Category: Aadhar

Legality of Linking Social Media Accounts to Aadhar

Posted on by Tech Law Forum @ NALSAR

This post has been authored by Saara Mehta, a fifth year at the National Law Institute University, Bhopal. It discusses the legality of linking social media accounts to the government’s Aadhar scheme. 

On 20thAugust, 2019, the Attorney General of India, K.K. Venugopal, submitted to the Supreme Court that there was a need to link the social media profiles of users with their Aadhar numbers, and if required, have platforms like Facebook and WhatsApp share this number (which acts like a unique identity) with law enforcement agencies to help detect crimes. This, he argued, is needed to check fake news, defamatory articles, anti-national content, etc. This post aims to examine the legality of this potential move in the light of the Puttaswamy decisions, as well as the fundamental rights enshrined in Articles 19 and 21.

Read more

Metadata by TLF: Issue 4

Posted on by Tech Law Forum @ NALSAR

Welcome to our fortnightly newsletter, where our Editors put together handpicked stories from the world of tech law! You can find other issues here.

Facebook approaches SC in ‘Social Media-Aadhaar linking case’

In 2018, Anthony Clement Rubin and Janani Krishnamurthy filed PILs before the Madras High Court, seeking a writ of Mandamus to “declare the linking of Aadhaar of any one of the Government authorized identity proof as mandatory for the purpose of authentication while obtaining any email or user account.” The main concern of the petitioners was traceability of social media users, which would be facilitated by linking their social media accounts with a government identity proof; this in turn could help combat cybercrime. The case was heard by a division bench of the Madras HC, and the scope was expanded to include curbing of cybercrime with the help of online intermediaries. In June 2019, the Internet Freedom Foundation became an intervener in the case to provide expertise in the areas of technology, policy, law and privacy. Notably, Madras HC dismissed the prayer asking for linkage of social media and Aadhaar, stating that it violated the SC judgement on Aadhaar which held that Aadhaar is to be used only for social welfare schemes. 

Facebook later filed a petition before the SC to transfer the case to the Supreme Court. Currently, the hearing before the SC has been deferred to 13 September 2019 and the proceedings at the Madras HC will continue. Multiple news sources reported that the TN government, represented by the Attorney General of India K.K. Venugopal, argued for linking social media accounts and Aadhaar before the SC. However, Medianama has reported that the same is not being considered at the moment and the Madras HC has categorically denied it.

Further Reading:

  1. Aditi Agrawal, SC on Facebook transfer petition: Madras HC hearing to go on, next hearing on September 13, Medianama (21 August 2019).
  2. Nikhil Pahwa, Against Facebook-Aadhaar Linking, Medianama (23 August 2019).
  3. Aditi Agrawal, Madras HC: Internet Freedom Foundation to act as an intervener in Whatsapp traceability case, Medianama (28 June 2019).
  4. Aditi Agrawal, Kamakoti’s proposals will erode user privacy, says IIT Bombay expert in IFF submission, Medianama (27 August 2019).
  5. Prabhati Nayak Mishra, TN Government Bats for Aadhaar-Social Media Linking; SC Issues Notice in Facebook Transfer Petition, LiveLaw (20 August 2019).
  6. Asheeta Regidi, Aadhaar-social media account linking could result in creation of a surveillance state, deprive fundamental right to privacy, Firstpost (21 August 2019).

Bangladesh bans Mobile Phones in Rohingya camps

Adding to the chaos and despair for the Rohingyas, the Bangladeshi government banned the use of mobile phones and also restricted mobile phone companies from providing service in the region. The companies have been given a week to comply with these new rules. The reason cited for this ban was that refugees were misusing their cell phones for criminal activities. The situation in the region has worsened over the past two years and the extreme violation of Human Rights is termed to be reaching the point of Genocide according to UN officials. This ban on mobile phones, would further worsen the situation in Rohingya by increasing their detachment with the rest of the world, thus making their lives at the refugee camp even more arduous.

Further Reading:

  1. Nishta Vishwakarma, Bangladesh bans mobile phones services in Rohingya camps, Medianama (4 September 2019).
  2. Karen McVeigh, Bangladesh imposes mobile phone blackout in Rohingya refugee camp, The Guardian (5 September 2019).
  3. News agencies, Bangladesh bans mobile phone access in Rohingya camps, Aljazeera (3 September 2019).
  4. Ivy Kaplan, How Smartphones and Social Media have Revolutionised Refugee Migration, The Globe Post (19 October 2018).
  5. Abdul Aziz, What is behind the rising chaos in Rohingya camps, Dhakka Tribune (24 March 2019).

YouTube to pay 170 million penalty for collecting the data of children without their consent

Alphabet Inc.’s Google and YouTube will be paying a $170 million penalty to the Federal Trade Commission. It will be paid to settle allegations that YouTube collected the personal information of children by tracking their cookies and earning millions through targeted advertisements without parental consent. The FTC Chairman, Joe Simons, condemned the company for publicizing its popularity with children to potential advertisers, while blatantly violating the Children’s Online Privacy Protection Act. The company has claimed to advertisers, that it does not comply with any child privacy laws since it doesn’t have any users under the age of 13. Additionally, the settlement mandates that YouTube will have to create policies to identify content that is aimed at children and notify creators and channel owners of their obligations to collect consent from their parents. In addition, YouTube has already announced that it will be launching YouTube Kids soon which will not have targeted advertising and will have only child-friendly content. Several prominent Democrats in the FTC have criticized the settlement, despite it being the largest fine on a child privacy case so far, since the penalty is seen as a pittance in contrast to Google’s overall revenue.

Further Reading:

  1. Avie Schenider, Google, YouTube To Pay $170 Million Penalty Over Collecting Kids’ Personal Info, NPR (4 September 2019).
  2. Diane Bartz, Google’s YouTube To Pay $170 Million Penalty for Collecting Data on Kids, Reuters (4 September 2019).
  3. Natasha Singer and Kate Conger, Google Is Fined $170 Million for Violating Children’s Privacy on YouTube, New York Times (4 September 2019).
  4. Peter Kafka, The US Government Isn’t Ready to Regulate The Internet. Today’s Google Fine Shows Why, Vox (4 September 2019).

Facebook Data Leak of Over 419 Million Users

Recently, researcher Sanyam Jain located online unsecured servers that contained phone numbers for over 419 million Facebook users, including users from US, UK and Vietnam. In some cases, they were able to identify the user’s real name, gender and country. The database was completely unsecured and could be accessed by anybody. The leak increases the possibility of sim-swapping or spam call attacks for the users whose data has been leaked. The leak has happened despite Facebook’s statement in April that it would be more dedicated towards the privacy of its users and restrict access to data to prevent data scraping. Facebook has attempted to downplay the effects of the leak by claiming that the actual leak is only 210 million, since there are multiple duplicates in the data that was leaked, however Zack Whittaker, Security Editor at TechCrunch has highlighted that there is little evidence of such duplication. The data appears to be old since recently the company has changed its policy such that it users can no longer search for phone numbers. Facebook has claimed that there appears to be no actual evidence that there was a serious breach of user privacy.

Further Reading:

  1. Zack Whittaker, A huge database of Facebook users’ phone numbers found online, TechCrunch (5 September 2019).
  2. Davey Winder, Unsecured Facebook Server Leaks Data Of 419 Million Users, Forbes (5 September 2019).
  3. Napier Lopez, Facebook leak contained phone numbers for 419 million users, The Next Web (5 September 2019).
  4. Kris Holt, Facebook’s latest leak includes data on millions of users, The End Gadget (5 September 2019).

Mozilla Firefox 69 is here to protect your data

Addressing the growing data protection concerns Mozilla Firefox will now block third party tracking cookies and crypto miners by its Enhanced Tracking Protection feature. To avail this feature users will have to update to Firefox 69, which enforces stronger security and privacy options by default. Browser’s ‘Enhanced Tracking Protection’ will now remain turned on by default as part of the standard setting, however users will have the option to turn off the feature for particular websites. Mozilla claims that this update will not only restrict companies from forming a user profile by tracking browsing behaviour but will also enhance the performance, User Interface and battery life of the systems running on Windows 10/mac OS.

Further Readings

  1. Jessica Davies, What Firefox’s anti-tracking update signals about wider pivot to privacy trend, Digiday (5 September 2019).
  2. Jim Salter, Firefox is stepping up its blocking game, ArsTechnica (9 June 2019).
  3. Ankush Das, Great News! Firefox 69 Blocks Third Party Cookies, Autoplay Videos & Cryptominers by Default, It’s Foss (5 September 2019).
  4. Sean Hollister, Firefox’s latest version blocks third-party trackers by default for everyone, The Verge (3 September 2019).
  5. Shreya Ganguly, Firefox will now block third-party tracking cookies and cryptomining by default for all users, Medianama (4 September 2019).

Delhi Airport T3 terminal to use ‘Facial Recognition’ technology on a trial basis

Delhi airport would be starting a three-month trial of the facial recognition system in its T3 terminal. This system is called the Biometric Enabled Seamless Travel experience (BEST). With this technology, passenger’s entry would be automatically registered at various points such as check-in, security etc. Portuguese company- toolbox has provided the technical and software support for this technology. Even though this system is voluntary in the trial run the pertinent question of whether it will remain voluntary after it is officially incorporated is still to be answered. If the trial run is successful, it will be officially incorporated.

Further Reading:

  1. Soumyarendra Barik, Facial Recognition tech to debut at Delhi airport’s T3 terminal; on ‘trial basis’ for next three months, Medianama (6 September 2019).
  2. PTI, Delhi airport to start trial run of facial recognition system at T3 from Friday, livemint (5 September 2019).
  3. Times Travel Editor, Delhi International Airport installs facial recognition system for a 3 month trial, times travel (6 September 2019).
  4. Renée Lynn Midrack, What is Facial Recognition, lifewire (10 July 2019).
  5. Geoffrey A. Fowler, Don’t smile for surveillance: Why airport face scans are a privacy trap, The Washington Post (10 June 2019).

UK Court approves use of facial recognition systems by South Wales Police

In one of the first cases of its kind a British court ruled that police use of live facial recognition systems is legal and does not violate privacy and human rights. The case, brought by Cardiff resident Ed Bridges, alleged that his right to privacy had been violated by the system which he claimed had recorded him at least twice without permission, and the suit was filed to hold the use of the system as being violative of human rights including the right to privacy. The court arrived at its decision after finding that “sufficient legal controls” were in place to prevent improper use of the technology, including the deletion of data unless it concerned a person identified from the watch list.

Further Reading:

  1. Adam Satariano, Police Use of Facial Recognition Is Accepted by British Court, New York Times (4 September 2019).
  2. Owen Bowcott, Police use of facial recognition is legal, Cardiff high court rules, The Guardian (4 September 2019).
  3. Lizzie Dearden, Police used facial recognition technology lawfully, High Court rules in landmark challenge, The Independent (4 September 2019).
  4. Donna Lu, UK court backs police use of face recognition, but fight isn’t over, New Scientist (4 September 2019).

Read more

Dr. Usha Ramanathan’s Talk on the UIDAI Litigation

Posted on by Tech Law Forum @ NALSAR

[Ed Note : The following post is based on Dr. Ramanathan’s enlightening talk  at the NALSAR University of Law, Hyderabad. It has been authored by Karthik Subramaniam and Yashasvi Raj, first year students of the aforementioned university, who,  in a slightly longer but informative read aptly put forth Dr. Ramanathan’s views on the Aadhar issue and its judicial journey.

Dr. Usha Ramanathan, an internationally recognized legal expert, is currently research fellow at the Centre for the Study of Developing Societies and professor at the Indian Law Institute. Since 2009, she has consistently brought forth the loopholes in the Aadhar project, exposing its shoddy functioning.]

Read more

A Perfect Eden

Posted on by Tech Law Forum @ NALSAR

[Ed Note : The following post has been authored by Anupriya Nair, a second year student of NALSAR University of Law. In an interesting and chilling read, Anupriya talks about the potential emergence of China-inspired social credit systems in India which essentially monitor our actions to tell us how trustworthy we are. What exactly does this entail? Read to find out more!]

Unlocking Novel Frontiers of Digital Control: The Potential Emergence of Social Credit Systems in India

Development of technology has begun to tread the fine line between liberation and oppression of society. In other words, the ever-evolving digital sphere has led us to face the paradox of having means to achieve new levels of inclusivity (liberation) while running an exponentially large risk of highly intrusive surveillance (oppression).

This dilemma was addressed in Charlie Brooker’s dystopian series Black Mirror. In an episode “Nosedive”[1], Brooker depicted a society in which every member possessed a personal score ranging anywhere between 0 to 5. These personal scores were determined based on rankings from people who viewed the member’s profile and rated their posts. Further, a change in this score could result in significant socioeconomic consequences.

Given the importance of the score to the quality of life of an individual in society, every human interaction was transformed into an exercise of disingenuous camaraderie, for fear that a stray remark would result in a poor rating, creating a world where everybody strived to be trustworthy and respectful towards one another, creating a perfect Eden.

This perfect Eden could be a reality for China by 2020. The Communist Party, with the aim of building a socialist utopia under its able guidance, has been developing a social credit system in which it intends to inculcate a culture of “trustworthiness” and “sincerity” into its society.

This system of social credit would involve the government monitoring every digitally traceable action of an individual, making it a powerful force that collects copious amounts of sensitive information on nearly every interaction made by an individual. The system would consequently assign each individual a numerical score that acts as a direct indicator of one’s “trustworthiness”.

One of the most prominent state-approved pilot projects currently in place is run by Zhima Credit (Sesame Credit), the subsidiary financial wing of the world’s biggest online shopping platform, Alibaba. Users of the Alibaba mobile app may voluntarily request to be provided with a social credit score based on not only their credit history, but their behaviour as well.

The need for such a social credit system arises out of the lack of a traditional functioning credit system that is generally built based on mortgage and credit card bill payment patterns of individuals. In China however, consumers primarily use cash and the country’s central banking regulator (The People’s Bank of China) doesn’t maintain adequate financial records of their consumers either. Since adhering to the traditional mode of credit scoring is not a viable option for the citizens of China, they decided to opt for other means of determining their credit risk. The Zhima system thus has a large number of citizens volunteering to avail the social credit facility provided by Alibaba. A poor Zhima score cannot get a citizen blacklisted, given that the government concluded that it would not be permissible to allow a private corporation to have control over such sensitive areas.

China, in addition to the eight firms authorized to conduct such alternative credit score programmes, has a local government approved social credit score regime in place as well. Although the government contends that the regime has been designed to be “objective” in nature, it ultimately draws a parallel to the understanding of what constitutes “good” and “bad” behaviour according to the government. Further, the scores in this regime operate on a 1000-point scale and can have an impact on the socioeconomic benefits available to a person, their implications ranging from an individual’s opportunity to apply for a government job, to sending their children to an elite private school.[2] The scores are therefore an omnipotent, omnipresent and omniscient force to be reckoned with.

As stated in a high-level policy document released in September, the overriding principle that this social credit regime aims to follow at its core is: “If trust is broken in one place, restrictions are imposed everywhere.”[3]

Some elements of the social credit system appear to be making its way to India with the Income Tax department reportedly chalking out a new policy where “honest” and consistent taxpayers will be rewarded. As per the proposal by the Central Board of Direct Taxes, honest taxpayers are to receive priority treatment in accessing public services at places such as airports or railway stations. According to the Press Trust of India, “honest” taxpayers could be issued special identification numbers or be flagged as a special part of the maiden taxpayer facilitation proposal in their permanent account number (PAN).

Evidently, apart from creating a metric to determine one’s credit score, the primary vision of the implementation of a social credit system is to strive to achieve a utopian future for society. The question is, at what cost are we willing to adopt to this process of Eden-ification? Just as the Aadhar has previously been labelled as a mass surveillance tool, a social credit system would involve the collection and storage of highly sensitive personal information which could indeed become a target for hackers as previously demonstrated by various flaws and reported hacks within the Aadhar database itself.

Apart from the surveillance and privacy concerns, there is also the possibility that this system would imbibe a sense of disingenuity in its users. The best course of action inevitably involves understanding the “objective” system and using it to your advantage. This results in a number game of sorts where everyone is after a higher score instead of genuinely striving to become a better person out of one’s own volition.

Finally, the standards set in a social credit system cannot be “objective” given that the quality being standardised is trustworthiness. There is no objective panel from society or democratic process being utilised to set the standards of “trustworthiness” or “socially acceptable behaviour” in society. This is obviously a wrongful imposition of power. Further, those involved in the actual creation of these “objective” standards have an unfair advantage in earning a higher score due to their proximity to the programme itself.

In conclusion, it is not wrong to strive to build a perfect Eden for ourselves. The issue lies with the highly problematic and abuse-prone means by which we intend to reach our goal of doing so.

References – 

[1] Joe Wright, (Director). (2016, October 21). Nosedive [Television series episode], In Laurie Borg (Producer), Black Mirror. Netflix.

[2] Alice Vincent, Black Mirror is coming true in China, where your “rating” affects your home, transport and social circle, The Telegraph, Dec. 15, 2017, https://www.telegraph.co.uk/on-demand/2017/12/15/black-mirror-coming-true-china-rating-affects-home-transport/ (last visited Nov 21, 2018)

[3] China’s plan to organize its society relies on ‘big data’ to rate everyone – The Washington Post, https://www.washingtonpost.com/world/asia_pacific/chinas-plan-to-organize-its-whole-society-around-big-data-a-rating-for-everyone/2016/10/20/1cd0dd9c-9516-11e6-ae9d-0030ac1899cd_story.html?utm_term=.76106c42e93e (last visited Nov 21, 2018)

Read more

Comments on the Srikrishna Committee Report and the Draft Data Protection Bill 2018 – II

Posted on by Tech Law Forum @ NALSAR

[Ed Note : The following post, the second post in the series of posts containing comments to the Report and Draft Bill, 2018  published on the MeitY website, has been authored and compiled by students of NALSAR University of Law. This post contains comments on the Report and Draft bill in relation to the AADHAR issue. 

The first post in the series can be found here. Keep watching this space for more posts in the series!]

With the Supreme Court upholding the constitutional validity of the Aadhaar Act and scheme on the 27th of September, 2018, a significant impact will be felt by the Data Protection Bill. If one looks at the larger aim of a Bill like the Data Protection Bill, it is to recognize that an individual’s data and their rights over it are of utmost importance. With the Apex Court upholding the validity of Aadhaar albeit certain caveats, a thorn is created in the larger realization of the Bill’s goal. Principally, the limitation of the role of Aadhaar by the judgment would secure rights in terms of who uses available data and the interference of private parties. However, the fact that biometric data collection is still a valid process creates doubts regarding the conflicting nature of the aims of data protection and Aadhaar.

The sheer amount of private and confidential data amassed in one singular database has given rise to concerns over data security and its privacy. Many critics have pointed out that the use of biometric data instead of smart cards is a mechanism of choosing surveillance over the use of e-governance technologies.

1. Consent, AADHAR and Data Protection 

The idea of consent does not present itself when a data subject is mandatorily required to register themselves with the Aadhaar programme. The Supreme Court held that Aadhaar is essential for filing Income Tax Returns (ITR) and to obtain a new PAN Card. Accountants in Nottingham exclaimed that the recent judgment makes linking of Aadhaar to PAN also mandatory which again takes away the idea of choice in giving out information that concerns personal data. Thus while in theory the programme remains voluntary, in practice it simply is not, as most services are linked to the PAN Card, including crucially opening a bank account.

Especially with reference to the provision of subsidies and benefits, Aadhaar has become ‘the’ identification metric. Failure of Aadhaar authentication has resulted in the loss of the subsidy or the benefit. The government has refused to use in other forms of identification as an alternative for the same. Therefore, the idea of consent embodied under Section 12 of the Draft Bill is violated. Even if on a central level Aadhaar is made non-mandatory for the provision of certain services, there are many State-level provisions that are necessarily linked to solely the Aadhaar – most painfully sometimes in denying education to students.

2. The AADHAR infrastructure and purpose of limitation  

Section 5 of the Data Protection Bill is the ‘purpose limitation’ clause. Section 5(1) states that ‘personal data shall be processed only for purposes that are clear, specific and unlawful’. A very obvious counter to this is presented in the form of Aadhaar. The nexus that the Government draws upon to justify Aadhaar is the linking of it to subsidy and welfare benefit schemes. While Aadhaar has become mandatory for the same, there is no limitation as to what extent the purpose can be determined until which it is legitimate for making Aadhaar mandatory. The creation of an Aadhaar number associated with an individual is itself the individual giving up on certain rights that concern their biometric data and physical markings. Even if the Aadhaar is made for the singular purpose of accruing social welfare benefits, the fact that every new scheme may seek the same makes the idea of purpose determination difficult if not impossible. The scope available to the Government for drawing out information under the guise of the Aadhaar is notably expanded.

The Aadhaar Act will have to be amended in order to ensure the autonomy of the UIDAI.

  1. Exceptions in the Bill for the Aadhaar Act

The Aadhaar project engages in a balancing exercise between the individual’s right to privacy and the state’s right to intrude upon that privacy but ultimately comes out heavily in favor of the latter. While the idea of a data protection Act appears to be based upon ensuring a fair and meaningful exercise of the right to privacy, this cannot be achieved unless the unjustifiable privacy incursions of Aadhaar are adequately dealt with. The Bill includes several exceptions to the requirement of consent for the processing of data, some of which pertain, inter alia, to the provision of welfare benefits and not merely state security exemptions (Section 42) or prosecution of offenses. This would bolster the functioning of Aadhaar to such an extent as to abrogate a (vulnerable) data subject’s expectation of privacy.

Sections 13 and 19 of the draft Bill are particularly relevant in this regard. While Section 13 allows for the processing of personal data even without consent for the exercise of “any function, for the delivery of services or benefits or issuance of certificates”, Section 19(b) in a similar vein allows for the processing of sensitive personal data (which includes biometric data) if it is “strictly necessary for… any function of the State authorized by law for the provision. The use of such broad and sweeping terms is reminiscent of the broad and sweeping ideals of any service or benefit to the data principal”. Similarly, Section 17 allows the Data Protection Authority (DPA) to process data for “reasonable purposes”, which as per the accompanying illustrative list includes such uses as credit scoring and debt recovery which could be easily taken from the Aadhaar database which, even after the judgment, intrude into multiple areas of everyday life. Hence, it is always advisable to know what must you must know before filing for bankruptcy as it can help you to overcome from being an insolvent. These are some of the things out of what should I know about bankruptcy. This merely strengthens a DPA that is already tasked with far too excessive levels of powers. By providing this increased scope for data interference and exceptions from being governed from the personal right to privacy, there is an increased scope of arbitrary action. Even in the presence of remedies to the same, there will still inevitably be a number of data privacy casualties as a product of this nearly unlimited power.

The key question to be answered in this regard is whether Aadhaar is, in practice, necessary to carry out the function of the State, and this remains extremely contentious (particularly in light of the purpose limitations laid out in Section 5 of the draft Bill). In light of the fact that notifications of breach of data are to be made only in the likelihood of ‘harm’ being caused to the data principal as under Section 32, this is even more troubling.

The draft Bill also states that personal and sensitive personal data can be processed if in accordance with an explicitly mandated Indian law, and this clearly justifies the Aadhaar in its entirety now that the court has validated its existence. Alarmingly, Section 45 does not discuss the requirement of consent when it comes to the large-scale use of data for research or archival purposes (seen to be a ‘national treasure’), which clearly gives further credence to the idea of a project premised upon mandatory collection of personal data.

These exceptions provide greater scope for surveillance, an issue the Bill remained silent on with regards to the Aadhaar.

  1. Role of UIDAI

The draft Bill appears to have strengthened the status of the UIDAI particularly in relation to matters of dispute settlement, by placing the burden upon the data fiduciary i.e. the UIDAI to approach the courts. While the Committee report recognizes the need to ensure the autonomy of the UIDAI, adjudicatory power has been proposed to be granted to the UIDAI (in addition to the power of other Adjudicatory Officers) and at the same time, the exclusivity of allowing the UIDAI to file complaints has been maintained. This only strengthens the legitimacy of privacy incursions by the UIDAI by allowing it to effectively have discretion over claims of data breaches.

The next post can be found here.

Read more