When I opposed Aadhaar in 2010, I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one? Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win. -Mahatma Gandhi

In matters of conscience, the law of the majority has no place. Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty -Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.” -A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholar Usha Ramanathan describes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence.
Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant. Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Sabha, April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty” and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” - Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the #BreakAadhaarChains campaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uid and @rozi_roti.

UIDAI's security seems to be founded on four time tested pillars of security idiocy

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Monday, January 15, 2018

12679 - Aadhaar Articles Dated 15th January 2018

Economic Times
In order to provide more choice to citizens authenticating using Aadhaar, the Unique Identification Authority of India (UIDAI) has introduced face authentication along with fingerprints and iris. This measure will be used in "Fusion" along with existing modes of authentication such as fingerprints, iris and ...

Economic Times
Aadhaar, which captures an individual's personal details along with biometrics like fingerprint and iris, has been mandated to be used for ... The Aadhaar-issuing authority expects the existing biometric lock feature along with new virtual ID facility being rolled out in coming months to address various ...

Times of India
NEW DELHI: A majority of farmers and retailers preferred linking sale of subsidised fertilisers to Aadhaar under direct benefit transfer (DBT) scheme as it has reduced diversion of cheap urea for industrial use or being smuggled to neighbouring countries, while 98 per cent farmers surveyed said the ...

Times of India
NEW DELHI: The idea of a single over-arching identity number for all citizens issued by the state is not new, but in most developed countries, passport and driver's licence remain the most-accepted IDs. Here is a look at why Aadhaar is really unique. ID cards started as a tool to track citizens.

Since its launch under the UPA government in 2009, Aadhaar, the 12-digit unique identity number issued to Indian residents based on their biometric and demographic data, has grown to boast of 1.19 billion members as on November 30, 2017. It is the world's largest biometric ID system, with experts ...

The Central Government launched a unique identity project called Aadhaar in 2009 that would represent every person residing in India. The current government gave it more teeth and made it mandatory for everyone to link it with various schemes and instruments. This has already helped the ...

Firstpost (satire)
The nation is witnessing a serious debate surrounding the safety of citizens' information that is being exchanged through UIDAI. After news reports of Big Data leaks connected to Aadhaar surfaced in the public domain, the BJP government at the Centre has defended the leaks by calling it events that ...

The New Indian Express
The discussion touched upon how the aadhaar details of school children were being published online along with their caste, religion, address and other details. “The problem with having such information leaked once online is that even if the state government takes it down, the information will still be ...

The Siasat Daily
Gorakhpur: Due to Aadhaar card compulsion, students of Nepal are not able to submit forms of Uttar Pradesh Madrasa Education Board. The last date to submit application is January 20. In this situation those students of Nepal see their future in dark. Thousands of Nepali students study in madaris of ...

12768 - Lord Hanuman Walk Into an Aadhaar Centre. What Does the UIDAI Do? - The Wire


Do Mehmood Akhtar and a Hindu god really get LPG cylinders delivered to them? Does the government have the institutional capacity to stamp out the problem created by its flawed enrolment ecosystem?

The UIDAI needs to use this opportunity to clarify whether it has the institutional capacity to deal with fakes like Lord Hanuman and a Pakistani spy.
What could Mehmood Akhtar – a Pakistani high commission staffer who was expelled from India after he allegedly engaged in espionage  – and Lord Hanuman possibly have in common?
Strangely enough, publicly available evidence indicates the following. One, an Aadhaar number. Two, an LPG connection that is linked to their respective Aadhaar numbers. And three, a bank account that is also linked to their Aadhaar numbers.
On October 27, 2016, the Delhi police detained Akhtar for allegedly possessing sensitive defence documents. He however, identified himself as Mehboob Rajput, and produced an Aadhaar ’card’ bearing the name and an address in Old Delhi’s Chandni Chowk.
The address on the Aadhaar card – 2350, Gali Near Madari, Rodgran Mohalla, Chandni Chowk, New Delhi 110006 – is correct, except that the house is actually on G B Road, Delhi’s red-light area, nearly a kilometre away. He was promptly declared persona non-grata, and was asked to leave immediately.
Did the Pakistani spy really apply, and receive, an Aadhaar number? It’s theoretically possible – any resident of India can sign up and enrolments do not require proof of Indian citizenship.
While the Unique Identification Authority of India (UIDAI) was silent at the time, news reports quoted senior Delhi police officials who confirmed that Akhtar’s “Aadhaar document” had been obtained through “fraudulent means”, through a man named Yaseer (who supplied fake identification information) and with the involvement of one or more Aadhaar operators employed with an enrolment agency.  
In other words, it appears as if Akhtar had not merely taken a piece of paper and photo-shopped random bits of information onto it, but had instead genuinely obtained an Aadhaar number by supplying fake information. 
While only the UIDAI can confirm this for sure, there is no public evidence that contradicts the Delhi police’s account.
In Parliament, the Modi government has been evasive. In December 2016, Rajya Sabha MP K.V.P Ramachandra Rao asked whether it was “a fact that a Pakistani spy caught in New Delhi in October carried an Aadhaar card issued in his name” and “if so, whether the Government is assessing the possibility of misuse of Aadhaar cards.”
Junior IT minister P.P Chaudhary’s reply was a non-answer, refusing to clearly state one way or the other if the spy received a valid Aadhaar number. His reply, which comes along with a long boilerplate response of how “Aadhaar is generated after quality checks”, merely states that  “Aadhaar is not proof of citizenship or nationality”.
At the time, media organisations did publish this story widely (Scroll, Hindustan Times, Business Standard, Deccan Chronicle, Rediff), and in the process, reproduced his Aadhaar ‘card’, which also displayed his Aadhaar number (The Wire has withheld the number and has intentionally blurred it out in the picture below).
An edited screenshot of Rajput's Aadhaar card. Credit: The Wire
Here comes the kicker though.
As of last month (December 13, 2017 to be precise), Akhtar’s alleged Aadhaar number was still active. A screenshot from the UIDAI’s website (shown below), which allows users to check whether an Aadhaar number exists and is active, confirms this.
On December 13, 2017, The Wire sent an email questionnaire to UIDAI CEO Ajay Bhushan Pandey, asking specifically if Akhtar had succeeded in enrolling under the name Mehboob Rajput for an Aadhaar number and if the Aadhaar number that was published by various media organisations last year did actually belong to him and was genuine.
The Wire also asked whether it was possible if the number had been deactivated and reissued to another person. Pandey has not responded while Vikash Shukla, senior manager, communications and public outreach with UIDAI, promised that they would send a response within a couple of weeks.
However, two days after The Wire’s email was sent – on December 13, 2017 – the status of the Aadhaar number on the UIDAI website changed. It is now no longer “valid” and has presumably been deactivated.
If one checks the status of Akhtar’s alleged Aadhaar number on the UIDAI website now, an error symbol pops up with a short message: “**** **** **** is not a valid Aadhaar.”
Before and after deactivation, however, it was possible to check, using the Indian Oil Indane’s website, that an LPG connection has been attached to the above Aadhaar number. A screenshot of the “OMC (oil marketing company)”-Aadhaar linkage is shown below.
Once the consumer number is known, it is easy to obtain the history of linked bank accounts with that account (through another public link).
A few things stand out here if indeed a valid Aadhaar number was issued to the Pakistani spy. 
Firstly, Mehmood Akhtar was deported in October 2016. And yet, two bank accounts (shown in the screenshot above) were linked with the Aadhaar number on October 17, 2017 and October 26, 2017 – a full year after the alleged holder of the fraudulently-obtained Aadhaar was deported.
Secondly, an LPG connection, which has been receiving subsidy payments, was issued in the name of one “Mr Baijnath”, residing in Agra (Khuldabad Gas Service) and was also linked to this Aadhaar number.
Lastly, and curiously, the addresses don’t match. Before the Aadhaar number was rendered invalid, the UIDAI’s website listed a Delhi address (as confirmed by the Delhi police and the address listed on Akhtar’s Aadhaar “card”) whereas the LPG ID seems to indicate an Agra address. Most importantly, however, the names (Baijnath versus Mehboob Rajput) don’t match either.
Employees at the Khuldabad Gas Service agency admitted to The Wire that no verification is normally carried out when it comes to linking Aadhaar to an LPG connection. Mr. Baijnath’s phone number has been unavailable (‘out of service’) for the last week.
Officials at the Indian Overseas Bank – the last bank account to which Akhtar’s Aadhaar number was linked – declined to comment on whether adequate verification had taken place while linking the Aadhaar number in question.
Lord Hanuman and bank seeding
‘Hanuman’ was given an Aadhaar number as early as 2014, and it was subsequently deactivated by UIDAI, three years ago. A Business Standard report from 2014 – which lists out the Aadhaar number issued – quoted UIDAI director general Vijay Madan as saying that the Hanuman incident was “an exceptional case”.
However, once again, a search shows that a bank account has been linked with this Aadhaar number very recently, on November 11, 2017 as can be verified, using Indane’s website (as shown in the screenshots below).
How and why does this happen? Typically banks are expected to perform validation of the Aadhaar number and the name of the account holder to check if the linkage is valid (the UIDAI calls this demographic authentication). Name mismatches are however very common (PAN linkage, PDS, other documents) and every demographic authentication request, though very cheap, is still charged by UIDAI, and the costs add up as the volume increases.
Hence, it is possible that banks sometimes skip authentication, and instead accept the provided Aadhaar number at face value. Furthermore, a deactivated or cancelled Aadhaar number does not yet automatically invalidate the accounts linked to it.
Three paths
There are three possible conclusions that can be drawn from what we’ve discovered. 
The first – which is the most probable and comes with the most serious consequences – is that Akhtar and Hanuman were indeed issued valid Aadhaar numbers and that these numbers have now been seeded by totally different people in various places because the intermediaries (the LPG dealers and the banks) didn’t carry out proper verification.
The second scenario is that Akhtar and Lord Hanuman were never issued the Aadhaar numbers that were reported about widely in various mainstream news publications and that they had always been issued to other people. While unlikely, if this is true, it raises a troubling question: why was Akhtar’s number deactivated just two days after The Wire reached out to UIDAI? 
Thirdly, the spy and Hanuman indeed signed up and received valid Aadhaar numbers, which were then deactivated and re-issued to new people. This is highly unlikely as a twelve-digit Aadhaar number can accommodate up to 80 billion people. It seems improbable, therefore, that the UIDAI re-issued a number to someone else as it cannot possibly run out of Aadhaar numbers in the foreseeable future.
Why UIDAI’s response is insufficient
The Unique Identification Authority of India (UIDAI) is not taking this problem seriously. The government of India continues to push Aadhaar linking to every aspect of a resident’s civil life, from birth to death. When publicly questioned about the purpose of linking Aadhaar to bank accounts, the UIDAI CEO has responded that it is required for eliminating benami accounts that are used for money laundering.
Yet in at least one case, it appears likely that a known Pakistani spy’s Aadhaar number was not cancelled or deactivated for more than a year – until it was pointed out explicitly – which in turn allowed bank accounts to be linked with that number during that period.
While it is superficially straightforward to blame the bank, or the oil marketing company, the true problem lies not in the usage of the Aadhaar number, but in its issuance. To keep enrollment costs low, the UIDAI has consistently preferred outsourcing to third parties, who optimized their own earnings, without any regard to the guidelines issued by the authority.
The scale of the problem can be understood by looking at the number of blacklisted operators.
Date | Source | Total number of banned enrolment operators
From 2011 to 27th April 2016 | LS SQ 59 | 11,974
From 2011 to December 2016 | Hindu Business Line | 33,000
From 2011 to 10th April 2017 | Hindu Business Line | 34,000
From 2011 to 12th Sep 2017 | Times of India | 49,000
Operators banned between 10th April 2017 and 12th Sep 2017 | Difference between the above 2 columns (49,000 – 34,000) | 15,000

Date | Source | Total number of active operators
As of 19th August 2016 | UIDAI | 60,000
As of 9th April 2017 | Indian Express | 40,000
As of 12th Sep 2017 | Operators banned between 10th April 2017 and 12th Sep 2017 (from the table above) | 25,000 (40,000 – 15,000)
The urge for operators to maximise their earnings also resulted in the invention of the ghost kit, which probably pushed fake identities into the Aadhaar database for close to a year, without the UIDAI being aware of it. The news reports about the ghost kit were however met with the boilerplate response “Aadhaar is safe and reliable”.
The risks from a national security point of view, however continue to grow, both in scope and numbers, and there have been at least 18 known cases where Aadhaar numbers were issued to hostile actors from neighbouring countries, on the basis of bogus address and identity documents.
While UIDAI’s CEO claims that if everyone links their bank accounts with Aadhaar numbers, benami accounts can be detected with ease, the cases of the ISI spy Mehmood Akhtar and Lord Hanuman both appear to disprove this assertion.
In a constitutional democracy such as ours, elected governments inherit legitimacy and trustworthiness because of the inherent strength of the democratic process. For instance, bonds and currency issued by the government form the basis of all economic activities, because of the trustworthiness of the sovereign that guarantees them, and hence are tightly controlled by the Reserve Bank of India.
It can be useful to think of Aadhaar along similar lines, as an “identity currency”, backed by the sovereign might of a democratically elected government. Yet, it is neither proof of citizenship or age (as admitted by UIDAI), or even an address proof by itself, and 120 crore such “identity currency units” (Aadhaar numbers) have, so far, been largely created by third party enrolment agencies, a vast majority of whom have subsequently been dismissed on the grounds of being unscrupulous entities.
Further, unlike the RBI, which has a rigorous process for reporting and destroying fake currencies, UIDAI it appears is struggling with the institutional bandwidth to deactivate and deal with fake identities.
Anand Venkatanarayanan is a senior engineer at Netapp. Views expressed here are personal and do not reflect the views of his employer. 

12767 - After 4 Judges' Dissent, Lone Woman Judge Now Left Out of Sabarimala, Adultery Cases - News 18

Even though the cases include women-centric issues such as allowing menstruating women to enter Kerala's Sabarimala Temple and making adultery a gender-neutral law, the lone woman judge in the top court doesn't seem to be the part of the adjudication.

Utkarsh Anand | CNN-News18 | Updated: January 14, 2018, 1:09 PM IST

New Delhi: At a time when allocation of important cases among judges in the Supreme Court has resulted in four seniormost judges speaking out openly against Chief Justice of India (CJI) Dipak Misra, another development may rattle the ranks.

On Saturday afternoon, the Supreme Court registry notified eight Constitution Bench cases, which will be heard from January 17.

Justice R Banumathi is presently the only woman judge in the Supreme Court, out of the working strength of 25 judges, but she is not likely to be a member of the five-judge bench, which will decide various issues pertaining to the rights of women.

Incidentally, Justice Banumathi was also left out of the previous Constitution benches, which were set up on orders of then CJI JS Khehar and had ruled upon validity of triple talaq and right to privacy. Although right to privacy was a nine-judge-bench matter, she was not included on the bench.

And now, she is again not going to be a voice in the eventual rulings in cases such as Sabarimala, adultery and also decriminalisation of homosexuality and the right of women to enter the Fire Temple for Parsis.

Notably, holding an unprecedented press briefing on Friday afternoon, four most senior judges — Justices J Chelameswar, Ranjan Gogoi, Madan B Lokur and Kurian Joseph — had questioned the CJI's mandate and manner of allocating cases across various benches in the top court.

According to a notification by the court registry, the list of eight cases begins with Aadhaar matter and the rest of the Constitution Bench cases have been listed in the same batch.

Since Aadhaar is a case which was last heard by a Constitution Bench on December 15, it can be anybody's guess that all eight matters in this batch will be heard by the same Constitution Bench – something that has many precedents too.

The Constitution Bench in Aadhaar case is headed by Chief Justice of India Dipak Misra and includes Justices AK Sikri, AM Khanwilkar, DY Chandrachud and Ashok Bhushan.

Therefore, the same composition of the judges will now hear the eight cases of vital importance for the nation, and for women, without including the only woman judge in the apex court.

Judgments in the Supreme Court are presumably delivered on constitutional touchstones, without any consideration of gender, caste or class.

Women judges, like all other judges in the court, also follow the same legal and constitutional principles and thus, they don't have to necessarily rule favourably on issues of gender.

Yet it is still ironic that an institution that has always upheld the gender rights and has stood up for equality and equal rights for women should put on display an apparent lack of gender diversity on constitution of benches, in particular for such cases.

This is also intriguing that the institution, which has only three days ago recommended appointment of another woman as a judge in the Supreme Court, has failed to accommodate the lone woman judge on the Constitution Bench that will arbiter women's rights.

The spirit of the law is that "justice should not only be done but seem to be done". And to realise this spirit, gender diversity must be on display. 


Sunday, 14 January 2018 | Swapan Dasgupta | in Usual Suspects

In the penultimate day of the all-too-brief Winter Session of Parliament, there was a brief but interesting discussion on the economy in the Rajya Sabha. Anyone who heard that debate, including Finance Minister Arun Jaitley’s very erudite reply, would have been struck by the two very different accounts of where India stands today.

On the one hand, there were the speakers from the Opposition who insisted that it was the worst of times. India, they claimed, was in a state of acute distress with mounting joblessness, rural distress, macro-economic confusion, the GST muddle and policy inertia. On the other hand, the Government side insisted that India had turned the corner and that the structural reforms introduced by a Government with great political will, were now beginning to show results despite the absence of galloping GDP growth. They pointed to the astonishing rise in FDI, the buoyancy of the stock markets, the benign rates of inflation and the commendable work on upgrading infrastructure done by the Government.

This mismatch of perceptions was also evident in the Prime Minister’s meeting with the country’s top economists last week. It would be accurate to say that the big tribe of economists — and India has an over-supply in this department — feels a little miffed these days. First, they are yet to get over their collective bewilderment over the demonetisation of November 2016. As of now, very few of the top economists of the world have endorsed demonetisation because they have been unable to fathom the logic of disruption in a functioning economy. 

Secondly, economists as a profession are extremely disappointed that the Government has downgraded their elevated status and pay greater heed to managers and those who implement programmes rather than those who proffer macro-economic advice. The sullenness of the economists as a tribe loosely corresponds to the anger among the professional intellectuals who feel unwanted by the Narendra Modi regime.

Then, with objections that are a little different from economists, are the civil liberties and NGO activists who entertain deep misgivings over the widening scope of Aadhaar. The objections are two-fold.

First, there are concerns over privacy and the possibility that the minefield of data, including biometric records of individuals, may be prone to hacking by a determined band of internet pirates who have made life very tense for the world economy. 

The concerns over privacy may well be partially justified since India has a poor record of keeping data confidential. Greater awareness of privacy and the enactment of tough data protection laws are imperative, although it does not need a fugitive Snowden to lecture us on the subject.

Secondly, there are the objections from the NGOs. These are a little more difficult to fathom. The activist NGOs, particularly those working in rural areas and ostensibly to improve the quality of life for the poor, have long complained of the leakage of development funds and the dysfunctional public distribution system. Many of those complaints are legitimate. In the past there have been documented cases of bogus MNREGA rolls and rations that are diverted to the open market. One of the great advantages of Aadhaar is that it facilitates direct transfer of funds to beneficiaries and keeps a tab on actual beneficiaries of the PDS. It is undeniable that the use of Aadhaar has brought down the organised loot of Government funds exponentially. So why are NGOs so resolute in their opposition to it?

Part of the reason could lie in the political sub-agendas of NGOs. Despite the pretence of being non-political, most of the NGO activists are intensely political and harbour a deep hostility towards the BJP in general and Modi in particular. The Government has fuelled their hatred by cracking down on the misuse of foreign funding for political ends. In many cases, foreign contributions have dried up entirely, sometimes affecting the personal livelihood of individuals.

Then there is the larger question of the celebration of poverty. In an ideal world, the role of NGOs should be transient. Having identified a problem and working towards its ultimate solution, NGOs should have their own redundancy as their ultimate objective. Unfortunately, the reality is a little more awkward. NGOs have developed a vested interest in both the continuation of poverty and the ineffectiveness of Government poverty-alleviation schemes. Aadhaar actually posits a real solution to the problems the NGOs have been highlighting for decades. It should have been promoted by the NGOs and where necessary they should have taken up individual problems — and there are individual problems —with the concerned authorities. Instead, they have been promoting a form of negativism that prompts the inescapable conclusion that the continuation of poverty and even destitution is something that feeds the NGOs. This may be a cynical view but is painfully close to reality.

The Modi Government, it would seem, has embarked on a systems-based approach to create an architecture of growth and prosperity. This has involved taking tough decisions to ensure greater tax compliance, effective utilisation of official funds, removal of discretionary powers of officials and the simplification of rules and procedures. All these measures affect sections of the old economy adversely since they have developed an expertise in ‘managing’ the environment to their own advantage. Evasion of taxes, for example, has added to the competitive edge of individual enterprises. Likewise, the cross-verification that both Aadhaar and GST allow exposes transactions that have hitherto stayed below the radar. And the aggressive promotion of electronic transactions through banking channels has hit at the cash economy.

India is in a stage of exciting transition. It is inevitable that there will be resistance and opposition. What is being attempted is the dismantling of an old structure and its replacement by a new modern economic structure.

12765 - Security flaw in mAadhaar app can allow hackers to steal your Aadhaar data: Security researcher --Tech Observer

A Security researcher alias Elliot Alderson has tweeted a serious security vulnerability in UIDAI’s mAadhaar app for Android devices.

January 13, 2018 6:49 pm

According to the researcher, the Aadhaar mobile app saves sensitive user data, including biometric data, in a password-protected local database. The password for the database is generated using a random number generator with “123456789 as seed” and a hardcoded string, db_password_123, both of which remain the same on every phone. Because neither input varies per device, the “random” password is identical for every installation.

Besides this, Elliot has also uploaded a proof-of-concept on GitHub to demonstrate the flaw. He made an application with the exact same code as was written in the Aadhaar app to prove that even if you run it multiple times, it will give you the same password over and over again instead of the randomised password the app is supposed to generate.
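The weakness the report describes is that every input to the password derivation is a constant, so the derived secret is the same on every phone. The Python below is an added illustration written for this page; it is neither the researcher’s proof-of-concept nor UIDAI’s app code. Only the seed value and the string come from the report; how the app actually combines them is not known here, so the combination step, the PBKDF2 alternative and the per-install salt are assumptions. It contrasts the constant derivation with two designs that do vary per install, and includes the audit check a reviewer would run against any local-database key derivation: does it return the same secret on every run?

```python
import hashlib
import random
import secrets

# Constructed illustration, not the mAadhaar app's code: the report names only
# two ingredients, a fixed PRNG seed and a hard-coded string. The way they are
# combined below is an assumption made for this example.
HARDCODED_SEED = 123456789
HARDCODED_STRING = "db_password_123"


def weak_db_password(seed=HARDCODED_SEED, fixed=HARDCODED_STRING, length=16):
    """Derive a DB password from a seeded PRNG plus a constant string.

    Nothing in the inputs varies per device or per install, so every call on
    every phone yields the identical string: the 'random' digits are a fixed
    stream, and the string is the same in every copy of the binary.
    """
    rng = random.Random(seed)                      # same seed -> same stream
    digits = "".join(str(rng.randint(0, 9)) for _ in range(length))
    material = (fixed + digits).encode()
    return hashlib.sha256(material).hexdigest()[:length]


def strong_db_key(n_bytes=32):
    """Per-install key drawn from the OS CSPRNG.

    On Android such a key belongs in the hardware-backed Keystore (wrapped,
    non-exportable) rather than next to the database it protects.
    """
    return secrets.token_bytes(n_bytes)


def derive_key_from_pin(pin, salt, iterations=200_000):
    """Alternative when the key must come from something the user knows:
    PBKDF2-HMAC-SHA256 over the PIN with a per-install random salt.

    The salt is generated once (secrets.token_bytes(16)) and stored; the
    derived key itself is never written to disk.
    """
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)


def is_constant_across_runs(derive, runs=3):
    """Audit check: does the derivation return the same secret every time?

    True is the failure mode the report describes; a sound design returns
    False because each install draws fresh randomness.
    """
    return len({derive() for _ in range(runs)}) == 1


if __name__ == "__main__":
    print("weak password constant across runs:",
          is_constant_across_runs(weak_db_password))        # True
    print("CSPRNG key constant across runs:",
          is_constant_across_runs(strong_db_key))           # False
    salt_a, salt_b = secrets.token_bytes(16), secrets.token_bytes(16)
    print("PIN-derived keys differ per install:",
          derive_key_from_pin("1234", salt_a) != derive_key_from_pin("1234", salt_b))
```

The check in is_constant_across_runs is the whole point: a password that a reviewer can regenerate on a different machine without any per-device input protects nothing, because the same value ships in every copy of the app. Either of the two alternatives makes the secret depend on randomness that exists only on the user’s device.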

The researcher has stated that if a person is able to crack the password, they can access the entire Aadhaar account details of the user. He further said that as per the documentation for the mAadhaar app, the app will store personal details and the user’s photo in their local database.

UIDAI has however confirmed that the app creates a local database with innocuous data like user preferences. Further, they said that since the app doesn’t ask for any biometric data, such data can’t be compromised.

Hi #Aadhaar ! Can we talk about the #BenefitsOfAadhaar for the #India population?

I quickly check your #android app on the #playstore and you have some security issues...It's super easy to get the password of the local database for example...

According to Ankush Johar, Director at Infosec Ventures, although the exploitability of this issue is pretty low, nonetheless, information as critical as Biometrics along with other PII is something that should not be exposed to even the slightest risk.
“Recently, with alleged leakage of Aadhaar details of over a billion citizens, hackers might already have access to every piece of information printed on our Aadhaar cards and can easily replicate it. Even though a person has replicated your Aadhaar card, he/she will still need your Biometric info for authentication. If by any chance the hackers are able to gain the biometric data as well, then it will be catastrophic,” said Johar.

He further said, “As the UP cloning fraud showed us, making a physical clone of the fingerprints is not too difficult, so such leakage could do irreversible damage: you can change your passwords but you cannot change your fingerprints.”