Despite the phenomenal budget it operates under, however, there are some things it hasn’t tried to do (apart from counting accurately and thoroughly), and one is to actually ask people how they feel about their privacy being subjected to the worst risks imaginable for people living in a nation that is rapidly moving towards a market economy.

Fortunately, IDRC, the Canadian nation’s fund for developmental activities, decided to fund Privacy International, one of the world’s most active groups in the field of privacy protection, to discover just how much people in Asian countries were aware of the inroads being made into personal privacy through the kind of commercialisation being unleashed through economic ‘reforms’. One of the many projects this eventually broke down into involved research in India.

How Privacy Matters

We identified Dr Ponnurangam K., a young professor who was just returning to India from the USA, to work at the Indraprastha Institute of Information Technology, Delhi, to lead the research. While in the USA, as part of his doctoral work, he had visited India in 2004, which is when we met, and done some preliminary research through discussions with people like me (and probably a lot of people who aren’t like me). He set up the PreCog labs at IIITD, working in areas relating to the provision of computer and personal security technologies there.

He began his research by talking to stakeholders, then set up focus group discussions, which elicited the set of questions then exhaustively administered to 10,427 people across the country, the largest, and perhaps the first, such survey ever undertaken. The results came out today, November 23, 2012, and are quite revealing. The actual survey results are available here, a pdf file, but the overview can be found on this page.

Among the interesting findings are the fact that 80% of the respondents reported awareness of identity theft, although large percentages are also cavalier about mobile security and in general also trusting of the government. Recent initiatives such as UID and NATGRID do not seem to raise as much concern as their awareness might indicate, with statements like they must be necessary since the government is executing them.

Curiously, the concerns about privacy revolve strongly about the Internet, with mobile phones and telephony appearing to seem less threatening. However, this concern is centered around markers like passwords, with email IDs, names, dates of birth etc coming across as less recognisable as ‘personally identifiable information’. Physical privacy intrusions such as cameras in public places and so on were low down in terms of raising concern or even awareness. People with generally high awareness of privacy also recognise issues relating to mobile phones, and delete the data on them before selling them in the secondary market.

The awareness of privacy risks on social networks are also low, but people do report concern about photographs, and are wary of having them disseminated through social links. However, the risks of financial transactions leaking PII are known, possibly due to the number of frauds that have attracted publicity in recent years. Yet a significant number of people (15%) think there is no issue with printing the user’s date of birth, name and even phone number in plain text on the card.

Trust in the government’s role extends to reporting comfort with the government’s decision to roll out the security  network interlinking project called NATGRID, or with the issue of personal identity numbers, called Aadhaar. This probably rests to some extent upon the mistaken belief that the country has specific laws protecting privacy, when in fact there is a Constitutional reference that has not been consistently or fully affirmed by successive Supreme Court rulings. Since PK did an earlier study on privacy perception in 2004, one relevant conclusion that can be drawn is that trust in the government is eroding.

Put together, the findings are quite interesting: this government is moving inexorably in a direction that is going to cause people to lose faith in government itself, a serious problem in a country riven with economic disparity and its attendant exclusionary structure.

A random pick of three news items, each of which discusses the public availability of free wireless connectivity in mass transit systems. In London and New York, the service provider is a third-party private, for-profit, agency, while it is not mentioned in the article on northern Ireland, but seems to be the transit company itself.

Now, as many people would know, wifi is not currently the most protected and secure wireless connectivity option possible, but nearly all modern portable devices can connect to it ‘out of the box’. Northern Ireland has an almost century-long history of violent civil strife, with a lengthy death toll by suicide bombing, shootouts and even modern missiles etc. Nobody needs reminding about New York’s repeated experiences with violent terror attacks, including possibly the largest death toll in the world from a single incident, the destruction of the World Trade Center. London has suffered from decades of terror attacks, mostly a direct result of the now-abating civil strife in Ireland.

I doubt that anybody is wearing rose-colored spectacles imagining that there will never be another terror attack in these places. But they have made the implicit decision that providing convenient connectivity so that working people can be productive even while using mass transit facilities is an integral factor in a society that aspires to be stable and attractive for its people.

What then ails India? We have the most antediluvian rules restricting the use of wifi in public places. Security agencies regularly sweep public service providers to ensure that accessibility is restricted, that users must be logged in registers after providing independently verifiable identities, harass private citizens who believe that allowing their own contracted connectivity be shared with neighboring poor people is a selfless act of charity, and generally structure wireless connectivity to be crow-barred onto cellular telephony, for which data services are a high-priced luxury (and an afterthought, technically).

Have wifi facilities ever been misused in a terror attack in India? As far as I can recall, it has happened more than once, to convey emails claiming responsibility after an attack, the impugned emails being sent to media outlets for publicity. Without doubt, the police are thus deprived of the chance to use the emails to track down the perpetrators. However, this is the only justification for restricting wifi, preventing its growth in a country that prides itself on its tech-savvy population, one that is deprived at every turn of growing that savviness in its own, innovative, creative, and entrepreneurial manner. I would be very surprised to hear an argument from any student of developmental economics that the country can progress while the reins of power and influence are kept in the hands of a piddling few people, some of whom are obscenely rich billionaires, while many of the others feed from their troughs.

Our other achievement of note is the 2G scam, where the country notionally lost hundreds of thousands of crores in potential revenue by channeling artificially scarce licenses to a few (allegedly) bribe(I mean, of course, ‘rent’)-paying telecom companies, who provide the expensive (and pretty slow) data connectivity that is economically inaccessible to the greater portion of Indian residents. At least that money would have been available to be redistributed through several million government servants, and not a fraction of it going to a handful of politically well-connected parasites, although I myself believe that fostering self-reliance is a far better track, one the present dispensation seems desperate to avoid riding.

We are a developing country, we claim, and I suspect we make a lot of unnecessary effort to ensure that we remain one. But will anyone bell the FUD cat?

Hape is not, as the Quick Reader may imagine, the last of the items (the others, like hape, were also evil) to emerge from Pandora’s box, in the Greek myth.

All round the world, business content and business processes are being digitised and made available to stakeholders, often in a highly restricted manner, ie on some kind of subscription basis. Subscribers do so, often paying money, in the faith that they get, in return, some sort of exclusive or protected access.

Quite often, in order to do so, they also voluntarily make available some kind of personal information (it varies, of course, depending on the need).The people who put together the service then store this digitised information and make it available as a part of their subscriber verification.

It works like this: if you are who you claim to be, then you should know [this] about you, because you gave us that information. If you don’t know [this], it isn’t you, so please (the please is optional, and mostly absent, I have observed) go away.

That’s all very well.

What underlies all of this is a tremendous amount of faith, faith in the quality of business processes used by the people who manage that service, that they will keep their part of the bargain – which is sometimes expressly stated, and sometimes implicit – to hold the information securely. And, a lot of the time, that is exactly what happens.

Until it hapens.

Hape is a word coined by my fellow listmember, Dinesh Bareja, to describe what happens when that trust is belied. To quote from his entertaining post:

“The Theory of Hape (abridged):

Every system or technology environment is built with known or unknown holes all over waiting to be penetrated and exploited.
After a hape, weak controls and dirty data are exposed to the world, and management [people] have to run around trying to save their reputation, jobs and more.”

These words somehow reminded me of India’s shining hope, the UIDAI, a quasi-legal organisation foisted on the country by the Planning Commission. The latter, an august body is not known for its cowboy antics, has quixotically chosen the path less often trod, that of mandating a special purpose vehicle, an Authority of India, with the task of ensuring that every resident of India gets a unique identification, a number that cannot possibly be allotted to anyone else, a passkey to all manner of delights, fancifully branded Aadhaar (foundation).

Of course, to work, whoever is charged with delivery of a particular service must be sure that the person quoting the number is actually who she says she is. Or he is, if you object to commonly accepted gender-free phraseology.

Enter the verifier. In its wisdom, UIDAI has decided that this shall take the form of biometric markers – fingerprints will do the job.

Or not. Turns out that fingerprints, the stuff of crime novels for well over a century, are well left there, in works of fiction.

Fingerprints have some problems: 1. they are not immutable, they can change with time, depending on the kind of work the person engages in, and also the state of health; 2. they may not be unique (no study of very large populations has ever been conducted, so the belief in fingerprinting is no more real than a belief in the Flying Spaghetti Monster – or no less real, to be sure); 3. fingerprint recording machines are not very pragmatic for countries like India (shaky electricity, poor hygiene, poor housekeeping); 4. digital fingerprints are based on algorithms that have never been applied to very large populations, so they may be even less perfectly unique than the fingerprint patterns themselves; and so on.

Enter the iris. This central part of the human eye turns out to be even more uniquely patterned than the fingerprint, and luckily, its digital version is also more perfectly matched to the real thing, than in the case of fingerprints. Except. This has also not been researched and scientifically established.

Somewhere in all this hype, one little factor seems to be missing – the act of verification. Each nodal point where it is needed will have to be equipped with a biometric scanner and Go/No-Go display device that will need to communicate very fast (oh, very fast indeed) with a digital store to immaculately match those credentials.

Recalling this, I was struck again by something in Dinesh’s post:

“THE EMPEROR’S NEW CLOTHES: A story about an egoistic king [who] believes he was wearing a robe that was invisible to the lower classes [ie anyone who wasn't royal enough], whereas he wasn’t wearing anything.”

Actually, the story is also about the clever pair of rascals who japed the king into blindly and faithfully accepting their story (and swiping a few bags of gold, but that is another story, hopefully not part of the modern Indian saga).

So, in the new clothes being sold, like a pup, to the country, there is some new fabric, that didn’t belong in the old fable. This is the inviolability of digital storage systems.

To be sure, there are millions of digital storage systems around the world into which no-one has ever been broken. Why then worry about the one (or ones) in which the digitsed personal information of 1.2 bn+ folks are going to one day be stored?

UIDAI has a simple answer: the information itself won’t be stored there, their store will only link the biometric information with the number. Of course, since other bits of personal information may or may not be pertinent, depending on the service being offered, the storage system will also provide a linking service between dozens of ‘silos’ of information. A silo is the charming geeky term for an information store that, figuratively, stacks up vertically, insulated from other such stores.

Interlinking stores is not a very good idea. That’s the general recommendation of security experts. Digital security experts. Dinesh’s post was probably triggered by the clever attack on the digital store maintained by an American cybersecurity firm (the matter is subjudice, so I’m protecting myself legally by not providing links here) by an anonymous network of cyberexperts (yes, there is a clue in that phrase, I’m not leaving my Devoted Readers entirely in the dark).

That story illustrates my point: the inviolability of digital stores is very closely linked to the value of the store. Very few people are interested in breaking into a pile of old clothes, they want stuff that can be traded for real value (in the case above, it was the value of very publicly embarrassing the cybersecurity firm, flushing out details of some very dodgy ethical practices).

What could the value of UIDAI’s store be, in this real world? After all, UIDAI is going to serve the poor. “Aadhaar will empower poor and underprivileged residents in accessing services such as the formal banking system and give them the opportunity to easily avail various other services provided by the Government and the private sector.”

Sounds very innocuous, and not very attractive to a would-be thief.

Till one reads between the lines. Bank accounts, mobile phones, payment systems – all are, already or in the pipeline, features of the modern economy that will be ‘facilitated’ by Aadhaar. There’ll be more, but this is quite enough, eh?

Now that’s a treasure!

And to close, let me leave my Patient Reader with this last thought from Dinesh’s post:

“Hape is inevitable.”

Surprisingly, for most people who hardly ever need to think twice about such an obvious attribute of free people, this right is fast vanishing around the world, and most dismayingly, in democratic countries.The second meeting followed hard on the heels of the first, and at the same venue, the Amorita Resort just off Alona beach. This was organised by the Association for Progressive Communications, an NGO that has been at the heart of keeping the Internet open and freely available for people around the world.

Although for most people today, networking implies computers and the Internet, APC was put together before the Internet had much meaning or relevance for social activism, when the Cold War still cast its fading shadow across the world. It enthusiastically adopted the networking capabilities of the Internet when it did become possible, and has fought an uphill battle to ensure that its potential is brought to all people in the world, not just those empowered by economic supremacy.

I have had the luck to be at several conferences and workshops put together by APC across South Asia over the past decade or more, in India, Pakistan and Bangladesh. PI, which has been part of APC almost since the beginning, was invited to take part in the Networking and Learning Forum, the invitation being extended to everyone at the PI meeting, although most of our organisations are not formally members of APC.

The PI meeting was primarily a review of the ongoing awareness initiative across Asia. It involves eight countries directly, stretching across the region, from Pakistan in the west to Australia and The Philippines on the edge of the Pacific.

One thing that made this meeting special was the fact that PI officially turned 21 while we were together. We celebrated with a quiet evening of fellowship, together with all the people from APC who had arrived by that time, on the 17th of March. Unfortunately, several of the representatives could not stay back, and we missed them.

Another very nice thing about this meeting was that APC too is celebrating its 20th birthday year, having come together in 1989, and formalised during the following year. APC very quickly took to the Internet once it got started, and established itself within formal international fora as a non-governmental interlocutor. Quite an incredible achievement, but that is not its only milestone. It is also strong with women from every continent, who have steadily and purposefully fought for equality and respect in very male-centric professions and conclaves.

I’m in this picture, together with nearly everyone who attended, wearing a tee shirt with a cartoon by the talented Chris Slane. The APC celebration took place on the concluding night of the Forum, on the 20th, which was fortunate for the remaining Indians and several others from PI, who left the next morning.

Not all, as Shahzad Ahmed, from Bytesforall (the South Asian network originally started over a decade ago by Partha Sarker – Bangladesh, Fred Noronha – India and Zunaira Durrani – Pakistan) stayed on for APC’s internal meetings, and to be elected a Council member of APC. Congratulations, Shahzad!

Being present at both these meetings, was both emotionally and intellectually challenging and fascinating, in equal parts. All across Asia, the kind of intrusiveness and careless adoption of ubiquitous surveillance of the citizenry, that was once portrayed as being part of the paraphernalia of totalitarian autocracies, is now seen as routine, as a matter of course, in country after country that proclaims its adherence to democratic values. Such occasions provide a wide experience of the techniques that occasionally have worked to stem the tide, mostly in European countries, where the emergence of the EU has also seen the widespread adoption of actionable guides to democratic and citizen-centric governance. On the other hand, there are forces within Europe too that seek to return the Asian world to the kind of repressive and regressive environments that once characterised colonialism.

How can the positive examples be replicated in Asia? As the well-known saying goes, the impossible just takes a little longer. The learning and the sharing we got, from the experiences of our fellow researchers into Asian levels of privacy awareness, from the fearless people who have led PI for two decades, and from the APC participants for whom the principles of ‘ahimsa’ and peaceful action are a core belief, are a vital step forward on that rocky road.

One of the participatory exercises (among a set of discussion based learning and experiential exchanges) involved creating posters that tied into a handful of themes. Artistic expertise was not so much the objective as delivering the message. Nagarjuna and I tried to convey a holistic spirit towards learning in our poster, one that invited collaboration. The PI team put up a poster too, but for some reason it was taken down before the judging round, and reappeared mysteriously at the end, at which point it got a special award for creativity and pertinence (a bag of excellent Bohol Free Trade coffee, if you’re interested). I don’t have a picture of it, unfortunately, but hopefully PI will upload it somewhere.

Other than networking, learning from each other’s experiences, and sharing some of the trials and triumphs of the human spirit that have brought us this far, some of us had the chance to very briefly sample some of the island’s beautiful land and sea ‘scapes. The main island, Bohol, to which Panglao is appended (by a couple of narrow causeways, the source of much local pride), is rich with history, being credited with the first peaceful agreement between the people of the islands and the Spanish, which took place only a few decades after Magellan’s global crossing came to a violent end on Cebu, across a small sea (almost an inland sea) from Bohol.

The agreement did not bring lasting peace, largely because the Spanish also brought with them a crusading religion and, as is probably an inbuilt habit of colonisers, an overbearing attitude. Boholanos are credited with what must be one of the world’s longest armed resistance movements led by a single person, lasting almost 85 years. Today the island is mostly peaceful, due to the continuing efforts of local activist groups, including many of the people who helped make the two conferences stunningly successful and enjoyable, although it has had its share of violence in the recent past, part of The Philippines’ emergence from colonisation. Most of the last century found the islands ruled by the USA, following a war with Spain.

Originally a mix of Islam (brought by sea-trading – and colonising – Arabs), and tribal faiths, Bohol is today largely Roman Catholic and Islamic, with a charming flavour of the original tribal customs infusing the celebrations of both major faiths. To casual outsiders, it is almost impossible to guess the faith of an islander, not even from the names, which are mixed between Spanish, Islamic and ethnic. Some of us had a chance to do a little touring, and I must say the ancient churches are fairly oppressive in construction, perhaps because they were built from huge blocks carved from calcified coral.

The colour of the sea around Bohol is incredible, a clear jade green near the shore changing to a deep blue a few meters further out. This part of the island chain is largely made from ossified coral, with a handful of volcanic mounts that delineate the Pacific Rim of Fire.

Simple and very effective outrigger boats, made from lightweight woods and bamboo, make boatrides across the sea remarkably comfortable, if very noisy, due to their unsilenced diesel engines. Dolphins and whales abound, and in the coral reefs, an enormous variety of tropical fish and other sea animals in fantastic colours and shapes. Even for the inexperienced (like me) snorkeling is very simple and inexpensive, while scuba diving is very accessible for the adept with more time.

Bohol is also known for its curious coral formations, the Chocolate Hills. These round grassy mounds, well over a thousand, fill one region of the island, and are truly a remarkable sight. The colours of the hills change from green to brown in the summer, and lend them the name.

Other than seafood, Bohol is known for its raffia, honey, coffee and chocolate, and a variety of fauna and birds that once thronged the rich tropical forests, especially mahogany. Islanders today are making huge efforts to revive the mahogany and other biodiversity, ravished by commercial exploitation for centuries. Almost completely vanished is the tarsier, a nocturnal simian barely the size of a small fist.

All this, and more, we learned in a tour conducted by Panglao’s own Doris Obena, an amazingly knowledgeable and sensitive person. A burgeoning Fair Trade movement makes local chocolate, honey and coffee available through shops that ensure better returns for agriculturists and handicraft artisans. It is not an easy task, as we have seen in India with our own struggling cooperatives, to counter the pernicious effects of absentee ownership on trade and cultivation.

The utter disregard of the country and its people implicit in this kind of facile performance is stunning and salutary, especially in light of the public agitation that has spread across northern Africa and parts of Asia, with citizens of many countries taking to the streets to express their disgust at the way that they have been taken for granted, by governments and leaders that claim to have their best interests at heart. Some of the perpetrators of such callousness now find themselves scrabbling to escape, together with untold amounts of wealth stolen from their hapless countries.

That the Indian public has so far been a little more forgiving of such small degradations is a current feature, not a guarantee.

Today, February 28, 2011, I am trying to be equally forgiving.

Of course, Bills are meant to be discussed threadbare in Standing Committees formed of Parliamentarians designated for the purpose, and it is the result of their deliberations – with amended and restructured wording adjudged most acceptable to the House – that actually comes up for vote. This is a good thing, generally, as it avoids the House itself from getting bogged down in sometimes not very fruitful debate – not everyone can be fully aware of all the implications of every matter where laws are needed.

Unfortunately, the truth is that the House spends most of its time in precisely such fruitless discussions, and the real business, the creation of laws to implement a long-term strategic national policy, is swept away in a welter of triviality.

This is the fate of the country’s IT policy, the synthesis of the features of a rapidly changing technology with the immediate as well as the future needs of the people of this country. Nothing could signify this more than the fact that the IT Act 2008, comprising amendments to the Act of 2000 that were proposed in 2006 (the original name of the Bill was, in fact, the IT (Amendment) Act of 2006), could not be passed until 2008, and the rules to actually enforce the Act have come up for public discussion in a period that ends today, two and quarter years after passage of the Act.

After all that, only three weeks have been given for the public to actually respond, and I only learned about it on Friday, three days ago. So here I am, trying to figure out why other people seem to be upset by this draft.

The draft rules are posted up here, with links to three documents archived in Portable Document Format (.pdf), which is readable on any modern browser, very helpful. They could have been made available in HTML5 compliant format, of course, even more helpful, but Rome wasn’t built in a day, as they say.

We Indians have learned through bitter experience that such ‘people-facing’ improvements come about only gradually, and that the servants of the people tend to live in ivory towers, answerable only to themselves, oblivious to the winds of change blowing outside.

Since the documents themselves are hosted for public access, I won’t reproduce them here in their entirety, simply the bits that I feel deserve comment.

However, in order to actually comment on the rules, it is necessary to read the Act itself, and there are, naturally, two versions of this, the original Act (ITA 2000, for brevity), and ITAA 2008 (which even the Ministry refers to by its original title, ITA 2006, although it wasn’t actually passed in the House of Parliament until Dec 2008, not endorsed by the President until Feb 2009, and then only notified in October 2009.

These are very kindly hosted by the Ministry as pdfs images of the original copies as released in the Gazette of India, which is, of course, a paper document, thus making it almost useless as a reference. Thankfully, legal service organisations have already done the hard work of uploading digital versions of the actual content, from where I have copied the relevant text.

Section 43 A

Compensation for failure to protect data (Inserted vide ITAA 2006)

Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, not exceeding five crore rupees, to the person so affected. (Change vide ITAA 2008)

Explanation: For the purposes of this section
(i) “body corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities
(ii) “reasonable security practices and procedures” means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.
(iii) “sensitive personal data or information” means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

The wording of the Act is curious, and close to obnoxious, actually. It carefully defines the potential offender as a body corporate, inclusively defining all the permutations and combinations recognised by company law in India. It leaves out, very deliberately, bodies that belong to us all, the citizens of India, held for us by the President of India or by the other subsidiary corporatised entities such as undertakings and so on.

This is a particularly odd omission, in the light of the gradual admission or discovery that the government routinely wiretaps and records voice and data interactions, numbering in the hundreds of thousands. All of this is supposedly done under carefully crafted permissions and oversight, yet hundreds of such conversations have been flagrantly revealed in the public domain, perhaps with the active connivance of some government employees (this is a surmise, as the matter is in court, and no such evidence has emerged).

At least one of these conversation has been alleged, by one of the interlocutors, in a petition filed in the Supreme Court, to be entirely private and unrelated to the alleged offenses in respect of which the recordings were made. Needless to say, such recordings are nowadays made almost completely in digital mode, and the dividing line between ‘telephony’ and ‘computer resources’ (as defined in the Act) has become very blurred indeed.

So what are the proposed Rules pertaining to this section?

Firstly, the intermediary shall observe following due diligence while discharging its duties.-
(1) The intermediary shall publish the terms and conditions of use of its website, user agreement, privacy policy etc.
That seems innocuous enough.
It goes on to say:
(2) The intermediary shall notify users of computer resource not to use, display, upload, modify, publish, transmit, update, share or store any information that [contravenes any other law in force, detailing them fairly exhaustively].

And so on. All of these are apparently designed to protect citizens from misuse of their personal information by other privately owned bodies (including individuals). What they actually do is impose enormous restrictions on the ability of information providers to host content that could conceivably be at odds with the government in power ie implicit censorship.

Subclause (12) is interesting in a different way, because it asks ‘the intermediary’ to notify CERT-IN – and to share details – of breaches in security (that might lead, obviously, to leakage of such personal information of subscribers. The context is very clearly expressed). Some government websites (income tax, election commission and others) themselves are in almost continuous breach of such security. The draft Rules seem to deliberately exempt the government from protecting its citizens, in an Act designed precisely to do that!

Subclause (13) is delightful in its vagueness, that intermediaries shall not deploy or install or modify the technological measures or become party to any such act which may change or has the potential to change the normal course of operation of the computer resource than what it is supposed to perform thereby circumventing any law for the time being in force. The emphasis is mine.

Who is going to determine what a computer, a general purpose computer, is ‘supposed’ to do, or what it ‘normally’ does? Such modifications become acceptable if their purpose is to secure the computer resource. Who is going to prove that the purpose is actually to ‘secure’ the resource? This looks like an enormous potential for lawsuits, government-sponsored intimidation and in general, restriction of technological development in India.

The creation of a well-constructed cyberlaw ought to be to promote, not restrict, the development of technological advances in the country. As it is, the country has almost completely missed out on the development of digital voice technologies for communication, that have made serious inroads into the domination of older, almost outmoded, analogue technologies, and it would be disastrous to have such continuance of blinkered restrictions, especially in the context of a law designed to nurture the country and its people in an environment of cyber technologies.

Finally, to strike a slightly minor note, the title of the relevant pdf file hosted by the Ministry is due_dilligance4intermediary07_02_11. It is quite disgraceful, imho, to have such misspellings, without any evidence of checks and quality control.

Let’s move on.

Section 79

Exemption from liability of intermediary in certain cases
(1) Notwithstanding anything contained in any law for the time being in force but subject to the provisions of sub-sections (2) and (3), an intermediary shall not be liable for any third party information, data, or communication link hosted by him. (corrected vide ITAA 2008).

The next two subsections cover the conditions in which this applies, and in which it doesn’t apply, respectively.

However, the Rule talks only about entities securing collected personally identifiable information. And it does so in a really curious manner. It makes it mandatory for the intermediary to follow the dictates of the international security standard IS/ISO/IEC 27001, declaring that this ‘has been adopted’ for use in the country.

Standards in India are normally prescribed by the Bureau of Indian Standards, and the nomenclature to be used is prescribed by that agency (standards follow the nomenclature BIS[nnnn]. Well-known cyber-lawyer ‘Naavi’ has pointed out that the 27001 document happens to cost USD 160, not a trivial sum for a small organisation in India, especially one that may not actually have any international business interests.

This appears to be a subtle nudging of business towards larger corporations, by raising the cost of doing business beyond an affordable level for the MSME sector (the prescribed upper limit of penalty for a breach of security that results in leakage of PII is Rs 5 crores, meant to be a compensation to the person(s) whose information is put at risk).

The subheading of this particular set of rules is ‘Reasonable Security Practices and Procedures’, but the definition of ‘reasonable’ is arguable.

On the other hand, if the PII of hundreds and thousands of citizens is put at risk by some organisation, by an identifiable lack of adequate security, is Rs 5 crores going to be enough? The country is still riven by the measly compensation legally determined for the thousands of people killed and injured by the 1984 Bhopal gas tragedy, and the last thing we need is another legal blockage to equitable compensation. This Rule seems to err on both sides of the limit.

Today’s draft Rules conclude with the duties and responsibilities of cybercafes, to be called the Information Technology (Guidelines for Cyber Cafe) Rules, 2011.

Cybercafes are to be licensed, under the rules, and the ‘appropriate government’ shall notify the agency to carry out this task. This certainly implies that cybercafes shall be centrally administered under these rules, an extraordinary choice for what is often – actually, almost always, except for a handful of big corporations that have tried to get into it – a very small business.

The next point is that cybercafes shall not permit users who do not carry one of 7 different kinds of identity document (seven alternatives are listed, but are numbered from one to six, another glaring typographical error). In lieu of such identification documents, the user must be photographed by the cybercafe, such digital photographic image forming a part of the user’s registration with the cybercafe. Children (the rules do not define ‘child’) who do not possess a photographic identity card (this wasn’t specified for adults, but all seven alternatives happen to be photo-identity cards) must be accompanied by an adult who does.

The next condition is almost risible: the cybercafe must ensure it has adequate measures to assure itself that the identity of its users is established. This is something the Government of India has been flagrantly unable to do for decades, and I really wonder whether the person who drafted this classic had a thinking cap, because it couldn’t have been worn.

The cybercafe must maintain logs (a log register) for a year, and submit copies on monthly usage logs in both hard and soft form to the designated agency (note it hasn’t been designated yet, and this seems oddly reminiscent of the confusion around digital certificates and digital signatures). Over and above this, the cybercafe owner shall be responsible for maintaining logs in extraordinary detail for six months, per user.
(i) History of websites accessed using computer resource at cyber cafe
(ii) Logs of proxy server installed at cyber café
(iii) Mail server logs
(iv) Logs of network devices such as router, switches, systems etc. installed
at cyber café
(v) Logs of firewall or Intrusion Prevention/Detection systems, if installed.

Helpfully, CERT-IN has already prepared a document to ‘help’ cybercafes follow this rule, and it is hosted at http://www.cert-in.org.in. This guideline attempts to provide (it says) some insights into the issues related to Auditing and Log Management and suggest best practices for enabling and maintaining Auditing and logging on Windows hosts, Linux hosts, Microsoft IIS server, Apache Web server, Oracle 10g database Server and Microsoft SQL Server 2005. Implementation of these best practices will enable administrators to acquire vital information to identify and respond to the computer security incidents.

This doesn’t sound quite like a document intended to help security agencies investigate crimes, yet (see further on) that is clearly the purpose for which the rules are framed, for it is the police or equivalent that will certify cybercafe compliance!

The next few rules relate to organising the space in the cybercafe to prevent users from maintaining privacy. In fact, with the intention of preventing users from viewing ‘pornographic sites’, the subsections describe how to ensure that users have no privacy at all. Unfortunately, pornography has not been defined under Indian law, to the best of my knowledge.

The subclause following is even more odd, as it prohibits the user from ‘tampering’ with the computer system settings. What could these be? That is not defined, nor is the word ‘tamper’. Simply choosing between two available printers could amount to tampering with settings, for instance. Booting up from a secure OS on a pen drive could also amount to ‘tampering’, and yet pen drive computers are quite possibly one of the directions that computing may take, enabling millions of people to securely access shared computer resources (eg power supplies, microprocessors, networks, printers and other peripherals) relatively inexpensively, without sacrificing personalisation or privacy.

All of this is to be inspected and supervised, according to subsection 7, by a police officer not below the rank of inspector. Presumably such officers are competent to inspect (‘at any time’) the logs and other technical functioning of the cybercafe. The rules do not prescribe any qualification at all for such officers, other than their rank.

Are these rules drafted to improve the functioning of cybercafes, or is there some implicit agenda relating to involving cybercafe users (and owners, of course) in crime investigations?

Summary

In short, the rules as drafted appear to be exceptionally vague. I hope this is not deliberately so, even though it is uncomfortably obvious that it has taken a long time to come up with this draft, a period markedly low on public consultation.

Equally uncomfortably, I can’t help feeling there is a needle of suspicion that the rules impose a large measure of censorship and control on content on online services (unknown for any other form of media available in India), leaving service providers (including cybercafes) open to potential harassment and worse. As I pointed out, earlier restrictions blindly applied (and still in force, by the way) led to Indian technologists in India losing out on a lucrative business opportunity.

For the government to avoid pushing Indian enterprise towards conglomeration and away from distributed and disseminated business models (a key part of IT business everywhere), it must avoid sketchily drawn up (and poorly drafted, full of typos and more) rules like this. Moreover, if the Net is to be treated on par with other forms of media, whose reach, determined by their physical formats, is regrettably low in India (despite being among the largest media consuming countries in the world), the government needs to avoid imposing censorship in the name of ‘protecting’ our sensibilities.

The UID project is in many ways a global watershed, expecting to assign a unique number to every resident of the country, well over 1.2 bn people, a staggering concept, the scale of which has itself been used to justify taking on the project (by equating the immensity of the challenge to its worth). Considering my association with Privacy International, my concern is well-founded on grounds of potential destruction of personal privacy, but this is a very difficult viewpoint to defend in India, which does not have a specific privacy law, and for which the existing Constitutional protections (alluded to, not spelt out) have not always been strongly defended by Indian courts.

An international project, studying Privacy in Asia, seeks to ameliorate this situation, by getting to grips with comprehending Indian attitudes (ie, within the ambit of Asian attitudes). However, given that the UID project is gathering steam and proceeding willy-nilly, it is imperative to make every effort to bring it to a halt, at least a temporary halt, until sufficient information is available.Surprisingly little awareness exists about the UID project itself, about which whatever little is known is largely the ‘party line’ handed out by the UIDAI’s PR effort, itself extremely high profile. To try and stem the tide, volunteer organisations are working to bring crucial information into the public eye, that casts doubt about the UIDAI project, its intentions, and its likely results.

I was part of 3 public meetings, in Pune and in Mumbai, just last week, conducted with Dr Usha Ramanathan, a legal researcher from Delhi and Prof R Ramkumar, a professor from the Tata Institute of Social Sciences in Mumbai.

The first meeting was at Symbiosis Institute, a ‘deemed’ university. There were 5 panelists, Dr Usha Ramanathan, Prof R Ramkumar, a professor from the Tata Institute of Social Sciences in Mumbai, Prof JG Krishnayya, widely acknowledged as the ‘father’ of e-Governance in India, Prof Lalit Kathpalia, the director of the Institute, and myself. The panel was moderated by Anupam Saraph, the CIO of Pune city, and organised by Open Spaces, a very active NGO in Pune, together with the Symbiosis Institute of Computer Studies and Research. It was well attended, with about 50 people present, including students, mediapersons and general public.

About the other panelists: Usha and Ramkumar are fairly widely known (to a limited audience) as opponents of the UID project, Ramkumar having authored an article in Frontline (a popular magazine) in July 2009, shortly after Mr Nandan Nilekani was appointed as chair of the UID Authority of India, a quasi-governmental organisation. Usha has also written and lectured widely. Prof Krishnayya has run the Systems Research Institute in Pune for decades, and this was Mr Narayanamurthy’s first workplace, before he left to start Infosys with Mr Nilekani and 5 others (this link, from a news report published on 21 Jan about a function held to felicitate Prof Krishnayya’s 75th birthday, is interesting as it hints at the relationship between the infosys founders and Prof Krishnayya). Prof Kathpalia has joined academia after about 23 years in the IT sector, including 5 years with Infosys.

Mr Saraph began by introducing the UID project, a subject close to his heart as he has been running an ‘identity’ project in Pune city, aimed at assisting its migrant population, since his appointment 3 years back. As he informed us, Mr Nilekani, whom he also knows personally, was briefed about the existence of this project as soon as he was appointed, but has failed entirely to take note of it or to interact with Mr Saraph. One of the initiative’s chief characteristics is its lack of dependence on a central database, and the second is its entirely voluntary (opt-in) nature. The objective has been to help Pune residents get bank accounts etc in the absence of the documents specified by the Reserve Bank of India’s ‘Know Your Customer’ norms, and flowing from this, other services, as needed, from government agencies (bank accounts that remain unauthenticated under the KYC protocol are frozen, and if fresh, will not be sanctioned).

Mr Kathpalia expressed the belief that a central identity authenticating service was essential to ironing out the kinks in delivery of public services, especially subsidies, in which leakages are felt to severely damage effectiveness, despite the vast budgets.

Prof Krishnayya described the Indian demographic scenario, which broadly divides the country into three very large groups. The Urban sector lives in vary large cities, the semi-urban in smaller cities, and the Rural lives in villages and hamlets with less than 3,000 residents, typically very widely dispersed. The design of public services delivery must take into account the very different conditions each of these geographical dispersals impose on systems, but this has largely been lacking, he feels.

Usha laid out several procedural problems with the project, beginning with the fact that it has been undertaken without even a feasibility study. This lacuna, which might conceivably be a key part of Mr Nilekani’s objective of driving the project ahead at all speed, is being dealt with by using each of its initial phases as opportunities for streamlining. However, problems being thrown up are being wilfully ignored, defeating the purpose of streamlining, especially as they indicate the presence of deep structural and conceptual flaws in Mr Nilekani’s vision (which was expressed in a book he published at the end of 2008, Imagining India, believed to be the reason the Indian Prime Minister invited him to head the project). She has also personally witnessed enrollment processes of migrant workers in Delhi, and observed appalling compromises and the use of coercive techniques to finish the work, with lack of oversight and training resulting in callous disregard of the existing identity information put together by migrant workers for themselves, in some cases, over decades.

Ramkumar described his interactions with Mr Nilekani at the project definition stage, at a retreat attended by senior government officials. He is convinced that Mr Nilekani is now completely impervious to suggestions that this project is flawed, including serious problems with his grasp of the root problems of delivery of public services. This may not even be the purpose of the project, which Ramkumar’s research has revealed is rooted in the Kargil war, a border skirmish with Pakistan in 1999, following which the then government (now in the opposition) proposed to issue the Multipurpose National Identity Card to border residents, evidently to prevent infiltration by undercover militants. A secondary purpose was to stem illegal immigration, most significantly from Bangladesh, which shares a very large land border with India. The issues of foreign militants and immigrants are a popular topic to drum up political support, most typically by right-wing political ideologists, and hardly ever countered by political thinkers representing other viewpoints.

The trouble with MNIC or any other such card concepts is that the Census Act specifically protects the privacy of censused people, thus this database is inaccessible for the purpose of issuing citizen identity cards. To get around this, the Citizenship Act of 1955 was amended in 2004 to enable the creation of the National Population Register, a database of Indian citizens. The exercise is to kick off this year, 2011, by using census data collection staffers to ‘double up’ as NPR data gatherers, thus bypassing the privacy provisions of the Census Act. The ‘right-wing’ government (actually a coalition of interests) was defeated in the following General Elections, but is unlikely to significantly oppose (and hasn’t done so) moves by the present government to create such a database.

The present talk of social service delivery comes across as a smokescreen to cover the underlying ‘national security’ need. In fact, it is very conveniently placed to ease the exit of direct government participation in services delivery, substituting this with an outsourcing model with which Mr Nilekani is well familiar, having helped build Infosys’ commercial business on just this basis. This also explains the surprising lack of public discussion, as this is a very radical policy change, likely to be highly contentious. Widespread corruption within the subsidy schemes also explains why their implementing agencies are poorly positioned to criticise the UIDAI approach, which effectively places the blame for leakage of money and goods on the end-users, the poverty-stricken beneficiaries of those schemes.

Aside from subsidies and services delivery, the UIDAI approach also harps on financial inclusion, ie, bringing the majority of the Indian population within the ambit of the mainstream banking system. As has happened in other parts of the world, the banking system is growing towards increasing automation and lessening emphasis on personal interactions, and this has seen a drop-off in the number of retail branches available per capita. The informal rural banking system, run by moneylenders, is being edged out by microfinance institutions, but these too have proven difficult to operate, with high rates of interest resulting in defaults and the rise of coercive techniques to extract repayments.

The UIDAI project is seen as a fillip to the mainstream banking segment, which will gain a vast number of new accounts to which subsidy payments will be credited directly by government agencies. There is no onus to create branches, as ‘agents’ are being appointed to disburse cash to accountholders, for which identity authentication systems are necessary in order to minimise fraudulent diversions. Such systems are also needed in order to open the bank accounts in the first place, as the documents demanded by the mainstream banking system as identity authenticators are mostly unavailable for the rural poor. Instead, the UID number is being touted as the perfect substitute, and the banking system is already making plans to compulsorily apply the UID number as an identifier. The ‘voluntary’ nature of enrolling for a UID number is thus creeping into a mandatory registration, without which modern life (bank account, telephone services, utilities) life will be impossible.

My contribution comprised an outline of the technology issues relating to the implementation of this project, ending with a summary of its project management flaws. Primarily: biometric information, both fingerprints and iris scanned, is completely unknown and largely unresearched as a tool for use in unique identification. While iris scanning is pretty new, about a decade or so, fingerprints have been used to identify repeat offenders by police/security forces around the world, and as a part of forensic investigation at crime scenes, and their use in access control systems has emerged in parallel only fairly recently, with the introduction of digital emulations of fingerprint patterns. Interestingly, the future of fingerprints in forensics is now in severe doubt, as court cases in the US have revealed that the procedures are fundamentally flawed. Iris scanning is akin to airport bodyscanning, in that the processes are being put in place in various places around the world, without any scientific basis or reason to believe that they are valid or foolproof, while being fundamentally an extreme invasion of personal space (in the case of bodyscanning, also invasive in terms of potentially hazardous radiation exposure). Other biometric identification systems, that at least in theory ought to be more accurate, such as DNA fingerprinting, are far too expensive and slow for this application.

About project management, the lack of a preliminary feasibility study, resulting in a project taking off without a tightly designed process, serious flaws in the process design, including a flagrant lack of process audit during enrollment, the current phase, and the lack of infrastructure to take advantage of ‘voluntarily’ proffered PII to assure tailored delivery of public services. As all these things are supposedly ‘in the pipeline’, the overall design of this project seems to be in the risky Ready, Shoot, Aim style, with ‘problems’ being ‘taken care of’ in due course (the ‘quotes’ are actual phrases used by Mr Nilekani in several interviews).

The other two meetings, with different audiences in Mumbai, covered much of the same ground, excepting that I was not myself a featured speaker or panelist. Instead, a biometrics expert, JT D’Souza, selling biometrics-based access control systems for secure locations, demonstrated how simple it is to spoof fingerprints, using extremely cheap commonplace materials and a little ingenuity. A video capture of the spoofing demo has been uploaded to YouTube.

The first meeting was held in St Xavier’s, a well-known Mumbai college (actually, arguably the best known college in the city). It was primarily for students, and the meeting hall was packed with students from the Economics, Sociology and Mass Media faculties. The post-presentation interaction was also very lively.

The second meeting was for the press, held in the Press Club, Mumbai, a favoured location for non-PR (ie not commercially sponsored) events here. It has resulted already in two news reports from the mainstream press in Mumbai city, and another from Chennai.

An important addition at this last meeting was pointing out the dubious connection between this project and L-1 Identity Systems, a US based company awarded the job of de-duplication, despite 1. its spotty record with other government bodies such as the New York State DMV, which slammed it (in a previous corporate avatar as Viisage Systems) for validating forged driving licenses, and 2. the presence on its board and in top-level positions of former senior persons from US intelligence agencies and armed forces, including Mr George Tenet, former chief of the CIA, whose submissions proved instrumental in assigning legitimacy to the invasion of Iraq, but were subsequently proven to be false, and former Joint Chiefs of Staff head Gen. Colin Powell, who as Secretary of State, actually presented the same false evidence to the United Nations. Last year’s report of World Bank funding for L-1 Identity Systems-focused identity projects in emerging economies, purportedly to improve the quality of delivery of government services, is disquieting, under the circumstances.

No wait, that’s not quite right. It was 2 o’clock in the afternoon, actually.

However, it was certainly dark and stormy, Mumbai’s wettest day this monsoon, with 16 measured cm of rain, most of which seemed to be pelting down my collar as I arrived at the Moneylife Foundation’s Shivaji Park offices on 17th August 2010.

I went there to interact with people who wanted to learn more about Aadhaar, India’s multi-billion dollar IT project, that promises to assign unique identity numbers for each resident of India. Keen readers of this blog will have doubtless noted that it was the subject of the previous blogpost too.

Sucheta Dalal, the crusading journalist who edits the magazine Moneylife together with Debashis Basu, has set up the Foundation to assist people who feel lost and abandoned in India’s race to become a superpower, at least from the point of investing and financial matters. It lends assistance to complain and follow up with India’s huge and faceless institutions, covering insurance, banking and more, the faces of which have changed and are continuing to change at a bewildering pace.

It also provides a platform for public interactions and study, in a large and well-equipped book-lined room that seats about 50 people comfortably. That afternoon, I had prepared a presentation expected to last about an hour, posing the questions about financial inclusion asked in my previous blog and more, from 2:30 to 3:30 pm, with a further hour set aside for interaction and discussion, till 4:30 pm. The presentation is about the UID project, naturally, as seen from the viewpoint of an IITian (I am an alumnus of IIT Delhi), given that one of the heavy selling points of the project is UIDAI chairman Nandan Nilekani’s IIT (Bombay) qualifications.

At about 2:35 pm, with only a handful of people seated, Sucheta suggested I begin, feeling the unexpectedly heavy rain would probably discourage most of the 40 or so people who had confirmed attendance. As it happened, because I was just recovering from a bout of malaria, I was rejigging the speaking arrangement a bit so I could talk while sitting down, instead of standing at the neat podium, installed in a corner by the projection screen. Anyway, in a couple more minutes, I was ready to begin.

To my surprise, the room was now half full, and before I had got past the introductory slide, it was more or less packed. I thanked Ram Krishnaswamy and Samir Kelekar in particular, two of the host of IITians who have helped with research and interaction to distill some of the salient issues surrounding this vast public enterprise, in that opening slide.

We are graduates of three different IITs, separated by space and time, both in college years, age and present location, as are many other of our alumni who interact by email only, spread as we are throughout India and the world. Actually, the three of us have never even met. What we share is our apprehensions about many aspects of this scheme.

Almost from the beginning, the interaction began, led by questions and clarifications from Dr Prakash Hebalkar, also an IITian, who heads Mahindra Lifespace Developers, a huge private sector company, part of the Mahindra & Mahindra engineering group. He was one of the few people in the room I had met before. The rest were mainly from the engineering and civil sector.

I thought it was much more useful to allow interactions to continue together with the presentation, and tried to ensure these remained within the purview of each slide, as I had loads more information to share about various aspects of Aadhaar and its rollout, and these were detailed in succeeding slides.

As a result, an hour later, we were just halfway through the slideshow, and Sucheta suggested a break for refreshments in the next room.Dr Hebalkar was in the middle of a question, so I thought it was best we finish it before breaking.

Not a great idea, because about 20 minutes and several slides later, we noticed once again that we hadn’t actually yet taken a break. I suggested that people use either of the exits from the room to move to the antechamber and get their tea and coffee and come back, as we continued our interaction.

I must say, this too was not a great idea, because it was clear that hardly anyone wanted to miss a word. Anyway, I think about half the people did slip out to get something down their throats before the slideshow came to its end, at around 4:30 pm.

Even then, a large number of people stayed on to carry on discussing issues surrounding the project. There were some great ideas and suggestions for completing adnumbering of people, if it can be handled safely and securely, such as completing the Election Commission’s Voter Identity Project with rectitude and sincerity, or extending the Census to use universal enumeration instead of the present half-baked and random numbering systems. These ideas came from several women present, who work at the grassroots in both slums and rich areas, to empower houseworkers and senior citizens. We finally closed down the interaction at 5:30 pm.

It is clear that the amount of misinformation and simple lack of clarity about the UID project is immense, a tribute to its high-powered and heavily financed publicity campaign, that has resulted in over 400 articles in the mainstream Indian media to date. One of the objectives of the Authority is to disseminate what they ingenuously call the “right” information, and several aspects of the rightness of this information were eye-openers for this audience.

I hope that we and others like us will be able to interact again and again, as soon as possible, with more such audiences in other parts of India. I very much fear that the country is getting inextricably committed to spending an unconscionable amount of money(USD 2bn this fiscal, and USD 12bn by 2015) to undertaking an enterprise that has been likened to The Manhattan Project, the vast wartime exercise to build the atomic bomb.

That, too, involved the rapid development of hard to handle technologies and materials (as this one involves hard to handle technologies, processes and concepts), and it is doubtful the world is the better off for it, other than ongoing improvements in our understanding of basic science (which did not actually need The Bomb to achieve). Over the past few months we have been watching Aadhaar’s targets become a moveable feast, from tangible cards to frangible numbers, and I am not alone in worrying that this bomb might blow up in our faces.

A friend of mine, Ram Krishnaswamy, has tracked well over 400 articles extolling the merits of the project, and gathered them at the blog “Aadhararticles.blogspot.com”. Specific references are linked in this blogpost.

Rather than reassure, however, they raise questions in the mind about the worth of the project. Ram and I decided to work together to compile some key questions. A detailed version of our study has been published in print, in MoneyLife, the magazine brought out by crusading journalists Sucheta Dalal and Debashis Basu, here and here. This blogpost reflects that article (which is part of an ongoing series). It also reflects some additional information about Q2 below received after it was originally written, and is updated as of Friday, 20 August, 2010.

Q1. Will the intended beneficiaries truly be people who live below the poverty line?
Q2. Will UID meet the needs of the poor?
Q3. How will UID contribute to the country’s economy?
Q4: Is UID (enumeration via a single reference high technology archive) the best way to reduce inefficiencies and prevent money leakages in subsidy programs?
Q5. How effective is the conduct of the pilot studies being carried out?
Q6. Will adequate precautions be taken to safeguard the database?

What is Aadhaar?

What is UID?: The Aadhaar scheme (the brand name has recently been assigned) proposes to assign each Indian resident a unique 12-digit number, thus enumerating Unique IDentity for all. Since the current population of India stands at around 1.2 bn people, in addition to which several millions of foreigners are temporarily based here (some welcomed, others not so, some for weeks, typically on holiday, others for months and years, on business or for many other reasons), UIDAI has set an initial target of issuing some 600 mn unique numbers within five years, ie around 2015 (Making a unique impression).

It seems an ambitious target, and certainly, the scale and cost (Rs 45,000 cr for the first phase) by themselves are ambitiously large.

One might be forgiven for thinking that, possibly, the size of this project, touted as the world’s largest single IT project ever commissioned, is more important than finishing it successfully. So much so, that it is hard for me to define what success might mean.

Q1. Will the intended beneficiaries truly be people who live below the poverty line?

Several press releases and announcements say the primary purpose is social welfare: a problem of dividing wealth equitably. Of course, ‘wealth’ is not really in the picture, India is just trying to guarantee everyone the bare minimum needed to live healthily. Benefits in cash or kind are distributed under various schemes, such as the National Rural Employment Guarantee Scheme, Sarva Shiksha Abhiyaan, National Rural Health Mission and Bharat Nirman.

One of the problems with all these projects, initiatives and schemes is apparently the difficulty of ensuring that benefits are given wholly to the specific people identified as qualifying for specific programs, typically persons living below the poverty line. Such people are easily disenfranchised by an endless cycle of verification of records, ruining efforts made to ensure fair distribution, and is one of the reasons that real delivery rates falter, between 6 and 15 per cent, as estimated by the late Prime Minister Rajiv Gandhi and others.

With Aadhaar, this problem is expected to be dealt with firmly. Aadhaar is a one-time verification system, against which all records will be inextricably linked (Unique Identification Number Project: Cautious Optimism). Any scheme wishing to verify a beneficiary or applicant, given the number, need only check a few critical details – for instance, name, fingerprints and now, perhaps, iris scans – in order to quickly assure the identity. Actually, largely due to the additional need found for iris scans to reduce error rates, the per-user cost estimate has shot up from Rs 31 to Rs 450.

Now, here’s an interesting statement : “The UID will become the single source of identity verification”(Law Resource India). It means that once residents are enrolled, they can use the number in many places – they will be spared the hassle of repeatedly providing supporting identity documents for each service they wish to access.

However, it is pertinent to note that the services that will actually, in the near term, be simplified by Aadhaar numbers, are obtaining a bank account, passport, driving license, and the like (Law Resource India). The public distribution system, the NREGS and other public benefits services have neither budgets nor plans to harmonise their systems with Aadhaar referrals.

It seems clear that, after spending this huge amount of money and putting in all this effort, the UID will, in the initial few years, primarily benefit people who access relatively sophisticated and upmarket services.

What should be particularly sobering is the fact that the home page of the project, which states the Mission, has no mention of benefits, to the poor or anyone else: the task is limited to issue of an unique identifier for all. There is no explanation of why this is a priority. The Mission statement reads: “The role that the Authority envisions is to issue a unique identification number (UID) that can be verified and authenticated in an online, cost-effective manner, and that is robust enough to eliminate duplicate and fake identities.”

Further down, both cost-effectiveness and robustness are examined.

Q2. Will UID meet the needs of the poor?

If a poor person gets money that is due to him directly in his bank account, he will have no reason to plead with tyrannical local officials or grovel before his elected representatives (Against insecurity – UID is a Good Idea).

Sadly, banking in India barely scratches the surface: the total number of bank branches as of March 2009, the latest published figures I could find (Source: Reserve Bank of India), was just over 66,000, and less than half of these were in rural areas, which account for around 70 % of the population.

A quick back-of-the-envelope calculation shows that each and every rural branch would need to service over 22,700 persons. Assuming a family of 4 with a single wage-earner, that would mean over 8,000 accounts – clearly beyond their reach, in a land where urban customers struggle to get decent and timely bank services from branches who need to reach only around 10,000 customers each.

In fact, if we assume that by the time the UID scheme actually reaches the remoter regions, that at least one other adult member is also getting either a job or compensation under NREGS, the number of accounts would creep up beyond urban levels. If disbursements are to be paid mandatorily to bank accounts (the process to be simplified using UID), it sure won’t target the poorest of the poor.

I’ll go one step further: talk about bank accounts is risible. Rural banking is so far from a reality that any leveraging of it for the poorest is highly unlikely.

One emerging solution is microbanking, but microbanking organisations will need to upgrade their technology considerably to deliver services, if UID referrals are to be included. Microbanks are also not included within the broad banking framework, meaning that security measures in place ensure they cannot access clearing house operations, and other such enablers of modern banking, without which none of this leveraging can happen.

The upgrade cost of banking operations is not factored into UID budgets, nor is UIDAI mandated to drive the changes that are needed in the banking system, without which the UID referral is irrelevant.

Q3. How will UID contribute to the country’s economy?

This (Unique ID for Indians – Boon or Bane?) is a big vision project through which government services can be provided, tracked and accounted, together with enabling a multitude of private sector products and services that rely on accurate and positive identification of consumers.

Various departments, based on their needs, will refer to this number. The UID will help remove duplicate names from their service lists. While this would help clean up lists for NREGS (National Rural Employment Guarantee Scheme), senior citizen Pension Schemes, PDS (Public Distribution System) etc, it may also help clean up benami (faux) bank accounts etc. Informally, the Income Tax Department is said to have projected an additional tax collection of about Rs.40,000 crores annually!

These claims might be true, were the scheme intended to act against the continuing use of unaccounted money for trading. In that case, the target community would only be the economic ‘arrivistes’, the people who already have enough money to regularly feel the need to spend or acquire it by underhanded means. This would include all government officers, their extended families, politicians, businesspeople, agriculturists controlling upwards of 25-50 hectares of land, and so on.

In fact, the projected gains, in terms of enhanced income tax collection, simplifying transactions and dealings with government agencies for cash-related activities and so on primarily benefit this economically stable or upwardly mobile class.

However, the scheme is sought to be justified on the basis of deliverables to the downtrodden, not to uncover the moneys conceivably being hidden by the well-off.

It is doubtful whether this project will really boost the country’s economy directly, or will assist it by reducing the outgo on avoidable subsidies, a combination of both these things, or whether the true objective depends on who asks the question.

It seems far more likely that the unstated purpose of the scheme is to target the upwardly mobile class, but to do that, all Indian residents will have to be induced, by one means or another, to register themselves “voluntarily”.

Q4: Is enumeration via a single reference archive the best way to reduce inefficiencies and prevent money leakages in subsidy programs?

Most articles about Aadhaar (see, for instance, The Unique Identity number — putting all eggs in one basket?) harp on the superior quality of technology to be used, and that this will significantly cut the cost, time and hardship of necessary verifications.

The reality is somewhat different: to suggest that the UID assignation process will be robust enough to eliminate duplicate and fake identities, and can be verified and authenticated in an easy, cost-effective way, is somewhat premature, if not simply hype.

Some of the potential flaws in the process are listed briefly:

(a) digitally stored fingerprints are not image scans of real fingerprints, they are digital maps, reduced to a finite number of ‘points’. This computerised system was designed decades ago to cut down the time and effort needed to manually match thousands of prints of previously convicted criminals with a criminal suspect, not to provide perfect identifiers;
(b) digital representations of biometrics invariably allow for both false positives and negatives, as the original purpose is either to facilitate security pass-throughs for a relatively small number of people (convenience), or to rapidly filter through large numbers of images by pre-matching each image to a reduced set of digital markers;
(c) the value addition of iris scanning is unknown for testing on such a scale. The immediate cost is stupendous: per-identity costs go up from about Rs 31 to about Rs 450, but the results are not known, as such testing has never been done. This is quite different from scaling up a relatively reliable known procedure: iris scanning may well be quick and reliable (even after optimising it with a digital shortcut, and securing it from man-in-the-middle attacks during data transfers), but this is currently untested.

Again, it must be emphasised that the purpose here is mission-critical: every single genuine person must be allowed to move ahead with whatever activity is being filtered, without fail, or else the expenditure on UID is wasted.

Similarly, every single fraudulent attempt must be detected and stopped, without fail. Neither achievement is even claimed at this point in time.

By the time the database is created and verification scanners become commonplace, we could end up with a database with a population that exceeds the census figures, and UIDAI will again have to spend again for de-duplication, which would involve knocking on doors of suspected fraudsters (and genuine applicants who may have failed one of the tests or another, for a host of reasons) for identification. This is the present problem, that databases of applicants cannot be absolutely verified.

And it is not even as though the government is blind to the problem. Recently, the Rural Development Ministry launched its own revamped enumeration exercise to identify the poorest of the poor (who qualify for the designation ‘below the poverty line’, or BPL). This exercise is carried out every five years, and the current process is being revamped to eliminate the failures of previous surveys.

Q5. How effective is the conduct of the pilot studies being carried out?

Reports indicate that the rural studies being undertaken in several states fall short of standards of both accuracy and confidence. The National Census exercise, which has been merged this time with the National Population Register, at the urging of the UIDAI, is also contentious.

It is crucial, for a participatory democracy, that those surveyed be honestly and fully informed about the purpose of collecting personal information on such an intrusive and massive scale. Unfortunately, this appears not to be the case, as respondents later claim they were told that they would get free photographs and eye tests, or that this survey would assure them subsidies or the supply of free essentials.

Similarly, respondents of the National Census have been surprised to find that they are expected to reveal details of religion and caste, an enumeration that is against the letter and spirit of the Constitution of India. This has been sidestepped by replacing the census exercise with the creation of the National Population Register, a crucial component of the proposed UID database.

While doing this is evidently legal, it goes beyond the ambit of the Census. As such, it compromises the integrity of an institution that has an honorable and long history (the current Census is the 15th).

A recent article in the mainstream media describes how the trial runs take place: due to the lack of reliable electricity, officials take down data on laptops and even on paper, “to be transported to Bangalore some 75km away and filed electronically.” Will this data be erased from the laptops, and will the paper be destroyed? There’s not a word of caution in this article, which like many in this publication and others like it, seems uncritically laudatory of the mission (and by extension, its superhero-like leader). The thought of such personal information being casually or even criminally accessed, uncommonly easy due to the lack of safeguards, is frightening, or should be.

Q6. Will adequate precautions be taken to safeguard the database?

No system is completely immune to attack or, for that matter, internal leakages, other than one completely sealed off from outside links. Since a centralised digital identity store can only work when incoming data can be matched to the information in the database, one must take for granted that it will be prey to such attacks. This is the bane of all e-Governance scheme designs (Unique ID for Indians – Boon or Bane?).

Legally, there is no effective deterrent for such attacks. Worse, insiders (ie government personnel) are specifically protected by their sovereign work contracts from legal action, except with the specific permission of their superior officers. The existing laws on cybercrimes have not been tested against leakages in government systems, because their Draconian provisions (search and seizure without warrant, massive penalties) do not even apply to government servants.

There are three kinds of database faults: creational (deliberate or accidental falsification of identity, resulting in diversion of benefits from those entitled to them); design-based (incorrect verification due to compromise of the verification process, including man-in-the-middle attacks on data transfers); and procedural (for instance, when telecommunication faults or natural disasters create a need for rapid re-routing of verifications to alternate, or manual, methods). In the absence of an effective legal redressal framework, the process needs review, and should not proceed beyond the research stage.

Even at the research stage, the lack of judicial protection for the Constitutional right to personal privacy deserves highlighting. The conduct of research and live pilot studies inevitably places citizens and residents of India at risk of loss of privacy, particularly with regard to sensitive personal information, including biometrics. Much of this information is needed to safeguard property, ownership, both fixed and movable, especially money itself, and the addition of UID must be wholly positive, or else, not put property at risk.

UIDAI officials have repeatedly stated that such protection must be created, but its lack does not daunt them in practice from carrying out trial activities that in themselves place ordinary people at lifelong risk from abuse of personal information.

The consequences of wrongful identity matching, once UID becomes the standard reference point, are really harsh on the individual, and the current legal environment (civil cases take years and decades to resolve) is not up to the task of providing remediation.

For this reason alone, without completely foolproof systems in several areas of both technology and law (idealistic at best, if not far-fetched), going ahead with the UID is a deplorable waste of money.

To summarise, Ram and I narrowed down on six simple questions, to clear doubts about the deliverable merits of the Aadhaar scheme.

We find that firstly, it is not likely to provide benefits to the poorest of the poor in India, and secondly, is not designed to do so, definitely not in its first phase. We find that it is likely to benefit, on the contrary, the upwardly mobile part of the population, and the government, in the narrow terms of revenue collections, that may get enhanced due to the ease of tracking such well-off people and their financial transactions.

As far as solving the terrible problems that plague the delivery of benefits to the poor is concerned, a single reference point for verifications is neither the best solution known, nor is the exceeding difficulty of building and operating a centralised database achievable at a reasonable cost and effort. The systemic leakages that plague the delivery of social benefits hardly need misidentification, and that too, deliberate misidentification originating from faux beneficiaries. There is no clarity, therefore, on whether making this effort is sensible at all.

There is also no clarity on whether it will be possible to adequately safeguard the database, from its creation to its subsequent use as the ultimate reference. We found serious concerns with the methods being used to gather data in the pilot studies, that point to the possibility of future abuse, as well as manipulation of ill-informed people, in order to make them cooperate.

But this post is about spectrum usage, and energy. Odd combination. Eager readers of my tireless prose might wonder, since I have already posted here about alternate energy conversion routes, and about spectrum, at length (friends assure me it is entirely too much length, in fact. As Garth Brooks put it, I’ve got friends. On the other hand, maybe I don’t have a lot of readers).

The other evening, in fact, I was over at a friend’s place, and she happened to mention in broad terms where our* refined fossil fuel oils are consumed, in response to my questioning about diesel in cars and trucks (yes, she knows).

Typical cell tower installed on building roof

A major consumer of diesel, one that did not even exist before 1994, is mobile switches – cellular switchgear. Despite the fact that the rural rollout is still way behind what it could have been, had it not been for a particularly opprobrious system of licensing and spectrum allocation, these gadgets, seen everywhere in cities and towns, ugly masts festooned with strangely disturbing grey antennae in different shapes and sizes, account for a significant amount of diesel consumption.

*In India, I mean

Of course we all know that 24/7 electricity is an almost unknown phenomenon in India, aside from at a handful of urban conglomerations, like, for instance, Mumbai. Since there isn’t anywhere quite like Mumbai, it may well be that it is the only place where anything other than 24/7 electricity is likely to draw newspaper reports. Still, it hadn’t impinged on my consciousness that the cell-towers need to be well juiced, whether or not the grid power delivers, or else communications, such as they are, will cease.

Now, has this little but important fact come to the attention of anyone else? I mean, by anyone else, the nabobs of the powers-that-be, who dole out licenses and spectrum, whose delays in reallocating spectrum between current users and the proponents of 3G services means that 3G will be an irrelevant technology by the time it finally arrives. Do these worthies think it relevant to nudge cellphone service providers towards more responsible energy-use policies?

Look, if the answer was yes, then this would be a press release, not a blogpost. Wake up.

Here’s a small suggestion. For existing license holders, we need an energy audit: how much of cell-tower energy comes from fossil fuel consumption (total amount and per-tower consumption, measured at the tower, so it must include grid-power drawn from fossil fuel consumption as well)? Then demand an annual improvement as a condition for licensing, and impose financial penalties on failure to maintain continuous improvement, or to file reports on time. Make payment of these penalties a precondition for renewal of spectrum allocation. For new licensees, demand a minimum value right from the word go, based on the overall previous year’s consumption reports across the entire industry.

Wait, you may well think, what about the other users of spectrum, shouldn’t they also be nudged towards lean energy practices?

I say yeah! For sure, anyone using as much spectrum and energy as cellular services should also be made to pay for it. The biggest consumer in this respect is probably the military. In fact, anytime the issue of shortage of scarce spectrum resources comes up, fingers point at the military.

As far as I am concerned, the military pays in ways we can’t even imagine already, although that is not and should not be an excuse for profligate behaviour. Still, there is no great harm in the country understanding what it really costs to protect the state, and also perhaps to demand some kind of proper accounting for it. It would be interesting to learn whether this kind of accounting (not accountability!) has ever been demanded in the past. SnoCats and coffins make for good headlines, but the real money goes elsewhere, which is why arms dealers manage to continue in business long after they have been found engaged in the most knavish deeds. A step must be taken somewhere, and spectrum may be the place to start. It may happen that spectrum usage has actually one of the tiniest budget impacts for the military, in which case it is a good place to check out the quality of an audit, before rolling it out to bigger ticket items.

But I digress (to tip a baseball cap in fond tribute to Tom Lehrer). We should have a good, if not an excellent, communication system all along our coastline. There are four principal users of our coastal waters: commercial goods transporters, industrial fishing vessels, small fishing vessels and the military (including the Coast Guard etc). Perhaps offshore natural resource extraction also plays a big role as far as consumption of spectrum and energy goes, but I would tend to imagine it isn’t very large compared to the others, as a chunk, except in certain specific geographical areas.

The commercial goods people (international shippers) already have a decent comms system in place, mainly using satellites, and so do the military (at least, I hope they have, for I haven’t checked). That leaves the industrial and small fishing vessels. Both use diesel in large amounts, but only the former uses spectrum in any meaningful quantities, relative to the numbers and economic value add.

Which is a real shame, for it is the small fisherfolk whose ordinary lives are conducted in an environment of extraordinary risk, till recently almost completely unaided by any decent organised support system, and very sparingly aided with energy from fossil fuel. They need an easy-to-use, reliable and mission-critical comms system, one that is energy efficient to boot. The last ‘improvement’ anyone needs is to have to spend just to stay in the same place.

I have something in mind to muse about, pertaining to the efficient sharing of spectrum, in this context. I had, in fact, planned to write it now, but this post is probably too long already, so I will cease and desist for the moment.

Watch this space.

FM broadcasting, being roughly medium wave transmission, works in line-of-sight principally, which means that signal attenuation  with a host of interfering material objects, such as trees and houses, is brutal on the one hand, and that the horizon is the effective limit, on the other. Stray signals will occasionally travel much further than that, but not very reliably.

More power will cause a better signal at longer distances, but not much. The marginal increase of cost with power is exponential, directly opposite to the marginal increase in reach. Given these constraints, it becomes obvious that the greatest efficiency for a poor community comes from very low powered transmitter stations. I have enthusiastically discussed this at great and wordy length in another blogpost here. Our own work, at Radiophony, indicates that such stations may be as small as a square kilometer in reach, for such a throwaway cost, that to actively prevent such stations flourishing is in itself a travesty of freedom.

But I digress.

The announcement, at the dawn of 2003, brought about a great degree of excitement, as the numbers of radio stations possible were, according to the government, as high as 4,000. Subsequent announcements made it clear this number was being thought of as a preliminary target, something that might be achieved in a couple of years or so.

Nowadays, six years down the line, figures for the upper limits on Indian community radio stations are bandied about in public places, even by persons who have worked hard to gain international recognition in the world of community radio. Just recently, a senior officebearer of the Asia-Pacific focus group within AMARC, which is the French acronymed-name of the world association of community radio broadcasters, said he hoped the Indian government would find ways to put support in place, so that the potential target for 5,000 stations of 50 Watt capacity each, which he characterised as ‘the potential for the broadcast spectrum in the country’, could be met.

To some eyes, it may certainly look like an ambitious target, especially considering the number of stations licensed under the Community Radio Policy have barely topped 50 so far (54, in September of 2009).

Yet.

How meaningful is this figure, in terms of using a ‘limited’ spectrum capacity? The total bandwidth, by international agreement, is just about 20 MHz, while the technology permits broadcasting at neighboring frequencies with not less than 200 KHz separation. One of the most dense FM regions in the world in the city of New York in the US, which hosts around 72 working stations.

Still, we don’t need to go across the world, to find out what people are doing with the spectrum. Look at Thailand: a land area (discounting water bodies etc) of 511,771 sq km, and population of about 65 million. Well over 2,000 stations (wikipedia) broadcast currently, down from an estimated 3,000 a couple of years back, in the teeth of active restrictions, due to policy disputes at the highest levels of government. Put in simple terms, it amounts to one community station per 250 sq km, or 0ne station per 32,500 people (ie, considering all the people in the country, not just the ones within listening distance).

India, on the other hand, has a land area of 2,973,190 sq km, and a population of around 1,170 million, counting projections of around July of 2009. The target of 5,000 stations thus amounts to barely one station per 600 sq km, or one station per 234,000 people. Not quite reaching for the sky, is it?

Several years ago, on the email list popularly used between supporters of community radio, I worked out the estimated potential capacity of low power broadcast radio in India. The true FM capacity of the country worked out to over 900,000 stations of ~5W*, reaching a pragmatic zone of about 5 km in dia each, to adjust for 50W stations, which will reach a zone of about ~25 km in dia. This is 25 times the effective area of reach of 5W stations, hence we must cut down the total to 1/25th, or 4%.

That is still 36,000 stations, give or take a few hundreds.

My working out this calculation does not imply that I am in favour of 50W stations per se, and I will get back to this point below.

[*I had originally assumed about 100 channels per fixed area, resulting in 1.25 million stations for the country, but after discussions with practiced US broadcasters, reduced this number to 72. Accordingly the 1.25 million got cut down by 25%, about which I had subsequently posted to the list].

This willingness by the ‘haves’ of our country to accept lower targets of accomplishment devils just about every single reasonable attempt being made in the country to get the ordinary people, the disenfranchised and exploited, the most basic chance to pull themselves together to reach the very basement level of empowerment: a voice. Put this together with the divisiveness between commercial and non-commercial, and educational and ‘broader’ purpose objectives, and the situation in FM gets quite vitiated.

Plain vanilla economic arguments towards the division of use of spectrum give, in effect, more to the ‘haves’ in terms of super-powerful transmission capacities (for a price, but meeting the price is much easier for them). Unfortunately, this cruelly cuts down the options for those in more straitened circumstances, because powerful radio stations invariably drown out, or ‘interfere’, with signals from lower powered stations in the vicinity.

Much worse, it effectively reduces every need in the country to an economic need, and transforming the government’s main purpose from governance to revenue collection. What a travesty!

While I do not have anything against some stations being more powerful, for those few places in the country that have low population density in high-foliage (or other high-attenuation contributory factors) geographies, to take it as the norm is simply a waste of a fantastic resource, simply because it is there.

What is quite depressing, vis-a-vis the quality of discussion in many fora, including the one specifically set up to share concerns and support between community radio enthusiasts, is the sniping that keeps cropping up between supporters of ‘educational’ and ‘community’ broadcasting, as practices. This is a prime example of the confusion that hierarchical governmental systems tend to foster, in order to cling on to their implicit or de facto autarchy, which has no place in a democratic civilisation. Apparently, democratic civilisation is our national choice, as recent arrests (on the grounds of sedition, or espousing sedition) of intellectuals who favour other approaches show.

This situation was brought about by simply placing limits on technologies, by ascribing different price points to the radiated power. In other markets (the 3G auctions that keep getting postponed, even though vastly superior 4G telephony technology is now nearly ready to become commercially available, and the fact that GSM technology in and of itself does not need to be purveyed or deployed by national-sized megacompanies), the allocation of parcels of frequency is the market-shaping determinant, rather than sheer broadcast power.

On the list, the discussions haven’t even begun to question the government’s fiat accompli of allocating some FM frequencies to some organisations at the national level. Nobody seems interested in questioning why commercial stations are allowed 1. tsunami transmitters that drown out all less expensive options in the vicinity and 2. fixed frequencies across the country.

What does a fixed frequency deliver, in terms of value propositions? The ability to create a brand around a frequency? How many of these commercial chains still rely on frequency branding to promote their channels, and how is it in the nation’s interest to lower their costs of advertising in national newspapers and other media? Of course, it does not affect the cost of advertising in local media. I really don’t know why the private sector companies played along with the government, when the terms of frequency allocation became to shape up, earlier this decade. Anyway, they seem to be stuck with that foolishness.

What does opening up the spectrum to low power transmission do for the country, and its people?

A brief list:

1. Allow small groups or communities of people to express themselves through an inexpensive technology, providing them with their own choices of entertainment and useful information.
2. Empower such small groups with the management and creative expertise needed to meet the needs of their own special listener groups, without forcing them to install a complete educational framework before getting started (international readers of this blog may be surprised to know how pathetically incomplete the education sector coverage remains, never mind the more specialised learning environments that include management and creativity).
3. Regularise the use of FM spectrum for a host of occasional, local and community-oriented activities, such as local music performances, simultaneous multiple language translation of non-local language content by external speakers, public speeches in general, religious gatherings and so on. Such applications are often employed in India, although it is illegal here, apparently (the rules are not clear), but they are permitted in many countries around the world, often for nominal fees.

At present, such commonsense, inexpensive and inoffensive usage of spectrum is either proscribed or discouraged, for reasons that remain undebated in public fora, for the simple reason that the agenda at such fora is often set by the current controllers of spectrum (ie, the government). While representations at such fora have been made several times, it does not seem to be recorded in any responsible form by the government itself.

The FM band remains tightly in the control of the government and the revenue generating private sector, with applications for the common good either poorly served, or not at all. It is truly unfortunate that this situation now finds endorsement from representatives of community media.