Showing posts with label Aadhaar. Show all posts

Friday, December 27, 2019

Use Aadhaar database to build population register: Govindacharya tells govt

The government should consider using the Aadhaar database to build a population register, K N Govindacharya, a former Rashtriya Swayamsevak Sangh ideologue, has said in a letter he wrote to Home Minister Amit Shah as nationwide protests continue against a new citizenship law.

Aadhaar numbers of about 1.25 billion citizens can be used to integrate with the last National Population Register data, Govindacharya has suggested in the letter, a copy of which was seen by Business Standard. The "union cabinet has sanctioned Rs 8754.23 crore for census operations and Rs 3941.35 crore for NPR purposes. Data integration will not only save the national resources but also avoid unnecessary inconvenience to the millions of people in India," he said.


NPR, which will collect demographic and biometric data, was thought of at a Chief Ministers' conference on internal security in 2001. With the backdrop of the Kargil war in 1999, it was felt that there was a need to separate citizens from aliens. A Multi-Purpose National Identity Card was to be provided to citizens and the idea of NPR was born.

His letter comes after Parliament on December 11 passed the Citizenship (Amendment) Act 2019 (CAA) to provide a path to Indian citizenship for Hindu, Sikh, Buddhist, Parsi, Jewish and Christian minorities from Pakistan, Afghanistan and Bangladesh. Critics say the law--and plans for a National Citizenship Register (NRC) --discriminate against Muslims and are an attack on the country’s secular constitution. The government has said no citizen will be affected and that there are no imminent plans for a register.

The NRC, a subset of NPR, was carried out in Assam on the orders of the Supreme Court in 2018. It sought to identify "doubtful citizens" and ended up excluding 1.9 million residents from the citizenship register. The CAA, 2019 was brought to provide a path to these residents but the exclusion of Muslims has become controversial as it adds a religious test to Indian citizenship.

This has led to widespread protests across the country, largely led by students, asking for CAA and NRC to be withdrawn.

As Aadhaar is not proof of citizenship but identity, using it with NPR can be useful for population mapping. Govindacharya suggests that the NRC be executed without verification and scrutiny of 137 crore population of India, many of whom can be further verified using data that is collected by State and Central governments such as voter lists, passport holders, driving licences, PAN cards, registered property, and so on.

"Voter List persons and their children may be around 130 crores, and who can be treated as bonafide citizens and part of NRC. Accordingly, Government can do the verification of documents of remaining 7 crore persons, which may be 5 per cent of the whole population," Govindacharya has suggested.

The inferences are based on research done by think tank Centre for Accountability and Systemic Change.

Essentially, an exercise like this would eliminate the need for every citizen to go through the hassle of verification, and will save the government huge expenditure.

He has also said that India does not have the resources to build high class detention centres for doubtful foreign nationals. "Instead of investing hugely on high class detention centres for illegal immigrants, prison improvements should be prioritised," Govindacharya said.

Sunday, August 25, 2019

Linking Aadhaar with social media or ending encryption is counterproductive

Should Aadhaar be used as KYC for social media accounts? We have recently seen a debate on this question with even the courts hearing arguments in favour and against such a move. The case began in Madras High Court and later Facebook moved the SC seeking transfer of the petition to the Apex court. The original petition was filed in July, 2018 and sought linking of Aadhaar numbers with user accounts to further traceability of messages.

Before we try and answer this question, we need to first understand the differences between the different types of data on social media and messaging platforms. If a crime happens on an end to end cryptographically secure channel like WhatsApp the police may request the following from the provider to help solve the case:


1. Identity data: Phone numbers of the accused. Names and addresses of the accused.

2. Metadata: Sender, receiver(s), time, size of message, flag identifying a forwarded message, delivery status, read status, etc.

3. Payload data: Actual content of the text and multimedia messages.

Different countries have taken different approaches to solving different layers of the surveillance problem. Let us start with identity data. Some like India require KYC for sale of SIM cards while others like the UK allow anonymous purchases. Corporations also have policies when it comes to anonymous speech on their platforms - Facebook for instance enforces a soft real ID policy while Twitter does not crack down on anonymous speech. The trouble with KYC the old fashioned way is that it exposes citizens to further risk. Every possessor of your identity documents is a potential attack surface. Indian regulation should not result in Indian identity documents being available in the millions to foreign corporations. Technical innovations are possible, like tokenisation, Aadhaar paperless local e-KYC or Aadhaar offline QR code along with one time passwords. These privacy protective alternatives must be mandatory for all and the Aadhaar numbers must be deleted from previously seeded databases. Countries that don’t require KYC have an alternative approach to security and law enforcement. They know that if someone like me commits a crime, it would be easy to catch me because I have been using the same telecom provider for the last fifteen years. This is true of long term customers regardless if they are pre-paid or post-paid. The security risk lies in the new numbers without this history that confirms identity. These countries use targeted big data analytics to determine risk and direct surveillance operations to target new SIM cards. My current understanding is that when it comes to basic user data - all the internet giants in India comply with what they consider as legitimate law enforcement requests. Some proprietary and free and open source [FOSS] alternatives to services offered by the giants don’t provide such direct cooperation in India.

When it comes to payload data - it is almost impossible (meaning you will need supercomputers) to access the data unless the service/software provider breaks end-to-end cryptography. It is unwise, like some policy-makers are proposing, to prohibit end-to-end cryptography or mandate back doors because our national sovereignty and our capacity for technological self-determination depends on strong cryptography. A targeted ban or prohibition against proprietary providers might have a counterproductive consequence with users migrating to FOSS alternatives like Signal which won’t even give the police identity data. As a supporter of the free software movement, I would see this as a positive development but as a citizen I am aware that the fight against crime and terror will become harder. So government must pursue other strategies to getting payload data such as a comprehensive government hacking programme.

Meta-data is critical when it comes to separating the guilty from the innocent and apportioning blame during an investigation. For example, who was the originator of a message? Who got it and read it last? WhatsApp claims that it has implemented the Signal protocol faithfully, meaning that they hold no meta-data when it comes to the messages and calls. Currently there is no regulation which mandates data retention for over the top providers but such requirements do exist for telecom providers. Just like access to meta-data provides some visibility into illegal activities it also provides visibility into legal activities. Therefore those using end-to-end cryptography on platforms with comprehensive meta-data retention policies will have their privacy compromised even though the payload data remains secure. Here is a parallel example to understand why this is important. Early last year, the Internet Engineering Task Force chose a version of TLS 1.3 that revealed less meta-data over one that provided greater visibility into the communications. This hardening of global open standards, through the elimination of availability of meta-data for middle-boxes, makes it harder for foreign governments to intercept Indian military and diplomatic communications via imported telecom infrastructure. Courts and policy makers across the world have to grapple with the following question: Are meta-data retention mandates for the entire population of users a “necessary and proportionate” legal measure to combat crime and terror? For me, it should not be illegal for a provider who voluntarily wishes to retain data, provided it is within legally sanctioned limits, but it should not be a requirement under law.

There are technical solutions that are yet to be properly discussed and developed as an alternative to blanket meta-data retention measures. For example, Dr. V Kamakoti has made a traceability proposal at the Madras High Court. This proposal has been critiqued by Anand Venkatanarayanan as being violative in spirit of the principles of end-to-end cryptography. Other technical solutions are required for those seeking justice and for those who wish to serve as informers for terror plots. I have proposed client side metadata retention. If a person who has been subjected to financial fraud wishes to provide all the evidence from their client, it should be possible for them to create a digitally signed archive of messages for the police. This could be signed by the sender, the provider and also the receiver so that technical non-repudiation raises the evidentiary quality of the digital evidence. However, there may be other legal requirements such as the provision of notice to the sender so that they know that client side data retention has been turned on.
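The co-signed archive idea above can be sketched as follows. This is an added illustration, not code from the article or from any messaging provider; the choice of Ed25519, the JSON encoding, the role names and the seed-derived demo keys are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Message is one retained record as held on the reporting user's client.
type Message struct{ Sender, Receiver, SentAt, Body string }

// Archive is the exported evidence bundle plus one signature per party.
type Archive struct {
	Messages []Message
	Sigs     map[string][]byte // role -> Ed25519 signature over Digest()
}

var roles = []string{"sender", "provider", "receiver"} // hypothetical role names

// Digest hashes the JSON encoding of the messages (struct field order is fixed).
func (a *Archive) Digest() []byte {
	raw, _ := json.Marshal(a.Messages)
	sum := sha256.Sum256(raw)
	return sum[:]
}

// Verify lists the roles whose signature is missing or does not match.
func (a *Archive) Verify(pubs map[string]ed25519.PublicKey) []string {
	failed := []string{}
	for _, r := range roles {
		pub, sig := pubs[r], a.Sigs[r]
		if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, a.Digest(), sig) {
			failed = append(failed, r)
		}
	}
	return failed
}

// Demo signs a constructed archive with all three parties, then alters one message.
func Demo() (intact, tampered []string) {
	a := &Archive{Sigs: map[string][]byte{}, Messages: []Message{
		{"+91-sender", "+91-victim", "2019-08-01T10:00:00Z", "Send the OTP to claim your refund"}}}
	pubs := map[string]ed25519.PublicKey{}
	for _, r := range roles {
		seed := sha256.Sum256([]byte("demo-key-" + r)) // constructed test keys only
		key := ed25519.NewKeyFromSeed(seed[:])
		pubs[r] = key.Public().(ed25519.PublicKey)
		a.Sigs[r] = ed25519.Sign(key, a.Digest())
	}
	intact = a.Verify(pubs)
	a.Messages[0].Body = "altered after signing"
	return intact, a.Verify(pubs)
}

func main() { fmt.Println(Demo()) }
```

Any change to a message after signing invalidates all three signatures, which is what lets a verifier treat an intact archive as vouched for by each party.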

The need of the hour is sustained research and development of privacy protecting surveillance mechanisms. These solutions need to be debated thoroughly amongst mathematicians, cryptographers, scientists, technologists, lawyers, social scientists and designers so that solutions with the least negative impact can be rolled out either voluntarily by providers or as a result of regulation.

The writer is Executive Director, Centre for Internet and Society. Twitter: @sunilabraham

[Disclosure: The Centre for Internet and Society receives grants from Facebook, Google, Wikimedia Foundation and other non-profit foundations]

Monday, July 8, 2019

Rajya Sabha passes Bill on voluntary use of Aadhaar as identity proof

The Rajya Sabha on Monday passed the Aadhaar and Other Laws (Amendment) Bill, 2019, which allows voluntary use of Aadhaar as proof of identity for users to open bank accounts and get mobile phone connections.

The amendment was passed by a voice vote. Last week, the Bill was passed in the Lok Sabha amidst opposition from several quarters.

The newly passed Bill also gives the Unique Identification Authority of India, the agency that administers Aadhaar, the power to now give directions as it may consider necessary to any entity in the Aadhaar ecosystem.

The Bill had also amended the Aadhaar Act to allow the people to register complaints in certain cases, including impersonation or disclosure of their identity, whereas the Aadhaar Act only allowed courts to take cognizance of an offence if UIDAI registered a complaint.

The Bill also provides for a steep Rs 1 crore penalty and a jail term for private entities violating provisions on Aadhaar data.

The Aadhaar and Other Laws (Amendment) Bill, 2019, was introduced in Lok Sabha on June 24.

The amendments provide for use of Aadhaar number for KYC authentication on voluntary basis under the Telegraph Act, 1885, and the Prevention of Money Laundering Act, 2002.

Saturday, July 6, 2019

Aadhaar now alternative for payments above Rs 50,000: Revenue Secy Pandey

Aadhaar can now be quoted for cash transactions of above Rs 50,000 and other purposes in which the PAN was a must, traditionally, according to Revenue Secretary Ajay Bhushan Pandey.

Banks and other institutions will make back-end upgrades to allow acceptance of Aadhaar in all places where quoting PAN is now mandatory, Pandey said on Saturday.

This follows the Budget allowing interchangeability of PAN and Aadhaar. “Today you have 22 crore PAN cards which are linked to Aadhaar. You have more than 120 crore people who have Aadhaar. Supposing somebody wants PAN, he has to first use Aadhaar, generate PAN and then start using it. With Aadhaar the advantage would be he now does not have to generate PAN. So this is a great convenience,” he said.

Thursday, June 13, 2019

Aadhaar bill gets Cabinet nod, to be introduced in next Parliament session

The Union Cabinet on Wednesday approved “The Aadhaar and Other Laws (Amendment) Bill, 2019” to replace the Aadhaar and Other Laws (Amendment) Ordinance, 2019. The amendments proposed are the same as those contained in the Ordinance promulgated by President Ram Nath Kovind on March 2, 2019. The Bill will be introduced in the next session of Parliament.

Among others, it allows for voluntary use of Aadhaar as an identity proof for opening bank accounts as well as procuring mobile phone connections. The Bill seeks to give effect to the changes in the Aadhaar Act, such as giving a child an option to exit from the biometric ID programme on turning 18.

The amendment provides for stiff penalties upon violation of norms pertaining to Aadhaar, and violation of privacy. It prohibits storing of core biometric information and the Aadhaar number by service providers, in cases of individuals who have voluntarily offered the national ID as a means of authentication.

The proposed amendments would allow the use of Aadhaar number for authentication on voluntary basis as acceptable ‘Know Your Customer’ document under the Telegraph Act, 1885, as well as the Prevention of Money Laundering Act, 2002.

The changes proposed under the Ordinance, introduced in February, included a civil penalty of up to Rs 1 crore on entities that violate the provisions of the Aadhaar Act, with an additional fine of up to Rs 10 lakh per day in case of continuous non-compliance. The Ordinance was promulgated by the President on March 2.