The mandatory biometrics registration in Chardham Yatra scheme of Uttarakhand shows how the ability of citizens and residents to partake of public service as consumers also becomes dependent upon implied waiver of their privacy rights otherwise guaranteed by the law
A few weeks back, the Government of Uttarakhand aired an FM radio jingle inviting pilgrims to undertake the Chardham Yatra, while also mentioning as fine print, that biometric registration would be mandatory for all pilgrims. The jingle encouraged interested persons to check the official website www.uttarakhandtourism.gov.in for more information; however, despite repeated visits to the website, requisite details remained unavailable till the writing of this note, particularly on important legal and public policy aspects such as: (i) purpose and justification for such mandatory biometric registration; (ii) the language and form of consent to be obtained from pilgrims for sharing (or withholding of sharing) of their sensitive personal information vis-à-vis third party access to biometric information; (iii) privacy protection infrastructure put in place for securing sensitive personal information; and (iv) identity of the agency authorised to handle, store and secure personal biometric information so gathered. Interestingly, all these elements comprise informed consent requirements that are mandated under Rules 4 and 5 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the IT Rules).
One news item mentioned that the scheme would be implemented by the Uttarakhand Tourism Development Board (UTDB), a “body corporate” as per section 3 of the UTDB Act, 2001 read with section 43A of the Information Technology Act, 2000 (the IT Act), operations that the UTDB had apparently further outsourced to a private Indian company; while another report claimed that the registration process remained for “name sake” only. More details about actual providers of the underlying technology for biometric registration and/or authentication could not be located on official websites.
Law of Fingerprint Sharing in India
In order to fully appreciate various potential implications of mandatory biometric registration and/ or authentication, an introduction to existing privacy provisions protecting biometric information in India may be useful. The basic law is contained in Sections 3 and 5 of the Identification of Prisoners Act, 1920 (the IOP Act), which protect citizens and residents from forcible disclosure of their fingerprints to police officials. Essentially, the only four ways a police officer can obtain a person’s fingerprints are: (i) to obtain her/ his consent; (ii) to arrest her/ him in connection with an offence punishable with rigorous imprisonment more than a year; (iii) where a person has been ordered to give security under the Code of Criminal Procedure, 1973; or (iv) to obtain a (appealable and challengeable) court order.
These protections are reinforced by Section 72 of the IT Act, which lays down penalties for breach of confidentiality and privacy—both fines and imprisonment—where electronic personal information is disclosed by an official or private agency without the consent of the person concerned. Importantly, these protections are in addition to the overall protection under Article 20(3) of the Constitution of India, whereby no person accused of an offence can be forced to be a witness against her/ himself. Read together, there is clearly a strong framework for privacy protection of fingerprints already in existence in India, irrespective of whether the fingerprints are available only with the person her/ himself, or whether they are available with any entity that happens to have come into possession of an electronic form for some other purpose (e.g. biometric office attendance systems).
The only possible downside to the Indian legal position is that these strong privacy protections contained in laws enacted by the Parliament contrast sharply with various parts of the (subsidiary) IT Rules issued by the Department of Information Technology; and the latter’s provisions allow, inter alia: (i) public officials tasked with investigation or national security functions to access personal fingerprints directly from a body corporate holding such information without intimation or consent of the person concerned; and (ii) the body corporate itself to share with its contractual partners or any other agency personal fingerprints based on legal requirements or contractual understanding, without intimation or consent of the person concerned—issues discussed in detail by this author elsewhere in an academic paper on the subject. The IT Rules thus have an unintended effect of derogating important constitutional and legal protections available to India’s citizens and residents, in contradiction to the provisions of the parent IT Act itself—a counter-intuitive aspect that was highlighted in a memorandum by the Centre for Internet and Society (CIS) to the Committee on Subordinate Legislation of the 15th Lok Sabha last year, but any decisions thereon are still not known.
Possible Legal Implications of the Scheme
Given that the IT Rules facilitate, in effect, implied sharing of sensitive personal information held by a body corporate with law enforcement/ national security agencies and/ or their contractual partners without intimation or consent of potential pilgrims, a scheme for mandatory biometric registration as practised in Uttarakhand implies, inter alia, the following:
(i) firstly, that only those persons willing to waive their privacy rights under the IOP Act and the IT Act would be permitted to undertake the pilgrimage and avail of public services; and (conversely)
(ii) secondly, that any Indian citizen or resident not willing to waive such privacy rights would be prevented from undertaking the pilgrimage, thus potentially interfering with her/ his constitutional right to freedom of movement. As a corollary, if a person registers her/ his biometrics at the first check-post of entry, but changes her/ his mind later at any subsequent stage, s/he may not be able to return unless s/he is willing to share her/ his fingerprint upon exit: thus implying, in a strictly legal sense, that the State could end up virtually incarcerating a person between two checkposts unless pilgrims have waived their privacy rights under the IOP Act and the IT Act.
An added legal complication is the doubtful nature of “informed” personal consent, if any, obtained by the State and private agencies at the time of such bulk registration or authentication. In a practical situation where lakhs of (largely legally illiterate) persons would line up at the checkposts eager to undertake the Yatra, it may be difficult to conclude if consent obtained under such circumstances would fulfil the “informed consent” requirements imposed by Rules 4 & 5 of the IT Rules.
Potential Public Policy Implications of the Scheme
The public policy implications of mandatory biometric registration under the Chardham Scheme are equally interesting:
Firstly, given that technologies for electronic de-duplication and authentication of personal fingerprints are not available in India, and were in all probability licensed by the Indian company from foreign entities without any associated technology transfer, the Chardham Scheme could well be the only government scheme anywhere in the world where delivery of public services and identity verification of citizens becomes completely dependent upon foreign proprietary technology platforms.
Secondly, given that the number of such foreign technology holders is really less than a handful and given the absence of meaningful technology transfer, cartelisation and rent-extraction could become severe in the near future once such a scheme has stabilised, leading to almost permanent vendor lock-in with concomitant public policy implications.
Thirdly, in complex public projects, the registration, de-duplication and authentication functions have hitherto typically been assigned to separate arms-length entities so as to prevent conflict-of-interest; but such conflicts could indeed be serious in the Chardham case, where one single company is apparently able to control all these sensitive functions.
Fourthly, it may be difficult for operators facing queues of eager pilgrims to have sufficient time for ensuring proper identity or address verification, implying that secondary identity and address verification may anyway have to be undertaken by concerned state agencies while handling disputes and claims arising out of any unfortunate incidents and mishaps during the pilgrimage—leading to extra and duplicated burden on pilgrims and their families.
The possible legal and public policy implications of the Chardham Scheme as outlined above—making public services delivery contingent upon implied waiver of privacy rights, and creating state dependency in perpetuity on foreign technology platforms—are thus complex and challenging indeed: they together create a situation where the ability of citizens and residents to partake of public service as consumers also becomes dependent upon implied waiver of their privacy rights otherwise guaranteed by law.
Given that professional legal advice may not be easily available to state governments in general, proper public consultations at the time of programme design could perhaps have better informed the decision-making process. In fact, early this year, the Committee of Secretaries in the Government of India made a recommendation for mandatory public consultations prior to policy formulation by default—an important feature of most national and state/ provincial governments in almost all developed countries, but one that is yet to be fully embedded and integrated into public policy-making processes in most states of India.
In that sense, the Chardham case highlights the imperative need for full public disclosure and prior meaningful discussions on proposed schemes and policies by state governments before their adoption, so that public interest and legal rights of citizens remain fully protected while rolling out innovative or ambitious programmes for public services’ delivery that could end up with adverse unintended consequences for citizens as consumers of such public services.
NOTE: Views contained in this short academic note are purely personal; and do not reflect the official position or policy of the Government of India or any of her departments or agencies.
(Sandeep Verma is a civil servant and holds an LLM with highest honours, having specialised in Government Procurement Law from The George Washington University Law School, Washington DC.)
One of the key flaws in the design is that these bonds do not enjoy tax benefits the way some of the other debt investment products enjoy, or as tax free bonds like PPF do
The inevitable has happened. The Reserve Bank of India (RBI) has finally acknowledged that the Inflation Indexed Bond, launched with pomp and fervour last year, has been given a very cold reception by retail investors. The bond launched last year with the name Inflation Indexed National Savings Securities-Cumulative (IINSS-C) was not lapped up by investors as the regulator had expected. This has been admitted by none other than RBI Deputy Governor HR Khan who told reporters on Thursday that, “We had launched inflation indexed bonds that were not successful. We are coming out with the revised version”. It is pertinent to note that RBI had increased handling commission for entities involved in distribution of these bonds from 1% to 1.5% in cases where subscription of more than Rs100 crore was achieved by the entity concerned.
But in spite of all this, things did not work out the way they should have. Why did this happen? After all, we are a country which has very high inflation and beating inflation has been one of the challenges that most investors face. Investors take many investment risks to beat inflation. So when a product was made available to them which was focused on beating inflation, why did they not accept it?
The regulator has its own answers which are neither very convincing nor the real cause for the failure of these bonds. For those who are not aware, it is important to note that in USA and many other countries these bonds are very popular and these bonds often tend to get fully subscribed when issued. Now let us look at the regulator's explanation for the poor response to these bonds. According to the regulator, the timing of the launch of the inflation indexed bonds last time was possibly wrong, and there were issues with the public's understanding of the product. Another factor that added to the unpopularity of these bonds, according to the regulator, is the coupon payout on these bonds, which is cumulative.
Timing has nothing to do with the success of this product, which has been successful in countries across the world. Also, there was no understanding issue; most of the investors realised that these bonds won’t beat inflation even though the bonds are indexed on inflation. In fact, investors were smart enough to reject these bonds.
One of the key flaws in the design of these bonds is that these bonds do not enjoy tax benefits the way some of the other debt investment products enjoy, or as tax free bonds like PPF do. For investors in the 20% and 30% tax bracket, these bonds are not too attractive, as the interest earned is subject to taxation which makes post-tax return from these bonds unattractive, compared with some of the other investment products such as PPF or tax-free bonds.
In order to earn high post-tax return from these bonds, the investors in the 20 percent and 30 percent tax bracket would always need inflation rates to remain on the higher side, which is against the basic premise on which the RBI has been formulating its monetary policy in the recent years. Though the RBI cannot do much to make these bonds tax-free, it can definitely impress upon the government to consider making these bonds tax-free.
Most of the debt products in India pay cumulative returns only. PPF, NSC, and bank fixed deposits all pay cumulative returns. Investors are not at all discomforted by the frequency of payment in long term debt instruments as long as return is as promised. Even making quarterly or half yearly payments to them will not achieve the objective of attracting investors.
Another aspect that has gone unnoticed at the RBI end is the complexity associated with buying these bonds. RBI guidelines say that these bonds will be held in Bond Ledger Account i.e. BLA. While investors need not open any account for these bonds, isn’t it uncomfortable for the investors to again hold one more instrument in some other way? Why not use a demat account to hold these bonds?
Last but not the least, why use only branches of State Bank of India, associate banks, nationalised banks, three private sector lenders (i.e. HDFC Bank, ICICI Bank and Axis Bank) and SHCIL for distribution of these products? Handling commission offered on these bonds is very good and many distributors will agree to sell these bonds and ensure that the target is achieved.
(Vivek Sharma has worked for 17 years in the stock market, debt market and banking. He is a post graduate in Economics and MBA in Finance. He writes on personal finance and economics and is invited as an expert on personal finance shows.)
The merger of online and offline data is bringing more intrusive tracking
The marketers that follow you around the web are getting nosier.
Currently, many companies track where users go on the Web—often through cookies—in order to display customized ads. That's why if you look at a pair of shoes on one site, ads for those shoes may follow you around the Web.
But online marketers are increasingly seeking to track users offline, as well, by collecting data about people's offline habits—such as recent purchases, where you live, how many kids you have, and what kind of car you drive.
Here's how it works, according to some revealing marketing literature we came across from digital marketing firm LiveRamp:
A retailer—let's call it The Pricey Store—collects the e-mail addresses of its high-spending customers. (Ever wonder why stores keep bugging you for your email at the checkout counter these days?)
The Pricey Store brings the list to LiveRamp, which locates the customers online when the customers use their email address to log into a website that has a relationship with LiveRamp. (The identity of these websites is a closely guarded secret.) The website that has a relationship with LiveRamp then allows LiveRamp to "tag" the customers' computer with a tracker.
When those high-spending customers arrive at PriceyStore.com, they see a version of the site customized to "show more expensive offerings to them." (Yes, the marketing documents really say that.)
Tracking people using their real names—often called "onboarding"—is a hot trend in Silicon Valley. In 2012, ProPublica documented how political campaigns used onboarding to bombard voters with ads based on their party affiliation and donor history. Since then, Twitter and Facebook have both started offering onboarding services allowing advertisers to find their customers online.
"The marriage of online and offline is the ad targeting of the last 10 years on steroids," said Scott Howe, chief executive of broker firm Acxiom at a conference earlier this year.
Last month, Acxiom—one of the country's largest data brokers, which claims to have 3,000 data points on nearly every U.S. consumer—agreed to pay $310 million to purchase onboarding specialist LiveRamp. Acxiom and LiveRamp declined to comment for this article, citing the need to remain quiet until the acquisition is complete.
Companies that match users' online and offline identities generally emphasize that the data is still anonymous because users' actual names aren't included in the cookie.
But critics worry about the implications of allowing data brokers to profile every person who is connected to the Internet. In May, the Federal Trade Commission issued a report that found that data brokers collected information on sensitive categories such as whether an individual is pregnant, has a "diabetes interest," is interested in a "Bible Lifestyle" or is "likely to seek a [credit-card] chargeback."
Previously, data brokers primarily sold this data to marketers who sent direct mail—aka "junk mail"—to your home. Now, they have found a new market: online marketing that can be targeted as precisely as junk mail.
"Will these classifications mean that some consumers will only be shown advertisements for subprime loans while others will see ads for credit cards?" Federal Trade Commission Chairwoman Edith Ramirez said at a press conference. "Will some be routinely shunted to inferior customer service?"
The FTC has called for Congress to pass legislation requiring data brokers to allow consumers to access their information and to opt out of targeted marketing. Currently, many data brokers don't offer people either one.
The Direct Marketing Association, which represents the data broker industry, doesn't offer a specific opt-out for onboarding. It does offer a global opt-out from all of its members' direct mail databases, but it only requires members to remove people's data for three years after they opt out.
Some companies offer their own opt-outs. Twitter allows users to opt out of onboarding by unchecking the "promoted content" button in their account settings. LiveRamp offers a so-called "permanent opt-out" for users who do not want to be targeted via their e-mail address.
Facebook does not offer a specific opt-out for onboarding. Instead, it suggests users opt out of the data brokers themselves. A Facebook spokesman says that users who don't like specific targeted ads can avoid seeing them again by clicking an 'x' on the top right corner of the ad and following the links to the advertisers' opt-out page.
Want to know more about the market for your data? Read ProPublica's guide to "Everything We Know About What Data Brokers Know About You" and learn how you can opt out from data brokers.
Courtesy: ProPublica.org (http://www.propublica.org/article/why-online-tracking-is-getting-creepier)