The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. It’s use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010 , I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one ? Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win.-Mahatma Gandhi

In matters of conscience, the law of the majority has no place.Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not a guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty -Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.”-A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholarUsha Ramanathandescribes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence.Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant.Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Saba April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty”and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the#BreakAadhaarChainscampaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uidand@rozi_roti.

UIDAI's security seems to be founded on four time tested pillars of security idiocy

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Tuesday, March 29, 2016

9673 - Updating Aadhaar for better privacy - The Hindu

March 28, 2016

Rahul Tongia

"Privacy with Aadhaar isn’t just an abstract issue, but related to the fundamental view of how data is to be accessed and used.” Picture shows Aadhaar enrolment in progress in Chennai. Photo: M. Vedhan

Each authorised user of the system would get a longer number that is generated to be unique, but based on the base UID number.

To its proponents, Unique Identification (UID, branded Aadhaar) is the solution to citizen empowerment. To its opponents, UID is a violation of not only citizen privacy but even citizen rights. In reality, like any programme or project, it can be anything we design it to be. It is only through purposeful design that we can ensure that risks and unintended consequences are kept under control. The government passed the Aadhaar Bill giving statutory rights for the programme, but this still leaves privacy as a specific challenge. However, this can be addressed.

Stated goal of UID
Privacy with Aadhaar isn’t just an abstract issue, but related to the fundamental view of how data are to be accessed and used. Leaders of the UID project stated in past discussions that privacy was not only paramount, but easily handled because the UID system would only be a yes or no identification system (relying, of course, on the accuracy of underlying registration). The system can be queried to verify if a person is who she claims to be based on the registration. Per design, the UID system would not know or care whether the person was Above Poverty Line or Below Poverty Line — such things would be the prerogative of the users of the system such as banks, service providers, or development schemes (here, users are not the citizens but system users like listed).

At one level, this sounds appealing. But the problem is precisely the use of UID beyond the intended and appealing aspects, by its partners and systems providers. As Henry Wadsworth Longfellow wrote poetically if not prophetically, “I shot an arrow into the air, It fell to earth I know not where.” Instead of UID being agnostic to how the system gets used by others, UID’s design should assume the worst, and try to prevent linking of databases by third parties, or unintended usage. Otherwise, these could lead to not only an abstract violation of privacy but also very specific and troubling asymmetries in commercial transactions and citizen empowerment/rights, including through profiling. We have already seen advertisements of private entities offering to use the Aadhaar database for commercial/private uses.

Who has rights to the data? This needs clarity. The problem with rights to access is the possibility of unintended access. One thing we can learn from other large IT systems is that the boundary matters — just worrying about outsider hackers is wrong for IT systems since most IT security breaches involve an insider (and also mistakes). Similarly, UID’s privacy cannot be viewed simply from an internal database and its security perspective but rather the ecosystem of users of UID. UID is only as secure as its weakest link. This is where segregation of data can help.

We must ensure that the UID database is not used in a manner that can hurt the citizens either accidentally or through mission creep with unintended consequences. It’s worth thinking about what could go wrong.

The solution
What if we could have a UID that was never inter-linkable across users, but yet at the same time uniquely linked to the person through biometrics? The answer is we can, through the use of not a single UID, but a base UID (like we have today) plus modifications per user (if not per use). Instead of, say, MNREGA using the 12-digit number like today, each authorised user of the system (such as MNREGA, a bank, and so on) would get a modified (longer) number that is cryptographically generated to be unique but based on the base UID number in such a way that it could be proven to be functionally the same. Technologically, this would use a one-way hash that would be irreversible so that the longer number or code couldn’t reveal the base UID number.

The benefits of this would be twofold. First, a corporation or other user could not create a linked database for profiling — they would all have different UID+ numbers. Second, to even get the UID+, the cryptographic process could be restricted to authorised users. This way, we could prevent the UID becoming a casual identifier. For instance, in the U.S., the social security number morphs into something required by the cable TV operator when you raise a service complaint! Of course, in India we risk a similar link/identifier — our mobile number.

This same concept of separation applies to security from an Indian government-citizen perspective. Given that Indian and global private technology companies are inevitably involved, breaking up the data (analogous to the UID versus UID+), where it’s stored, broken up, and so on can improve security.

From UID to UID+
One has to get the technology right for any programme, but its long-term success depends on people wanting it. Even if due to misinformation, perceptions matter. Recall how the U.S. nuclear power industry was effectively stalled even before the Three Mile Island accident due to a combination of secrecy, arrogance, and “trust us” instead of engagement and communication.

The proposed update of UID to a UID+ system can address many of the concerns, and its roll-out need not be viewed as a failure of the original system but simply an update. The next step should be an analysis of how it can be done without disrupting the existing UID database(s).

The good news is almost anything is feasible, computationally. We simply need to update our mindset of a Unique ID — there can be many such unique numbers, just like many people now have multiple and even disposable email addresses. There will be a small overhead for such designs, including one-time update costs for those who are already using the current UID number, but this is a worthwhile investment for something meant to last more than a citizen’s lifetime.

(Rahul Tongia is a Fellow at Brookings India, and Adjunct Professor at Carnegie Mellon University. All views are personal.)
Keywords: AadhaarUIDUnique Identificatio