Snooping target: How UIDAI puts India at risk

By Gopal Krishna
December 27, 2013 15:35 IST

Aren’t the National Intelligence Grid and UIDAI engineered by vested interests, asks Gopal Krishna.

The Devyani Khobragade row appears to be a motivated act ahead of the verdict of the US district court for the District of Columbia pointing out the unconstitutionality of the United States National Security Agency program of indiscriminately collecting electronic data and disclosures by Edward Snowden, a former contractor at the NSA, about a decades-old intelligence alliance which has come to light. It has been revealed that India’s prime minister, President and almost all the ministers have been under NSA surveillance. The court verdict was passed on December 16.

In the verdict, Judge Richard Leon rules, “I cannot imagine a more ‘indiscriminate’ and ‘arbitrary invasion’ than this systematic and high-tech collection and retention of personal data on virtually every single citizen for purposes of querying and analysing it without prior judicial approval. Surely such a program infringes on ‘that degree of privacy’ that the founders enshrined in the Fourth Amendment.” The 68-page verdict is attached (external link).

This verdict is readily applicable to the ‘indiscriminate’ biometric and demographic databases being created in India by the Planning Commission’s Unique Identification Authority of India and by the home ministry’s Registrar General & Census Commissioner for National Population Register besides the National Intelligence Grid (NATGRID), the Indian incarnation of NSA.

Framers of India’s Constitution would be aghast at such ‘systematic and high-tech collection and retention of personal data on virtually every single citizen for purposes of querying and analysing it without prior judicial approval.’ Indeed these initiatives, along with the bitterly opposed proposal of National Counter Terrorism Centre and Goods and Services Tax Network, constitute “abridgement of freedom of the people by gradual and silent encroachments by those in power” in our country.

The verdict of the US court attempts to safeguard the interests of its citizens. This is not applicable to non-US citizens because US laws do not recognise the rights of privacy of non-US citizens to be sacrosanct. This implies that rights of privacy of Indian citizens do not have protection either under the Indian laws, US laws or any international law at present.

In an RTI reply dated December 5, UIDAI shared the contract agreement dated March 17, 2010 between UIDAI and the consortium consisting of M/s Ernst & Young Private Limited and M/s Netmagic Solutions Pvt Ltd that announces that “we will provide a unique identity to over 113.9 crore people.” This is evidently a fraudulent announcement because UIDAI, with which the agreement has been signed, has a mandate to provide unique identity to only 60 crore residents of India and not to 113.9 crore people.

The most startling disclosure from the contract agreement is its admission that ‘biometric systems are not 100% accurate’. It admits that ‘uniqueness of the biometrics is still a postulate’. In an admission that pulverises the very edifice on which UID/Aadhaar and the NPR rest, it writes, “The loss in information due to limitations of the capture setup or physical conditions of the body, and due (to) the feature representation, there is a non-zero probability that two fingerprints or iris prints coming from different individuals can be called a match.”

The contract agreement underlines it in bold letters. There appears to be an attempt at verbal gymnastics to hide the key message here. In simple words, “non-zero probability that two finger prints or iris prints” turning out to be a match means that there is a probability that biometric data of two different individuals can be identical.

Biometrics are the measurable biological (anatomical and physiological) or behavioral characteristics used for identification of an individual. Fingerprints are a common biometric modality, but others include things like DNA, irises, voice patterns, palm prints, and facial patterns, according to the US Federal Bureau of Investigation. With the admission of fallibility of biometrics in the contract agreement, which is rooted in scientific evidence, there emerges a compelling logic to abandon the exercise of creating a database of biometric data for identification in favour of the 15 pre-existing identity proofs on which the Election Commission of India relies and which have been giving legality and legitimacy to Parliament and the government of India.

What the media in India and elsewhere in general seems to be failing to see through is that it is an engineered row meant to create a miasma wherein the new disclosures about the 5 Eyes alliance of five English-speaking countries comprising the US NSA, the United Kingdom’s Government Communications Headquarters, Canada’s Communications Security Establishment Canada, the Australian Signals Directorate and New Zealand’s Government Communications Security Bureau. The intelligence partnership was formed in the aftermath of the Second World War ahead of transfer of power to India by the UK. These ‘eyes’ did not need to infiltrate India’s intelligence system because they were embedded there from the outset. In view of the same, the conception of converging “the entire country into one single communication entity”, introduced in 1975 with the help of a UN agency whose complicity with these “five eyes” stands exposed, needs to be revisited to outwit cyber Trojan horses.

It must be noted that companies like Ernst & Young, UK and Safran Group, France, which have got contracts from UIDAI, are from the countries which are part of this alliance. The core question is: if our President and prime minister appear seemingly unperturbed in the face of glaring evidence of their having been subjects of surveillance, how can they be trusted to safeguard the right to privacy of citizens?

In a relevant development, on December 5, The Economic Times reported that India’s Intelligence Bureau has questioned the issuing of UID/Aadhaar numbers to foreigners and refugees from other countries. Notably, it is not clear how many citizens of the nine countries of the intelligence gathering alliance are currently residing in India. The IB raised these objections on November 6 at a meeting of senior officials of the investigative agency, the home ministry and UIDAI. The UIDAI has argued that any non-resident Indian or foreign citizen living in India can apply for Aadhaar since it is only meant for establishing identity and not citizenship.

This submission of UIDAI is an exercise in sophistry. The fact is that UIDAI is working with the Election Commission to merge the electoral database with the Centralised Identity Data Repository of UID/Aadhaar numbers. Relying on the prime minister’s patronage, UIDAI appears to be taking even the IB for a ride. The home ministry is rightly arguing that since ultimately both the CIDR of UIDAI and NPR data are going to be collated, the issue of citizenship is likely to get confounded. What is apparent is that this confusion is part of the design and not a product of default. The IB is right in seeking background checks of private players involved with the UIDAI. It must be done before it is too late or before it becomes structurally subservient to foreign agencies due to the unfolding ‘solutions architecture’.

There is a need for Parliament, the Supreme Court, state legislatures and high courts to examine whether or not biometrics provides an established way of fixing the identity of Indians. Has it been proven? A report, ‘Biometric Recognition: Challenges and Opportunities’, of the National Research Council, US, published on September 24, 2010, concluded that the current state of biometrics is ‘inherently fallible’. That is also one of the findings of a five-year study. This study was jointly commissioned by the US’s Central Intelligence Agency, the US Department of Homeland Security and the Defence Advanced Research Projects Agency.

Another study titled “Experimental Evidence of a Template Aging Effect in Iris Biometrics”, supported by the CIA and other US agencies, challenges the widely accepted notion that iris biometric systems are not subject to a template aging effect. The study provides evidence of a template aging effect. A ‘template aging effect’ is defined as an increase in the false reject rate with increased elapsed time between the enrollment image and the verification image.

UIDAI had constituted a committee to review the state of biometrics to ‘serve the specific requirements of UIDAI relating to de-duplication and authentication’ and to ‘obtain consensus (for) widespread propagation of biometrics in governmental and private sectors’.

In a related development, the National Database and Registration Authority, under the ministry of interior, Pakistan is also undertaking a similar exercise. Is it a coincidence that both the countries are undertaking the exercise at the same time? Will it prevent drone attacks and the ignominy of mouthing verbal opposition to such assaults on its sovereignty? The core question is: what has improved in Pakistan due to NADRA’s citizens’ database except facilitating precision targets by drones?

Even before the Planning Commission’s UIDAI and MHA’s NPR conceptualized their biometric and demographic database, NADRA claimed that it had successfully profiled all its citizens. The whistle-blower website Wikileaks revealed that the citizens’ database was handed over to US agencies. In the case of India, there will be no need for a database handing-over ceremony because the database is given to the security agencies through their proxies, who in turn are subservient to the legislative will of the US, France and the UK unlike India.

Big data companies from the countries of the intelligence alliance are looking for databases of diverse kinds. UIDAI says that hosting the data on a private network “does not necessarily lead to violation of privacy and security.” What if the private network happens to be a big data company like MongoDB, In-Q-Tel, L1, Safran and Accenture?

If the government’s reply is still the same, it should come out with a White Paper explaining in what circumstances security and privacy are violated, what aspects of their breach are acceptable and tolerable, and what aspects are non-negotiable and constitute acts of treason. If storage and mining of biometric data by these companies is legal and legitimate, the question is why does the government consider this data to be “national assets”?

It has been reported based on disclosures of Snowden that US and UK intelligence forces have hacked and planted spyware on more than 50,000 computer networks worldwide and their number is expected to reach over 85,000 by the end of 2013.

Against such a backdrop, instead of counting the numbers of those residents of India enrolled/imprisoned under biometric Aadhaar and NPR for NATGRID or NCTC at their own cost, national energy ought to focus on questions like: Do the government, Parliament and state assemblies know how many citizens and companies of the UK, USA, Canada, Australia, New Zealand, Denmark, France, the Netherlands and Norway are currently residing/operating in India? How many of them are non-traceable?
