In your interest.
Online Personal Finance Magazine
No beating about the bush.
There is a distinct difference between identification and authentication. Worldwide, biometrics is mainly used for identification rather than authentication when the sample size is large. Yet, in India, the government and the UIDAI are trying hard to use the UID number for both identification and authentication
Given that the UID project—now branded as the Aadhaar project does not have legal sanction yet—the National Identification Authority (NIA) Bill was sent back by Parliament’s own standing committee, no cost benefit analysis yet, no feasibility study of any kind yet, it is interesting to look at the security issues of this project.
First of all, no expert worth his/her salt would believe that authentication using fingerprints works for a population anywhere close to this size. Worldwide, biometrics is mainly used for identification rather than authentication when the sample size is large. There is a distinct difference between identification and authentication which I would like to take some time to explain.
For instance, the US Federal Bureau of Investigation (FBI) has a biometric database of around 50 million or so people (note that this is not the biometric of American population which totals more than 250 million) which is checked against a fingerprint found in a crime site to see if a suspect is found among the people whose fingerprints are in the FBI database.
Matching of fingerprints for identification purposes requires careful, high resolution checks to see if two fingerprints are the same. Even with such a high resolution check, the FBI has made mistakes. In case of a terrorist incident in Spain a couple of years ago, it mistakenly nailed a lawyer from California based on fingerprint matching only to retract later. The FBI was later sued by the lawyer and it paid hefty compensation to the lawyer for its mistake.
Authentication is the process of checking only one fingerprint and at much lower resolution to see if the fingerprint in the database is the same as the one that is being produced for authentication.
Now how are the two different, you may ask?
To understand it, one needs to understand an important aspect, namely that this authentication at least as proposed by is done remotely and digitally. And herein lies the crucial difference. Thus, for instance if I have a digital image of your fingerprint, I can authenticate in your name. That is, I can impersonate you because I have the digital copy of your fingerprint. Now, it is not difficult to make a digital copy of your fingerprint. For instance, I can give you a glass of water to drink and when you touch that glass, your fingerprints will appear on that glass. By following a procedure—and instructions for such a procedure are available easily and even on the internet—I can then make a fake fingerprint made out of say ‘Fevicol’, wear it on my finger, and then use it for authentication. Thus, for all purposes, and as far as is concerned, I have impersonated you and I can now be eligible for the cash transfers that you are eligible for.
Please note that the above is possible in all circumstances—namely if authentication is to be done in automated fashion in say an ATM like machine or in a supervised condition where a supervisor picks up my fingerprint via a fingerprint scanner which he/she carries.
Now that the government is going to use UID for vast amounts of cash transfers, and given the proliferation of frauds in this country, one can imagine the windfall for fraudsters due to this. And add this to the fact that middle-men/agents who may carry this task in this country aren't exactly saints. They can lay their hands on fingerprints of a huge number of people either via digital copies or via making faking fingers and steal the entitlements of the people. Most people not knowing the technology behind all this would be clueless as to what is happening.
The above is by no means the only security issue with the UID project. There are many more serious security issues in this UID project. One of the other main ones is that of de-duplication. The whole UID project rests on the thesis that your identity, that is your biometrics—fingerprints and iris scans—are unique. Which means that each of the billion fingerprints in the database—assuming the database is say a billion strong—corresponding to the billion people are unique. That is, no two fingerprints corresponding to a particular finger in the database are the same. And how does ensure this? They claim to ensure this through a process which they call de-duplication.
Now what is de-duplication?
De-duplication is the following. Whenever a person’s biometrics—that is his/her fingerprints, and iris scans—are to be inserted in the database for the first time, there is a check made to ensure that these are not already present in the database, that is, they are not duplicated. That is, for each of the ten fingerprints of the person, a check is made against each and every fingerprint already present in the UID database corresponding to the particular finger to see if a similar fingerprint already exists in the database. Only if no similar fingerprint exists is the newly to be introduced fingerprint considered unique and introduced into the database. The UIDAI claims that this process is almost 100% accurate; that is, except for a small minute percentage, it will catch all the duplicates. And herein lies the problem. This claim is made by the UIDAI. However, there is no independent verification by any unbiased third party of this claim.
And this is the whole issue; should any sensible person believe the UIDAI’s claim when does not allow any independent third party access to verify its claim? Given that thousands of crores are at stake for and say finds that de-duplication is not working do you expect it to come out and say it?
There is no good reason to believe what UIDAI says is correct mainly because it has been completely non-transparent about the project, hasn't sincerely answered questions raised as part of RTI queries, as also has gone back on promised commitments to meet with independent experts who are part of civil society to discuss such issues.
I would not be surprised if de-duplication is not working and there are many persons out there, who have more than one UID allocated to them.
This is not all. There are other security issues as well. In any financial system based on authentication—and the UIDAI's system will deal with money worth thousands of crores to be doled out as cash transfers—there is a concept of a password. For instance, in case of internet banking or an ATM transaction, we have a PIN and we have different kinds of passwords such as login passwords or transaction passwords. No one in this world designs a system assuming 100% security. Perfect security does not exist and a good design while taking as much care on the security front has to always have a backup in case security is breached. That is the standard practice worldwide accepted among experts. Thus, for instance in case of a banking system, if my password is stolen, I call the bank, ask it to deactivate my current password and send me a new password. This basic principle is broken by because in the case of the system, the password is your biometric which cannot be changed. Thus, if you lose your biometric—and I have mentioned a way above by which your fingerprint image can be stolen—you are doomed. Because, you cannot get a new fingerprint, and your data will be lost forever to the person who stole your password. This is such a fundamental design flaw that it cannot be overemphasized. With how much ever care and how much ever security, there is a finite possibility that some people will lose their biometrics. In the current system, they will be shut down from the system for good.
In a way the above has already happened. In Mumbai, some fraudsters masquerading as official agents of for UID recruitment picked the biometrics of about 1,000 people. Now, these peoples’ identities are stolen for good; all the entitlements that they may be eligible for can be stolen by the fraudsters. The authorities, very stupidly, has asked these people to re-register for UID, something that is not going to help them because their biometrics is already lost and is with fraudsters and while re-registering them will pick the same biometrics from them again. Also, there has been a case where a laptop on which enrolment data was present was stolen.
Apart from all the other issues, there is always a possibility that the database itself is hacked into and stolen. Database could be a good target for terrorists. If I am not wrong, biometrics in this database is stored unencrypted, again a fatal mistake. Thus, if even part of this database is stolen, it is irreplaceable unlike a bank database where all that needs to be done is to deactivate the passwords and give new passwords to the customers. In the case, the only way out is to ask every Indian to undergo a surgery to change their fingerprints surgically, a practical impossibility not to mention other serious issues.
The UIDAI has no answers to the above questions, because there are none. The system’s security is flawed from the conception stage itself and it cannot be fixed so easily. It is indeed better to scrap this project and save taxpayers' money.
This is eighth part of a nine part series on UID
(Dr Samir Kelekar has a B Tech from IIT Bombay and PhD from Columbia University, New York. He is a security professional and runs a consultancy firm Teknotrends Software Pvt Ltd. He is also a holder of a critical US patent in the area of network security. Dr Kelekar consults in the area of security with banks, telecom companies and others.)
Is UID anti-people?–Part7: Incarnation of new geo-strategic tools, NCTC, NATGRID, UID, RFID and NPR
Is UID anti-people?–Part 6: The foundation for incessant intrusion
Is UID anti-people?–Part 5: Why UID is impractical and flawed “Ab initio”
Is UID anti-people?-Part 4: Does the implementation smack of corruption and negligence?
Is UID anti-people?-Part 3: Tall claims and tomfoolery of UID
Is UID anti-people? –Part 2: A bundle of contradictions, misconceptions & mirages
Is UID anti-people? The database state –Part1
NPR, NATGRID, NCTC and UID are unfolding without any legal mandate. It appears UID was, and remains, an attention diversion exercise. The real work is being done by Home Ministry to establish the world’s biggest surveillance database regime, with the active assistance of other willing players
"If everyone is thinking alike, someone isn't thinking" said George Patton who was a US General during World War II.
National Counter Terrorism Centre (NCTC), like a number of other related initiatives such as National Intelligence Grid (NATGRID), Unique Identification Authority of India (UIDAI) and Registrar General of National Population Register (NPR) is being established through governmental notifications or subordinate legislations, rather than legislation passed in Parliament, in manifest contempt towards legislatures, States and citizens' democratic rights.
Union Home Ministry, Government of India has notified the setting up of the anti-terror body called NCTC on 3 February 2012 through National Counter Terrorism Centre (Organisation functions Powers and Duties) Order 2012. NCTC is headquartered in New Delhi. It will have the power to carry out operations including arrest, search and seizure. It will draw its functional power of search and seizures under the provisions of the Unlawful Activities (Prevention) Act (UAPA), 1967 and amendments therein. It is supposed to work as an integral part of Intelligence Bureau (IB).
The notification mandates the terror-fighting agencies to share their inputs with NCTC and it also appoints the director and his core team. Director of NCTC will have full functional autonomy and he will have the power to seek information on terror from National Investigation Agency (NIA), NATGRID, intelligence units of the Central Bureau of Investigation (CBI), National Technical Research Organisation (NTRO) and Directorate of Revenue Intelligence (DRI) in addition to all seven central armed police forces including National Security Guard (NSG). He will report to the IB chief and the home ministry. The notification was issued under the Article 73 of the Constitution of India.
Expressing concern about the conspiracy of the non-state actors that disturbs the confidence of 'global investor', the 121-page 2009 report of the Task Force on National Security and Terrorism constituted by the undeclared undemocratic political party of pre-independence times - Federation of Indian Commerce and Industry (FICCI) - refers to assassination of Austrian Archduke Franz Ferdinand on 28 June 1914 by Gavrilo Princip, a Yugoslav nationalist, as a terrorist act that led to World War I. This war narrative runs all through the report that explicitly recommends the evolved framework of counter terrorism in the US, UK and Israel and commissioning of safe city plan by companies at page 96.
The fact is that politically powerful members of the Serbian military armed and trained Princip and two other students as assassins and sent them into Austria-Hungary for the act. The reasons for the war goes deeper, involving national politics, cultures, economics, and a complex web of alliances and counterbalances that had developed between the various European powers since 1870 including previous economic and military rivalry in industry and trade.
The FICCI report is quite shallow, and it deals with selective historical facts. It refers to possible targeting of Indian, Western and Jewish installations as retaliation against ongoing North Atlantic Treaty Organisation (NATO), a 28 nation military alliance led operations in Afghanistan. It contends that the link between Afghanistan and Jammu & Kashmir is permanent.
At page 70, the FICCI report argues for a secure e-network for connecting all district headquarters and police stations NATGRID under National Counter Terrorism Agency and observes, "As Nandan Nilekani goes into operationalising the UIDAI, there is a case for factoring inclusion data, as part of the national grid to assist in counter terrorism." This is not the first time that NATGRID and UID link is underlined.
Another joint report of the Associated Chambers of Commerce and Industry (ASSOCHAM), an undeclared political party of companies and KPMG, Swiss Consultancy titled "Homeland Security in India, 2010" had revealed it. ASSOCHAM's joint report of June 2011 with Aviotech, an initiative of the promoters of the Deccan Chronicle Group titled "Homeland Security Assessment India: Expansion and Growth" refers to the "The requirement in Biometrics for all the subsequent programs under the National Census will become significant." This shows where the NPR program which is linked to UID is headed.
It is noteworthy that the origins of the Unique Identification (UID) and Radio-Frequency Identification (RFID) process within the US Department of Defense started under Michael Wynne, former Under Secretary of Defense for Acquisition, Technology and Logistics (AT&L) from 2003 till 2005 that started the UID and RFID industry. Within NATO, two documents deal so far with unique identification of items. The first one is standardization agreement which was ratified in 2010. The second one is a "How to "guide for NATO members willing to enter in the UID business. Is India a NATO member? It appears to be behaving like one.
In such a backdrop, the most recent proposal of both the Election Commission of India and the Unique Identification Authority of India (UIDAI) to Union Home Ministry "to merge the Election ID cards with UID" is an exercise in rewriting and engineering the electoral ecosystem, underlining that the use of biometric technology and Electronic Voting Machines (EVMs) is not as innocent and as politically neutral as it has been made out to be. This proposal makes a mockery of the recommendations of the Parliamentary Committee on Finance on UID Bill. It is noteworthy that all EVMs have a UID as well.
Notably, Land Titling Bill makes a provision for linking land titles to UIDs of Indian residents. These acts of convergence will undermine the constitutional rights and change the meaning of democracy as we know it. It is an act of changing both the form and content of democracy and democratic rights in a new technology based regime where technologies and technology companies are beyond regulation because they are bigger than the government and legislatures.
At page 92 of the FICCI report, it is acknowledged that Government of USA has made concerted efforts to leverage IT as a weapon against terror and has spent billions of dollars on IT related projects. These projects include common information exchange, systems for mining data from collection of unsorted documents and databases, biometric identity cards etc. Launched in April 2010, World Bank's e-Transform Initiative that is working to converge private, public and citizen sector with an explicit ulterior motive to transform governments beyond recognition fit into the scheme of the US IT efforts.
The report seeks the role of the private sector in fighting terror. It underscores a "National Counter Terrorism Architecture". It recommends 'National Counter Terrorism Agency with all India jurisdictions as a central system for intelligence gathering, analysis and dissemination of information'. It approves of the 'formational of National Intelligence Grid as an integrated model of information sharing under the proposed National Counter Terrorism Agency' as 'an urgent imperative.'
At page 49, the report refers to UN Security Council Resolution 1373 adopted in September 2001 for initiating action if tangible evidence exists. It recommends intense attack should a Mumbai style attack happen again, as a hard option, and joint military interaction and economic free trade zone as a soft option.
It reveals that the subject of security has entered the corporate board room. Now they seek participation from non-governmental organisations (NGOs) for security education as part of corporate social responsibility (CSR) and private sector role in the national security and counter terrorism sector as well. It suggests amendments in the Private Security Agencies Act, 2005 to ensure licensing by a national regulator for those private security agencies which have an annual turnover of Rs100 crore or employing 10,000 or more guards and experience in security business to carry weapons. This appears to be the first step in the direction of privatization of national security sector and the second step being private sector participation in the NATGRID.
A perusal of the report gives the impression that given the fact that objections of Chief Ministers and member of Parliaments (MPs) are not rooted in concerns for civil liberties, they are simply interested in getting the Home Ministry to stop the misuse of Intelligence Bureau (IB) which has also been recommended by the FICCI report.
Concerns of citizens and progressive political parties are based on the grave threat potential of NCTC, NATGRID, NPR, UID/Aadhaar, Radio Frequency Identification (RFID) and DNA Profiling Bill for democratic rights which are under assault from both the central and state governments. What else can explain the studied silence of most of the Chief Ministers in the matter of biometric profiling through UID/Aadhaar and NPR that has been rejected by the Parliamentary Standing Committee on Finance. UID/Aadhaar, NPR and NATGRID and NCTC are two sides of the same coin. They are two ends of the same rope. They pose an unprecedented threat to constitutional rights and the federal structure of the country. Home Ministry's NCTC meets FICCI's demand and is obstinately reluctant to pay heed to the demands of citizens, Chief Ministers and opposition MPs and even MPs from United Progressive Alliance (UPA).
The Indian NCTC is a poor imitation of USA's National Counter Terrorism Centre (NCTC). US NCTC was formed in 2003. It is a governmental organization responsible for national and international counter terrorism efforts that advises government of US on terrorism. It works under US's Director of National Intelligence which operates on an annual budget of $49.8 billion and approximately 1,500 people. It draws experts from the CIA, FBI, the Pentagon, and other agencies who try to ensure that clues about potential attacks are not missed. Matthew G. Olsen was sworn as the Director of NCTC after his appointment was confirmed by the US Senate. He reports to the Director of National Intelligence and to the President of USA. In his earlier assignment, he has supervised the implementation of the Foreign Intelligence Surveillance Act.
USA's NCTC is headquartered in McLean, Virginia. The precursor organization of NCTC, the Terrorist Threat Integration Centre established on 1 May 2003, was created by the President of USA by an Executive Order. It was established in response to recommendations by the National Commission on Terrorist Attacks Upon the United States that investigated the terrorist attacks on 11 September 2001. The Intelligence Reform and Terrorism Prevention Act of 2004 renamed Terrorist Threat Integration Centre to NCTC and placed it under the United States Director of National Intelligence. NCTC analyzes terrorism intelligence (except purely domestic terrorism), stores terrorism information, supports USA's counter terrorism activities using information technology, and plans counter-terrorism activities as directed by the President of the United States, the National Security Council, and the Homeland Security Council.
India and USA Signed Counter Terrorism Cooperation Initiative on 23 July 2010. It was initiated on the sidelines of the visit of Dr Manmohan Singh to the US in November 2009. The then Union Home Secretary, GK Pillai signed for India whereas Ambassador Timothy J Roemer signed on behalf of the USA. Nirupama Rao, Indian Foreign Secretary was also present on the occasion.
It seeks to further enhance the cooperation between two countries in Counter Terrorism as an important element of their bilateral strategic partnership. The initiative, inter alia, provides for strengthening capabilities to effectively combat terrorism; promotion of exchanges regarding modernization of techniques; sharing of best practices on issues of mutual interest; development of investigative skills; promotion of cooperation between forensic science laboratories; establishment of procedures to provide mutual investigative assistance; enhancing capabilities to act against money laundering, counterfeit currency and financing of terrorism; exchanging best practices on mass transit and rail security; increasing exchanges between Coast Guards and Navy on maritime security; exchanging experience and expertise on port and border security; enhancing liaison and training between specialist Counter Terrorism Units including National Security Guard with their US counter parts.
Within India, NCTC traces its genesis, objectives, structure and powers of the proposed NCTC in the recommendations of a Group of Ministers in 2001 that reviewed the internal security system in the aftermath of the Kargil conflict that made a case for the establishment of a Multi Agency Centre (MAC), a permanent Joint Task Force on Intelligence and an Inter State Intelligence Support System, which were broadly accepted by the NDA Government. It seeks justification from the 2008 report of the Second Administrative Reforms Commission that recommended a Multi Agency Centre should be converted into a National Centre for Counter Terrorism with personnel drawn from different intelligence and security agencies.
NCTC's mandate is to draw up plans and coordinate action for counter terrorism. Its duties and functions are confined to counter terrorism. The Office Memorandum dated 3 February 2012 provides for a Standing Council consisting of the Director, NCTC, the three Joint Directors, NCTC and the Heads of the Anti-Terrorist Organisation or Force in each State. The Standing Council shall meet as often as necessary and may also meet through video conference. The Standing Council shall ensure that NCTC is the single and effective point of control and coordination of all counter terrorism measures. It is proposed to subsume the Multi Agency Centre in the NCTC. Home Minister has argued that the location of the NCTC, the Cabinet Committee on Security decided to place it within the Intelligence Bureau (IB) as per the guidance by the recommendations of the Group of Ministers made in 2001 that IB shall be "the nodal intelligence agency for counter intelligence and counter terrorism within the country."
It appears that there is complicity between Indian National Congress (Congress) and Bhartiya Janata Party (BJP). The latter appears more concerned about the form rather than the undemocratic and regressive nature of the proposals. Not surprisingly, in his key note address at the FICCI conference on national security and terror, former National Security Advisor Brajesh Mishra opined that at least the political leadership of Congress and BJP should unite and should not allow electoral politics to defeat in National Interest.
He advocated Federal Counter Terrorism Agency even if requires constitutional amendments terming States right to the subject of law and order as a mere political excuse but revealed that IB is involved in the business of political intelligence. In such a situation, his recommendation for NCTC like agency which operates under IB is quite inconsistent.
In the case of the USA, the 9/11 Committee recommended, "The NCTC should perform joint planning. The plans would assign operational responsibilities to lead agencies, such as State, the CIA, the FBI, Defense and its combatant commands, Homeland Security, and other agencies. The NCTC should not direct the actual execution of these operations, leaving that job to the agencies. The NCTC would then track implementation; it would look across the foreign-domestic divide and across agency boundaries, updating plans to follow through on cases."
It has been observed that legal experts who have analysed both US and Indian versions of NCTC that empowering an intelligence agency with executive action poses gravest threat to democracy and civil rights. At best NCTC is supposed to make information sharing better. Indian Home Ministry cannot do a cut and paste of selective USA's legislative provisions without a national anti-terrorism law being in place and without explicitly safeguarding civil liberties.
In any case in the US, the NCTC is a legal institution set up through legislation after bipartisan consultations, without legal powers to arrest, detain, interrogate, search, etc. The Indian NCTC has been set up by executive notification under the Unlawful Activities Prevention Act of 1967. This act of subordinate legislation does not have legislative mandate.
Parliamentarians and senior lawyers have been contended that IB is used for harassing political opponents. IB is supposed to undertake clandestine intelligence collection. However, it is strange that while giving powers of search and arrest to the NCTC is unwarranted at the centre such arbitrary powers are uncalled for even for states.
Several Chief Ministers have expressed persistent opposition. They were not consulted before the notification of the NCTC. It violates the federal structure of the country. The potential of misuse of NCTC by the IB is immense can create Emergency like situation. In his reply to the discussion on the President's Address and as part of motion of thanks on the President's address, the Prime Minister on 20 March 2012 told the Parliament, "Concerns have been raised that the Central Government is trying to encroach upon the jurisdiction of State Governments, and it has been suggested that they should be taken into confidence before this Centre becomes operational. The question of setting up the National Counter Terrorism Centre has been discussed at various fora since the report of the Group of Ministers, appointed by the previous Government, and the recommendations of the Second Administrative Reforms Commission, were submitted. Multi-agency Centre that was established in 2001 was a precursor to the NCTC and the need for a single and effective point of coordination for counter terrorism has been discussed in meetings on Internal Security of Chief Ministers in the last couple of years."
He further said, "As has been pointed out by some Members, a number of CMs have expressed their concern after the Order was issued and I have replied to them that there will be consultations before the next steps are taken. The consultation was held on 12 March 2012 with the Chief Secretaries and the DGPs from different State Governments… Therefore, adequate and full consultations will take place before the next steps are taken to operationalise the National Counter Terrorism Centre."
Prime Minister added, "I think that the idea of an NCTC and the manner in which the NCTC will function are two separate issues. The idea of National Counter Terrorism Centre, you have all agreed, is unexceptional. On the manner in which the NCTC will function, there may be differences of opinion, but I am confident that through discussions and dialogues, these differences can be narrowed down and a broad-based consensus can be arrived. That will be our effort, and, therefore, this House has the assurance that nothing will be done which will, in any way, infringe with the federal imperatives of our constitutional set-up."
Prime Minister's reply on NCTC failed to convince the MPs in the Parliament. It was stated by the Chairman, Parliamentary Standing Committee on Home Affairs in the Parliament in March 2012 that central government did not consult with the Chief Ministers of the States in constituting the National Intelligence Grid (NATGRID) and the National Counter Terrorism Centre (NCTC). He said, "These bodies encroach upon the federal structure of the country and dilute the rights of the States."
There was an unprecedented voting on this issue wherein President's Address mentioned it. About 82 votes were against the government's current proposal and 105 votes in favour. It is clear that there is massive opposition within the Parliament and outside it.
It has been argued in the Parliament that "in USA and the United Kingdom, there are Oversight Parliamentary Committees to look into the activities of the Intelligence Bureau, which is not here in India."
The opaque manner of Ministry of Home Affairs (MHA) merited strong objection because it has chosen not seek the consent of legislatures, states and citizens. The IB has no legal basis for its existence nor legal charter to do any operations work.
It is noteworthy that a 20 page Private Members' Bill titled "The Intelligence Services (Powers and Regulation) Bill, 2011" has been introduced the Lok Sabha by Manish Tewari (at present he is Union Minister of for Information and Broadcasting) "to regulate the manner of the functioning and exercise of powers of Indian Intelligence Agencies within and beyond the territory of India and to provide for the coordination, control and oversight of such agencies..”
Bills' Statement of Objects and Reasons reads: "Intelligence agencies are responsible for maintaining internal security and combating external threats to the sovereignty and integrity of the nation. These responsibilities range from counter-terrorism measures tackling separatist movements to critical infrastructure protection. These agencies are operating without an appropriate statutory basis delineating their functioning and operations. This tends to, among other things, compromise operational efficiency and weakens the professional fabric of these agencies. It also results in intelligence officers not having due protection when performing their duties. Assessments and gathering of information by intelligence agencies are catalysts for law enforcement units to act, necessitating that these be reliable, accurate and in accordance with law. This kind of efficiency has been hindered by obscured responsibilities that have plagued the functioning of the agencies."
It further reads: "Article 21 of the Constitution provides that no person shall be deprived of his life and personal liberty except according to the procedure established by law. The Supreme Court of India has carved a right to privacy from the right to life and personal liberty. Such rights to privacy are compromised when agencies undertake surveillance operations. In Re: Peoples Union of Civil Liberties v/s Union of India, the Supreme Court issued detailed guidelines regarding telephone tapping. A proper legal framework is required to regulate surveillance of the forms, using different technologies, as well. There is an urgent need to balance the demands of security and privacy of individuals, by ensuring safeguards against the misuse of surveillance powers of intelligence agencies. Therefore, legislation is imperative to regulate the possible infringement of privacy of citizens, while giving credence to security concerns."
It states, "In view of the reasons stated, the Bill seeks to enact a legislation pursuant to Entry 8 of List I of the Seventh Schedule of the Constitution of India to provide
a) A legislative and regulatory framework for the Intelligence Bureau, the Research and Analysis Wing and the National Technical Research Organisation;
(b) Designated Authority regarding authorization procedure and system of warrants for operations by these agencies;
(c) A National Intelligence Tribunal for the investigation of complaints against these agencies;
(d) A National Intelligence and Security Oversight Committee for an effective oversight mechanism of these agencies; and
(e) An Intelligence Ombudsman for efficient functioning of the agencies and for matters connected therewith. The Bill seeks to achieve the aforesaid objectives."
This Bill merits attention of MPs of all political parties so that it can be improved further. It needs to be examined by a High Powered Parliamentary Committee whose recommendations are mandatory. There is a need for a law and a Commission for Parliamentary Scrutiny and Audit of Intelligence Operations. This is glaringly illustrated by a private member's bill seeking to bring intelligence agencies under Parliamentary scrutiny introduced by the national spokesperson of Indian National Congress.
For sure, somewhere lack of accountability of these agencies pinches even the MPs of the ruling party. What can be more irrational than creating institutions like NATGRID and NCTC without the passage of the above Bill?
It is noteworthy that US version of NCTC too has a legal basis. UK "Joint Terrorism Analyses Centre" (JTAC), which is under the MI-5 (UK intelligence agency) too have legal basis under the Security Service Act, 1989. It has also been codified. JTAC is bound "by the provisions of the Intelligence Services Act, 1994. It is subject to the oversight of the Parliament's Intelligence & Security Committee". But the proposed NCTC in India does not have any legislative mandate. IB is "not accountable to Parliament".
In democracies like UK, British intelligence agencies and police record the proceedings which are inspected by UK Parliament's Intelligence & Security Committee. In India, Home Ministry appears to be resisting legislative scrutiny and undermining the federal structure of the country. Following strong disapproval of NCTC by states and human rights groups, Union Home Minister wrote to 10 non- Congress Chief Ministers.
NCTC is contrary to numerous constitutional, legal and administrative provisions. States rightly consider establishment of NCTC as an encroachment upon their law and enforcement powers and federalism features of Indian constitution. Citizens are deeply concerned about enforcement of civil rights by agencies like Home Ministry's NCTC, Registrar General of National Population Register (NPR) and Capt Raghu Raman headed NATGRID, Crime and Criminal Tracking Network and System (CCTNS) for automating police stations across the country, Sam Pitroda headed Public Information Infrastructure and Innovations and Planning Commission's Nandan Manohar Nilekani headed Unique Identification Authority of India (UIDAI) and surveillance and biometric technologies like Radio Frequency Identification (RFID). The legislative proposals like DNA Profiling Bill, 2012 also fall in this category.
There is an immediate need for parliamentary scrutiny of the pre-existing intelligence agencies and mandatory legislative consent for the creation of security, surveillance and database agencies besides the agreement of the States and the citizens. At present there is no transparency and accountability of the working of intelligence agencies and in the creation of the proposed agencies. At a time when the constitutionality of the National Investigation Agency (NIA) Act, 2008 itself is in question and found unacceptable by the States, the NCTC proposal was fated to meet stiff and bitter opposition from all.
It is noteworthy that Central Bureau of Investigation (CBI), National Investigation Agency (NIA) and NATGRID are exempted from the applicability of Right to Information Act, 2005, the only transparency law of India. This exemption for CBI and NATGRID which are not governed by any law at all is quite bizarre. Also exemption of NIA whose existential legality has been contested is questionable.
Such exemptions are unacceptable given the fact that central monitoring system (CMS), a centralised mechanism that is meant to assist in lawful interception of communications from landline, mobile and Internet without any lawful interception law in India.
India does not have any legal and constitutionally sound phone tapping and e-surveillance law. The birth of NCTC itself is illegitimate. The fact that it will rely on the databases of agencies which are themselves working without any legislative and democratic mandate is quite unnerving.
P Chidambaram's letter on NCTC to 10 Chief Ministers of Bihar, Gujarat, Himachal Pradesh, Jharkhand, Karnataka, Madhya Pradesh, Odisha, Tamil Nadu, Tripura and West Bengal failed to persuade the CMs. By now it is clear that the Home Minister's letter and Prime Minister's assurance has failed to convince the MPs, MLA, MLCs or Chief Ministers. Concerns of citizens about inbuilt threats to democratic rights from the NCTC and related proposals also merit the attention of both the states' legislatures and the Parliament.
While States and citizens are concerned about their rights and are resisting efforts to turn them into subjects of centralized powers, the emergence of a regressive convergence economy based on databases and unregulated surveillance, biometric and electoral technologies remains largely unnoticed and unchallenged. Political clout of technology based companies seems to be creating a property based rights regime through financial surveillance making national boundaries redundant.
NPR, NATGRID, NCTC and UID are unfolding without any legal mandate. It appears UID was, and remains, an attention diversion exercise. The real work is being done by the Home Ministry.
Even Parliamentary Committee on Finance erred in accepting Ministry's NPR initiative by implication in its recommendations while denouncing the illegality of biometric data collection. What is happening is the same Home Ministry will have Census data, NPR data, NATGRID data and the NCTC-their integration is creating world's most powerful database since mankind came into existence.
Non-Congress governments in states are acting like unthinking obedient boys in the matter of NPR, NATGRID and UID. Mere opposition to NCTC is hardly sufficient because with NPR, NATGRID and UID alone they can do what the central government wants without NCTC. NCTC is proposed to obey an illegal UN Security Council Resolution of 28 September 2001. India's cooperation has already been co-opted by entrusting Ambassador Hardeep Singh Puri, Permanent Representative of India to the UN. Thus, Manmohan Singh (head of Cabinet Committee on UID related issues including NPR), Montek Singh (head of UID as its under Planning Commission) and Hardeep Singh (head of UN Security Council's Counter Terrorism Committee) are working in tandem without any legislative oversight.
It's a case of three Sardarjis working to establish world biggest surveillance database regime with the active assistance of other willing players. They may have got some assurance the way British signed a peace-treaty with Maharaja Ranjit Singh in 1809 that was broken as soon as Maharaja died in 1839. Maharaja's son Duleep Singh remained at the mercy of the British Government in UK. The new players also appear to be at the mercy of US government and NATO.
National Intelligence Grid (NATGRID), Backbone of NCTC
National Intelligence Grid (NATGRID), established under Ministry of Home Affairs of the Government of India, aims to consolidate data gathered by various agencies, both private and public, and to make the same available to law enforcement agencies of India. NATGRID functions with a budget of Rs2,800 crore and a staff of 300.
When asked about the qualification of CEO of NATGRID, the process for appointment of CEO, names and headquarters of the companies and Government entities from which the data would be uploaded in the NATGRID and the names of the various Government agencies which would have an access with NATGRID database under RTI Act, the Home Ministry on 30 June 2011 replied, "NATGRID/MHA is out of purview of RTI Act, 2005 under Gazette Notification No306 dated 9.6.2011".
Capt P Raghu Raman says, "…the NATGRID is not an organisation, but a tool". It simply routes "information from 21 data sources to 10 user agencies ... it is like a Google of such data sources."
NATGRID will function as a central facilitation centre, to "data sources" such as banks and airlines, they are the Research and Analysis Wing (RAW), the Intelligence Bureau, Central Bureau of Investigation, Financial Intelligence Unit, Central Board of Direct Taxes, Directorate of Revenue Intelligence, Enforcement Directorate, Narcotics Control Bureau, Central Board of Excise and Customs and the Directorate General of Central Excise Intelligence. These agencies will get access to information from NATGRID. Security agencies can seek the details from NATGRID database. Data from Airline companies, Telecom Companies, etc. would be uploaded to NATGRID database. All the Security agencies will have an access to NATGRID.
Capt Raman, a former CEO of Mahindra Special Services Group wrote a paper "A National of Numb People", wherein he advises 'commercial czars' to create 'private territorial armies' to safeguard their empires. When in Indian Army, Raman wrote that India followed the NATO war policy with cheap "Warsaw equipment" ridiculing the Warsaw war doctrines. He argues that the latter relies on low-cost-arms-using Warsaw line-up that lets enemy forces advance until the time was ripe for them to strike back. NATO is equipped with state-of-the-art weapons that do not "cede an inch". Explicit and implicit eulogies for NATO appears pregnant with meaning and is consistent with NATO's new strategic concept that seeks to expand its sphere of influence and ever greater military spending, invest in new weapons and in their worldwide network of military bases. The regime that is unfolding using identification technologies and mega databases fits into the scheme of NATO.
(Gopal Krishna, a member of Citizens Forum for Civil Liberties (CFCL), is also an environmental and civil rights activist)
Is UID anti-people?–Part 6: The foundation for incessant intrusion
Is UID anti-people?–Part 5: Why UID is impractical and flawed “Ab initio”
Is UID anti-people?-Part 4: Does the implementation smack of corruption and negligence?
Is UID anti-people?-Part 3: Tall claims and tomfoolery of UID
Is UID anti-people? –Part 2: A bundle of contradictions, misconceptions & mirages
Is UID anti-people? The database state –Part1
Leakages in social welfare, for instance, are already being tackled successfully through both technological and social means, and the convenience of easy shopping can be achieved through much less dangerous and locally valid means than the creation of a national database. This is the sixth part of a nine-part series on the unique identification number scheme