Usha Ramanathan works on the jurisprudence of law, poverty and rights. She writes and speaks on issues that include the nature of law, the Bhopal Gas Disaster, mass displacement, eminent domain, civil liberties including the death penalty, beggary, criminal law, custodial institutions, the environment, and the judicial process. She has been tracking and engaging with the UID project and has written and debated extensively on the subject. In July-September 2013, she wrote a 19-part series on the UID project that was published in The Statesman, a national daily.

Her work draws heavily upon non-governmental experience in its encounters with the state; a 6-year stint with a law journal (Supreme Court Cases) as reporter from the Supreme Court; and engagement with matters of law and public policy.

She was a member of: the Expert Group on Privacy set up by the Planning Commission of India which gave its report in October 2012; a committee (2013-14) set up in the Department of Biotechnology to review the Draft Human DNA Profiling Bill 2012; and the Committee set up by the Prime Minister's Office (2013-14) to study the socio-economic status of tribal communities which gave its report to the government in 2014.

Saturday, December 24, 2016

87 - Usha Ramanathan offers the most radical hypothesis of the note ban yet - Catch News



@suhasmunshi | First published: 22 November 2016, 0:35 IST


This may be the most radical hypothesis of the government's demonetisation policy offered yet. The proposition, which explains the origins and future of the currency ban, sounds like the script of a sci-fi movie. Somewhere in it is a group of a few people trying to control the fate of billions of Indians.
And black money doesn't figure anywhere in it.

Usha Ramanathan, a noted expert on law, poverty and human rights and an active critic of the Aadhaar policy for the last several years, says that in order to understand demonetisation one has to go back to the founding of Aadhaar and the Unique Identification Authority of India (UIDAI) programme.

It is all about data. Lots of it. Specific data of millions of Indians. Now suppose this huge repository of data, accessible to the makers of the UIDAI programme, was to be used to create an application - like the Unified Payment Interface - that made money transfer very easy.


It would allow instant transfer of money from bank to individual, individual to individual and government to individuals. Such a bold move, made on such a large scale, would not only force the economy to go 'cashless' or 'paperless', it would also in time make banks redundant.

And if, just then, there were to be a severe cash crunch in this economy, it would only catalyse the move to such an application.

But this would also give you reasons to fear for your personal data being compromised and monetised on a mass scale.

In this interview with Catch, Ramanathan asks us to suppose a scenario like this and claims that we haven't even begun to realise the biggest problem with the demonetisation scheme.

On the face of it, demonetisation seems to be a big positive for several reasons. But there are many things that we don't know about it.

We still don't have any explanation by the government about why this was done. Why 86% of the cash flow couldn't have been phased out strategically. Something as big as this should have gone through the Parliament.

There is no indication of who advised the prime minister about this. On the political front, we only have opposition and justification.

The government has been converting all services to cash transfers at a time when the banking system in India isn't ready. When successive governments' apathy has destroyed the postal service in the country. When inflation is under control and the value of the rupee isn't sliding down.

At such a moment, to suck out 86% of the cash flow in one go doesn't make sense.

But if you begin to look at the whole thing in the context of the UIDAI project, demonetisation begins making sense.

How does the UIDAI project connect with this?
To understand what demonetisation is about, you first have to understand what the big technological fight in the world right now is about. It is about data. New Fintech (Financial technology) firms are fighting to acquire specific data of individuals; to use it to market their products among other things.

Fintechs are willing to give you their services without charges, if only you give them information about yourself.
Acquiring specific data of millions of people, which is what happened through the Aadhaar programme, across the country, is like acquiring a goldmine. Now if you can get all these people online, you create for yourself an invaluable asset.
Once you do that, you can build a platform [or an API] for people to create apps, giving them a share of your data. Apps that could have access to one billion people. Imagine the potential worth of such data!

This gives rise to big businesses and forces the economy towards a 'cashless' economy, or an economy with less cash.

This system allows you to transfer money not from bank account to bank account, but from Aadhaar number to Aadhaar number. All it would require is your Aadhaar number, a bank account, say a Jan Dhan account, and a mobile number.
Banks, as we understand them, become redundant. You wouldn't need to visit any bank. Everything becomes virtual, like Paytm. You wouldn't know where the Paytm office is nor would you have to visit it, unlike banks where physical presence is required sometimes.

So what's wrong in a virtual banking system? Wouldn't it be easy to manage every financial transaction through your phone instead of dealing in cash and signing forms?
Look closer at the method with which this new world of economy is being introduced. First Aadhaar was a voluntary exercise, then it was made compulsory. Aadhaar was not mandatory to avail government offered services, now it is.
Fears of your personal data being compromised were quite real in the case of Aadhaar; in this case the additional fears of your financial data being sold and monetised by others will be as real.
In a similar fashion the state is using all its power and coercive forces to lead us in this specific direction. And this is not the only problem with it.
The same fears that arose at the time of Aadhaar get multiplied several times over if private companies like National Payments Corporation of India (NPCI), which is a company registered under the Companies Act, not RBI, get their hands on your private financial data.

And if they make it mandatory that all financial transactions be done through apps based on their interface - Unified Payment Interface (UPI).

Look up the names of people behind all these ventures - UIDAI, NPCI, UPI etc - and you'll realise that they are the same group of people. The same group of people, a while back, talked about it taking just 100 individuals to change the system. They are trying to do this now - deciding the fate of this country.

What is worse still is that a large part of the population is not covered through regular banking. They have no access to either banks or internet. If the government decides to send benefits of schemes such as - MGNREGA, pensions, scholarships, Public Distribution System - through such an electronic interface, a lot of people are going to be left out.


Are there any other economists or experts in this field who share your ideas?
I don't think so and I can't believe nobody is looking in this direction.

According to you, Aadhaar has been followed by Unified Payment Interface. What do you think will follow it?
Health. They will go for health sector next.
Edited by Aleesha Matharu

Thursday, April 7, 2016

85 - The Law Needs to Catch Up With Aadhaar, But Not in the Way Jaitley is Promising - The Wire




The budget speaks of giving the UID system “statutory backing”. However, it is clear the intention is to find a way to accelerate its use, not deal with the glaring problems that have already surfaced in its rollout across the country.

Collecting iris scans for the Aadhaar card. 
Photo: Kannanshanmugham

In his budget speech (2016-17), the finance minister spoke of a law that will give “a statutory backing to the Aadhar platform” and incorporate the “Aadhaar framework”. It is to be through a law that carries the title Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016.  All benefits, subsidies or services from the Consolidated Fund of India “should be through Aadhaar platform”. This is in the revised list of business in Parliament for today, 3 March 2016. In a connected move, the National Identification Authority of India Bill 2010 is to be withdrawn in the Rajya Sabha.
This, it appears, is how the government proposes to get past the Supreme Court’s direction that Aadhaar is not to be mandatory, and that no one may be denied any service only because they do not have an Aadhaar number.

If this is what is intended, it is not going to address the absence of a law on the UID project. This would only be about giving statutory basis to the use of Aadhaar. The erstwhile UPA government did that while enacting the National Food Security Act in 2013, when the law spoke of “leveraging ‘Aadhaar’ for unique identification, with biometric information of entitled beneficiaries ….”

A series of orders of the Supreme Court has, however, categorically restricted the use of Aadhaar to certain specified services, including PDS, and even there only if the use of Aadhaar is voluntary and not mandatory. The court’s caution was prompted by the seriousness of the concerns that were brought before it. These include concerns about exclusion, ownership of data, privacy as personal security, the role of companies with close connections with foreign security establishments, untested technologies and experimenting on a whole population, rampant outsourcing, absence of regulation and monitoring, surveillance, cost, personal data as property of an agency, and the as-yet obscure status of the UIDAI.
There is as yet no law that governs the UID project. This means that there are no norms or legal principles within which the UIDAI, and the government, and even private agencies, have to act. It also means that, if the technology fails, or is compromised, or there is identity fraud, or identity theft, or misuse of data, or wrongful exclusion or erroneous identification, or breach of privacy – and these are merely illustrative – there is little in law to protect the interests of an affected person. There is no one answerable if a wrong identification results in loss or harm to any person; nor if a false negative results in an entitlement being denied. A few years ago, there was briefly some mention of who would bear the liability for wrongful inclusion or exclusion, but that just wafted off and vanished.

It is not that there was no attempt to bring in a law.
When the project was first established in January 2009, it was by an executive notification. Significantly, it said that the UIDAI would ‘own’ the database; it did not mention biometrics; and it did not speak of the UIDAI enrolling people. In fact, in a meeting of the Empowered Group of Ministers on November 4, 2008 which was a prelude to settling the notification, they were specific that UIDAI was to work to standardise various governmental databases, and was “not (to) directly undertake creation of any additional database”. In July 2009 when Nandan Nilekani became the UIDAI’s chairperson, that changed to accommodate his ambition of creating an entirely new database of residents. In September 2009, a letter setting up a Biometrics Standards Committee said that the UIDAI had decided upon biometrics as the means to provide “unique” IDs. On September 29, 2010, the gathering of personal data to be held, and according to the 2009 notification, “owned” by the UIDAI, was begun.

Two months after the enrolments had been launched, the National Identification Authority of India Bill 2010 was introduced in the Rajya Sabha. The Parliamentary Standing Committee on Finance chaired by Mr Yashwant Sinha, to which the bill was sent for consideration, gave its report on December 11, 2011 roundly rejecting the bill and the project.
There were many reasons why: that the passage of the law had been inexplicably delayed; that the project had carried on despite a bill pending in parliament; that ‘illegal’ immigrants too were being enrolled; that there was no clarity of purpose; that the NPR and the UID remained unreconciled; that the collection of biometrics had not been debated in parliament and the Citizenship Act and Rules had not been amended to permit such collection; that biometrics is expected to fail to the extent of 15% because of “a large chunk of the population being dependent on manual labour”; that the Ministry of Home Affairs had raised serious security concerns; that there were apprehensions that what was claimed to be voluntary could become a case of denial of even food entitlements if they do not have an Aadhaar number; that linking Aadhaar to entitlements would not solve the problem of correct identification of beneficiaries; that experience and analysis of the project in the UK had not been drawn upon.

“The committee would, thus,” the report said, “urge the government to reconsider and review the UID scheme as also the proposals contained in the bill in all its ramifications and bring forth a fresh legislation before parliament”.
That was not done. Instead, in the fading months of 2012, it was announced that a slew of services would be unavailable to people who were unable or unwilling to produce an Aadhaar number. A spate of petitions found their way to the Supreme Court which, as an interim measure, attempted to tame the coercion that was beginning to be practised by various governments. The first such order was on September 23, 2013; then, again, prompted by reports that the court’s order was being violated, on March 24, 2014 and March 16, 2015.

In August 2015, when arguments commenced before a bench constituted to hear the matter, the attorney general made what many consider a preposterous claim – that two decisions of larger benches of judges in 1954 and 1963 had said that the right to privacy was not in the Indian constitution and that later decisions of smaller benches which upheld the right to privacy were wrong in so doing. The three judges acceded to the request that the question of privacy be referred to a larger bench.

On August 11, 2015, the judges also decided that the use of the Aadhaar number be confined to PDS and LPG distribution, and to instances where a court directs that the data be handed over to an agency investigating a crime. This was then widened to extend to a few more areas such as the NREGA, pensions, Jan Dhan Yojana and Employees Provident Fund Organisation on October 15, 2015. Since 11 August 2015 Aadhaar numbers are not to be used, neither voluntarily nor mandatorily, for any purpose other than those specifically mentioned; and, where it is allowed to be used, it should only be voluntary. This series of orders has been systematically ignored and contempt petitions to this effect are pending in the Supreme Court. The numbers enrolling have grown amidst this coercion and the threat of exclusion and the denial of entitlements.

Problem with biometrics

It is not only the absence of a law, and the orders of the court that are a problem to be met by the government. First there is biometrics.

In January 2013, the rape of a child in a school toilet in Goa caused an outcry. The police investigation having produced no results, the case was handed over to the CBI. The CBI said they had found a random palm print, to identify which they asked that the UIDAI give them the biometrics database of all persons who had enrolled in Goa. A magistrate so ordered. The UIDAI rushed to the Bombay high court protesting this order, arguing that such disclosure would jeopardise the privacy interests of those on its database (they relied on the arguments against them in the Supreme Court, to support them in the high court!) And they said that the way the database was constructed, it could not help in forensic investigation. The Bombay high court was not sympathetic. So the UIDAI appealed to the Supreme Court.

In the Supreme Court, there was general mirth that the UIDAI was actually arguing on the ground of privacy, but the judges did accede to the plea that biometrics on the database should not be handed over to anyone without the individual’s consent. This was on March 24, 2014. On August 11, 2015 the judges changed their minds and said that the information with the UIDAI could be used “as directed by a court for the purpose of criminal investigation”.

The UIDAI website as refreshed on August 13, 2015, however, suggests that there is a problem with biometrics. Seven years after the project was launched, and six years after biometrics began to be collected, there is an admission that biometrics is not all that it is made out to be. The UIDAI page speaks of “UBCC and Research”. “Biometrics features are selected to be primary mechanisms for ensuring uniqueness”, it reads. “No country has undertaken to build a national registry at the scale and accuracy as UIDAI initiative. Nature and diversity of India’s working population adds another challenge to achieving uniqueness through biometric features. Like other technology fields such as telecommunication, we do not have experience like developed countries to leverage for designing UIDAI’s biometrics systems…Therefore, it is necessary to create a UIDAI Biometrics Centre of Competence that focuses on the unique challenges of UIDAI”. The ‘mission’ of the UBCC is “to design biometrics system that enables India to achieve uniqueness in the national registry. The endeavour of designing such a system is an ongoing quest to innovate biometrics technology appropriate for the Indian conditions”. (emphasis added)
Surely the finance minister must have been apprised of the state of knowledge on biometrics? Aadhaar is a number attached to biometrics. As RS Sharma, the then mission director of UIDAI and currently the TRAI chief, said to Frontline in November 2011, “Capturing fingerprints, especially of manual labourers, is a challenge. The quality of fingerprints is bad because of the rough exterior of fingers caused by hard work, and this poses a challenge for later authentication.” This would mean that a person may be enrolled and may be given a number; but their ability to authenticate themselves, that is, to assert that they are who they say they are, would depend on whether biometrics will work.

Recent experience reveals that this is indeed a problem. In May 2015, 22% of PDS cardholders attached to 5358 fair price shops did not take their rations. The social audit team did a quick audit on May 29 and 30, 2015 and found that among the major reasons for not collecting their rations were
  • Fingerprint authentication failure in 290 of 790 cardholders
  • Aadhaar ‘mismatch’ in 93 instances
and this was in districts of Andhra Pradesh where enormous efforts had been made to clean up the system to ready the PDS for the Aadhaar system.

It is a documented fact that the UID project adopted biometrics when nothing was known about whether it could work as a unique identifier. In January/February 2010, in a “notice inviting applications for hiring of biometrics consultant”, the UIDAI had admitted: “There is a lack of a sound study that documents the accuracy achievable on Indian demographics (i.e. larger percentage of rural population) and in Indian environmental conditions (i.e. extremely hot and humid climate and facilities without air-conditioning). In fact we could not find any credible study assessing the achievable accuracy in any of the developing countries….The ‘quality’ assessment of fingerprint data is not sufficient to fully understand the achievable de-duplication accuracy”. And so on. Yet, they had set their minds to using biometrics. Which now brings us to the UBCC.
Has the Finance Minister been introduced to these documents?

Problem of last mile delivery
Then there is the business correspondents story. In 2009, an RBI report on business correspondents identified a set of issues in implementing the BC model: one, the operational risk and increased costs of cash handling by the BCs. Two, that beneficiaries of the BC services are mostly illiterate and susceptible to misguidance. Three, viability of the BC model. Four, regulatory issues. Five, multiple risks associated with the BC model including credit risk, legal risk, liquidity risk and reputational risk. Seven years later, and the Economic Survey 2015-16 says that the “Jan-Dhan-Aadhaar-Mobile” agenda is currently jammed by the last mile challenge of getting money from banks into beneficiaries’ hands, especially in rural India. The government is advised to invest in last mile financial inclusion by further improving BC networks and promoting mobile money. “Paying beneficiaries is the issue, not identifying them”, the Survey says.

In 2011 and 2012, the Ministry of Home Affairs repeatedly raised the antennae on the security risks of the UIDAI’s system of enrolment, till it faded, unanswered, into silence. The UIDAI’s contract with companies such as L-1 Identity Solutions and Morpho to hold, manage and use the personal data has been red-flagged in the Supreme Court. The government has claimed in the court that privacy is not a fundamental right, and that is yet to be heard and resolved by a larger bench of the court. The strategy overview document of the UIDAI in 2010, and the TAG-UP report chaired by Nandan Nilekani show that the intention is for the UIDAI to slide into becoming a monopolistic private company that will have the UIDAI database as its property – which explains why the 2009 notification says the UIDAI will “own” the database. There have been violations galore of the Supreme Court’s repeated orders against compulsion and, since 11 August 2015, against the restricted areas where Aadhaar may be used, which the court is yet to adjudicate. And, since the government has claimed in court that people do not have a fundamental right to privacy, it believes the project can march ahead undeterred by concerns about privacy – that surely will have to be decided before the use of Aadhaar is expanded.
The BJP, when in the opposition, had objected to undocumented migrants being enrolled in the UID database. That, it seems, is water under the bridge. Now all that needs to be said is that “the Aadhaar number or authentication (sic) shall not, however, confer any right of citizenship or domicile”. Everyone may be enrolled and get numbers, domicile, illegality no bar. Interesting turnaround.

There is still no law to replace the National Identification Authority of India Bill 2010, no law on privacy and no data protection law. The current proposal to make the “Aadhaar platform” the basis for accessing entitlements is oblivious to the uneasy state of biometrics which the UIDAI now admits it is researching, and the problems besetting the business correspondent model.

Usha Ramanathan is a legal researcher.

Wednesday, April 6, 2016

85 - Aadhaar is like drone warfare versus hand to hand combat, profiling becomes all that more easier: Usha Ramanathan - Business Standard



Interview with independent law researcher

April 1, 2016 Last Updated at 00:18 IST


Usha Ramanathan, an independent law researcher studying Aadhaar since 2009, speaks to Nitin Sethi about the problems she believes are built into the platform. 

Edited excerpts:

You have been a strong critic of the Aadhaar platform. Your principal concerns are…

One, the process has been deeply problematic. The various concerns that the last time we were able to express as people – the standing committee’s job is to listen to people, experts and experiences – we have had six years since the enrolment began. That experience has to be reflected in the way we make the bill today. That process got short-circuited and that is hugely problematic.

Second, if you look at the definition of services, benefits and subsidies – it covers almost everything, including a gift which will be seen as a benefit – even for that they can say get an Aadhaar number. So they are covering any activity that we might have and putting it under the bill.

Third, there are requiring agencies under the law and these are going to use Aadhaar for authentication of various kinds – these can be anybody including a person, a private entity or the government. So almost anyone can use this authentication system.

We recognise that the project consists of two things. One is the biometric, the other is the numbering scheme. The idea that every citizen in this country is to be numbered is the primary thing in the project. The second part is that every database should have the number embedded in it so it becomes easy to collate information about people, easy to profile people and launch surveillance if you want.

Interestingly the law also provides that UIDAI will make rules of how to omit or deactivate the number. In the context in which the law has been brought, it amounts to civil death if all services are linked to this number.

It has been said and written by Mr Nilekani too that the biometric data will not be given to anyone. This has been made to appear as if it is a protection of the citizen. What we are finding is it’s a shield that the UIDAI is putting in place because it doesn’t want its database to be subject to any kind of scrutiny.

Why do you think that is so?

There are phases and I shall tell you what happened in these phases. In 2009 they decide on using biometrics without having done their studies on it. Normally you would do your pilot studies and slowly test it out. In this case, in a 2010 document they say we have tried in a few places and the results are encouraging and that is it. There is nothing more. In 2009 December you have the biometric standards committee which says we tested 25,000 people for just enrolment and authentication was not in the picture. They said 2-5 per cent of these people did not have biometrics that worked. They said if you were to make sure that you enrol them properly, then maybe the percentage will improve but it will not be enough for improvement so you would have to add another biometric, the Iris. You can think of Iris because it is getting out of proprietary domain now, you may want to try it. Yet they say you have to conduct your tests before you decide this. But they just adopted it. In Jan-Feb 2010, there is a notice inviting a biometrics consultant to help figure out how to use it. In that document they openly say that the NIST that environmental and demographic factors will decide how the biometrics will work – calloused hands, ambient temperatures, if you use chemicals, the kind of rural and urban lives – all these will make a difference. They say that it’s not been tested either in India or in the entire developing world. So they have launched with it but we don’t know whether it will work or not.

A number of things have happened since then – the proof of concept of enrolment and authentication, Iris – in each of these a number of problems are set out.

How we came to know is when in Goa a rape of a child in school, the police didn’t do its investigation properly and the case was handed over to the CBI. The CBI says we found a random palm print. They get an order from local magistrate that all those who have enrolled in Goa their biometric should be handed over to police. The UID runs to high court saying no you can’t do this. Asked why, it says one because we have to protect the privacy. In Supreme Court they were denying right to privacy. Then they say the biometric data cannot be used for forensics. The way we have to collect and maintain database it can’t be used for biometrics. By then the demand is scaled down, CBI is not asking for the whole database, but says check these sets of fingerprints against your database. UID refuses and the Bombay HC says what’s your problem, let the scientist come and check if it can be matched. They go running to the Supreme Court and they get it embargoed in March 2014. When in August 2015 the court passes an order saying you can’t use Aadhaar for anything other than LPG and PDS – even that voluntary – there the court slips in that however you may have to give this information if a court asks for it in a criminal investigation.

Then UIDAI tells us they have established a centre called UBCC, Unique Biometrics Competence Centre. In that they say the nature and diversity of working population of India makes biometrics a challenge. The mission of this UBCC is to try to keep doing research so that we can make this biometrics work for the people of the country. You are going to bank this whole system on that biometric?

They decided to fix an identity that is to do with biometric and numbering. The agency does not reveal all the glitches it’s facing but you go out to Rajasthan. In many places 20-40 per cent is the maximum that biometric works. The rest is not working. Yet, they have not taken that evidence into account when making this law.

They have protected the UIDAI by not inscribing in that an independent audit – something whether the system works for the poor or not.

Another really serious problem is that this is not about government benefits alone. This is the new data transaction. It’s a new property and there are multiple ways in which data mining can be done using this UID. You have that clause 57 which says that any private company or person can use this system. This was pointed out in Parliament but they refused to take it out because this is intended for the market. This is one of those neo-liberal techno-utopias. They got a few partial privacy clauses that they put in – it doesn’t have consent. We do not have an opt-out clause. We don’t have many things that the A P Shah committee said we need to do.

Very interestingly, every official of the UIDAI will be treated as a public servant under the Indian Penal Code – which means you cannot prosecute a person without the sanction of the government. The only person who can launch prosecution is the UIDAI. What if there are problems with the UIDAI itself? One cannot ask any questions of it?

As it is when it comes to these companies which have been operating the system – there is nothing in place to define who you can use, the extent to which you can outsource work etc – all these issues have been raised earlier.

In fact they can outsource and have these companies handling, managing and dealing with our data and information.

Are the concerns about privacy limited to only a section of society, considering the state already has the capability of monitoring data when and if it wants on an individual through physical means?

Privacy is about personal security. Privacy in this case, with the database, is about national security. You are creating this whole database of the citizenry. Which you say to the best of ability you shall protect and beyond that we don’t know. Last year in Washington the whole biometric data got hacked and stolen and they are still trying to grapple with what the consequences and implications of that are. Here you are creating a database with the national security question that you can’t run away from.

If the state wants to find out something about you it probably can about an individual. It might be possible but they shall have to do some work to collect it. But it is like the difference between hand to hand combat and drone warfare. You know what the nature of power is. In this case profiling will become so easy. When the natgrid was being proposed, what would the natgrid be doing, it would be using the UID to access multiple databases to provide you information in real time from 22 databases to 11 security agencies. When we talk of privacy with Aadhaar it is not just about the number but the databases that will also be linked to the UID number.

They are asking for mobile phones, they are asking for email addresses, they are asking for bank account numbers. It’s been made the individual’s responsibility to keep updating the information that changes. Then there are authentication agencies. You may not even come to know who all are authenticating you for what purpose. This number is going to open up the possibility of various databases in which your number is linked today to collate. This is a facility that the project is providing to the state but it is also providing for private players.

You see this eventually going to a mobile-based platform of authentication. We are seeing on the field biometrics is working patchily and you have the Andhra Pradesh food and civil supplies study that showed 22 per cent of rations were not lifted after introduction of Aadhaar. When they went and did the study on that they found that 50 per cent of the people had fingerprint problems. Another percentage of them had an Aadhaar mismatch. So if there are two databases and those two are not saying the same thing, the person who suffers is not those maintaining the database but you. We have seen this already happen.

Remember this project is a number linked with a biometric. So if the biometric does not work what is left? It opens up the system to huge fraud and exclusion. So now they have started encouraging everyone to fill in their mobile numbers. So the mobile phone number linked to the UID number will tell you it’s that person.

If they want to continue with the biometric experiment without entirely relying on it because they can’t provide the identity they shall have to look somewhere else and indications are it would be the mobile phone.

It’s an interpretation of what I am reading. One thing I have to say of this project, almost everything they have done or they are doing has been said and written somewhere or the other and if the policy makers have not read it only shows how excellently the idea has been marketed.

Some contend that Aadhaar has worked and reached the 1 billion mark because so many people wanted to have an identity document that is easy to come by?

First of all, it’s reached this number because people have got bullied and threatened with exclusion. We have gone to these permanent enrolment centres and seen every time the Supreme Court says that you don’t compel them to get the numbers and people believe this time the government will follow the orders there is a slump in enrolment. Then when they find the government is not adhering to the ruling the enrolment goes up again. It’s coercion. Earlier people were not so bothered one way or the other with Aadhaar but since it became coercive many have got irritated with it.

By their own admission. They have given this in an RTI and given this as a statistic to the court, they have an introducer system for anyone who didn’t have any other document. It’s only 0.03 percent that needed this introducer system; all the others were able to produce some or the other document. Mr Nilekani has often said that all other IDs that you have are linked to something whereas this is an identity platform that can work across everything. But, if you take the voter ID – people were able to show that voter ID wherever they needed to establish their identity. They used it for voting but they were able to use it for identification everywhere.

The confusion seems to continue. I heard it in the Parliamentary debate too with some calling it the Aadhaar card. It’s not a card, it’s a number. The Attorney General told in the court that card you can show it may be like a photo ID in a train or something but otherwise it has no value. He is right it has no value. When Reetika Khera and Jean Dreze did their sample study of a 1,000 people they showed that less than 1 per cent didn’t have any IDs. Many had multiple IDs.

Which is why when the biometric linked to the Aadhaar card fails to work it actually threatens to shrink the idea of identity for people.

UID and its portability of benefits?

The idea of portability of say benefits, especially PDS you lose it on migration. When a scheduled tribe person moves from one state to another he or she loses the benefits as the other state does not recognise him as a scheduled tribe therefore they are not entitled to the benefit. The problem is political and

But in the case of PDS, say, if I from a state was able to access my grains in Delhi or Mumbai as a migrant?

The problem today with wanting to have portable PDS is not you being unable to show you are a beneficiary but that the ration shops will have to have the grains for that number of people who are going to come and collect it. So if say a thousand workers migrate from Odisha to Maharashtra to do some work and they want to collect their PDS there, the shops there have to be stocked with the grains for a 1,000 more people.

What if this was resolved by converting this entirely to a cash subsidy?

In many parts of the country you shall not have supply and shops. The second thing is it cannot provide protection against inflation. Third, take the case when for the first time they said they shall give cash as subsidy in the bank accounts against subsidised kerosene in Rajasthan. They found that either the cash didn’t reach on time or it some that did not get the subsidy so people just backed off from buying subsidy. Demand naturally fell as people didn’t have the money to buy. What we are missing often is that people who need these subsidies don’t have a buffer. If the state is not going to be there to provide for them…maybe 10 years down the line when everyone is relatively more prosperous and we reach say the kind of state Brazil is in, where only a small portion of people – 7 per cent who need the support – we can think of something like this. Today I don’t think we are anywhere ready for it. Before 47 per cent -77 per cent of the people needing some kind of direct assistance from the state. This is the state backing off saying let the people deal with it. People can’t deal with the market. This is why you have these closed systems right?

84 - INTERVIEW: USHA RAMANATHAN Threat to citizen rights - FrontLine


Interview with Usha Ramanathan, legal researcher.
By V. SRIDHAR

The grand Indian project for a “unified” identity regime has, since its inception, been grounded in two key propositions. The first is the notion that the targeted delivery of state-sponsored benefits and services will plug the “leakages”, which will ensure that only “genuine” beneficiaries will access state-distributed and subsidy-laden benefits. Thus, Aadhaar was visualised as the tool that would make sure that the benefit distribution system would operate efficiently. The other critical aspect of Aadhaar has been its techno-utopian foundation—that this is a magic wand to abolish poverty.

The independent legal researcher Dr Usha Ramanathan has written, campaigned and spoken extensively on various issues lying at the intersection of legal jurisprudence, civil rights and poverty. She was a member of the Expert Group on Privacy at the Planning Commission and a member of a committee (2013-14) set up by the Department of Biotechnology to review the draft Human DNA Profiling Bill, 2012. She has been a consistent critic of the philosophical, social, legal and economic foundations of the Aadhaar project.

Here, in this telephonic interview with Frontline, Usha Ramanathan argues that the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016, abridges the rights of citizens and threatens to impose severe hardships on the poor, who are supposed to be the prime beneficiaries of the legislation. Excerpts:

What is your opinion as a legal researcher on the move to present the Bill as a money Bill—both legally and as a political manoeuvre?

Nobody seriously believed that the 2016 Bill was a money Bill. The words “Consolidated Fund of India” were slipped into a few provisions to justify introducing it as a money Bill. But, while the Bill in Clause 7 says that the government may make enrolment on the Aadhaar database a condition for getting subsidies, benefits and services, this Bill does not itself provide for any subsidies or benefits or services. What the Bill does is to make the UIDAI [Unique Identification Authority of India] a statutory entity, legalise the collection and databasing of demographic and biometric information of residents, expand the use of the UID number beyond the state to “any body corporate or person”, provide protection to officials of the UIDAI from prosecution and create some offences. The hallmark of a money Bill, which is to make money available to the executive to carry out its work, is nowhere present in the legislation.

In resolving a “dispute” about whether a Bill is a money Bill or not, the Speaker’s task is to decide whether the Bill conforms to what Article 110 of the Constitution says. A money Bill—that article is categorical—has to be “only” about the matters listed there, and this Bill is not about any of those matters at all. Maybe, the Speaker of the Lok Sabha had been advised that the Juvenile Justice Act had been passed in 1986 as a money Bill and so constituted a precedent. This, however, was proven wrong, but only after Jairam Ramesh found out otherwise and corrected Arun Jaitley in the Rajya Sabha. Now, it is either for the President to hold back on signing it into law and ask the government to remedy the mistake—maybe apologise to Parliament and restart the process of making the law. Or it may have to go to court and be judicially reviewed. That the money Bill route was taken to stifle debate is one of the tragic ironies of this project.

The Aadhaar legislation has been passed by Parliament even as a bench of the Supreme Court is considering a challenge on the grounds that it violates the right to privacy. Does the law now tilt the field against this challenge?

It is significant that just when the UID case was being heard in the Supreme Court, the Attorney General argued that privacy was not a fundamental right. He succeeded in putting under a cloud a right that has been part of our constitutional jurisprudence for over 40 years. And yet, at the same time that this argument was being made in the Supreme Court, the government was arguing in another courtroom that privacy being a fundamental right, Section 499 of the IPC [Indian Penal Code], which makes defamation a crime, should not be struck down. There the government was presenting itself as a protector of citizens’ fundamental right to privacy!

The UIDAI has been protesting that there are no privacy problems because all that the authority will do is respond to an authentication request with a “yes” or a “no”. This is not true, and the Bill reflects a part of the problem. The UIDAI collects and organises a database of demographic and biometric information, and it reserves the right to collect other data. So, the collected data have already expanded to include mobile numbers, e-mail addresses, bank accounts and other details of citizens. When the UIDAI receives the authentication requests, it has information about where the request is coming from—banks, employers, hospitals, airline companies, the Railways, shops, or even the Election Commission.

The 2016 Bill legalises “data sharing agreements”. The bureaucrats can then decide when and under what circumstances the information ought to be shared in the “national interest”. A court can direct the sharing of information, including authentication records. The government can take over from the authority “if persistently defaulted in complying with any direction given by the Central government”. The now-infamous Clause 57 permits “any body corporate or person” to “use” the Aadhaar number in pursuance of any law “or any contract to this effect”. Wherever the Bill provides for information to be taken from the UIDAI, the UIDAI has to be heard by the court or the government or an official. But the person whose data are being handed over is not only not heard, he/she is not even to be informed, either immediately or after a length of time.

There is no opt-out provision and no question of ever getting off the database. You cede control to the UIDAI once you enrol. The law endorses the one-sided control of citizen information.

But Aadhaar’s proponents claim “core” biometrics would not be disclosed under any circumstance—national security included?

The biometric history of the UID project tells its own story. There is a reason why the UIDAI is keen not to have the biometric database scrutinised, or even seen, by anyone but itself. This is not for the protection of the interests of those on the database. The willingness to share demographic and authentication data, get into data-sharing agreements and allow any person to access the UID database tells us that.

The admitted truth is that biometrics is still being researched. No one is yet sure of the value of the biometrics of such a vast and diverse population. The provision that “core biometrics”—which is everything other than the photograph—will not be given to anyone for any reason—never mind if it is a matter of national security or forensic need—is to shield the faults and fallacies, uncertainties and sure misses from scrutiny.

Why do I say this? Just go back to the time the UIDAI decided to adopt biometrics as the measure of uniqueness. That was in September 2009. What was known about it then? Very little. In January-February 2010, a notice inviting a biometrics consultant was candid:

“[The] National Institute of Standards and Technology [NIST, in the United States] has spent considerable efforts over the past 10-15 years in benchmarking the state-of-the-art extractor and matching technology for fingerprint, face, and iris biometrics on the Western population. While NIST documents the fact that the accuracy of biometric matching is extremely dependent on demographics and environmental conditions, there is a lack of a sound study that documents the accuracy achievable on Indian demographics [that is, larger percentage of rural population] and in Indian environmental conditions [extremely hot and humid climate and facilities without air-conditioning]. In fact we could not find any credible study assessing the achievable accuracy in any of the developing countries…The ‘quality’ assessment of fingerprint data is not sufficient to fully understand the achievable de-duplication accuracy.”

In December 2009, the Biometrics Standards Committee set up to report on the possibilities of achieving uniqueness during enrolment said that of the 25,000 people whom it had checked to see if the technology could deliver, 2 to 5 per cent had no biometrics that worked. So it suggested that maybe one more biometric could be added and maybe that could be the iris but that it should be tested before being adopted. And crucially, iris was included as an added biometric before tests or studies were undertaken. In the next few years, the proof of concepts on enrolment [2010-11], fingerprint authentication [March 2012] and iris authentication [September 2012] showed a system still at the stage of study and experimentation. The Parliamentary Standing Committee on Finance, which reported on the 2010 Bill, rejected it partly because of the use of “untested technology”. In 2011, the Mission Director of the UIDAI said:

“Capturing fingerprints, especially of manual labourers, is a challenge. The quality of fingerprints is bad because of the rough exterior of fingers caused by hard work, and this poses a challenge for later authentication.”

This bothered the Standing Committee, too, because it was plain that the difficulties in authentication would result in large-scale exclusion and denial since a large proportion of those needing state assistance are precisely those doing manual labour.

In 2013, the CBI [Central Bureau of Investigation] got an order from a magistrate to get the biometric database of all persons enrolled in Goa. This was in connection with the case of the rape of a child in school. The CBI said it had found a random palm print that it wanted verified. In a litigation that was appealed all the way to the Supreme Court, the UIDAI argued against the order asking it for access to its database in order to assist criminal investigations. It cited two considerations: one, privacy and two, that the way they collected and stored meant that data could not be used for forensic purposes. Initially, in May 2014, the Supreme Court directed that the biometric data of a person should not be shared without the consent of its owner. However, on August 11, 2015, the court modified this order by making an exception when directed by a court for the purpose of a criminal investigation.

On August 13, 2015, the UIDAI website was refreshed. The website now hosts a section on “UBCC and Research”. [UBCC stands for the UIDAI Biometrics Centre of Competence.] The text reads: “Biometrics features are selected to be primary mechanisms for ensuring uniqueness ... No country has undertaken to build a national registry at the scale and accuracy as UIDAI initiative. Nature and diversity of India’s working population adds another challenge to achieving uniqueness through biometric features. Like other technology fields such as telecommunication, we do not have experience like developed countries to leverage for designing UIDAI’s biometrics systems…Therefore, it is necessary to create a UIDAI Biometrics Centre of Competence that focuses on the unique challenges of UIDAI.” The “mission” of the UBCC is “to design biometrics system that enables India to achieve uniqueness in the national registry. The endeavour of designing such a system is an ongoing quest to innovate biometrics technology appropriate for the Indian conditions”.

ARE LEAKAGES REALLY PLUGGED?

At a popular level—and this appears to be its ideological underpinning—the notion that it is the most effective way to check “leakages” of benefits to citizens appears to have caught on, especially among those who are swayed by what can be termed techno-utopianism.

A study commissioned by the Andhra Pradesh Civil Supplies Department in 2015 to find out why almost one-fourth of those entitled to rations had not collected rations found fingerprint authentication failure in 290 of 790 cardholders, and Aadhaar “mismatch” in 93 instances. In the hundred days that the Jawaabdehi Yatra toured Rajasthan from December 1, 2015, the number of people reporting that they did not receive their rations or pensions because of failed fingerprint authentication or Aadhaar mismatch [where the information on the Aadhaar database and that on the public distribution system database, for instance, do not tally] was disturbingly high. There were others who had had to visit the shop four or five times before they got their rations because of fingerprint authentication problems.

Advocates of Aadhaar, including Nandan Nilekani, say the system being cashless, paperless and presence-less makes it ideal for plugging leaks.

If direct benefit transfer is introduced in place of the PDS, the last mile is still dependent on a banking correspondent or other such agent who will use an authentication system to decide whether or not or how much to hand over to the individual. The term micro-ATM is highly misleading because it is not anything like an ATM we know. It is indeed micro; but there is nothing automatic about it; in fact, it is through an agent who dispenses the monies. The risk of moneys being siphoned off, especially because of low literacy levels, particularly financial literacy, and the desperate vulnerability of the poor is being deliberately underplayed.

By making Aadhaar paperless—it is a number attached to a biometric—the project places barriers to identifying oneself when collecting rations, pensions, job cards, and so on. This may well suit the system, but it leaves people at the mercy of a technology that is still being tested, a technology with limitations for the working class that are already being demonstrated across the country. And, alongside with experimenting with this system of identification, it is setting at nought other ways people have had of identifying themselves to the system, such as with ration cards, or kisan cards, or voter IDs. The project was promoted with the claim that it would give a portable identity to migrant workers. We have not seen too many signs of portability yet, more than seven years after the project began. The large number of workers in the construction industry, for instance—and it is their biometrics that is expected to make their ID portable.

As for being presence-less, it appears Nilekani would have the government disappear behind a computer monitor. It is this absence that is already the problem. The supervision and reporting on a project such as this is largely missing. There is no one to take the problems to if and when they crop up. Technology is a useful tool. However, when it is interposed between the people and an administration, it is not necessarily empowering. But, techno-utopia has no patience for nuance or substance.

ISSUES RAISED IN COURT

What issues are raised in the cases in the Supreme Court?

The cases raise many issues of constitutional importance. One of these is the fact that a project of this nature and scale had been launched and had proceeded without a law prescribing its mandate and limits. Now there is a law, but it doesn’t address many of the concerns; in some aspects, it exacerbates the problems; these still have to be considered and adjudged by the court. There are two main streams in this project. One is biometrics. From early on, it was recognised that biometrics was untested technology, even by the UIDAI’s own admission, and that its imposition through the project was an experiment on the entire population. Two, with the “numberising” of the population and the insertion of the number in every database, citizens are exposed to tracking. Once it is in a range of databases, it makes it possible to do data mining, convergence of data, profiling, tracking and networking and trading in personal data. Use of this number, and of the UIDAI’s services, by the government and by private persons and agencies is a part of how this “ubiquity” will be achieved. That people are being asked to part with their number and personally identifiable information wherever anyone may demand it is among the insecurities generated by the project. These issues remain to be resolved by the court.

The use of companies such as L-1 Identity Solutions, Accenture and Morpho is already under challenge in the Supreme Court, especially for their proximity to foreign intelligence agencies including the CIA [Central Intelligence Agency], the U.S. Department of Homeland Security and the French government. One strange response to an RTI [Right to Information] request about how firms of such provenance could have been engaged for this project said that the authority had no means of knowing which country these companies were from; they had registered offices in India, and that is all that was on their applications! These are matters of national security before the court.

Exclusion, especially of the working class and the poor, is getting more established with experience. The court is also yet to decide on the contempt petitions filed in the pending cases which address the issue of coercion and exclusion that the project has brought with it.

The biometric, demographic and authentication data with the UIDAI is one level of privacy invasion. Seeding this number in multiple databases and the profiling and tracking that facilitates it is another. It is not only poverty and political dissent that this will target. One way to understand the implications of the ubiquity of this number is through the National Intelligence Grid [NATGRID]. Its mandate has been to give information in real time from 21 databases—and this can be expanded to include 11 security and intelligence agencies. This is not under any law, and it has been declared to be a security organisation and therefore outside the remit of the RTI Act. We often hear people say, if you have done nothing wrong, why should you care if everything about us is known? Well, it is not what we think is of interest to us that counts in such situations; it is how we are construed by those who have an interest in us. And this is not what we put out about ourselves; it is about how databases reflect us. These too are before the court.

There is a fundamental principle being argued in court: that the Constitution is not about the power of the state but about the limits of the power of the state over the people. The idea of transparency, too, is being contested. While the RTI Act aspires to make the state transparent to its people, the UID project works at making the individual not just visible, but to be profiled and tracked by the state and by private companies and persons. The matter was referred to a Constitution Bench on the question of privacy; the court is still to hear and decide this question.

COURT ORDERS FLOUTED

The database has reached a hundred crore. What now?

First, this database was built up by flouting the orders of the court. The court said time and again the UID number should not be made mandatory, and that was consistently ignored. Even the Election Commission got into the game in March 2015 until a contempt petition halted it in its tracks. This, therefore, is not a legally constituted database.

Second, when the UIDAI decided that it wanted to do its own enrolment—and not only help in the standardising of the governmental databases, as was its original mandate—it was said that all other existing government databases were full of errors but this would be the one that would be perfect. The manner of enrolment through thousands of enrollers (27,000 enrolment stations at one count), the hurry, the process which has no patience with verifying documents, the lack of monitoring of enrollers and registrars: all this explains why errors abound. In January 2012, P. Chidambaram, as Home Minister, refused to give credence to the UID database because the process was porous and the data unreliable. By end-January, there was a rapprochement between the Home Ministry and the UIDAI and they decided to share the country 50:50. That tells us something about how the project has proceeded, and the worth of its database.

Three, if the creation and maintenance of this database raises national security risks, it makes sense to dismantle it. Four, take a look at who is a resident in the 2016 Bill: it is a person who has resided in India for 182 days in the 12 months preceding the application. There was no such criterion, and no such check, in enrolments so far. The UIDAI Mission Director is reported to have said that consent, which has to be obtained from a person when being enrolled, will only apply to those who enrol after the law comes into force; the law, according to him, ratifies everything that the UIDAI has done so far. So will it also ratify a database that is not verified if the person is a “resident”?

What other aspects of the law are of concern?

The breadth of the definitions of subsidies, services and benefits covers almost the entire universe of our lives—and both private persons and companies and government can demand the number as a condition. The law allows the UIDAI to do what it will through regulations—it includes adding more biometrics, more fields of personal data, and extends way beyond. The individual has no means of asking, finding answers to or contesting what the UIDAI does. When an offence, including data theft and identity fraud, is committed, the individual can do nothing. It is only the UIDAI that can take a complaint to a court. There is a clause that lets the UIDAI make regulations to “omit” or “deactivate” the number. This is what is called “civil death”.

This project began without a feasibility study. It left open questions of constitutionality and civil liberties and was based on untested technology. It was aggressively promoted, using the power and resources at the command of the state. That is why it has met with opposition from many quarters. One of the tragedies of this project pertains to how it has successfully made a villain of the recipient of state support. It has institutionalised the notion of the “undeserving” poor, which threatens to promote, instead of curtail, the extent of deprivation in the country.