News

Oil, gas and defence firms in Norway have been hit by a series of sophisticated hack attacks

Dec 21st, 2011 | By | Category: News

Hackers attack Norway’s businesses

Nov.20, 2011 in National security

Oil, gas and defence firms in Norway have been hit by a series of sophisticated hack attacks.

Industrial secrets and information about contract negotiations had been stolen, said Norway’s National Security Agency (NSM).

It said 10 firms, and perhaps many more, had been targeted in the biggest wave of attacks to hit the country.

Norway is the latest in a growing list of nations that have lost secrets and intellectual property to cyber thieves.

The attackers won access to corporate networks using customised emails with viruses attached which did not trigger anti-malware detection systems.

Targeted attacks

The NSM said the email messages had been sent to specific named individuals in the target firms and had been carefully crafted to look like they had come from legitimate sources.

Many of the virus-laden emails were sent while the companies were in the middle of negotiations over big contracts.

It said user names, passwords, industrial drawings, contracts and documents had been stolen and taken out of the country.

The NSM believes the attacks are the work of one group, based on its analysis of the methods used to target individuals, code inside the viruses and how the data was extracted.

The agency said it was publishing information about the attacks to serve as a warning and to encourage other targeted firms to come forward.

“This is the first time Norway has revealed extensive and wide computer espionage attacks,” the NSM said in a statement.

Singled out

It said it found out about the attacks when “vigilant users” told internal IT security staff, who then informed the agency.

However, the NSM said, it was likely that many of the companies that had been hit did not know that hackers had penetrated their systems and stolen documents.

Security firms report that many other nations and industrial sectors have been targeted by data thieves in recent months.

The chemical industry, hi-tech firms and utilities appear to have been singled out.

(BBC news)



DHS Discloses Privacy Protection Hides Spying

Dec 20th, 2011 | By | Category: News
20 December 2011DHS Discloses Privacy Protection Hides Spying 


[Federal Register Volume 76, Number 244 (Tuesday, December 20, 2011)]
[Notices]
[Pages 78934-78935]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2011-32483]

=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

Office of the Secretary

Published Privacy Impact Assessments on the Web

AGENCY: Privacy Office, DHS.

ACTION: Notice of Publication of Privacy Impact Assessments (PIA).

-----------------------------------------------------------------------

SUMMARY: The Privacy Office of DHS is making available seven PIAs on
various programs and systems in DHS. These assessments were approved
and published on the Privacy Office's web site between September 1,
2011 and November 30, 2011.

DATES: The PIAs will be available on the DHS Web site until February
21, 2012, after which they may be obtained by contacting the DHS
Privacy Office (contact information below).

FOR FURTHER INFORMATION CONTACT: Mary Ellen Callahan, Chief Privacy
Officer, Department of Homeland Security, Washington, DC 20528, or
email: pia@hq.dhs.gov.

SUPPLEMENTARY INFORMATION: Between September 1, 2011 and November 30,
2011, the Chief Privacy Officer of the DHS approved and published seven
Privacy Impact Assessments (PIAs) on the DHS Privacy Office web site,
www.dhs.gov/privacy, under the link for ``Privacy Impact Assessments.''
These PIAs cover seven separate DHS programs. Below is a short summary
of those programs, indicating the DHS component responsible for the
system, and the date on which the PIA was approved. Additional
information can be found on the web site or by contacting the Privacy
Office.

    System: DHS/FEMA/PIA-018 Suspicious Activity Reporting (SAR).
    Component: Federal Emergency Management Agency (FEMA).
    Date of approval: September 9, 2011.
    FEMA, a component of DHS, manages a process for SAR. This process,
assigned to FEMA's Office of the Chief Security Officer, is designed to
collect, investigate, analyze, and report suspicious activities to the
Federal Bureau of Investigation's (FBI) Joint

[[Page 78935]]

Terrorism Task Force, Federal Protective Service, and/or other federal,
state, or local law enforcement authorities required to investigate and
respond to terrorist threats or hazards to homeland security. FEMA is
conducted this PIA because this SAR process collects, maintains, and
uses PII.

    System: DHS/NPPD/US-VISIT/PIA-007(a) Biometric Interoperability Between
 the U.S. Department of Homeland Security and the U.S. Department of Justice.
    Component: National Protection and Programs Directorate (NPPD) and
United States Visitor and Immigrant Status Indicator Technology (US-
VISIT).
    Date of approval: September 16, 2011.
    In 2006, the US-VISIT Program of DHS and the Criminal Justice
Information Services Division of the FBI, Department of Justice (DOJ),
developed an interoperability project to support the sharing of
information among DHS, DOJ, and their respective stakeholders. This PIA
update was conducted to reflect the expansion of DHS-DOJ
interoperability to include new users and uses not covered. In
addition, this PIA allows users to access more data in IDENT.

    System: DHS/ICE/PIA-031 Alien Medical Tracking Systems.
    Component: Immigration and Customs Enforcement (ICE).
    Date of approval: September 26, 2011.
    ICE provides medical care to and maintains medical records about
aliens that ICE detains for violations of U.S. immigration law. The ICE
Health Service Corps, a division of ICE's Office of Enforcement and
Removal Operations, has several information technology systems that are
used to track information from medical records for aliens in ICE
custody for various monitoring and reporting purposes. These are the
Social Services Database, Hospitalization Database, Significant
Detainee Illness Spreadsheet, Mental Health Coordination Database,
Epidemiology Database, and Performance Improvement Database. This PIA
describes the data maintained in these medical tracking systems, the
purposes for which this information is collected and used, and the
safeguards ICE has implemented to mitigate privacy and security risks
to PII stored in these systems.

    System: DHS/ICE/PIA-004(a) ICE Pattern Analysis and Information
Collection (ICEPIC) Update.
    Component: ICE.
    Date of approval: October 26, 2011.
    ICE has established a system called the ICEPIC system. ICEPIC is a
toolset that assists ICE law enforcement agents and analysts in
identifying suspect identities and discovering possible non-obvious
relationships among individuals and organizations that are indicative
of violations of the customs and immigration laws as well as possible
terrorist threats and plots. The PIA for ICEPIC was published in
January 2008. This PIA Update was completed to provide transparency
related to the Law Enforcement Information Sharing Service that enables
law enforcement agencies outside DHS to query certain information
available through ICEPIC. Additionally, through LEIS DHS law
enforcement personnel are able to query external law enforcement
agencies' sensitive but unclassified law enforcement information.

    System: DHS/ICE/PIA-015(c) Enforcement Integrated Database Update.
    Component: ICE.
    Date of approval: November 7, 2011.
    The Enforcement Integrated Database (EID) is a DHS shared common
database repository for several DHS law enforcement and homeland
security applications. EID captures and maintains information related
to the investigation, arrest, booking, detention, and removal of
persons encountered during immigration and criminal law enforcement
investigations and operations conducted by ICE, U.S. Customs and Border
Protection, and U.S. Citizenship and Immigration Services, all
components within DHS. The PIA for EID was published in January 2010.
In July 2010, a PIA Update for EID was published to address an
expansion of the information entered into EID and the scope of external
information sharing. This EID PIA Update addresses planned changes to
the types of information shared and an added method of sharing.

    System: DHS/S&T/PIA-006 Protected Repository for the Defense of
Infrastructure Against Cyber Threats (PREDICT).
    Component: Science and Technology.
    Date of approval: November 8, 2011.
    The S&T Directorate's PREDICT system has undergone a PIA 3-Year
Review. The PIA requires no changes and continues to accurately relate
to its stated mission. PREDICT is a repository of test datasets of
Internet traffic data that is made available to approved researchers
and managed by an outside contractor serving as the PREDICT
Coordination Center. The goal of PREDICT is to create a national
research and development resource to bridge the gap between (a) the
producers of security-relevant network operations data and (b)
technology developers and evaluators who can use this data to
accelerate the design, production, and evaluation of next-generation
cyber security solutions, including commercial products.

    System: DHS/ALL/PIA-013(a) PRISM System Update.
    Component: DHS.
    Date of approval: November 10, 2011.
    DHS Management Directorate, Office of the Chief Procurement Officer
is the owner of the PRISM contract writing management system. PRISM
provides comprehensive, Federal Acquisition Regulation-based
acquisition support for all DHS headquarters entities. The purpose of
this PIA update is to reflect changes to the collection of information,
and the addition of a classified PRISM system.

    Dated: December 12, 2011.
Mary Ellen Callahan,
Chief Privacy Officer, Department of Homeland Security.
[FR Doc. 2011-32483 Filed 12-19-11; 8:45 am]
BILLING CODE 9110-9L-P


Black Hat: System links your face to your Social Security number and other private things

Nov 24th, 2011 | By | Category: News

Black Hat presentation to show how photos, facial recognition and overlapping databases will lead to less privacy

By Tim Greene, Network World


Soon it will be practicable to take someone’s photo on a smartphone and within minutes know theirSocial Security number and a range of other private data like their personal interests, sexual preference and credit status, researchers will tell the Black Hat security conference this week.

The technique calls for linking faces of random individuals to images in databases that contain other information about them and using that information to project Social Security numbers, says Alessandro Acquisti, a professor at Carnegie Mellon University, who will present the research at the conference.

He says if he can arrange the logistics, he will demonstrate the technique at the show using an application on a smartphone that taps cloud-based databases and facial recognition software. He uses Social Security numbers as an example of what can be projected, but other information such as sexual orientation and credit ratings can also be inferred, he says.

The point, Acquisti says, is to show that a framework of digital surveillance that can go from a person’s image to personal data exists today and will only get better as technologies improve, making privacy more scarce and making surveillance readily available to the masses. “This, I believe and fear, is the future we are walking into,” he says.

He admits the method is far from foolproof, but that the individual pieces of technology are developing rapidly and could be ready for use in the real world in the foreseeable future. He is working on projections of how long it will take for the technologies involved to develop to the point of being reliable.

Acquisti bases his presentation on three pieces of research he and his team carried out. The first took the primary Facebook images that people posted to establish their identity. The team compared the Facebook images using PittPatt face-recognition software to identify other photos of the same person in another database, namely that of a popular dating service where people registered under phony names.

After the software made a match, actual people looked at the pictures to determine how accurate the matches were. They considered just PittPatt’s best guess for each photo.

The software correctly identified 1 in 10 dating site members, which the researchers say is pretty good considering the experiment used just one photo — the Facebook profile photo — to identify the person with the known identity.

Plus, they only considered PittPatt’s best guess. Had they considered the second and third best guesses, accuracy might improve as well, he says.

The second experiment photographed random college students and asked them to fill out a questionnaire. Meanwhile, the photo was compared to others in online databases to identify the students realtime and compile other photos of them.

The students checked the photos and found they were accurate about a third of the time.

The third experiment took the subjects’ Facebook profiles and, from inferences made from the profiles, predicted the first five digits of their Social Security numbers and their interests and activities.

The last part is an implementation of a Social Security number-predicting algorithm Acquisti presented at Black Hat two years ago. Based on when and where a person was born, the algorithm predicts the first five digits, which are based on location. It can then guesses the remaining digits, but that could take 100 tries.

 

All contents copyright 1995-2011 Network World, Inc. http://www.networkworld.com

 



Facial recognition security, privacy issues grab FTC attention

Nov 24th, 2011 | By | Category: News

Facial recognition technology on the rise as governments increase use; Facebook, Microsoft implement it

By Michael Cooney, Network World

The Federal Trade Commission the week said it will hold a workshop that examines how burgeoning use of facial recognition technology impacts privacy and security.

From the FTC: “Facial recognition technology has been adopted in a variety of new contexts, ranging from online social networks to digital signs and mobile apps. Its increased use has raised a variety of privacy concerns. The FTC workshop will gather consumer protection organizations, academics, business and industry representatives, privacy professionals, and others to examine the use of facial recognition technology and related privacy and security concerns.”

The agency said the workshop will look at many topics including:

The workshop will take place in Washington, DC on Dec. 8, 2011 is free and open to the public.

Use of facial recognition technology is growing fast. One of its biggest pushes could come in the form of Microsoft’s Windows 8.  Network World recently wrote that the software giant is building facial recognition technology into Windows 8, offering a more secure way to access your computer.

This month the U.K.’s largest airport,  Heathrow, will install facial recognition scanners for international and domestic passengers to prevent illegal immigration in the country, the IDG News Service reported. The facial recognition technology comes from Aurora Computer Services, a U.K.-based company. It’s called the Aurora Image Recognition (AIR) system and uses a camera with an infrared flash, which the company says can function in either bright or low light. It can identity a person from about 3 feet away. The camera verifies a person’s identity using biometric details, identifying a person in 4.7 seconds, a time that includes properly positioning a passenger, according to Aurora.

The changing face of biometrics

And facial recognition technology has raised privacy concerns. Recently Connecticut Attorney General George Jepsen expressed concern that Facebook’s “Tag Suggestions” face recognition feature compromises consumer privacy, and asked for a meeting with company officials.

According to an IDG News Service story: In Facebook’s desire to promote photo sharing and tagging among its users, it appears to have overlooked a critical component of consumer privacy protection, which is an opt-in requiring users to affirmatively consent before Facebook can use those images, Jepsen wrote in a letter this week to Facebook’s director of public policy and its product and regulatory counsel. Jepsen joins European Union (EU) regulators and consumer advocacy groups that are questioning the feature on Facebook.

The Electronic Privacy Information Center and three other advocacy groups filed a complaint asking the U.S. Federal Trade Commission to require Facebook to get affirmative opt-in consent from users before collecting and using their biometric data.

 

All contents copyright 1995-2011 Network World, Inc. http://www.networkworld.com



Biometric: UID Glitch Hits Senior Citizens

Oct 27th, 2011 | By | Category: News

The bigger the privacy violation the more progress it makes away from its real goals - Many senior citizens are facing difficulties as the Biometric machines are unable to read their fingerprints. 

 

Neelam Pandey, Hindustan Times
New Delhi, October 26, 2011

The government’s much-hyped scheme of issuing a unique identification number (UID) to citizens has hit a roadblock in Delhi. Many senior citizens are facing difficulties as the biometric machines are unable to read their fingerprints. Said an operator recording fingerprints in GK-I, “Due to old age, the lines on fingers virtually disappear and the machines are unable to register them. But we have been told to follow the rules.”

“I stood in the queue thrice, but the operator said my fingerprints were not being processed. They said they had to follow the guidelines and my form was rejected” said GK-I resident ML Khetrapal.

Along with this, cameras used by officials are unable to read the irises of people who have had their cataracts removed. Delhi revenue minister AK Walia said, “We were not aware of this problem. We’ll take it up in our review meeting next week.”

A regional officer of the Unique Identification Authority of India said, “We’ve  asked the agency implementing it (UID) to submit a report.”



ISRAEL: Justice Ministry cracks case of massive information theft

Oct 25th, 2011 | By | Category: News

By BEN HARTMAN AND JOANNA PARASZCZUK
10/25/2011 00:44

Government employee sells identification numbers, addresses and other details of 9 million Israelis.

Investigators from the Justice Ministry announced on Monday that they have cracked a massive information theft case, in which a former employee of the Ministry of Social Affairs and Social Services stole and copied the personal details of over nine million Israelis, and sold the data to a private buyer.The theft included the publication of detailed personal information on the millions of victims, including many minors, deceased persons and citizens living abroad. The information, which is accurate as of 2006, includes full names, ID numbers, addresses, dates of birth, family status, names of siblings and other information. It also includes an extensive search engine and allows the user to determine all of the extended family relations of any Israeli in the database.

RELATED:
Biometric ID database to be launched in November 
Biometric passports – how will spies cope? 

The database could also represent a serious security threat in that it affords anyone who accesses it online the ability to look at the place of residence and next of kin of all types of people in the political and military echelon, whose personal data is otherwise classified.

At the moment there are six suspects involved, and the Tel Aviv Magistrate’s Court has placed a travel ban on all six, barring them from leaving the country.

The theft took place in 2006, when a contract worker hired by the Ministry of Social Affairs and Social Services made a copy of the database after taking it home from work. The employee, who was responsible for safeguarding the database, is then believed to have given a copy to a friend of his, who later passed it to a classmate from his Jerusalem yeshiva.

That classmate allegedly sold the data to a businessman who collects personaldata databases for a rather nominal fee of a few thousand shekels. The businessman who bought the data then allegedly gave it to a programmer who built a program called “Agron 2006,” that included all of the stolen material.

Shortly thereafter, a different computer technician crossed paths with the database, and according to the Justice Ministry, uploaded it to the Internet, where it could be accessed in its entirety by anyone in the world.

The technician then allegedly launched a website with a step-by-step guide on how to download a copy of the database and how to use it. The technician, who operated under the name “aRi,” also found ways to mask the IP address of the computers he used and cover his tracks at nearly every turn, the ministry said.

In 2009, following a police investigation that yielded no results, the Law, Information and Technology Authority of the Justice Ministry began probing the case. Over the course of the investigation they compiled mountains of evidence from hard drives, hard discs and cloud-computing storage.

Altogether the investigation compiled six terabytes of data, roughly 6,000 gigabytes.

Investigators said they were particularly dismayed by the discovery that the former employee had a copy of the Ministry’s adoption database for the Jerusalem and Tel Aviv area. The database is considered one of the most sensitive in the country, and includes specific information on the parents of adopted children.

Investigators said they have found no evidence that the document was leaked. The investigation also reportedly turned up data related to national security, as well as voter-registration lists.

According to a statement by the Justice Ministry on Monday, the uploading of the database “will make it easier to carry out forgery and fraud, and provide the necessary information to carry out identity theft. It helps create fraudulent documents that appear authentic, therefore allowing people to bypass security systems. It could also have an effect on the democratic processes in elections, in that it makes it easier for someone to impersonate someone else in the voting booth.”

Following the Justice Ministry’s announcement regarding the population database leak, and ahead of Interior Ministry plans to pilot a biometric database next month, civil rights lawyers warned on Monday of “irreversible damage” should biometric data be leaked.

Leaked biometric data, including fingerprints, could greatly increase the risk of identity theft, according to civil rights lawyer Avner Pinchuk, head of the Association for Civil Rights in Israel’s Privacy and Information project.

“The leak of the population database is a warning to all citizens of Israel not to give their fingerprints to those who don’t know how to secure sensitive personal data,” said Pinchuk.

Pinchuk noted that the Interior Ministry admitted recently that any biometric data leakage could cause “irreparable damage” to citizens, while assuring the public it is capable of securing its planned biometric database.

“The ministry is conducting a misleading campaign to promote its biometric database pilot and for years has refrained from issuing quality ID cards that are impossible to fake so that it could ‘sell’ the public on the idea of a biometric database,” said Pinchuk. “But this database will only serve to greatly increase the risk of identity theft, just as experts have warned.”

Speaking to The Jerusalem Post from New York on Monday, CEO of the IT firm Green Armor Solutions Joseph Steinberg said that the theft should encourage efforts to create more stringent means of identification.

“One of the things I’ve been arguing for a long time is that any information that’s public, or not difficult for the public to obtain, shouldn’t be used to authenticate anyone,” said Steinberg. “The government is going to have to come up with more stringent means to prove someone’s identity. Having just your date of birth or ID number won’t be sufficient [in Israel] because now it’s common knowledge that anyone has access to this.”



The Dark Side Of Biometrics: 9 Million Israelis’ Hacked Info Hits The Web

Oct 24th, 2011 | By | Category: News

BY NEAL UNGERLEIDER Today

Biometrics are the next big thing in government and homeland security. But the recent theft of the personal information of 9 million Israelis living and dead–including the birth parents of adoptees and sensitive health information–could have big ramifications for foreign governments.

Every time a foreigner comes to the United States, their biometric data–fingerprints and photographs–are processed into a massive database called US-VISIT. The service prevents identity fraud and helps find criminals, and countries all over the world have adopted similar systems. Now Israel’s has been hacked, leading to the leak of personal information of nearly every single citizen there (even some dead ones) onto the Internet.

Authorities in the Middle Eastern country announced the arrest on Monday of a suspect responsible for the massive data theft. He’s a contract worker at the Israeli Welfare Ministry who was allegedly engaged in small-scale white collar crimes after-hours and who is accused of stealing Israel’s primary national biometric database in 2006. He had access to the database, which is part of the country’s population registry, through his office.

The stolen database contained the name, date of birth, national identification number, and family members of 9 million Israelis, living and dead. More alarmingly, the database contained information on the birth parents of hundreds of thousands of adopted Israelis–including children–and detailed health information on individual citizens.

Shortly after being fired from his job for unrelated offenses, the unnamed suspect began passing the database around to members of Israel’s surprisingly numerous Hasidic Jewish criminal underworld. According to the ultra-Orthodox Jewish Yeshiva World Newsthe stolen biometric database was passed around by six separate suspects, who made copies of the records in exchange for cash.

Identity theft and petty Internet crimes being what they are, the stolen biometric information quickly made its way online. One of the secondary suspects uploaded the whole of Israel’s biometric records database to the Internet under the name “Agron 2006.” A quick Google search reveals numerous torrents and uploaded copies of the database easily available for download.

According to Yoram Cohen of the Israeli Justice Ministry, “Any person who handles personal information and any citizen should lose sleep over the chain of information from the now exposed theft of the Population Registry information.”

There’s only one problem: Biometric databases are the future. The Indian government is building the world’s largest biometric database, which will handle the personal information of nearly 1 billion citizens and give millions easy access to health care and education. Many European Union members such as Germany and the Netherlands automatically include biometric information on passport RFID chips. Here in the United States, the FBI is building a billion-dollar biometric database that will give every single police department and sheriff’s office in the country instant access to millions of mugshots and fingerprints. While they might be scary and big brother-ish, biometric databases save massive amounts of taxpayer money and help streamline lumbering bureaucracies.

In the Israeli case, a valuable database was stolen through an inside job. Although the information was stolen by a white-collar criminal with an identity theft jones rather than by a hostile intelligence service or an enemy hacker, the end effect was the same.

The Federal Bureau of Investigation and the Department of Homeland Security have been less than forthcoming about efforts to secure the data contained in their respective biometric databases. However, a DHS privacy impact assessment conducted for the Coast Guard’s “Biometrics at Sea” program found numerous privacy concerns and weak spots that required additional security. Both the FBI and Homeland Security’s databases will retain decades’ worth of personal information, photographs, and fingerprints.

In the end, the government–and taxpayers–have chosen the efficiency and cost savings of biometric databases over the privacy and civil liberties concerns that experts have raised. But as the Israeli example shows, today’s biometric database could easily become tomorrow’s warez download.

[Image: Flickr user Bob AuBuchon]



Information Technology – Israel New Biometric ID database raises significant privacy concerns

Sep 22nd, 2011 | By | Category: News

 The act as a whole (and the biometric database specifically) raises significant concerns. Privacy advocates have urged the Home Office to re-evaluate the potential grave risks to information security and privacy that the database poses – for example, the irreversibility of biometric data loss and the public’s general mistrust of the government’s ability to secure the database. A proposition to transform the database into a blurred set-base that would enhance security and privacy was recently offered by Professor Adi Shamir, a well-known cryptographer. However, despite backing from the Law Information and Technology Authority, the government eventually rejected Shamir’s proposition.

 

Contributed by Pearl Cohen Zedek Latzer

 

September 20 2011

New regulations and orders introduced by the Ministers’ Committee for Biometric Applications have paved the way for a two-year trial period for the issuance of biometric identification documents (IDs). The Ministry of Home Affairs is in the process of making its final preparations and aims to start issuing the IDs shortly. The IDs will contain encoded fingerprints and a facial image, and will be stored in a national database. A campaign led by privacy activists against the controversial biometric database has thus far failed to yield a positive result.In December 2009 the Israeli Parliament (the Knesset) enacted the Biometric Identifiers and Biometric Data Inclusion in Identification Documents and a Database Act.(1) The act is intended to tackle the large-scale loss and theft of identification cards and passports, which may then later be used by criminals or terrorists.The Biometric Data Act is far reaching. Following a two-year trial period, every citizen will be compelled to provide two fingerprint samples and a facial photograph, to be digitally stored in a national database and on chips embedded in passports and national IDs (mandatory in Israel for citizens over the age of 16). The digital ID will also carry a certified electronic signature that can be used as a substitute for regular handwritten signatures in the execution of transactions.

The biometric database is not intended solely to manage the processing of ID and passports applications. It will also serve as a valuable source of information for law enforcement agencies, under the supervision of a new authority that has been established specifically for that purpose by the Ministry of Home Affairs.

The act as a whole (and the biometric database specifically) raises significant concerns. Privacy advocates have urged the Home Office to re-evaluate the potential grave risks to information security and privacy that the database poses – for example, the irreversibility of biometric data loss and the public’s general mistrust of the government’s ability to secure the database. A proposition to transform the database into a blurred set-base that would enhance security and privacy was recently offered by Professor Adi Shamir, a well-known cryptographer. However, despite backing from the Law Information and Technology Authority, the government eventually rejected Shamir’s proposition.

The new regulations under the Biometric Data Act include procedures for:

  • issuing a biometric ID;
  • taking fingerprints and facial images from applicants;
  • encrypting and securing the data; and
  • transferring data between authorities.(2)

A governmental order accompanies the regulations and sets specific rules for the two-year trial period.(3)During this period (starting in November 2011), biometric IDs will be issued to Israeli citizens, subject to their written and signed consent. At the end of the trial period, professional auditors will evaluate the extent of the trial’s success, under a set of pre-determined parameters and following feedback from applicants. Unless the Ministry of Home Affairs decides otherwise, in light of the trials results and public debate, the Biometric Data Act will come into full effect at the end of the trial period and all citizens will be obliged to provide their biometric data, which will be included in IDs and passports, and stored in the national database.

 

For further information on this topic please contact Haim Ravia or Dan Or-Hof at Pearl Cohen Zedek Latzer by telephone (+972 9 972 8000), fax (+972 9 972 8001) or email (haimr@pczlaw.com ordano@pczlaw.com).

Endnotes

(1) The full wording of the Biometric Data Act (in Hebrew) is available at http://law.co.il/media/computer-law/biometric_law.pdf.

(2) The full wording of the new regulations (in Hebrew) is available at http://law.co.il/media/computer-law/biometric_id_reg.pdf.

(3) The full wording of the governmental order (in Hebrew) is available at http://law.co.il/media/computer-law/biometric_id_decree.pdf.

 

 



Biometric: FTC takes aim at Facial Recognition security – privacy issues

Sep 20th, 2011 | By | Category: News


Michael Cooney

Layer 8

Michael Cooney

 

Facial recognition technology on the rise as governments increase use; Facebook, Microsoft implement it

By Layer 8 on Tue, 09/20/11 – 10:16am.

The Federal Trade Commission the week said it will hold a workshop that examines how burgeoning use of facial recognition technology impacts privacy and security.

From the FTC: “Facial recognition technology has been adopted in a variety of new contexts, ranging from online social networks to digital signs and mobile apps. Its increased use has raised a variety of privacy concerns. The FTC workshop will gather consumer protection organizations, academics, business and industry representatives, privacy professionals, and others to examine the use of facial recognition technology and related privacy and security concerns.”

More FTC news: Got acne? There’s NOT an iPhone, Android app for that, FTC says

The agency said the workshop will look at many topics including:

  • What are the current and future uses of facial recognition technology?
  • How can consumers benefit from the technology?
  • What are the privacy and security concerns surrounding the adoption of the technology; for example, have consumers consented to the collection and use of their images?
  • Are there special considerations for the use of this technology on or by children and teens?
  • What legal protections currently exist for consumers regarding the use of the technology, both in the United States and internationally?
  • What consumer protections should be provided?

The workshop will take place in Washington, DC on December 8, 2011 is free and open to the public.

Use of face recognition technology is growing fast.  One of its biggest pushes could come in the form of Microsoft’s Windows 8.  Network World recently wrote that the software giant  is building facial recognition technology into Windows 8, offering a more secure way to access your computer.

This month the U.K.’s largest airport, Heathrow, will install facial recognition scanners for international and domestic passengers to prevent illegal immigration in the country, the IDG News Service reported.  The facial recognition technology comes from Aurora Computer Services, a U.K. based company. It’s called the Aurora Image Recognition (AIR) system and uses a camera with an infrared flash, which the company says can function in either bright or low light. It can identity a person from about three feet away. The camera verifies a person’s identity using biometric details, identifying a person in 4.7 seconds, a time that includes properly positioning a passenger, according to Aurora.

And facial recognition technology has raised privacy concerns.  Recently Connecticut Attorney General George Jepsen expressed concern that Facebook’s “Tag Suggestions” face recognition feature compromises consumer privacy, and asked for a meeting with company officials.

According to an IDG News Service story: In Facebook’s desire to promote photo sharing and tagging among its users, it appears to have overlooked a critical component of consumer privacy protection, which is an opt-in requiring users to affirmatively consent before Facebook can use those images, Jepsen wrote in a letter this week to Facebook’s director of public policy and its product and regulatory counsel.  Jepsen joins European Union (EU) regulators and consumer advocacy groups that are questioning the feature on Facebook.

The Electronic Privacy Information Center and three other advocacy groups filed a complaint asking the U.S. Federal Trade Commission to require Facebook to get affirmative opt-in consent from users before collecting and using their biometric data.



Canada to launch biometric passports by 2012 – Critics warn privacy at risk

Sep 18th, 2011 | By | Category: News

By Amy Chung, Postmedia News September 15, 2011

Some countries, such as France and Germany, implemented “ePassports” (with Empty Biometric information on their chip) five years ago to allow their citizens to travel to the U.S. under its Visa Waiver Program, which requires participating countries to have specified security measures on their passports. Canadians do not require a visa to enter the U.S. and are not subject to the program. Despite the new passport’s enhanced security features, some information security experts say the document is not necessary and can be vulnerable to privacy leaks.

The current Canadian passports will soon be replaced with a more high-tech design. Photograph by: Tom Hanson   Read more: http://www.canada.com/news/Canada+launch+biometric+passports+2012/5404109/story.html#ixzz1YHrR1K6w

 

OTTAWA — Canada’s long awaited ePassports will be ready by the end of 2012, making this country the last among G8 nations to have enhanced digital security measures on the documents.

The electronic passport program was first announced as part of the government’s National Security Policy in 2004.  Also known as a biometric passport, the document looks like the traditional book but will contain an electronic chip encoded with the bearer’s name, sex, date and place of birth, as well as a digital image of the person.

According to Passport Canada, 95 countries have issued approximately 350 million Biometric passports worldwide.

Asked why Canada was so late in bringing about the passports, Passport Canada spokeswoman Beatrice Fenelon said the agency had to repatriate overseas passport printing to Canada, which was completed in 2006, and it had to implement new facial recognition technologies.

Also, Fenelon said between 2007 and 2009, the department was flooded with increased numbers of passport applications when the U.S. Western Hemisphere Travel Initiative required Canadians to show their passports to enter the United States.

“As a result, the organization was not able to turn its full attention to the ePassport project until 2009, when planning began in earnest,” Fenelon wrote in an email.

Some countries, such as France and Germany, implemented “ePassports” (with Empty Biometric information on their chip) five years ago to allow their citizens to travel to the U.S. under its Visa Waiver Program, which requires participating countries to have specified security measures on their passports. Canadians do not require a visa to enter the U.S. and are not subject to the program. Despite the new passport’s enhanced security features, some information security experts say the document is not necessary and can be vulnerable to privacy leaks.

“After 9/11, the U.S. pressured the visa waiver countries to get (ePassports). Canada was out of that, but we were encouraged to go along with it,” said professor Andrew Clement, who coordinates the Information Policy Research Program at the University of Toronto. Clement says there has not been enough discussion to say if there are any problems with our current passport.

“With the 19 hijackers, there were a couple who had expired visas and not travelling under false documents. So it’s a bit of security theatre. So I think this was brought in for other reasons and there hasn’t been any debate if it’s a good thing or not,” said Clement. He said the facial recognition technology can allow border agents to screen your image in other databases like watch lists, creating risks of misidentification.

“It’s concerning that our everyday activity is surveyed, even if our behaviour is innocent, it could get the attention of authorities unnecessarily,” said Clement.

Postmedia News

© Copyright (c) Postmedia News

Dr. Ann Cavoukian, Information & Privacy Commissioner of Ontario, Canada



Australia: Monash Council’s debate on Bometric library scanners

Sep 14th, 2011 | By | Category: News

13 SEP 11 @ 04:48PM BY TIM MICHELL

UPDATE 8pm: MONASH Council tonight met to consider plans to use biometric scanners to monitor library staff.

The system would involve staff checking in and out of work by having their fingers scanned, rather than using timesheets.

But Australian Services Union assistant branch secretary Igor Grattan said the system was an invasion of privacy that angered library staff and councillors.

“Staff have a very real concern about what it means for their privacy and how the information will be used,” he said.

“A lot of the workers are part-time workers and casual workers … they’re worried that if they speak up they could be out of a job.”

Five Monash councillors called a special meeting for tonight to push to ban the use of the scanners.

But after a meeting lasting 10 minutes, councillors voted to consider the idea further before making a decision.

Cr Geoff Lake said he was determined to block the “draconian” technology.

“Our staff are our greatest asset and they deserve to be treated as intelligent human beings and not like cattle.”

Council chief executive David Conran said the system would not be introduced unless it was widely accepted by staff and did not compromise their security.

Mr Grattan said several questions remained unanswered about the system, but staff told the union the council wanted to start the rollout next month.

A council spokesman said Woolworths and the public sector used similar systems.

Woolworths’ Siobhan Quinn said the company had used finger scanners for about 15 years with no major issues.

Follow as Monash Council debates the issue live tonight.



UK ISP Entanet Slams Revived Plans to Monitor and Intercept your Online Comms

Sep 14th, 2011 | By | Category: News
|
By: MarkJ -  Score: 2055
isp entanet broadband uk
Communications and networking provider Entanet has today “raised concerns over the feasibility”, security and cost of the UK governments plan to expand its existing internet snoopingdata retention laws to potentially cover more than just your basic email and website access logs.At present a voluntary code already requires Internet Service Providers (ISP) to maintain a basic log of their customers email and website accesses, but not the content of your communications, for a period of between 6 and 12 months.

The UK is still working to introduce this and may now even expand such powers under its controversial £2 Billion Communications Capabilities Development Programme (CCDP), which use to be called theInterception Modernisation Programme (IMP) before it was renamed as part of a new counter-terrorism strategy (CONTEST).

Entanet’s Head of Marketing, Darren Farnden, said:“The idea of the IMP/CCDP is to collect and store all electronic communications including emails, social networking sites, website browsing histories and phone calls to help the police and, more likely, GCHQ fight cybercrime and terrorism. The problem with the IMP/CCDP is not only the huge privacy issues that it throws up but also the immense technical challenges.[We are concerned about] the feasibility of communications providers such as Entanet being required to collect and store this immense amount of data. We also raised concerns over the security of this data and how the government expects to protect it from potential hackers. Let’s face it, the Government doesn’t have the best track record in this area. We have had everything from lost laptops to website hacks in the past. Our views haven’t changed.”

The move appears to run contrary to the coalition governments own May 2010 commitment to “end the storage of internet and email records without good reason“. The European Commission (EC) has also begun to question related rules and at least one report has suggested that such measures could even be “illegal“. None of this seems to concern the current UK government.

Home Office Position on Communications DataThe UK communications market is one of the most highly competitive and technologically driven in the world. This means we now have access to many new forms of internet based communications, such as social networking sites, online role-playing games and instant messaging.Criminals use new technology to communicate with each other and to target their victims. The police need to keep up with modern communication methods to be able to investigate serious crime. This is essential in protecting public safety.

Much of our current capability is based on an era of fixed and mobile telephones and was not designed to deal with the growth in the use of the internet. With internet service providers often based abroad, and fewer communications being itemised for billing purposes, investigative capability is declining.

The Communications Capabilities Development programme was set up to look at how we can preserve communications capabilities to protect the public in the future, as internet-based communications technology becomes increasingly popular. We will legislate to ensure this is compatible with the government’s approach to civil liberties and use of communications capabilities.

Crucially the government claims that this new approach is “not about developing new, more intrusive powers“, although few appear to see it that way. It’s also important to stress that the government has yet to outline precisely what CCDP will mean for ISPs. The current documents contain no firm details, although new legislation is expected to be announced “in due course“.



Biometric: Cracks appear in Unique Identification Authority of India’s enrolment process

Sep 7th, 2011 | By | Category: News
 

NEW DELHI: The Home Ministry has identified flaws in the Biometric enrolment process followed by the Unique Identification Authority of India, citing cases where people have got UID numbers on the basis of false affidavits.

“Biometric collection is a compulsive tail-chasing – The bigger the privacy violation the more progress it makes away from its real goals”

“Biometric collection is a compulsive tail-chasing – The bigger the privacy violation the more progress it makes away from its real goals”

 

Cracks appear in Unique Biometric Identification Authority of India's enrolment process

NEW DELHI: The Home Ministry has identified flaws in the enrolment process followed by the Unique Identification Authority of India, citing cases where people have got UID numbers on the basis of false affadivits. 

In a note written to the Cabinet Committee on UIDAI headed by Prime Minister Mannohan Singh, the ministry has questioned the security of the biometric data captured by the UIDAI and pointed out uncertainties in its revenue model.

The UIDAI has sought an additional 15,000 crore to do biometric scanning of all residents of the country through its own registrars, a proposal that is being opposed by the home ministry and the planning commission, as the government has already tasked the census office with the primary responsibility of collecting biometric data of all indian residents for a National Population register card.

The data collected by the census office is supposed to be shared with the UIDAI and every NPR card will carry the UID number of the card holder. The census office is part of the home ministry and so far has collected biometric data for 30 lakh individuals.

Photo: Jonathan Torgovnik

In its comments on the UIDAI’s proposal, reviewed by ET, the home ministry has urged the Cabinet to restrict the authority’s multi-registrar model of biometric enrolment to the already decided level of 20 crore by March 2012. The UIDAI has issued 2.87 crore unique IDs by August 24.

“The home ministry, the Planning Commission and others have given their comments,” Home Minister P Chidambaram said about the UIDAI proposal for more funding on Thursday. He also said that the Cabinet Committee on UIDAI (CCUIDAI) would take a call on the overlap between the NPR and the UIDAI.

P chidambaram, India home minister

P chidambaram, India home minister

“Cases have come to light wherein enrolments were being done on the basis of affidavits which were being sold by unscrupulous persons without any verification,” the ministry has warned in a note to the CCUIDAI, stressing that UIDAI registrars enrol residents on a ‘walk-in’ basis, based on documents whose authenticity is not checked.



Hackers Forge Certificates to Break into Spy Agencies

Sep 5th, 2011 | By | Category: News

By Andreas Udo de Haes, webwereld.nl-    Sep 4, 2011 11:33 pm

 

After breaching the Dutch CA (Certification Authority) DigiNotar, Iranian hackers managed to sign forged certificates for the domains of spy agencies CIA, Mossad and MI6. Leading certification authorities like VeriSign and Thawte were also targeted, as were Iranian dissident sites.

 

The cyber attack on DigiNotar, a Dutch subsidiary of VASCO Data Security International Inc, is much more serious than previously thought. In July, hackers gained access to the network and infrastructure of several of DigiNotar’s CAs. Once inside, they generated hundreds of forged certificates for third-party domains.

With these certificates hackers can potentially syphon off user login credentials by spoofing a legitimate site, complete with a functioning but forged SSL-certificate, apparently issued by DigiNotar.

The forged certificates match domains of the U.S. Central Intelligence Agency, the Israeli secret service Mossad, and the British spy agency MI6. On top of that, the hackers created false certificates of other CA’s like VeriSign and Thawte, in an attempt to also misuse their trusted position in securing Internet communications.

Vulnerable Domains Revealed

The partial list of domains with forged certificates was published on Saturday by Gervase Markham, programmer at Mozilla. Sources close to the investigation into the DigiNotar hack have confirmed to Webwereld that the list is authentic. Chrome engineer Adam Langley also told Webwereld Google has the same list.

Later, the Dutch public broadcaster NOS published the full list of over fifty domains for which false certificates were issued. Among them are Google, Yahoo, Microsoft and Skype, as well as numerous sites popular among Iranian dissidents. The cyber attackers even created fake certificates with messages praising the Iranian Revolutionary Guard, NOS reported.

It’s still unknown how successful the hackers have been in harvesting logins and spying on e-mail and chat messages. Most certificates have either elapsed or were revoked after DigiNotar discovered the breach in mid July.

Chris Soghoian, security and privacy researcher at Indiana University and Graduate Fellow at the Center for Applied Cybersecurity Research, said the list is a “very interesting set of sites.” However, he’s skeptical that the hackers could have penetrated into the networks of the spy agencies with the forged certificates.

“Actually I think the secret service domains are the least alarming part. It’s sexy, and will probably lead to a lot of questions and interest from government agencies. Of course, nobody wants to get caught with their pants down, but there’s really no classified information on these domains. Those are on separate, secured internal networks. So the practical security impact of the Iranian government getting a certificate for the CIA is nill. It’s really just very embarrassing, that’s all,” said Soghoian in an interview with Webwereld.

Still, the cyber hack at DigiNotar has a very high profile. “What is alarming is that they forged certificates for other CA’s, like VeriSign and Thawte. But the most problematic are sites like Google and Facebook. And also Walla, which is one the biggest mail providers in Israel.” Through forged SSL certificates of these sites the Iranian regime would be able to syphon the accounts and online communications of countless people, explained Soghoian.

Sites Block Access

Google has already updated its Chrome browser so it blocks access to any site which uses a DigiNotar certificate. Mozilla and Microsoft are expected to issue patches for their browsers soon. The Microsoft Security Response team tweeted earlier: “We’re in the process of moving all DigiNotar CAs to the Untrusted Root Store which will deny access to any website using DigiNotar CAs.”

This means hundreds of Dutch government sites will become inaccessible by browsers over the coming days if the agencies don’t switch to another certificate issuer in time.

Last week, Dutch security company Fox-IT carried out a forensic examination of the cyber hack at DigiNotar. The preliminary results prompted the government in The Hague to go into crisis mode, putting in effect an immediate stop to any DigiNotar services, and taking over the operational management of the DigiNotar Certification Authority.

The report on this investigation will be sent to the Parliament and made public on Monday.

DigiNotar did not respond to a request to comment on this story.

 



Germany says “nein” to full-body scanners

Sep 4th, 2011 | By | Category: News

Germany has decided against deploying full-body scanners at German airports; after a 10-month trial, in which 1,280,000 passengers were scanned, the government said that the false alarm rate was just too high

Published 2 September 2011


Germany has decided against deploying full-body scanners at German airports; after a 10-month trial, in which 1,280,000 passengers were scanned, the government said that the false alarm rate was just too high

After trials which lasted ten month, the German government has decided against deploying full-body scanners at German airports.

The German Interior Ministry said that “the technology is not mature enough for the available equipment to be used in practice” and that it will therefore not be installed at the county’s airports “for the time being.”

The ministry spokesperson said that the agencies responsible for airport security were leaning toward supporting the use of body scanners to “improve efficiency and effectiveness of air transport security checks,” but that the trials showed that there were “too many” false alarms.

FlightGlobal quotes sources in the German federal police as saying that the false alarm rate was “significantly higher than 50 percent.”

There were also concerns about the health effects of backscatter X-ray scanners, so the system tested used millimeter wave technology.

The test was conducted at the Hamburg Airport from September 2010 to July 2011, and involved scanning 1,289,000 passengers.

 



Parties Divided Over Procurement Process For Biometric Register

Sep 1st, 2011 | By | Category: News

You may not comment or ask questions…. Ghanaian politicians, demo for Biometric voting system…

Source: Donald Ato Dapatem - Daily Graphic
General News1 day ago

The Electoral Commission (EC) and two political parties were yesterday sharply divided over the procurement process and selection of a vendor for the supply of equipment for the intended biometric voters registration.

Dr Kwadwo Afari Djan - Chairman of Electoral Commission

Dr Kwadwo Afari Djan - Chairman of Electoral Commission

While the representatives of the New Patriotic Party (NPP) and People’s National Convention (PNC) took issue with legality of the procurement process, the EC maintained that the process for selection of a supplier was within the ambit of the law.

However, the National Democratic Congress (NDC) was of the view that its representative was invited to observe a demonstration exercise by companies shorted-listed for the biometric voters registration and not to make comments, contributions and arguments.

It all began when the EC extended invitation to the political parties to observe demonstration by companies short listed for the biometric voters registration, note down points of concern and make observation for discussion at the next Inter Party Advisory Committee (IPAC) forum.

Dr Matthew Opoku Prempeh and Mr Bernard Mornah, representatives of the NPP and PNC respectively, who arrived at the demonstration grounds at the EC offices in Accra when the process had already begun, were requested to sign a code that they would not talk, question or make comment but only observe and make notes, a situation they described as an affront to their constitutional rights to seek information.

Before the demonstration could end, the two representatives challenged the legality of the entire process because, according to them, the EC had informed them that one of the companies which was disqualified had taken the issue to the Public Procurement Authority which had also ordered EC to stop the procurement process until the apparent irregularities were resolved.

However, Mr David Adenze Kangah, Deputy EC Chairman, said the EC was going on with the process despite the intervention of the Public Procurement Authority because under the Procurement Law, organisations like the EC could proceed with such process if the process was of major national importance and time bound.

Apparently not satisfied with the arguments of the EC, the representatives of the NPP and PNC staged a walkout but Mr Hamid Girdo, the Electoral Advisor on Electoral Issues for the NDC and representatives from the Democratic Freedom Party (DFP) and the EGLE stayed throughout the observation period because that was what the letter inviting them stated.

Mr Girdo said he and his colleagues from the DFP and the EGLE stayed because they were made aware that only two companies which were shortlisted were making the demonstration after which the one that met the requirement would be selected.

Therefore, he said, there was no need to make comment at such a gathering and that they were aware that they would have the opportunity at an IPAC forum to express their views, concerns and make comments.

Explaining to the Daily Graphic, Mr David Adenze Kangah noted that the political parties were never invited to any meeting but to only observe the demonstration by companies shortlisted and note down points of concern, contributions and other observations for discussion in the next Inter Party Advisory Committee (IPAC) forum.

Expatiating further, Mr Mornah said after turning a deaf ear to the persistent calls for an urgent IPAC forum on the intended biometric registration from both the PNC and the NPP, the EC on Monday wrote to the parties to participate in the observations of the process the following day.

He said to their surprise, when they got to the EC premises they were asked to sign a code that they would not talk, question or make any comment but only observe and make notes, a situation he described as an affront to his constitutional right to seek information.

He said although the political parties were not part of and would not be interested in participating in the procurement process, as major stakeholders in the electoral process they had to ensure that there was proper improvement in the biometric process.

Dr Opoku-Prempeh explained on an Accra radio station that while the political parties would not want to be part of the procurement processes by the EC, their views must be heard in the selection and undertaking of the biometric registration process.

“I would rather walk out and go and tell my party that the EC is taking this country down a path that may not be well for us,” he said.


 




Expert warns facial biometrics could compromise privacy

Aug 31st, 2011 | By | Category: News

As facial biometric technology becomes increasingly ubiquitous, IT experts warn that these systems can easily be abused and therefore require stringent privacy policies and data encryption

Published 30 August 2011

 

As facial biometric technology becomes increasingly ubiquitous, IT experts warn that these systems can easily be abused and therefore require stringent privacy policies and data encryption.

In an interview with Information Security Media Group, Beth Givens, the founder and director of the Privacy Rights Clearinghouse, cautioned that organizations using biometric facial solutions should encrypt their data.

“If they back up those applications with good, solid privacy policies and practices, they’ll be in good shape,” she said.

Givens explained that a major problem with facial recognition technology is the chance that sensitive information could be compromised. As evidence, Givens pointed to a Carnegie Mellon University study where researchers used only a photo of a person’s face and publicly available information to track down that individual’s birth date, personal interests, and Social Security number.

“To me, that’s astounding,” Givens said. “There are many places where you can get a person’s birth date; in fact, that’s public information. But being able to link it to a Social Security number as well as personal interest is another matter entirely, that takes it to an all new level.”

To help protect against the loss of sensitive data, Givens encouraged organizations to investigate biometric encryption.

 



Mohammed Garba heads presidential election tribunal

Aug 30th, 2011 | By | Category: News

….access to INEC’s biometric data will compromise national security. He referred to the case of INEC vs AC 2009, 2NWLR, part 1126, p.524 at 618, which he said makes the privacy of the voter sacrosanct.

 

BY GOWON EMAKPE

August 29, 2011 10:48PM

 

 

 

Following the suspension of Ayo Salami as President of the Court of Appeal, another judge of the court, Garba Mohammed, on Monday presided over the Presidential Election Petition Tribunal.

At the resumed hearing of the tribunal yesterday, Mr Mohammed, who assumed the role of the presiding chairman of the tribunal, adjourned indefinitely ruling on the application by the Congress for Progressive Change (CPC), asking it to enter judgment in its favour over alleged failure of the Independent National Electoral Commission (INEC) to allow it unfettered access to ballot papers and other electoral materials used in the April presidential election.

The CPC is seeking to be declared winner of the April 16, 2011 presidential election, following the alleged refusal of INEC to grant the party access to sensitive electoral materials, in order to substantiate their allegation that the election was rigged in favour of President Goodluck Jonathan.

At the hearing yesterday, counsel to CPC, Oladipo Okpoyesi, asked the tribunal to enter judgment in its favour over INEC’s failure to comply with the tribunal’s directive to grant the party access to electoral materials.

But in INEC’s counter affidavit, the commission said if the CPC were allowed access to the database, it would technically contravene the rights of the voters under the provisions of the Electoral Act and the Nigerian Constitution as a whole.

Also in opposition, counsel to Mr Jonathan and Namadi Sambo, Alex Izinyon, and counsel to the Peoples Democratic Party (PDP), Joe Gadzama, insisted that the order of court was “for simplicita access, and not opening of software”. Mr Izinyon cited Section 125 (3) of the Electoral Act and paragraph 42 (5b) of the first schedule to the Act, to buttress the fact that access to INEC’s biometric data will compromise national security. He referred to the case of INEC vs AC 2009, 2NWLR, part 1126, p.524 at 618, which he said makes the privacy of the voter sacrosanct.

No judgement in sight

Mr Salami, the suspended chairman of the tribunal, had granted an order compelling INEC to allow the CPC and their forensic experts to have access to all electoral materials to analyse and examine all relevant documents relating to the April presidential poll. The tribunal also ordered INEC to provide CPC with the list of local contractors engaged by the commission to print ballot papers used in the presidential election.

The CPC filed a petition at the tribunal to challenge the result of the April presidential poll, alleging irregularities and non-compliance with the 2010 electoral act. The party is contesting the result of the election in about 20 states of the federation and are to call 151 witnesses to prove its case.

Joined as defendants in the suit are the Independent National Electoral Commission (INEC), 1st defendant; chairman of INEC, Attahiru Jega (2nd defendant); winner of the election and Nigerian president, Goodluck Jonathan (3rd defendant); his deputy, Namadi Sambo (4th defendant); the Peoples Democratic Party (5th defendant) and the Resident Electoral Commissioners for the 36 states, including the Federal Capital Territory, (6th-42nd respondents).

Having listened to submissions by the counsels, Mr Mohammed, who led other three Justices, said “ruling on the motion is hereby reserved and would be delivered on a date to be communicated to counsel.”

 



India: The Unique Biometric Identification project is a mission of surpassing ambition

Aug 30th, 2011 | By | Category: News

The Indian Express

Tue Aug 30 2011, 03:51 hrs

The Unique Identification project is a mission of surpassing ambition — it aims to provide every Indian citizen a unique 12-digit number that can be used to call up basic demographic and identity information through biometric scans. The government sees it as giving every Indian an acknowledged existence, ensuring that no one is locked out of social entitlements for the lack of a scrap of official paper. It hopes to ensure sharper targeting of welfare programmes, minimise leakages and collapse the many cumbersome IDs currently in use, into a single number. Critics of the project have focused on the privacy hazards and surveillance possibilities of the scheme. The UIDAI’s rationale has been that the clear benefits outweigh potential dangers to privacy, which can, in any case, be averted by strong safeguards.

However, the philosophical battle apart, the UID has a more concrete cost-benefit analysis to contend with. The project’s cost has escalated many times since it was first conceived in February 2009. A single UID, earlier estimated to cost around Rs 31 per person, may now end up in the Rs 400-500 territory. First, the finance ministry balked at the new levels of spending — partly data compilation costs, from designated registrars — and suggested the UID mesh its efforts with the national census wherever possible. It also wants to trim the biometric technology costs — the iris scan has nearly tripled the UID’s price tag. While the UID defends its choices, and says the high volume of iris devices and software demanded by India will bring the price down, others in the Planning Commission claim the iris scan was intended as an extra measure to prevent duplication, not thrown in with every ID. These are not arguments to be settled on notions, and it would be timely for the UID to make a persuasive case for its choice. The Planning Commission has also expressed its concern about the UID’s registrar system (which includes public and private companies), asking for clear lines of responsibility and supervision. The UIDAI had even suggested a cash incentive for some of these registrars, a plan that met with serious objection

 

 



Massive Biometric Project Gives Millions of Indians an ID

Aug 29th, 2011 | By | Category: News

More than 16 million Indians’ people have since been enrolled, and the pace is accelerating. By the end of 2011, the agency expects to be signing up, 1 million Indians a day, and by 2014, it should have 600 million people in its database. It takes about 10 minutes to enter someone into the Aadhaar database. A single UID, earlier estimated to cost around Rs 31 per person, may now end up in the Rs 400-500 territory. The reason: in one hour there are only 60 minutes it is 6 people per hour the “mission” is to provide 1 million ID’s per 24 hours… all that efforts just to create a USELESS invasive Biometric’s  collection on a “national database”…. India is a democratic country… with democratic privacy laws (!!!???)… {Innovya}

  • By Vince Beiser
  • August 19, 2011  |
  • 1:27 pm  |
  • Wired September 2011
  • 

    In India, hundreds of millions of impoverished people have no ID—which means no bank account, credit, insurance, or government aid. Photo: Jonathan Torgovnik; Fingerprints: Getty

    In India, hundreds of millions of impoverished people have no ID—which means no bank account, credit, insurance, or government aid. Photo: Jonathan Torgovnik; Fingerprints: Getty

 

The courtyard, just off a busy street in a Delhi slum called Mongolpuri, is buzzing with people—men in plastic sandals arguing with one another, women in saris holding babies on their hips, skinny young guys chattering on cheap cell phones. New arrivals take up positions at the end of a long queue leading to the gated entry of a low cement building. Every so often, a worker opens the gate briefly and people elbow their way inside onto a dimly lit stairway, four or five on each step. Slowly they work their way upward to a second-story landing, where they are stopped again by a steel grille.

After a long wait, a lean woman in a sequined red sari, three children in tow, has finally made it to the head of the line. Her name is Kiran; like many poor Indians, she uses just one name. She and her school-age brood stare curiously through the grille at the people and machines on the other side. Eventually, an unsmiling man in a collared shirt lets them into the big open room. People crowd around mismatched tables scattered with computers, printers, and scanners. Bedsheets nailed up over the windows filter the sun but not the racket of diesel buses and clattering bicycles outside. Kiran glances at the brightly colored posters in Hindi and English on the walls. They don’t tell her much, though, since she can’t read.

A neatly dressed middle-aged man leads the children to a nearby table, and a brisk young woman in a green skirt sits Kiran down at another. The young woman takes her own seat in front of a Samsung laptop, picks up a slim gray plastic box from the cluttered tabletop, and shows Kiran how to look into the opening at one end. Kiran puts it up to her face and for a moment sees nothing but blackness. Then suddenly two bright circles of light flare out. Kiran’s eyes, blinking and uncertain, appear on the laptop screen, magnified tenfold. Click. The oversize eyes freeze on the screen. Kiran’s irises have just been captured.

Kiran has never touched or even seen a real computer, let alone an iris scanner. She thinks she’s 32, but she’s not sure exactly when she was born. Kiran has no birth certificate, or ID of any kind for that matter—no driver’s license, no voting card, nothing at all to document her existence. Eight years ago, she left her home in a destitute farming village and wound up here in Mongolpuri, a teeming warren of shabby apartment blocks and tarp-roofed shanties where grimy barefoot children, cargo bicycles, haggard dogs, goats, and cows jostle through narrow, trash-filled streets. Kiran earns about $1.50 a day sorting cast-off clothing for recycling. In short, she’s just another of India’s vast legions of anonymous poor.

Now, for the first time, her government is taking note of her. Kiran and her children are having their personal information recorded in an official database—not just any official database, but one of the biggest the world has ever seen. They are the latest among millions of enrollees in India’s Unique Identification project, also known as Aadhaar, which means “the foundation” in several Indian languages. Its goal is to issue identification numbers linked to the fingerprints and iris scans of every single person in India.

That’s more than 1.2 billion people—everyone from Himalayan mountain villagers to Bangalorean call-center workers, from Rajasthani desert nomads to Mumbai street beggars—speaking more than 300 languages and dialects. The biometrics and the Aadhaar identification number will serve as a verifiable, portable, all but unfakable national ID. It is by far the biggest and most technologically complicated biometrics program ever attempted.

Aadhaar faces titanic physical and technical challenges: reaching millions of illiterate Indians who have never seen a computer, persuading them to have their irises scanned, ensuring that their information is accurate, and safeguarding the resulting ocean of data. This is India, after all—a country notorious for corruption and for failing to complete major public projects. And the whole idea horrifies civil libertarians. But if Aadhaar’s organizers pull it off, the initiative could boost the fortunes of India’s poorest citizens and turbocharge the already booming national economy.

It takes about 10 minutes to enter someone into the Aadhaar database. Photo: Jonathan Torgovnikf

It takes about 10 minutes to enter someone into the Aadhaar database. Photo: Jonathan Torgovnik

 

 

It takes about 10 minutes to enter someone into the Aadhaar database.
Photo: Jonathan Torgovnik

The Indian government has tried to implement national identity schemes before but has never managed to reach much more than a fraction of the population. So when parliament set up the Unique Identification Authority of India in 2009 to try again with a biometrically based system, it borrowed a trick used by corporations all over the world: Go to an outsourcer. The government tapped billionaire Nandan Nilekani, the “Bill Gates of Bangalore.”

Nilekani is about as close to a national hero as a former software engineer can get. He cofounded outsourcing colossus Infosys in 1981 and helped build it from a seven-man startup into a $6.4 billion behemoth that employs more than 130,000 people. After stepping down from the CEO job in 2007, Nilekani turned most of his energy to public service projects, working on government commissions to improve welfare services and e-governance. He’s a Davos-attending, TED-talk-giving, best-seller-authoring member of the global elite, pegged by Time magazine in 2009 as one of the world’s 100 most influential people. This is the guy who suggested to golf buddy Thomas Friedman that the world was getting flat. “Our government undertakes a lot of initiatives, but not all of them work,” says B. B. Nanawati, a career federal civil servant who heads the program’s technology-procurement department. “But this one is likely to work because of Chairman Nilekani’s involvement. We believe he can make this happen.”

The Unique Identification Authority’s headquarters occupies a couple of floors in a hulking tower complex of red stone and mirrored glass on Connaught Place, the bustling center of Delhi. As chair of the project, Nilekani now holds a cabinet-level rank, but his shop looks more like a startup than a government ministry. When I show up in February, the walls of the reception area are still bare drywall, and the wiring and air-conditioning ducts have yet to be hidden behind ceiling tiles. Plastic-wrapped chairs are corralled in unassigned offices.

“I took this job because it’s a project with great potential to have an impact,” Nilekani says in his spacious office, decorated with only a collection of plaques and awards and an electric flytrap glowing purple in a corner. He’s a medium-size man of 56 with bushy salt-and-pepper hair and a matching mustache. His heavy eyebrows and lips and protuberant brown eyes give him a slightly baleful look, like the villain in a comic opera. “One basic problem is people not having an acknowledged existence by the state and so not being able to access things they’re entitled to. Making the poor, the marginalized, the homeless part of the system is a huge benefit.”

Aadhaar is a key piece of the Indian government’s campaign for “financial inclusion.” Today, there are as many as 400 million Indians who, like Kiran, have no official ID of any kind. And if you can’t prove who you are, you can’t access government programs, can’t get a bank account, a loan, or insurance. You’re pretty much locked out of the formal economy.

Today, less than half of Indian households have a bank account. The rest are “unbanked,” stuck stashing whatever savings they have under the mattress. That means the money isn’t gaining interest, either for its owner or for a bank, which could be loaning it out. India’s impoverished don’t have much to save—but there are hundreds of millions of them. If they each put just $10 into a bank account, that would add billions in new capital to the financial system.

To help make that happen, Nilekani has recruited ethnic Indian tech stars from around the world, including the cofounder of Snapfish and top engineers from Google and Intel. With that private-sector expertise on board, the agency has far outpaced the Indian government’s usual leisurely rate of action. Aadhaar launched last September, just 14 months after Nilekani took the job, and officials armed with iris and fingerprint scanners, digital cameras, and laptops began registering the first few villagers and Delhi slum dwellers. More than 16 million people have since been enrolled, and the pace is accelerating. By the end of 2011, the agency expects to be signing up 1 million Indians a day, and by 2014, it should have 600 million people in its database.

More than 1.2 billion indians will be in the system—the biggest biometrics database on earth. Photos: Jonathan Torgovnik

More than 1.2 billion indians will be in the system—the biggest biometrics database on earth. Photos: Jonathan Torgovnik

 

 

More than 1.2 billion indians will be in the system—the biggest biometrics database on earth.
Photos: Jonathan Torgovnik

The village of Gagenahalli sits amid a placid quilt of green millet and tomato fields in the hinterlands of Karnataka state, some 1,300 miles south of Delhi. Bulls with tassels on their horns pull wooden carts decorated with deities and demons past tiny, cheerily painted houses of dried mud. Old men and skinny cows lounge in the shade of baobab trees. It’s a lovely place to visit but a hard place to live. Many of Gagenahalli’s 8,500 residents are landless peasants, and about three-quarters subsist below India’s official poverty line, earning less than a dollar a day.

Most Indians still live in rural hamlets like this, so getting them enrolled in Aadhaar requires some creativity. One evening not long ago, a man walked through Gagenahalli’s red-dirt streets beating a drum and calling the villagers to gather outside—the traditional way to make public announcements. He explained that the government wanted everyone to visit the village schoolhouse in the weeks ahead to be photographed.

A few days later, Shivanna, a stringy 55-year-old farmer—again, with just the one name—presents himself in a cement classroom commandeered by the agency. He doesn’t know what it’s all about, nor is he particularly interested. “When the government asks to take your picture, you just go and do it,” he shrugs. Shivanna takes a worn plastic chair at one of the four enrollment stations set up about the room. All the computer gear and the single bare lightbulb are plugged into a stack of car batteries and kerosene-powered generators—the village gets only a few hours of electricity a day from the national grid.

A young man in a polo shirt records Shivanna’s personal information in a form on his laptop. It’s bare-bones stuff: name, address, age, gender (including the option of transgender). He has Shivanna look into a camera mounted on the laptop. Once the Aadhaar software tells him he’s got Shivanna’s full face in the frame and enough light, he snaps the picture. The program runs similar quality checks on the agent’s work as Shivanna looks into the iris scanner and then puts his fingers on the glowing green glass of the fingerprint scanner. “We had to dumb it down so that anyone could learn to use the software,” says Srikanth Nadhamuni, Aadhaar’s head of technology, as he watches the scan progress.

About 100 miles east of Gagenahalli is Bangalore, the center of India’s booming IT industry. In one of its southern suburbs, across a busy street from Cisco’s in-country headquarters, sits the office building housing Aadhaar’s Central ID Repository. The information collected from Shivanna the farmer, Kiran the rag sorter, and every other person enrolled in the Aadhaar system gets sent here, electronically or via couriered hard drive.

This is Nadhamuni’s domain. He’s a trim, energetic, half-bald engineer with geek-chic rectangular glasses. His English is full of the awesomes and likes that he picked up in Silicon Valley, where he worked for 14 years. In 2002, he, his engineer wife, and their two kids returned to India, and a year later he and Nilekani launched a nonprofit dedicated to digitizing government functions. Nilekani even kicked the organization a few million dollars.

Some of the projects that Nadhamuni worked on—computerizing birth and death records, improving the tracking of schoolkids in migrant worker families—impressed upon him how much India needed a central identity system. When Nilekani asked him to be point man for the task of wrangling Aadhaar’s data, Nadhamuni says, “I was, like, delighted.”

The offices, like the identity program’s Delhi headquarters, are still under construction. When I tour them, rolls of carpet tied with string are stacked along a wall, and workers’ bare feet have left plaster-dust prints in a corridor leading to an unfinished meeting room. The rows of cubicles that will eventually accommodate roughly 400 workers are only about half full. The wall intended for a dozen video monitors showing incoming data packets is, for now, empty.

Getting the poor into the system is a huge benefit, says Nandan Nilekani. Photo: Jonathan Torgovnik

Getting the poor into the system is a huge benefit, says Nandan Nilekani. Photo: Jonathan Torgovnik

 

 

Getting the poor into the system is a huge benefit, says Nandan Nilekani.
Photo: Jonathan Torgovnik

Each individual record is between 4 and 8 megabytes; add in a pile of quality-control information and the database will ultimately hold in the neighborhood of 20 petabytes—that is, 2 x 1016 bytes. That will make it 128 times the size of the biggest biometrics database in the world today: the Department of Homeland Security’s set of fingerprints and photos of 129 million people.

The unprecedented scale of Aadhaar’s data will make managing it extraordinarily difficult. One of Nadhamuni’s most important tasks is de-duplication, ensuring that each record in the database is matched to one and only one person. That’s crucial to keep scammers from enrolling multiple times under different names to double-dip on their benefits. To guard against that, the agency needs to check all 10 fingers and both irises of each person against those of everyone else. In a few years, when the database contains 600 million people and is taking in 1 million more per day, Nadhamuni says, they’ll need to run about 14 billion matches per second. “That’s enormous,” he says.

Coping with that load takes more than just adding extra servers. Even Nadhamuni isn’t sure how big the ultimate server farm will be. He isn’t even totally sure how to work it yet. “Technology doesn’t scale that elegantly,” he says. “The problems you have at 100 million are different from problems you have at 500 million.” And Aadhaar won’t know what those problems are until they show up. As the system grows, different components slow down in different ways. There might be programming flaws that delay each request by an amount too tiny to notice when you’re running a small number of queries—but when you get into the millions, those tiny delays add up to a major issue. When the system was first activated, Nadhamuni says, he and his team were querying their database, created with the ubiquitous software MySQL, about 5,000 times a day and getting answers back in a fraction of a second. But when they leaped up to 20,000 queries, the lag time rose dramatically. The engineers eventually figured out that they needed to run more copies of MySQL in parallel; software, not hardware, was the bottleneck. “It’s like you’ve got a car with a Hyundai engine, and up to 30 miles per hour it does fine,” Nadhamuni says. “But when you go faster, the nuts and bolts fall off and you go, whoa, I need a Ferrari engine. But for us, it’s not like there are a dozen engines and we can just pick the fastest one. We are building these engines as we go along.”

Using both fingerprints and irises, of course, makes the task tremendously more complex. But irises are useful to identify the millions of adult Indians whose finger pads have been worn smooth by years of manual labor, and for children under 16, whose fingerprints are still developing. Identifying someone by their fingerprints works only about 95 percent of the time, says R. S. Sharma, the agency’s director general. Using prints plus irises boosts the rate to 99 percent.

That 1 percent error rate sounds pretty good until you consider that in India it means 12 million people could end up with faulty records. And given the fallibility of little-educated technicians in a poor country, the number could be even higher. A small MIT study of data entry on electronic forms by Indian health care workers found an error rate of 4.2 percent. In fact, at one point during my visit to Gagenahalli, Nadhamuni shows me the receipt given to a woman after her enrollment; I point out that it lists her as a man. A tad flustered, Nadhamuni assures me that there are procedures for people to get their records corrected. “Perfect solutions don’t exist,” Nilekani says, “but this is a substantial improvement over the way things are now.”

For the past year or so, Mohammed Alam, 24, has spent his nights in a charity-run Delhi “night shelter” for the homeless. Inside the weathered cement building, nearly 100 men and one 3-year-old boy in various states of dishevelment sprawl on worn cotton mats in a gloomy open room. A bloody Bollywood action movie flickers on a small TV sitting on a folding table in a corner. The stench of ammonia wafts from the group bathroom across the foyer.

Alam looks markedly healthier than most of his compeers, his glossy black hair elaborately gelled and his teal shirt and jeans spotless. He left his home in Lucknow because of family problems he’d rather not specify and has been getting by in the capital ever since, doing odd labor jobs. In a good month, he pulls in about $50. That makes it hard to afford his own place to live. But the Unique Identification Authority came to enroll the shelter’s inhabitants a few weeks ago, and Alam just received a letter from the authority with his randomly generated 12-digit Aadhaar number.

The authority doesn’t issue cards or formal identity documents. Once enrolled, each person’s eyeballs and fingertips are all they need to prove who they are—in theory, anyway. For now Alam keeps the folded-up letter in his pocket. It serves as ID when the police stop him, he says. But more important, he just used it to open a bank account. “I tend to spend more money when it’s on me,” he says.

Local grocers could act as banks, doling out cash and accepting deposits for a small fee.

That’s exactly the kind of thinking Nilekani is counting on. One of his first major coups was persuading India’s central bank to declare the Aadhaar number adequate identification to issue no-frills accounts. Bringing biometrically verified banking to the poor could lead to enormous savings in government benefit programs—for both the recipients and the state. Today, a pensioner in a village like Gagenahalli has to take a bus to the nearest town to collect his monthly payment in cash. That’s time and money lost for him. Meanwhile, more than 40 percent of the government’s $250 billion in subsidies and other spending on the poor will be siphoned off by scammers over the next five years, according to investment group CLSA. Both problems could largely be solved if instead the funds were sent straight to bank accounts held by biometrically verified recipients. “It’s like having 1.2 billion pipes through which you can send the benefits directly,” Sharma says. Connecting the poor to banks could also enable some of them to get loans to start businesses or pay for their children’s education.

Banks, however, are in short supply in the countryside, where most Indians live; the one nearest to Gagenahalli is 7 miles away. That’s one reason only 47 percent of Indian households have bank accounts (compared with 92 percent in the US). So Indian financial institutions have begun introducing “business correspondents” into bankless areas, essentially deputizing some shopkeeper or other trusted local who has access to a little cash to handle villagers’ tiny deposits and withdrawals. Here’s how it’s supposed to work: Say Shivanna wants 50 rupees from his savings account. Instead of schlepping miles to an actual bank, he goes to the little kiosk down the road from his house. The guy in the kiosk scans Shivanna’s fingerprints with an inexpensive handheld machine. (There are several on the market already; other similar gadgets—and even cell phone apps—that scan irises are in the works.) Then he transmits the image via cellular network to the tech hub in Bangalore and gets a simple confirmation-of-identity message. (The same process works for deposits.) Once Shivanna’s identity is validated, the kiosk guy gives him his cash or deposit receipt, minus a small commission. Shivanna’s bank reimburses the kiosk guy. Shivanna saves time and money, the kiosk guy makes a little profit, the bank gets more capital, and the rising tide lifts all boats.

Many Indians' finger pads have been worn smooth by years of manual labor. Photo: Jonathan Torgovnik

Many Indians' finger pads have been worn smooth by years of manual labor. Photo: Jonathan Torgovnik

 

 

Many Indians’ finger pads have been worn smooth by years of manual labor.
Photo: Jonathan Torgovnik

In practice, of course, all kinds of things might go wrong. “Some iris scanners can be fooled by a high-quality photo pasted onto a contact lens,” says a senior exec from a biometrics-equipment maker working on the project. Fingerprints can be lifted from almost anything you touch, and a laser-printer reproduction of one will have tiny ridges of ink that may fool scanners. Or a corrupt Aadhaar worker could pair a scammer’s name with someone else’s biometrics. The system is being built with open architecture so other agencies and businesses can add their own applications. The idea is to make Aadhaar a platform for all kinds of purposes beyond government benefits and banking, much like a smartphone is a platform for more than making phone calls. In January, the Indian Department of Communications declared Aadhaar numbers to be adequate ID to get a mobile phone. It’s easy to imagine the numbers being used to authenticate airline passengers, track students, improve land ownership records, and make health records portable. But opening up the Aadhaar system so widely makes it vulnerable. Each record is encrypted on the enroller’s hard drive as soon as it’s completed, and the central database will have state-of-the-art safeguards. Still, Sharma acknowledges, “there’s no lock in the world that can’t be broken.”

Anyway, Nadhamuni points out, credit card numbers are stolen all the time, but everyone still uses them because the card companies have come up with enough ways to spot when they’re being used fraudulently. In the big scheme of things, credit card fraud is a relatively small problem compared with the gigantic benefit of being able, say, to buy stuff online. He believes the same calculus will hold for Aadhaar. And if Aadhaar data is stolen, they have countermeasures to deal with it.

There’s also the question of whether India’s cell phone network, which will carry the bulk of the verification requests, can handle such a load. “We expect to be getting 100 million requests per day in a few years,” Nadhamuni says. “And the authentication needs to happen fast. The answer needs to come back in maybe five seconds.” Partly to meet that demand, the federal government is investing billions to massively expand the nation’s broadband capacity. “It’s not there yet,” Nilekani says. “But if someone had told you 10 years ago that there would be 700 million mobile phones in this country today, you’d say he was smoking something.”

The technological problems may pale compared to the potential civil liberties issues. Anti-Aadhaar protesters showed up at Nilekani’s January speech at the National Institute of Advanced Studies. Several anti-Aadhaar websites have sprung up. And members of parliament and prominent intellectuals have criticized the whole idea. (A Christian sect even denounced it as a cover for introducing the number of the Beast.)

Technically, Aadhaar is voluntary. No one is obligated to get scanned into the system. But that’s like saying no American is obligated to get a Social Security number. In practice, once the Aadhaar system really takes hold, it will be extremely difficult for anyone to function without being part of it. “I find it obnoxious and frightening,” says Aruna Roy, one of India’s most respected advocates for the poor (and, like Nilekani, one of Time’s 100 most influential people). India, she points out, is a country where people have many times been targeted for discrimination and violence because of their religion or caste.

Earlier this year, privacy concerns scuttled an effort to give every citizen of the United Kingdom a biometric ID card, and similar worries have slowed ID plans in Canada and Australia. “But the intentions were very different. It comes more from a security and surveillance perspective,” Nilekani says. “Many of these countries already have ID. In our situation, our whole focus is on delivering benefits to people. It’s all about making your life easier.”

The Unique Identification Authority is very deliberately not collecting information on anyone’s race or caste. But local governments and other agencies subcontracted to collect data are permitted to ask questions about race or caste and link the information they harvest to the respondent’s Aadhaar number. In Gagenahalli, for instance, agents asked villagers several extra questions about their economic conditions that the Karnataka state government requested. “I haven’t seen any agencies asking for caste or religion, but the fact that they can seems problematic,” admits a midlevel Aadhaar official who asked to remain anonymous. And while the agency has pledged not to share its data with security services or other government agencies, “if they want to, they can,” says Delhi human rights lawyer Usha Ramanathan. “All that information is in the hands of the state.” It’s not an unreasonable concern; in the wake of the Mumbai terror attacks, security is a major preoccupation in India. Armed guards, x-ray machines, and metal detectors are standard features at the entrances of big hotels, shopping centers, and even Delhi subway stations. Police officials have told Indian newspapers that they would love to use Aadhaar numbers to help catch criminals. And, in fact, some of the agency’s own publicly available planning documents mention the system’s potential usefulness for security functions. “We would share data for national security purposes,” Nilekani admits. “But there will be processes for that so you have checks and balances.” Every official I speak with, from Nilekani on down, seems impatient when I bring up this issue. They breezily remind me that there’s an electronic data privacy bill before parliament—as though the mere fact that the government is thinking about the issue is enough.

For supporters, the bottom line is simple: The upsides beat the downsides. “Any new technology has potential risks,” Nilekani says. “Your mobile phone can be tapped and tracked. One could argue we already have a surveillance state because of that. But does that mean we should stop making mobile phones? When you have hundreds of millions of people who are not getting access to basic services, isn’t that more important than some imagined risk?”

Indeed, Kiran, the mother of three at the Mongolpuri enrollment station, actively wants the government to have a record of her and her children. She’s a bit mystified when I ask if the idea worries her. If you’ve never read a newspaper, let alone fretted over your Facebook privacy settings, the question of whether the government might abuse your digital data must seem pretty abstract—especially when you compare it with the benefits the government is offering.

The first thing Kiran plans to use her Aadhaar number for, she says, is to obtain a city government card that will entitle her to subsidized groceries. “I’ve tried very hard to get one before, but they wouldn’t give it to me because I couldn’t prove I live in Delhi,” she says. Having that proof will take some other stress off her mind, too. She’s constantly afraid the police will order non-Delhi residents to leave the overcrowded slum, but now she has something to show them if they do.

Her three children come running up, fresh from having their own irises scanned. They’re excitedly waving their receipts for the numbers that will be attached to them for the rest of their lives. “It was fun!” 7-year-old Sadar says. “It wasn’t scary at all.”

Vince Beiser (@vincelbwrote about activists combating Chinese online censorship in issue 18.11.