking ration through biometric authentication and they are not
   facing problems of such a large scale.

   How much is the biometric authentication failure rate?
   In the range of 4-5% which they are able to address manually. AP is big
   enough state. AP is more advanced than most other states on count of

   I wouldn't say that because in rural areas of Andhra Pradesh it won't
   be as good. If it can be tackled up to this level in Andhra Pradesh
   then most other states can also reach this level of efficiency except
   maybe some few states such as those in the northeast.

   So you get audit report of each entity that is using authentication to
   see what is the failure rate?
   Yes. We get that. We get total macro picture and also entity wise also
   of which entity is having higher failure rate and which has lower and
   we advise them how to improve.

   Are these available in public domain for people to see?
   I don't know, I will have to check with the mutual agreements. From
   UIDAI side we don't publish these reports. The entities themselves may
   be doing it.

   But they are not doing so, I checked with all the states doing PDS
   through Aadhaar.

   I would have to check with the contracts if confidentiality is not
   there then we might as well put it out but frankly this aspect we shall
   have to check.

   The other aspect we have also found some amount of failure is the
   backend and communication infrastructure which is to be put in place.

   Otherwise it will get blocked there and tied up.

   In Rajasthan's case, there is an answer in Parliament that states that
   the backend infrastructure is not in place to ensure biometric
   authentication for PDS.
   That is actually what we found out. We have advised them officially
   about it. If Andhra Pradesh has reached this point, it has not happened
   overnight. It is not a small job. These problems are part of the work
   in progress because people are doing it for the first time. These
   problems would come but the idea is to identify these problems and
   address them. So in Rajasthan we diagnosed that in few cases it was
   because of biometric failure but it was also because of

   Does the food ministry here use this data to see how the use of Aadhaar
   is working or impeding delivery of supplies to people?
   Right now the food ministry is in various stages in different states.
   Some states they are digitising, in some they are collecting Aadhaar or
   validating it. In some states they are procuring the machines. In some
   states they are in the stage of using it. We are in the position to
   help them. There are a few states where a full scale operation is in
   place such as Andhra Pradesh and Telangana. If AP can do it for 6 crore
   people and the failure is not to the level that there is a huge hue and
   cry then it means that the system can work in most states. What we
   periodically do is take the teams from other states to where it is
   working to showcase and help learn.

   What are the areas where Aadhaar can now be made mandatory or universal
   One is the LPG. It is in full readiness. Around 15 crore consumers they
   have done seeding of 13 crore roughly.

   Remaining can be asked to enrol for Aadhaar, as the act requires to
   either give Aadhaar number or if he doesn't have one to enrol for one.
   Also we have provided that in case someone does not have an Aadhaar
   number the entities or concerned departments can enrol the people right
   there through their own machinery.

   UIDAI does enrolment through its registrars and now we have empowered
   state governments and departments to do their own enrolment by setting
   up their centres of the residual beneficiaries who are not in large

   The main fear of making Aadhaar mandatory was that some people may get
   excluded. That has been addressed in the regulations and responsibility
   has been cast on the concerned department that if you are asking for
   Aadhaar number and a beneficiary doesn't have it you provide facility
   for enrolment.

   If he still doesn't get one then you take action as per the law. 
   So scholarships could be the next area. Scholarships are availed by the
   educated lot. Students are available in schools and colleges so if they
   need to be enrolled it can be done.

   Similarly in case of schemes such as MNREGA. Out of 10 crore active
   workers Aadhaar has been collected for almost 7 crore workers. Now all
   workers are coming for work every day so if anyone doesn't have Aadhaar
   their enrolment can happen.

   So in MNREGA too Aadhaar can be enforced very quickly?
   Absolutely. In other major schemes as well such as ICDS or Sarv Siksha
   Abhiyan or Rashtriya Ucchh Siksha Abhiyan scheme.

   Children can be enrolled at schools. Wherever you have a population
   that is coming out to a centre it is easy to enrol those who need to be

   Wherever 90% of beneficiaries have Aadhaar the remaining 10% can be
   enrolled through these departments or centres.

   So where is the challenge for Aadhaar to reach?
   Challenge will be there where Aadhaar enrolment coverage is lesser than
   the national average, particularly where earlier work was being done by
   the National Population Register.

   There the task is to first increase enrolment to reach a certain
   saturation level.

   We heard the chief economic advisor talking about writing a chapter in
   the next economic survey on delivering cash instead of benefits in
   kind? Is Aadhaar platform ready to do so by 2018 if required by the
   I haven't heard about it. But I shall tell you about the infrastructure
   that is available for any kind of cash transfer. Today 32 crore people
   have their Aadhaar numbers linked to bank accounts on NPCIL platform.

   What does that mean? These 32 crore people can be transferred cash in a
   secure manner directly into their bank accounts by any government.
   Out of these 32 crore people can use micro ATM to withdraw money - they
   are cash transfer compliant. What is happening every month is that more
   than a crore people are coming on to this platform.

   Then the push is, under different schemes and departments people's
   Aadhaar are linked to their bank accounts then they too become cash
   transfer compliant for all kinds of purposes. LPG has 13 crore people
   seeded. If your bank account is linked to Aadhaar for any purpose or
   benefit then you become cash transfer compliant for all purposes.

   So you are saying connecting 1.2 billion people's accounts...
   I am not sure we need to reach that level because not everyone is going
   to be beneficiaries but only those who are needy and require benefits
   are mapped on through one programme or the other.

   So how does this cashless, paper-less and presence less cash transfer
   as Mr Nilekani proposes take place?
   The biggest problem with any credit system is the lack of credit
   history and identity of the person. If you want to give credit to
   someone you want to confirm his identity, location and what is the
   credit history of that person. This problem is not much for those who
   are well to do. It's for the ones who really need the credit most. They
   have a problem of identity and also credit-worthiness. Aadhaar will
   provide identity. And supposing your credit history from various
   services providers is also linked to Aadhaar you can.

   You mean in terms of what subsidies one is getting from different
   government schemes that can be used for repayment?
   Number one that and number two supposing he has a bank account linked
   to Aadhaar then if he has already taken certain credit earlier, how has
   he behaved. If say a person needs credit for land improvement then has
   he taken such loans earlier and how he has behaved and if he has land
   records - all these can be assessed. So if all those things are actually
   linked using Aadhaar then the decision to give micro-credit becomes
   possible. Aadhaar can finally do this.

   But here is the catch. When we are saying that all this other
   information about someone is linked and attached to his Aadhaar number
   and can be accessed then where is the privacy?  The Aadhaar
   architecture, regulations and act addresses it. How?
   If you have given your Aadhaar number for one purpose it can only be
   used for that purpose. It cannot be disclosed or used for another
   purpose for any other purpose. Say if an Aadhaar holder has done ten
   different transactions with ten different authorities, these
   authorities cannot share the details without prior consent of the
   person. So if I need microcredit I will give a specific consent that
   you can check my records with these 10 authorities.

   So that is where a consent manager comes in to place?
   Yes, and our Aadhaar regulations provide for this. What it says is,
   based on consent different entities can share the data and maintain a
   log for this. The consent is required each time. So there would be a
   strong privacy protection and at the same time people can use this
   mechanism to allow access to others to their transaction histories.

   While you provide for these privacy safety latches, if someone still
   breaches my privacy and shares my data what options do I have?
   Under the Aadhaar law any such breach is a criminal offence and a
   person can be punished. There is a process for this. 

   So I would need to go to UIDAI authority and file a complaint?
   At this point of time yes you shall have to come to UIDAI if there is a
   violation of the Aadhaar law.

   Because only the authority can act on it -
   The complaint has to be filed by UIDAI or any officer authorised by it.
   Over a period of time we shall create a whole mechanism and authorise
   several others to act on the complaints on behalf of UIDAI.

   Why can only UIDAI file a complaint and not the person who suffered the
   breach of privacy, considering UIDAI authority is the delivery agency
   and it is being asked to check breach of its functioning ? Why can't I
   go and file an FIR saying my privacy has been breached?
   Under the general criminal law the police officer understands the
   issues of say what is grievous bodily injury or assault and therefore
   they are in a position to act. But this is a specialised act. Let us
   say a person goes to complain about Aadhaar law then the person should
   be able to understand whether an offence has been committed or not.

   This is a problem in all specialised laws not just UIDAI. Take other
   economic crimes it all requires someone should understand that
   violation has been committed and a complaint should be lodged. So that
   was the logic, that this is a specialised area and before the
   investigative machinery is set into motion there is a pre-check by a
   specialised body.

   What is the controversy over UIDAI asking for biometric authentication
   through its protocols being imposed on phone companies and operating
   systems, such as those of Google?
   We initiated a discussion with all device manufacturers and those
   providing operating systems. We want to make Aadhaar universally
   available. So, what we said to them, if they want, we can provide
   Aadhaar authentication facilities through their devices. I gave them
   the example of how GPRS has become a de-facto standard across
   smartphones.  So what we have said is, in case a device manufacturer
   or an operating system provider is interested we can make their devices
   Aadhaar enabled. If that happens people can sign in and carry out
   Aadhaar-based transactions from their phones too. If they want, they
   can put it in some of their devices and not in others or maybe in one
   model or choose not to do so. Ultimately it is the people who will
   decide what they want.

   If a company has five smart phone models and one has Aadhaar
   identification in the future the consumer may decide to buy that one
   and not the other one. So, we are not mandating that phones have it, we
   are merely saying we are willing to provide support for it.

   Are they facing technical problems with encryption requirements?
   We are working on it. This will require a lot of work. We have had
   three rounds of discussions with them. We need to work with all of them
   - device manufacturers, operating system providers. We are talking to
   them that in case you decide to use Aadhaar how is the data kept and
   transferred in a secure manner and what should be the encryption
   mechanism. We shall have several more meetings before we decide what
   the best standard process to follow is. And this is something which
   will be only for those who are willing to participate.

   So you are not saying you shall make it mandatory?
   At least from the UIDAI side we have not said it shall be mandatory. We
   cannot make it mandatory under the law. If you see in every case we
   just offer the facility and the government decides if it wants it
   mandatory for some scheme or not. We say we just want to enable
   Aadhaar. If Aadhaar is going to be used on some platform or device it
   has to be standardised for authentication.


   _/  Frederick Noronha
   _/  P +91-832-2409490 M 9822122436 Twitter @fn Fcbk:fredericknoronha
   _/  Hear Goa,1556 shared audio content at

#  distributed via <nettime>: no commercial use without permission
#  <nettime>  is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets