UID/Aadhaar
Is your Aadhaar information being used without your consent?
As Aadhaar is increasingly used coercively to seek your identity information from Unique Identification Authority of India (UIDAI), the provisions of the Aadhaar Act that require you to provide consent are being pushed aside. Here is a quick guide to your consent rights and how to protect them.
 
Why does consent matter?
 
In a civilised society, each individual is entitled to dignity. Dignity of an individual is one of the basic rights of a human being and is guaranteed by the Constitution. When you interact with a person, be it a family member, friend or an outsider, both parties are expected to honour the dignity of the other. A person's willingness to interact is considered as consent. Consent, therefore, is essential to preserve dignity in civilised societies. Consent is also important to preserve the security of individuals.
 
Is Aadhaar Authentication legal without your consent?
 
When your Aadhaar number is used to authenticate you, the organisation requesting your Aadhaar information from the UIDAI is expected to obtain your consent. According to Chapter III 8 (2) (a) of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016, consent has to be restricted for purposes of authentication.  
 
According to the Act (section 8(2)) and Authentication Regulations (section 5), before authenticating, the service provider is expected to provide you the nature of the information that will be available to the requesting organisation  upon authentication from the UIDAI, the ways in which the information shall be used by the requesting organisation and alternatives to submission of identity information, should you not wish to use an Aadhaar number. 
 
Once you understand the nature of the information and manner in which it shall be used, according to the Authentication Regulations (section 6), the service provider is supposed to hand you a consent form, which you shall fill. The authentication regulations mandate that the service provider use a template provided by UIDAI to take your consent. The consent may be recorded either in paper form or electronic form. In either case, the requesting organisation is required to offer alternate methods of identification, should you not wish to use Aadhaar. The service provider is supposed to keep a log of consent information. And, according to Aadhaar Act (section 32(2)), you have a right to access that information, if you wish to, in case you are willing to undergo Aadhaar authentication.
 
The Aadhaar Authentication Regulations (section 16 (5)) gives you the right to revoke your consent to the organisation that has obtained your identity information from the UIDAI. When you revoke your consent, the requesting organisation would be required to delete your identity information that it obtained from the UIDAI. For example, if you decide to stop using your once favourite mobile connection for whatever reason, you can revoke the consent you granted them and inform them accordingly. Once they receive your request for revoking consent, they shall delete all your information received during e-KYC (know-your-customer) process, which you followed to get the connection in the first place. This ensures that your identity information is not misused. 
 
Interestingly, UIDAI, which provides the e-KYC service to authenticate you, does not provide any means to revoke your consent. Nor does UIDAI mention the turnaround time for completing a revocation request. The UIDAI-supplied consent form template does not mention any method to revoke your authentication. There is, therefore, no best practice available to requesting organisations to allow you to revoke your consent. This amounts to denial of your legal rights.
 
On a related note, neither the UIDAI nor Government of India has defined standards to irrevocably delete your data from a service provider’s systems. Ask a cyber forensic expert, and he will show you how the deleted data can be recovered from disks. Even our Information Technology (IT) Act and subsequent rules are silent on this matter.
 
So, if your Aadhaar number has been used to obtain your identity information from UIDAI without your consent, that is illegal use of your Aadhaar number.
 
Can your identity information be used for any purpose?
 
There are three actors in the process of your authentication -- you, the service provider and UIDAI. Only two of the actors (you and service provider) know the purpose. You have a right to know how the data will be used by the service provider. The purpose of authentication has to be recorded by the service provider, but it is not sent to UIDAI (Aadhaar Act, section 32(3)). Since you do not digitally sign the purpose, it may be difficult to prove in a court of law whether your identity information obtained from UIDAI has been misused.
 
Organisations requesting your identity information from the UIDAI cannot include a phrase like “the usage will be subject to privacy policy and terms and conditions”, as the purpose of using the identification information must be explicit and unchanging under the Aadhaar Act.
 
Although the Act says that the information can be used only for the purpose for which it is granted, there is no way for the UIDAI to enforce such requirements. The Act does not provide for an alternate redressal mechanism in case an organisation requesting your identity information misuses it. This leaves the users at the mercy of the service provider, without any remedies. Under section 47 of the Aadhaar Act, you are not allowed to approach courts except under authorisation of the UIDAI. It, therefore, leaves those with grievances without any remedies.
 
What should UIDAI do?
 
UIDAI should advertise in the media about the rights of citizens to provide and revoke consent for obtaining and retaining identity information using the Aadhaar number. In addition, UIDAI should learn from the experiences of other regulators to protect the Aadhaar holder from phishing and other frauds that illegally obtain and misuse identity information. 
 
UIDAI should acknowledge the design flaws in the Aadhaar framework, its application-programming interface (API) and various systems and processes built around it. The UIDAI cannot live in denial any longer. The rights of those with Aadhaar numbers depend on the actions of UIDAI to protect them. If users’ identity information is used without consent, it is UIDAI’s problem too. Such unauthorised use amounts to a leak of data from the UIDAI.
 
Various authentication agencies are audited as required under the Regulations. UIDAI should make the audit findings, particularly on consent, public. Such actions will enhance the trust of ordinary citizens in the processes of UIDAI.
 
Section 139AA of the Income Tax Act violates the requirements of the Aadhaar Act and Regulations to obtain consent, to specify the purpose of use of identity information, and to provide an alternative to authentication using Aadhaar. The UIDAI should move the courts to prohibit such illegal use of the Aadhaar number.
 
How can you protect your right to informed consent?
 
You can deny any requesting organisation the use of your Aadhaar number to obtain the identity information stored with the UIDAI if they do not provide you with a form asking for your consent, or do not state the specific purposes to which the information will be used and do not provide you a mechanism to revoke your consent anytime. You can demand an alternate way to submit identity information if you do not wish to use the Aadhaar number. 
 
Now that you are aware of your rights, it is time to demand your rights. Always ask for clarifications, in written mode. When you leave a service, revoke your consent to the service provider and demand that it acknowledge the deletion of all records from its systems. If you have an Aadhaar, call 1947 now and ask them questions. If you are on social media, tweet to @uidai and @ceo_uidai with the hashtag #AadhaarFailures #NoConsent.
 
(Derick Thomas is a communication engineer with expertise in network architecture, privacy and secure communication technologies. He can be reached on https://twitter.com/derick_thomas)
 


COMMENTS

Mahesh S Bhatt

1 week ago

We are following US model of surveillance of common man & USA is failed Economic/Social ( 58% divorcee+ 74% out of wedlock kids) + war mongering economy using abusing power.We copy paste US model without good privacy laws/

our PM went to USA & got H1 B visa reduced even Infosys & Cognizant are hiring USA citizens &

Legal FM who protected Godhra is busy guiding a illiterate /failed economic PM to become Policeman who left his Wife and now he is busy attacking middle class/


After winning 325 seats in UP Yogi from of Lok Sabha who is hungry to rule but wears saffron all confused inexperienced
Only IIT Engineer MBA Parikkar demoted as CM from Defence because an Engineer will understand less technology than a Lawyer who defends.

Beautifully Illiterate Education Minister without degree was posted & now is doing textile.
Land Ordinance failed/Demonetization truths untold/all parties are corrupt &

Bully Jokular Party is Swatch Bharat Abhiyan cleaning Holy Ganges with sauchalayas.
Mahesh Bhatt

Mr Jitendra

2 weeks ago

5 crore EPFO Provident Fund members are being connected to their UAN and all 5 crore people have to submit their Aadhaar to their employer. Then either mostly the Employer must have all their employee's Aadhaar authenticated with UIDAI. Unless Aadhaar is authenticated with UIDAI, merely submitting Aadhaar number to EPFO is of no use. 5 crore PF members to authenticate their Aadhaar? System may fail! Any other mode of authenticating the Aadhaar is not available on the new UAN Member portal that was recently launched to replace the old UAN portal.
Complete mess by EPFO and the Labour Ministry. Now 5 crore PF members remain stuck. They are somehow trying to sabotage the PF money of the PF members.

vswami

2 weeks ago

Use of Aadhaar information, with certain, inherent potential and regressive consequence of misuse (that is, use strictly for any specific purpose other than for which it is consented to and parted with) has lately been a matter of the most concern to one and all. What, however, by and large, appears to have been glossed over, hence not seriously agitated against, is a similar concern in no less measure which, it is believed, does exist in respect of all other personal information parted with, simply for the asking of it. One has in mind several of them, address proof (say, copy of sale deed, or the like), mobile number, bank account number (s), so on; asked for say, opening of a new bank account , or online remittance of legal dues, e.g. payment of annuity by LIC.
Over to experts for an eminent opinion on such aspects as well.

Use Multi-factor Authentication for Security
As the name suggests, multi-factor authentication (MFA) is a mechanism in which the user is required to present separate pieces of information or evidence to gain access. The most popular form of MFA across the globe is two-factor or two-step authentication, popularly known as 2FA. It is used for authenticating card transactions, netbanking transactions and even logins to email or some websites.
 
The MFA, typically, is required to have at least two of the following categories: knowledge (something the user knows), possession (something the user has), and inherence (something the user is). For example, for withdrawing cash from an automated teller machine (ATM), the user is required to have a plastic card (debit, ATM or credit). This is what they possess. Secondly, the user needs to know the personal identification number (PIN), which is knowledge or something the user knows. Using the 2FA transaction, the user can withdraw cash from an ATM.
 
Now, consider that you are making an online payment through your card to buy an item. You have your card number and your PIN (or card verification value - CVV). After submitting this information, you can opt for a one-time password or passcode (OTP) which is received on your mobile phone registered with the card issuer. Your payment will take place only after you enter the OTP. This is an example of MFA. 
 
MFA provides an added layer of security. Someone may steal your card and PIN, but will not be able to use them for transactions that require validation through OTP (transactions at an ATM or a point-of-sale (POS) terminal are the exception). Most of the time, the OTP is sent through SMS, and technical issues with the network may prevent the message from reaching the user's device. For such cases, payment gateways or banks offer a chance to request a fresh OTP. The user needs to use the latest OTP for such transactions. (As standard practice, never share the OTP with anyone, especially for transactions that you have not initiated.)
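
The rule that only the latest OTP counts, shown as server-side verification logic. This is an added example, not code from any bank or payment gateway; the class name `OtpVerifier`, the 180-second validity window and the three-attempt limit are assumptions. It also covers single use, expiry and a guess limit, which go beyond the resend case described above.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 180  # assumed validity window
MAX_ATTEMPTS = 3       # assumed guess limit per issued OTP


class OtpVerifier:
    """In-memory OTP state for a payment gateway (hypothetical class)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # txn_id -> digest, expiry time, attempt count

    @staticmethod
    def _digest(txn_id, otp):
        # Bind the code to its transaction; keep a digest, not the code.
        return hashlib.sha256(f"{txn_id}:{otp}".encode()).digest()

    def issue(self, txn_id):
        """Create a 6-digit OTP; an earlier OTP for txn_id stops working."""
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[txn_id] = {
            "digest": self._digest(txn_id, otp),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return otp  # goes to the SMS channel only

    def verify(self, txn_id, submitted):
        entry = self._pending.get(txn_id)
        if entry is None:
            return "no_pending_otp"
        if self._clock() > entry["expires"]:
            del self._pending[txn_id]
            return "expired"
        entry["attempts"] += 1
        if hmac.compare_digest(entry["digest"], self._digest(txn_id, submitted)):
            del self._pending[txn_id]  # single use: a replay finds nothing
            return "ok"
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[txn_id]  # stop guessing; user must request anew
            return "locked"
        return "wrong_otp"


def demo():
    now = [1000.0]  # constructed clock so expiry can be tested offline
    v = OtpVerifier(clock=lambda: now[0])
    out = {}
    first = v.issue("txn-1")
    latest = v.issue("txn-1")  # user asked for a fresh OTP
    while latest == first:     # avoid the 1-in-a-million identical code
        latest = v.issue("txn-1")
    out["stale"] = v.verify("txn-1", first)
    out["latest"] = v.verify("txn-1", latest)
    out["replay"] = v.verify("txn-1", latest)
    v.issue("txn-2")
    now[0] += OTP_TTL_SECONDS + 1
    out["expired"] = v.verify("txn-2", "000000")
    code = v.issue("txn-3")
    wrong = f"{(int(code) + 1) % 10**6:06d}"
    out["guesses"] = [v.verify("txn-3", g) for g in (wrong, wrong, wrong, code)]
    return out
```

Calling `demo()` returns the outcome of each case: the superseded code is rejected, the latest one is accepted once, and the correct code no longer works after three wrong guesses.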
 
The third factor in MFA is inherence, or something that the user is. This involves use of biometrics, like fingerprints or retina scans. But the problem is that we still do not have scanners for authenticating biometrics within a stipulated time. Add to this, the cost and connectivity issues and the use of biometrics as part of MFA fails. Also, biometrics or similar authentication works well in a stipulated environment and for limited users. You can use fingerprints to unlock your mobile phone. However, when the time comes for using it for other authentication and verification, the payment gateway needs to compare your fingerprints with millions of other fingerprints to validate that you are who your fingerprints claim to be. A super difficult task, especially for a country with over a billion population! Some transactions are taking place through this method, but are dependent on a locally-stored database. 
 
Apart from financial service-providers, several others like Apple, Google, Microsoft, Amazon, Facebook and Twitter also offer MFA for login. Apple allows access to its multiple devices after entering the ID, password and the six-digit verification code received, either by text or a phone call. Similarly, Google allows the user to opt for a second authentication factor like a six-digit code, received either through SMS on the registered mobile or via a phone call. Recently, Google launched a service where the user just needs to tap on Google’s mobile app installed on the registered device. In addition, Google lets the user authenticate a particular device (PC or laptop) so that it can be used without the second authentication factor.  
 
Some users may find it cumbersome or time-consuming to use multi-factor authentication, but being safe and secure is not easy. Remember, cyber criminals love people who are lazy about protecting themselves. But if you are punctilious about avoiding a serious theft, whether of your identity, email ID, data or money, then it is better to be safe than sorry and use MFA wherever available.


The Loot That Passes for Medicine
“This is the latest whiz kid among cardiac stents. Nowhere else in the world you will have a stent like this. I have done 56 so far. No complications at all, affordable too.”
 
This is how a cardiologist starts his live streaming video at the National Interventional Council (NIC) conference in a five-star hotel in Delhi; the conference organisers received several crores of rupees for the extravaganza. Newspaper advertisements and TV serials are old hat now. Medical advertisements and publicity look like kindergarten stuff. Now live streaming of a flamboyant cardiologist in a so-called medical conference, where normally the science of medicine is debated, is the ‘in’ thing. Even the Chinese device-maker, whose stent has not been passed by the great Food and Drug Administration (FDA), is one of the sponsors and must have also paid crores of rupees. 
 
How much will this brand ambassador, the flamboyant cardiologist, get? Where is medical ethics? What is the Medical Council of India (MCI), the watchdog responsible for keeping an eye on medical ethics, doing, apart from twiddling its thumbs? What ethics does MCI follow for itself in regulating medical education? What have we come to and what about the safety of patients who go to the hospitals? Today, a case can be made out for angioplasty, for anyone of any age, who goes to the hospital, as coronary artery blocks (not coronary artery disease) can be demonstrated in anyone, including children. In this scenario who is safe?
 
Pharma companies plotted to destroy cancer drugs to drive up prices. After purchasing five different cancer drugs from GlaxoSmithKline, Aspen Pharmacare tried to sell them in Europe for up to 40 times their previous price. That’s another headline (Sunday Times, 15 April 2017). Busulfan is an old medication for treating leukaemia. It used to sell in England for £5.20 a couple of years ago and now sells at £65.20. While bargaining for the rise in price of cancer drugs in Spain, the company wanted to raise the price by 4,000 times! When the government did not agree, the company threatened to stop supply of the cancer drug in that country. In fact, it might have been a great boon for the Spaniards to live without the dangers of these anti-cancer drugs!
 
The Cover Story of Outlook magazine dated 17 April 2017 exposes something even worse. We have been fighting a losing battle against vaccinations for decades. Outlook writes, under the headline, “When a Baby Is a Business Opportunity”: “Scared middle class India buys unwanted vaccines, some 15 of them, as big pharma—mostly foreign—helps doctors to rake in the moolah with 30%-300% mark-ups.”
 
The more dangerous trend is that the Indian Academy of Paediatricians (IAP), the apex body of child specialists in the country, has now been found to be a partner in this venal business. On 20 January 2017, Dr Vipin Vashista, a former convener of IAP, was unceremoniously eased out for blowing the whistle on the big money nexus in IAP. The Union health ministry, I am told, is in the know of things, but prefers to do nothing. Maybe the ministry is afraid of the bigwigs in the vaccine business.
 
Are we willing to bring forth a generation of Indians with crippled immune system, thanks to so many useless and dangerous vaccines administered to them when they are born? Parents are confused in the cacophony of vaccine threats and advertisements. Another good soul fighting for the voiceless infants is Dr Jacob Puliyal in Delhi.
 
We are already in the dark ages of money which James Kennedy, a journalist, calls ‘monetary fascism’. “Milton Friedman and the Chicago School of Economics claimed to have refined and developed modern, scientific tools of ‘free market capitalism’; capable of unlocking ever greater rewards from Adam Smith’s simple, primitive concept of free markets… In truth, it was nothing more than a cloak of deception—providing cover for the unscrupulous behaviour of investment bankers, corporate raiders, speculators, off-shore corporation, debt mongers and bubble pushers (typically, one and the same). 


COMMENTS

Chandramohan Navalekar

1 week ago

you are doing great work of exposing such practices, this keeps the hope of some ethical practices to come up in future.

bharati

1 week ago

How do we support brave Drs like Dr Vipin Vashista? The media could write about him regularly, interview him, etc.

Rahul Pande

1 week ago

Kudos to money life for raising relevant and pressing issues. I feel fighting a losing battle but keep trying.

PRAKASH D N

1 week ago

More such problems will come up as Govt. does not want to invest in public health, leaving it to private sector to loot the public. Agencies which are required to act like M C I blinks its eye as those heading the MC I has questionable background. Only public outcry with the backing of learned people like Dr. Hegde can save

Ashok Visvanathan

1 week ago

Have sympathy for the French fathers. A rumour got started decades ago that a baby which only drank EVIAN water would be very healthy. All french mothers give only Evian water to their babies. Evian water bottle in India used to be Rs 250 a few years ago.
The Evian company has never bothered to contradict the rumour.

Parikshit Bhandari

2 weeks ago

Great article Sir People Like you are God Sent and thanks to Moneylife for Promoting Such Articles.

Ramesh Poapt

2 weeks ago

great, sir!

Simple Indian

2 weeks ago

Another fine article by Dr. Hegde. It's a pity, medical practice, once one of two most respected professions, has stooped to such levels. Apart from the greed of MNC pharma cos it's also our own flawed medical system which is to blame for the situation. Govts in India should setup more medical colleges and hospitals which should be the backbone of our healthcare system, instead of having to rely on private clinics and hospitals which fleece patients and leave their families bankrupt by the time their treatment is over. Medical education in private colleges is hugely expensive, leaving graduates with no choice but to take up lucrative ways to practice, even if it's against their 'Hippocratic Oath' or medical ethics. All this to 'recover' the expenses incurred by them for their medical degrees, be it MBBS or MD/MS. Unless such systemic flaws are corrected, people will continue to get fleeced by dishonest and greedy doctors/clinics/hospitals/path labs.

Joginder Singh

2 weeks ago

THE loot is more rampant in the pre birth stage. Don't know about other parts of India, but in Punjab, most expecting mothers are advised to go for regular health check to private doctors and most are advised complete bed rest for full term and are told some scary complication thereby suggesting weekly check ups and tests. There used to be no complications when there were not so many clinics around. Now all these clinics have to earn crores and crores of rupees and hence complications have to increase and have increased, Patients are even scammed into getting admitted for the last semester to sell their rooms and delivery packages are marketed in lac's of Rupees. Health Care industry becomes huge Health Scare industry. Clinics having Trauma Centers extract even last drop of money from the relatives wallets - whether it takes leaving the dead on Ventilator for inflating the bills or pretending to inject most pricey injections costing thousands of rupees.

2 weeks ago

Please update on readers views on this issue.

CHETAN BALWIR

2 weeks ago

Dear Doctor,
Many corporate institutions have a compulsory annual health check up for their employees. Can you please give us your views on this.

Ankur Bamne

2 weeks ago

Why doesn't moneylife promote ethical investing if pharma companies are such big crooks? There was a divis labs in this years super stock portfolio. Please do not have these double standards. You want the stock to outperform, but also complain about the prices in the next issue. Please stop this double talk, and decide which way of the fence you want to be.
