Usha Ramanathan works on the jurisprudence of law, poverty and rights. She writes and speaks on issues that include the nature of law, the Bhopal Gas Disaster, mass displacement, eminent domain, civil liberties including the death penalty, beggary, criminal law, custodial institutions, the environment, and the judicial process. She has been tracking and engaging with the UID project and has written and debated extensively on the subject. In July-September 2013, she wrote a 19-part series on the UID project that was published in The Statesman, a national daily.
Her work draws heavily upon non-governmental experience in its encounters with the state; a 6 year stint with a law journal (Supreme Court Cases) as reporter from the Supreme Court; and engagement with matters of law and public policy.
She was a member of: the Expert Group on Privacy set up by the Planning Commission of India which gave in its report in October 2012; a committee (2013-14) set up in the Department of Biotechnology to review the Draft Human DNA Profiling Bill 2012; and the Committee set up by the Prime Minister's Office (2013-14) to study the socio-economic status of tribal communities which gave its report to the government in 2014.
Wednesday, April 20, 2016
Thursday, April 7, 2016
85 - The Law Needs to Catch Up With Aadhaar, But Not in the Way Jaitley is Promising - The Wire
- Fingerprint authentication failure in 290 of 790 cardholders
- Aadhaar ‘mismatch’ in 93 instances
Wednesday, April 6, 2016
85 - Aadhaar is like drone warfare versus hand to hand combat, profiling becomes all that more eaiser: Usha Ramanathan - Business Standard
Aadhaar is like drone warfare versus hand to hand combat, profiling becomes all that more eaiser: Usha Ramanathan
84 - INTERVIEW: USHA RAMANATHAN Threat to citizen rights - FrontLine
INTERVIEW: USHA RAMANATHAN
Interview with Usha Ramanathan, legal researcher.
By V. SRIDHAR
The grand Indian project for a “unified” identity regime has, since its inception, been grounded in two key propositions. The first is the notion that the targeted delivery of state-sponsored benefits and services will plug the “leakages”, which will ensure that only “genuine” beneficiaries will access state-distributed and subsidy-laden benefits. Thus, Aadhaar was visualised as the tool that would make sure that the benefit distribution system would operate efficiently. The other critical aspect of Aadhaar has been its techno-utopian foundation—that this is a magic wand to abolish poverty.
The independent legal researcher Dr Usha Ramanathan has written, campaigned and spoken extensively on various issues lying at the intersection of legal jurisprudence, civil rights and poverty. She was a member of the Expert Group on Privacy at the Planning Commission and a member of a committee (2013-14) set up by the Department of Biotechnology to review the draft Human DNA Profiling Bill, 2012. She has been a consistent critic of the philosophical, social, legal and economic foundations of the Aadhaar project.
Here, in this telephonic interview with Frontline, Usha Ramanathan argues that the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016, abridges the rights of citizens and threatens to impose severe hardships on the poor, who are supposed to be the prime beneficiaries of the legislation. Excerpts:
What is your opinion as a legal researcher on the move to present the Bill as a money Bill—both legally and as a political manoeuvre?
Nobody seriously believed that the 2016 Bill was a money Bill. The words “Consolidated Fund of India” were slipped into a few provisions to justify introducing it as a money Bill. But, while the Bill in Clause 7 says that the government may make enrolment on the Aadhaar database a condition for getting subsidies, benefits and services, this Bill does not itself provide for any subsidies or benefits or services. What the Bill does is to make the UIDAI [Unique Identification Authority of India] a statutory entity, legalise the collection and databasing of demographic and biometric information of residents, expand the use of the UID number beyond the state to “any body corporate or person”, provide protection to officials of the UIDAI from prosecution and create some offences. The hallmark of a money Bill, which is to make money available to the executive to carry out its work, is nowhere present in the legislation.
In resolving a “dispute” about whether a Bill is a money Bill or not, the Speaker’s task is to decide whether the Bill conforms to what Article 110 of the Constitution says. A money Bill—that article is categorical—has to be “only” about the matters listed there, and this Bill is not about any of those matters at all. Maybe, the Speaker of the Lok Sabha had been advised that the Juvenile Justice Act had been passed in 1986 as a money Bill and so constituted a precedent. This, however, was proven wrong, but only after Jairam Ramesh found out otherwise and corrected Arun Jaitley in the Rajya Sabha. Now, it is either for the President to hold back on signing it into law and ask the government to remedy the mistake— maybe apologise to Parliament and restart the process of making the law. Or it may have to go to court and be judicially reviewed. That the money Bill route was taken to stifle debate is one of the tragic ironies of this project.
The Aadhaar legislation has been passed by Parliament even as a bench of the Supreme Court is considering a challenge on the grounds that it violates the right to privacy. Does the law now tilt the field against this challenge?
It is significant that just when the UID case was being heard in the Supreme Court, the Attorney General argued that privacy was not a fundamental right. He succeeded in putting under a cloud a right that has been part of our constitutional jurisprudence for over 40 years. And yet, at the same time that this argument was being made in the Supreme Court, the government was arguing in another courtroom that privacy being a fundamental right, Section 499 of the IPC [Indian Penal Code], which makes defamation a crime, should not be struck down. There the government was presenting itself as a protector of citizens’ fundamental right to privacy!
The UIDAI has been protesting that there are no privacy problems because all that the authority will do is respond to an authentication request with a “yes” or a “no”. This is not true, and the Bill reflects a part of the problem. The UIDAI collects and organises a database of demographic and biometric information, and it reserves the right to collect other data. So, the collected data have already expanded to include mobile numbers, e-mail addresses, bank accounts and other details of citizens. When the UIDAI receives the authentication requests, it has information about where the request is coming from—banks, employers, hospitals, airline companies, the Railways, shops, or even the Election Commission.
The 2016 Bill legalises “data sharing agreements”. The bureaucrats can then decide when and under what circumstances the information ought to be shared in the “national interest”. A court can direct the sharing of information, including authentication records. The government can take over from the authority “if persistently defaulted in complying with any direction given by the Central government”. The now-infamous Clause 57 permits “any body corporate or person” to “use” the Aadhaar number in pursuance of any law “or any contract to this effect”. Wherever the Bill provides for information to be taken from the UIDAI, the UIDAI has to be heard by the court or the government or an official. But the person whose data are being handed over is not only not heard, he/she is not even to be informed, either immediately or after a length of time.
There is no opt-out provision and no question of ever getting off the database. You cede control to the UIDAI once you enrol. The law endorses the one-sided control of citizen information.
But Aadhaar’s proponents claim “core” biometrics would not be disclosed under any circumstance—national security included?
The biometric history of the UID project tells its own story. There is a reason why the UIDAI is keen not to have the biometric database scrutinised, or even seen, by anyone but itself. This is not for the protection of the interests of those on the database. The willingness to share demographic and authentication data, get into data-sharing agreements and allow any person to access the UID database tells us that.
The admitted truth is that biometrics is still being researched. No one is yet sure of the value of the biometrics of such a vast and diverse population. The provision that “core biometrics”—which is everything other than the photograph—will not be given to anyone for any reason— never mind if it is a matter of national security or forensic need—is to shield the faults and fallacies, uncertainties and sure misses from scrutiny.
Why do I say this? Just go back to the time the UIDAI decided to adopt biometrics as the measure of uniqueness. That was in September 2009. What was known about it then? Very little. In January-February 2010, a notice inviting a biometrics consultant was candid:
“[The] National Institute of Standards and Technology [NIST, in the United States] has spent considerable efforts over the past 10-15 years in benchmarking the state-of-the-art extractor and matching technology for fingerprint, face, and iris biometrics on the Western population. While NIST documents the fact that the accuracy of biometric matching is extremely dependent on demographics and environmental conditions, there is a lack of a sound study that documents the accuracy achievable on Indian demographics [that is, larger percentage of rural population] and in Indian environmental conditions [extremely hot and humid climate and facilities without air-conditioning]. In fact we could not find any credible study assessing the achievable accuracy in any of the developing countries…The ‘quality’ assessment of fingerprint data is not sufficient to fully understand the achievable de-duplication accuracy.”
In December 2009, the Biometrics Standards Committee set up to report on the possibilities of achieving uniqueness during enrolment said that of the 25,000 people whom it had checked to see if the technology could deliver, 2 to 5 per cent had no biometrics that worked. So it suggested that maybe one more biometric could be added and maybe that could be the iris but that it should be tested before being adopted. And crucially, iris was included as an added biometric before tests or studies were undertaken. In the next few years, the proof of concepts on enrolment [2010-11], fingerprint authentication [March 2012] and iris authentication [September 2012] showed a system still at the stage of study and experimentation. The Parliamentary Standing Committee on Finance, which reported on the 2010 Bill, rejected it partly because of the use of “untested technology”. In 2011, the Mission Director of the UIDAI said:
“Capturing fingerprints, especially of manual labourers, is a challenge. The quality of fingerprints is bad because of the rough exterior of fingers caused by hard work, and this poses a challenge for later authentication.”
This bothered the Standing Committee, too, because it was plain that the difficulties in authentication would result in large-scale exclusion and denial since a large proportion of those needing state assistance are precisely those doing manual labour.
In 2013, the CBI [Central Bureau of Investigation] got an order from a magistrate to get the biometric database of all persons enrolled in Goa. This was in connection with the case of the rape of a child in school. The CBI said it had found a random palm print that it wanted verified. In a litigation that was appealed all the way to the Supreme Court, the UIDAI argued against the order asking it for access to its database in order to assist criminal investigations. It cited two considerations: one, privacy and two, that the way they collected and stored meant that data could not be used for forensic purposes. Initially, in May 2014, the Supreme Court directed that the biometric data of a person should not be shared without the consent of its owner. However, on August 11, 2015, the court modified this order by making an exception when directed by a court for the purpose of a criminal investigation.
On August 13, 2015, the UIDAI website was refreshed. The website now hosts a section on “UBCC and Research”. [UBCC stands for the UIDAI Biometrics Centre of Competence.] The text reads: “Biometrics features are selected to be primary mechanisms for ensuring uniqueness ... No country has undertaken to build a national registry at the scale and accuracy as UIDAI initiative. Nature and diversity of India’s working population adds another challenge to achieving uniqueness through biometric features. Like other technology fields such as telecommunication, we do not have experience like developed countries to leverage for designing UIDAI’s biometrics systems…Therefore, it is necessary to create a UIDAI Biometrics Centre of Competence that focuses on the unique challenges of UIDAI.” The “mission” of the UBCC is “to design biometrics system that enables India to achieve uniqueness in the national registry. The endeavour of designing such a system is an ongoing quest to innovate biometrics technology appropriate for the Indian conditions”.
ARE LEAKAGES REALLY PLUGGED?
At a popular level—and this appears to be its ideological underpinning—the notion that it is the most effective way to check “leakages” of benefits to citizens appears to have caught on, especially among those who are swayed by what can be termed techno-utopianism.
A study commissioned by the Andhra Pradesh Civil Supplies Department in 2015 to find out why almost one-fourth of those entitled to rations had not collected rations found fingerprint authentication failure in 290 of 790 cardholders, and Aadhaar “mismatch” in 93 instances. In the hundred days that the Jawaabdehi Yatra toured Rajasthan from December 1, 2015, the number of people reporting that they did not receive their rations or pensions because of failed fingerprint authentication or Aadhaar mismatch [where the information on the Aadhaar database and that on the public distribution system database, for instance, do not tally] was disturbingly high. There were others who had had to visit the shop four or five times before they got their rations because of fingerprint authentication problems.
Advocates of Aadhaar, including Nandan Nilekani, say the system being cashless, paperless and presence-less makes it ideal for plugging leaks.
If direct benefit transfer is introduced in place of the PDS, the last mile is still dependent on a banking correspondent or other such agent who will use an authentication system to decide whether or not or how much to hand over to the individual. The term micro-ATM is highly misleading because it is not anything like an ATM we know. It is indeed micro; but there is nothing automatic about it; in fact, it is through an agent who dispenses the monies. The risk of moneys being siphoned off, especially because of low literacy levels, particularly financial literacy, and the desperate vulnerability of the poor is being deliberately underplayed.
By making Aadhaar paperless—it is a number attached to a biometric—the project places barriers to identifying oneself when collecting rations, pensions, job cards, and so on. This may well suit the system, but it leaves people at the mercy of a technology that is still being tested, a technology with limitations for the working class that are already being demonstrated across the country. And, alongside with experimenting with this system of identification, it is setting at nought other ways people have had of identifying themselves to the system, such as with ration cards, or kisan cards, or voter IDs.The project was promoted with the claim that it would give a portable identity to migrant workers. We have not seen too many signs of portability yet, more than seven years after the project began. The large number of workers in the construction industry, for instance—and it is their biometrics that is expected to make their ID portable.
As for being presence-less, it appears Nilekani would have the government disappear behind a computer monitor. It is this absence that is already the problem. The supervision and reporting on a project such as this is largely missing. There is no one to take the problems to if and when they crop up. Technology is a useful tool. However, when it is interposed between the people and an administration, it is not necessarily empowering. But, techno-utopia has no patience for nuance or substance.
ISSUES RAISED IN COURT
What issues are raised in the cases in the Supreme Court?
The cases raise many issues of constitutional importance. One of these is the fact that a project of this nature and scale had been launched and had proceeded without a law prescribing its mandate and limits. Now there is a law, but it doesn’t address many of the concerns; in some aspects, it exacerbates the problems; these still have to be considered and adjudged by the court. There are two main streams in this project. One is biometrics. From early on, it was recognised that biometrics was untested technology, even by the UIDAI’s own admission, and that its imposition through the project was an experiment on the entire population. Two, with the “numberising” of the population and the insertion of the number in every database, citizens are exposed to tracking. Once it is in a range of databases, it makes it possible to do data mining, convergence of data, profiling, tracking and networking and trading in personal data. Use of this number, and of the UIDAI’s services, by the government and by private persons and agencies is a part of how this “ubiquity” will be achieved. That people are being asked to part with their number and personally identifiable information wherever anyone may demand it is among the insecurities generated by the project. These issues remain to be resolved by the court.
The use of companies such as L-1 Identity Solutions, Accenture and Morpho is already under challenge in the Supreme Court, especially for their proximity to foreign intelligence agencies including the CIA [Central Intelligence Agency], the U.S. Department of Homeland Security and the French government. One strange response to an RTI [Right to Information] request about how firms of such provenance could have been engaged for this project said that the authority had no means of knowing which country these companies were from; they had registered offices in India, and that is all that was on their applications! These are matters of national security before the court.
Exclusion, especially of the working class and the poor, is getting more established with experience. The court is also yet to decide on the contempt petitions filed in the pending cases which address the issue of coercion and exclusion that the project has brought with it.
The biometric, demographic and authentication data with the UIDAI is one level of privacy invasion. Seeding this number in multiple databases and the profiling and tracking that facilitates it is another. It is not only poverty and political dissent that this will target. One way to understand the implications of the ubiquity of this number is through the National Intelligence Grid [NATGRID]. Its mandate has been to give information in real time from 21 databases—and this can be expanded to include 11 security and intelligence agencies. This is not under any law, and it has been declared to be a security organisation and therefore outside the remit of the RTI Act. We often hear people say, if you have done nothing wrong, why should you care if everything about us is known? Well, it is not what we think is of interest to us that counts in such situations; it is how we are construed by those who have an interest in us. And this is not what we put out about ourselves; it is about how databases reflect us. These too are before the court.
There is a fundamental principle being argued in court: that the Constitution is not about the power of the state but about the limits of the power of the state over the people. The idea of transparency, too, is being contested. While the RTI Act aspires to make the state transparent to its people, the UID project works at making the individual not just visible, but to be profiled and tracked by the state and by private companies and persons. The matter was referred to a Constitution Bench on the question of privacy; the court is still to hear and decide this question.
COURT ORDERS FLOUTED
The database has reached a hundred crore. What now?
First, this database was built up by flouting the orders of the court. The court said time and again the UID number should not be made mandatory, and that was consistently ignored. Even the Election Commission got into the game in March 2015 until a contempt petition halted it in its tracks. This, therefore, is not a legally constituted database.
Second, when the UIDAI decided that it wanted to do its own enrolment—and not only help in the standardising of the governmental databases, as was its original mandate—it was said that all other existing government databases were full of errors but this would be the one that would be perfect. The manner of enrolment through thousands of enrollers (27,000 enrolment stations at one count), the hurry, the process which has no patience with verifying documents, the lack of monitoring of enrollers and registrars: all this explains why errors abound. In January 2012, P. Chidambaram, as Home Minister, refused to give credence to the UID database because the process was porous and the data unreliable. By end-January, there was a rapprochement between the Home Ministry and the UIDAI and they decided to share the country 50:50. That tells us something about how the project has proceeded, and the worth of its database.
Three, if the creation and maintenance of this database raises national security risks, it makes sense to dismantle it. Four, take a look at who is a resident in the 2016 Bill: it is a person who has resided in India for 182 days in the 12 months preceding the application. There was no such criterion, and no such check, in enrolments so far. The UIDAI Mission Director is reported to have said that consent, which has to be obtained from a person when being enrolled, will only apply to those who enrol after the law comes into force; the law, according to him, ratifies everything that the UIDAI has done so far. So will it also ratify a database that is not verified if the person is a “resident”?
What other aspects of the law are of concern?
The breadth of the definitions of subsidies, services and benefits covers almost the entire universe of our lives—and both private persons and companies and government can demand the number as a condition. The law allows the UIDAI to do what it will through regulations —it includes adding more biometrics, more fields of personal data, and extends way beyond. The individual has no means of asking, finding answers to or contesting what the UADAI does. When an offence, including data theft and identity fraud, is committed, the individual can do nothing. It is only the UIDAI that can take a complaint to a court. There is a clause that lets the UIDAI make regulations to “omit” or “deactivate” the number. This is what is called “civil death”.
This project began without a feasibility study. It left open questions of constitutionality and civil liberties and was based on untested technology. It was aggressively promoted, using the power and resources at the command of the state. That is why it has met with opposition from many quarters. One of the tragedies of this project pertains to how it has successfully made a villain of the recipient of state support. It has institutionalised the notion of the “undeserving” poor, which threatens to promote, instead of curtail, the extent of deprivation in the country.