DisFact #3: Aadhaar verdict; Facebook data breach; Bollywood's #MeToo moment
Samarth Bansal | Sep 29, 2018
Happy Saturday, readers!
Welcome to DisFact, my weekly India newsletter. Do let me know what I can do better, what you would like to see more of, or any other comments.
As I began writing last night, Facebook announced that the company had found a security bug that allowed hackers to gain access to nearly 50 million accounts. The company doesn’t know who was behind the attack, what information they had collected, and whether the attackers accessed users’ private messages and posts.
There is an important lesson here for Indian authorities: don’t be too sure about the security of software systems. I say this especially in the context of Aadhaar, which I explore in detail in this issue. Two things:
One, engage with the cybersecurity community. Don’t act dismissively. Incentivise white-hat hackers to find bugs in the system and then report the findings to authorities. Don’t label them as members of an anti-Aadhaar lobby—that happens every time there is a report on Aadhaar’s security vulnerabilities.
No one at Facebook sat down to build an election interference function. They sat down to build a system for purposes that they thought were good, and are happy to brag to you about: sharing baby pictures, connecting the world, making piles of money by showing you ads, that sort of thing. All — most, anyway — of the bad effects of Facebook are emergent features of the system that they built for the good effects; that system itself, and its messy interactions with billions of people out in the real world, creates the bad effects.
Aadhaar verdict, explained
On Wednesday, the Supreme Court upheld the constitutional validity of Aadhaar. But it watered down various aspects of the program.
You probably know what Aadhaar is—and if you live in India, you would have one. But still: It is a 12-digit unique identity number. The first Aadhaar number was issued exactly eight years ago, on September 29, 2010. Aadhaar is the world’s largest biometric and identity database with over 122 crore numbers issued. It is not restricted to Indian citizens—anyone living in India for more than 180 days can enrol for the program.
One key thing: Aadhaar, though functionally the same for all, has a different meaning in the lives of the rich and the poor. It is a means of survival for the poor as the government has made Aadhaar mandatory to access essential welfare services. Their life depends on access to those services.
Controversy: To make sense of the judgement, you need to understand the contentious Aadhaar debate. Here is a brief primer on the controversy.
What the government says
Aadhaar plugs the various holes in India’s subsidy services by eliminating middlemen.
Welfare programs? These include the Public Distribution System (to distribute subsidised food and non-food items to India's poor), pension schemes and MGNREGA (India’s rural employment guarantee program), among others.
Identification: A major hurdle in the transfer of benefits to the needy is the lack of means to correctly identify such people. Aadhaar helps in better targeting for welfare programs, the government says, by providing a unique identity, making it easier to identify beneficiaries and improving service delivery.
Ghosts and duplicate beneficiaries, who take “undue and impermissible benefits”, existed in the pre-Aadhaar setup, the government says.
Corruption: As a result, the benefit of welfare schemes does not reach those who are supposed to receive them. So Aadhaar helps to reduce corruption.
This is a decades-old problem: In 1985, former Prime Minister Rajiv Gandhi said that out of one rupee spent by the government for the welfare of the downtrodden, only 15 paise actually reaches those persons for whom it is meant.
Numbers: The government claims it has saved Rs 90,000 crore by using Aadhaar, a number disputed by activists.
What critics say
Four broad issues:
Exclusion: Is Aadhaar fulfilling its intended purpose of identifying beneficiaries and easy access to services?
This happens because of Aadhaar-related biometric authentication failures.
The exact reasons for the authentication failures are not clear and can range from enrolment errors and seeding errors to poor quality of fingerprints and poor internet connectivity.
Privacy: Aadhaar could become a tool for mass surveillance by the state, meaning Aadhaar is a way for the government to build a digital infrastructure to monitor the lives of citizens.
This [electronic] leash is connected to a central database that is designed to track transactions across the life of the citizen. This record will enable the state to profile citizens, track their movements, assess their habits and silently influence their behaviour. Over time, the profiling enables the state to stifle dissent and influence political decision making… Inalienable and natural rights are dependent on a compulsory exaction.
The government says this is not possible.
Data Security: Questions have been raised about the security of Aadhaar data. Various incidents have illustrated vulnerabilities in the Aadhaar ecosystem leading to unauthorised access and misuse of data.
Dive deep: Here is my detailed piece on Aadhaar’s data security debate for the Hindustan Times, exploring the arguments on both sides.
The push to make Aadhaar mandatory: In the last two years, the government has pushed to make Aadhaar compulsory for all sorts of things, from opening a bank account to accessing welfare services. The project was not envisioned to be used this way, critics say.
What the verdict said and what it means
The court said that Aadhaar doesn’t violate the right to privacy, downplayed concerns about data security, sided with the government that Aadhaar is a project of inclusion (and not exclusion), added restrictions on the use of Aadhaar and gave citizens more control of their data.
Dissent: One judge, Justice DY Chandrachud, dissented: he criticised various provisions of the Aadhaar Act and called it a fraud on the Constitution for the way it was passed in Parliament (as a money bill).
Here are some key points to note from the verdict:
You don’t need Aadhaar for: bank accounts, mobile phone connections, school admissions.
You still need to link Aadhaar with PAN card.
On exclusion: The court did not concur with the petitioners’ concern that Aadhaar should be shelved since authentication failure of biometrics resulted in the exclusion of the needy. (Hindustan Times)
“We are only highlighting the fact that the government seems to be sincere in its efforts to ensure that no such exclusion takes place and in those cases where an individual who is rightfully entitled to benefits under the scheme is not denied such a benefit merely because of failure of authentication. In this scenario, the entire Aadhaar project cannot be shelved,” the court said.
On data security and privacy: The court sided with the UIDAI, rejecting petitioners’ concerns regarding the establishment of a surveillance regime and the lack of adequate data protection provisions.
“We are of the view that it is very difficult to create profile of a person simply on the basis of biometric and demographic information stored in CIDR.”
The data obtained is very, very minimal and the benefits, especially to the marginalised, are large, the court said.
Information is collected in silos. And there is no merging of silos, the court believes.
What I found striking—the PPT: On technical questions concerning data security and privacy, the judges extensively referred to UIDAI CEO Abhay Bhushan Pandey’s presentation on Aadhaar’s architecture that he made before the court. Concerns raised by petitioners were about the possibilities of what the system can do. There were no technical counterpoints. Pandey used technical jargon to explain the Aadhaar system. It is my hunch that this presentation played a significant role in convincing the judges that all’s well.
I am trying to get a copy of the presentation to understand the finer details. But this incident illustrates why we need more tech-informed debate for policy issues.
For details on what the judgement says about data security and privacy, check my story for HT.
Restrictions on metadata: It appears that the judges did realise that certain data can be misused for tracking purposes. So the court restricted the UIDAI to storing authentication transaction data for a period of six months, down from five years.
“retention of this data for a period of six months is more than sufficient after which it needs to be deleted”, except in cases where it is required to be maintained by a Court or in connection with any pending dispute.
Empowering citizens: The court put in place judicial safeguards against misuse of individual data to empower citizens to control their data.
The government can’t access Aadhaar-related data without informing citizens: A citizen whose Aadhaar-related information is sought shall be afforded an opportunity of a proper hearing.
National security exception struck down: In the Aadhaar Act, there was one provision where the government can access Aadhaar data without your permission—on the grounds of “national security”. That provision was struck down.
To reformulate this provision: an executive higher than the rank of a Joint Secretary and a judicial officer should be members of the oversight committee to hear complaints against the sharing of data.
You can complain (earlier, you could not): The court suggested that the act “needs a suitable amendment” to include the provision that a citizen can file complaints in case of a data breach or rights violation. In the existing version, only the UIDAI had the authority to do so.
Restricting private companies: The court struck down Section 57 of the Aadhaar Act that permitted corporate entities such as telecom companies to avail Aadhaar data.
What this means: Not clear at this point. On Thursday, I contacted over a dozen companies in the telecom, banking and finance sector to find out.
Many are waiting for a notification from their respective regulatory authorities; a few say the judgement doesn’t affect them. There is disagreement even in the legal community on the interpretation of this specific section of the verdict. Some argue it is now impossible for private companies to use Aadhaar data at all; others say Aadhaar can be used as long as alternatives are made available to customers. (Hindustan Times)
Why this is significant: Private companies use Aadhaar data primarily for e-KYC (“Know Your Customer”) purposes. That speeds up the process and reduces the KYC cost for the company. If Aadhaar eKYC is made illegal, it will be a huge blow for the fin-tech industry.
Bollywood, Tanushree Dutta is saying something
What: In an interview with Zoom, former Miss India and Bollywood actress Tanushree Dutta alleged that actor Nana Patekar had sexually harassed her on the sets of the 2009 Hindi film Horn Ok Pleassss.
Any other proof? Yes! The incident has been corroborated by two other women.
She was shooting what was supposed to be her solo song (later performed by Rakhi Sawant) when Nana Patekar was on set. Tanushree alleged that he pulled her by her arms, tried to teach her the dance steps and even got an “intimate” step added to the choreography just so that he could touch her. (The NewsMinute)
First, journalist Janice Sequeira narrated her account of the incident in a lengthy Twitter post.
Some incidents that take place even a decade ago remain fresh in your memory. What happened with #TanushreeDutta on the sets of “Horn Ok Please” is one such incident - I was there. #NanaPatekar
What Nana Patekar says: He denies the allegation. He is considering legal action. Ganesh Acharya, the choreographer, also denied Dutta’s version.
Yesterday, Nana Patekar's lawyer Shirodkar told news agency ANI:
“In process of sending legal notice to Tanushree Dutta as she has made false allegations and has spoken untruth. We will send the notice later today which will basically a notice seeking apology for her statements making allegations.”
Where is she now? Dutta now lives in New Jersey, USA. She has not appeared in films for years. She had spoken about it earlier as well—it’s not new information. But nothing happened then.
In an interview with HuffPost India, Tanushree Dutta said:
I didn't go to work after that. I mean, not a lot. I just did a couple of films here and there and that was that. You actually build walls around you when you see this behaviour. Despite my strong sense of self, this incident broke me. Because my defences didn't work. They were dense people. Nana Patekar, Ganesh Acharya, these are not bad people, they are evil people. Toughness works with intelligent people. There is a point where it becomes like 'she is being tough, don't mess with her'. My understanding and dealing with stuff comes from a very sophisticated area. These people are old-school sleazebags. They'll not get body language if you are trying to be tough. Their attitude comes from the fact that I am a man, I can do whatever the hell I want. I was so scared that I ran and sat in my van. He was misbehaving, he was grabbing my hands and pushing me around and started teaching me how to dance with rough behaviour.
On Bollywood’s silence, she said: (HuffPost)
They are all bloody complicit. And please don't give me bullshit about Patekar being powerful. He isn't. He's been a side actor who's leeched on to more powerful actors. He has barely managed to survive. If he thinks he can get away with it, just imagine the horrors actors with real power may have inflicted on women.
Some Bollywood actors have spoken up in support of the actress: The list includes, but is not limited to, Farhan Akhtar, Priyanka Chopra, Parineeti Chopra, Konkona Sen Sharma, Anurag Kashyap, Richa Chadha, Twinkle Khanna, Hansal Mehta, Kunal Kapoor, Vir Das, Sushmita Sen.
But…some big names had this to say:
1. Big B:
At #ThugsOfHindostan presser, when asked about Tanushree Dutta, Amitabh Bachchan said, "Neither am I Tanushree, not am I Nana Patekar, so how can I comment on this?" Wayyy to show solidarity for your colleagues, Bollywood. This country's superstars make us so proud. (September 27, 2018)
3. Aamir Khan: “I don't think I can comment on it. But whenever something like this does happens it is really a sad thing. Now whether such thing has happened or not, it is for people to investigate," he said.
The question is: Will this have any impact?
Heartening to see support for #TanushreeDutta & @janiceseq85 & @SceneSorted who corroborated her story. But there will only be lasting impact if there are consequences for the perpetrators. Hope the powers that be are listening. It's a watershed moment! (September 28, 2018)
Talking about cases of sexual harassment turns controversial. From questioning the motive of the woman who is speaking up to character assassination of the accused without hearing his side, everything happens. In this case, finding the truth is not hard. There were hundreds of people on the set that day—an independent investigation would easily reveal what happened. But will the investigation happen?
Will this be treated as just another piece of Bollywood gossip or is this our own #MeToo moment? In 2017, the institutional rot of Hollywood—and other industries, media and politics included—was exposed, and displayed how the industry “enabled and even encouraged wrongdoing, and then protected predators instead of their victims.”
#MeToo is not just about sexual harassment. It is about power hierarchies.
This is for Bollywood actors:
We like to tell ourselves that as long as we aren’t perpetrators ourselves, we’re merely bystanders. But if you read the stories closely, you will see that the offenders get away with it for so long and so many times over with the help, however unwitting, of the bystanders. Of us. (NYT)
Who is responsible?
The responsibility extends, we are coming to understand, beyond the perpetrator, implicating an entire network of people who help create the conditions that allow harassment to occur -- and to go unpunished. This is not a new realization for everyone, of course. For decades, women have experienced this, and they often tried to warn a society that appeared unready — or simply unwilling — to listen. But now the problem is impossible to ignore. (NYT)
Talk to me
Comments? Feedback? Suggestions? Write to me at email@example.com or hit reply to this email. And if you find this helpful, please spread the word. Thank you!