The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. Its use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010, I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one? – Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win. – Mahatma Gandhi

In matters of conscience, the law of the majority has no place. – Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty – Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.” – A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholar Usha Ramanathan describes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence. – Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant. – Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Sabha, April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty” and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the #BreakAadhaarChains campaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uid and @rozi_roti.

UIDAI's security seems to be founded on four time tested pillars of security idiocy

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Thursday, March 31, 2016

9696 - Govt should protect citizens from surveillance instead of collecting data – Dr Gus Hosein & Dr Edgar Whitley Reddit AMA - Media Nama

By Sneha Johari (@thejunebug) on March 29, 2016

In this Reddit India AMA held last week, Dr Gus Hosein and Dr Edgar Whitley talk about the perils of Aadhaar, citizen privacy and surveillance, a law for privacy and the right to privacy. Dr Gus Hosein works with Privacy International, a London-based charity and is a Visiting Fellow at the London School of Economics, and Dr Edgar Whitley is an Associate Professor (Reader) of Information Systems at the London School of Economics. Here are snippets from the AMA:

On generating awareness on the online privacy breaches:

Hosein: .. For some people it is all about the specific scenario that raises their awareness — a data breach, or the lack of power resulting from a decision against them based on their data. For others it is the matter of principle — that any entity could have control over their lives in such a way.

The answer I can give for an entire country (the question asked about India) is that you need many many stories of many many different types that give rise to debate and more stories and more debate. Then you have a national conversation. Nonetheless I can say that the debate in India has come so far since 2007 when I first visited. At the time whenever we spoke to people about privacy they all laughed.

Since then, due to the hard work of individuals and organisations, the debate has advanced significantly — faster than anywhere else in the world… We’re still working on the best ways of doing this!

Whitley: Another approach is to build in technological features that minimize the potential privacy risks, so that they don’t arise in the first place. Clearly, this needs to be done in conjunction with awareness raising/education as well… Education can include adding the topic to the curriculum of Schools – increasingly schoolchildren are being taught about the risks of sharing sensitive personal information online – and privacy risks are part of that.

On a case where a company found out a customer’s info and address and went to their doorstep:

Hosein: India needs a privacy law. It’s as simple as that… Without it, you cannot regulate government activities nor industry activities… No one is really talking about anywhere is how hard it is to secure data; and companies and governments don’t like these laws making it their duty to protect our data. If they were finally held to account for this challenge of protecting our data, they may finally start collecting less and sharing it less. Only the law gets them to do this…

Whitley: Indeed, some organisations are starting to realise that, despite the claimed benefits of big data and data analytics, data are actually a toxic resource that they are better off NOT holding on to. This comes to the broader question about privacy rights/laws in India. The Aadhaar bill doesn’t address this kind of situation… The home visit seems to be a completely different issue, given you weren’t likely to become a future customer of the organisation.

On other countries rejecting UID/Aadhaar like projects, implications of Aadhaar and impact of biometric technology on civil liberties:

Whitley: In the UK between the launch, in 2005, of a biometric identity card scheme and its scrapping in 2010, following election of the coalition government, public mood about the “surveillance state” changed dramatically. It was also affected by the government losing the personal details of all families claiming child support etc. Since then the UK has developed an explicitly privacy friendly identity verification service.

Hosein: I think that any country that has an open debate about whether to start an ID system inevitably concludes that it is not a good idea to create a multi-purpose centralised mandatory system. So instead every other government with such a system has managed to sneak it in through the backdoor, by making it voluntary for instance until it is made mandatory, or blaming foreign entities. So these systems are always rejected whenever they are openly deliberated upon.. Creating a system that is multi-purpose and mandatory costs so much money, takes so many security risks, has to create so much buy-in from across government and the general public, that it is almost inevitable that it will fail either in being dreamed-up, being legislated, or being implemented.

The biometrics industry has seen a boom since 9/11… then there was a second wave, with India and other countries being sold the ‘development’ angle to biometrics… I am very worried about this. We have to watch for Indian companies and consultants travelling the world selling these systems.

For the link with intelligence agencies.. there is a surveillance industry out there profiting from all of these types of surveillance technologies and traditionally have links with either defence firms or involve ex-intelligence agency employees going into the private sector. I am not sure about the biometrics industry though — we haven’t tracked them as much as the communications surveillance industry.

Whitley: Again, there are technological alternatives at play – not just “the use of biometrics”. Some smartphones use fingerprint biometrics to authenticate the user of the phone but they are designed to NEVER share the fingerprint data with any other system (and don’t need to). They simply check whether the fingerprint presented now is the same as the fingerprint presented earlier. Aadhaar (currently) seems to require the fingerprint presented now to be matched (via a secure internet connection) with the fingerprint collected previously. This, of course, also creates an audit trail of when (and where) the fingerprint was checked and, as Gus mentioned, increases the costs of using the system considerably.

On costs being borne by the citizens:

Hosein: We can only hope for debate and deliberation. In the UK the Government did get their legislation and did try to build their system over a 5 year period until the next government repealed it. The costs are always borne by the next politician, the next government, and yes, ultimately the citizens. The risks are ours too. Not the creators of the idea…

Whitley: Good detailed analysis of some of the problems with biometrics and their exclusionary effects can be found in Magnet SA (2011) When biometrics fail: Gender, race and the technology of identity. Duke University Press, Durham.

On additional risks of Aadhaar and it being just another ID:

Hosein: There are many identifiers out there. With modern surveillance systems, our face, how we talk could be used to identify us. Our mobile number is an identifier, but more interesting and useful is our IMSI number for our mobile — it is mandatorily disclosed by our phone to mobile phone towers all the time..

The problem with all of these IDs is that you have no say over them, and they are leaking your information and your uniqueness all the time, making you traceable to anyone who is able to monitor. Our governments should be protecting us from these kinds of surveillance, whether done by agencies or the private sector, in our country or abroad. But instead, governments are spending their time and money getting into the business of data collection.

We need identity systems that empower us and protect our data. UID seems to be making all the wrong decisions on security, no decisions on privacy, and by making it practically mandatory, is taking all the power away from the individual. This is not what Indians need.

On what questions should citizens ask the government with respect to privacy issues, especially in the face of Digital India:

Hosein: This is a fascinating question that I’m still getting my head around. ‘Digital country’ initiatives are massive funding initiatives that end up in wasted money and useless IT. Again, politicians love announcing these initiatives and then waste billions of taxpayers’ money on it. The exchange for their ‘Digital’ initiatives should be that citizens deserve transparency on how their information is going to be used, have a privacy law in the country, and taxpayers need to be kept apprised on how the funds are planning on being spent.

On free WiFi:

Hosein: As for free wifi at railway stations: these are often insecure, allow for interception and other forms of surveillance, and can be used to track you over time. If something is free, odds are that someone’s up to no good.

Whitley: The issue with most of these “free” services is that they aren’t really “free” – the most common method of making money is through analysing the data and providing (targeted) advertising. One consequence is that there is normally no reason to tell the truth when registering for the free service.

Hosein: Sadly they don’t need your date of birth and instead grab unique identifiers from your devices or browsers (e.g. IDs or cookies), from your network connection (IP address). So they are still able to uniquely identify you. The solution isn’t just faking out the system. The true solution is a legislative fix: a privacy law.

On things that make you give up your privacy, protecting self and if open source is a better system:

Hosein: Yes, mobile operating systems are key challenges/risks/opportunities for privacy. Android is open, which has its advantages. But the most glaring problems are that i) it is very hard to stop the transfer of data to Google in the process; and ii) most handsets running Android are not updated for security faults.

That is, every operating system and app out there needs to be updated periodically to fix any security holes in the system… Android is a fragmented environment. Most phones are operating very old versions of the operating system, and are as a result very insecure. But it also comes down to the hardware which is not owned by anyone you ever contract with; and is capable of being hacked or leak information…

So what we need are open devices with open hardware, and open operating systems that are kept up to date and patched continuously. This is going to take some investment but I’m optimistic.

On passive surveillance to watch for threats and citizen security:

Whitley: This is probably not an either/or situation rather one where I would want to know the details of what kinds of “passive surveillance” you are thinking about. Certainly, better policing helps a lot, not least because this is a rapidly changing context – e.g. reports that the Paris attackers were using burner (one-time) phones rather than encrypted messages.

Hosein: I agree with Edgar. The interesting thing to date about those terrorist attacks, is that the individuals were all known to the authorities. Surveillance is certainly a part of the answer. But mass surveillance is highly unlikely to be effective, and it is unacceptable from a human rights and legal perspective… Nonetheless, politicians will likely seek more surveillance powers. Seeking powers is easy particularly after an atrocity. But when there is another attack further down the road, the politicians are not held to account for their focus on surveillance instead of other measures — they only respond with the need for more surveillance. Again, like ID, politicians like pointing to simple solutions and aren’t there to be held to account when their ‘solutions’ fail.

On types of passive surveillance, like people visiting radicalised sites etc.:

Hosein: I don’t have an easy answer to it. How do you create a law that allows only this form of activity? We always see the expansion of purposes in practice. So what starts with ‘radicalised sites’ will soon become other types of sites that you are more concerned about. Such sites are an exercise in religious freedom and freedom of expression. Are you going to be criminalised for web surfing, or is it for actual speech, or just ‘liking’ something? Are you going to be tracked across your professional and personal life because of ending up somewhere on the internet? I’m not sure that is an effective way of doing things.

Authorities draw friendship trees: who knows someone who knows someone who knows someone who may be related to a terrorist investigation. That is already 3 degrees of separation and may include hundreds of thousands of people to investigate. It’s very hard to do that.

On risks of (Aadhaar) being an authentication system:

Whitley: The most obvious risk is the audit trail associated with authentications to the central database (see comment below). The other risk is that, inevitably, there may be some circumstances where “any reasonable person” would see that the biometric data should be shared (FBI / Apple anyone?). To be fair to UID, to date they have resisted any such calls but if the data is held, inevitably people will try and get access to it.

Hosein: Part of the Snowden disclosures included statements about how intelligence agencies are getting copies of national identity databases of other countries. I don’t know how you can entrust such sensitive information with a single authority that can never keep it secure enough from foreign agencies.

On NSA spying on citizens of other countries, steps for prevention and what steps needs to be taken by India:

Whitley: It is helpful to note that it is probably not that helpful to think about this being THE national policy as this immediately leads to contradictions – THE national policy might be to fight terrorist threats AND THE national policy might be to make the country a good place to do e-business (which requires strong encryption – which runs counter to the first national policy). Often it is different parts of “the government” pushing for these different agendas – did the NSA really think about the effects of their work on the business models for US cloud providers? (e.g. the removal of the safe harbor provisions – Silicon Valley now ‘illegal’ in Europe: Why Schrems vs Facebook is such a biggie)

Hosein: The incredible work by Edward Snowden gave us the evidence of what the UK and US Governments were up to (and a bit about others). The challenge is that we discovered they were doing everything they could: they were intercepting vast components of the internet (see XKeyScore and Tempora), they were monitoring activities on social networks (see Squeaky Dolphin), they were hacking entire companies, networks and individuals… The list goes on.

What is actually to be done in response?

1. Demand governments to come clean on how they are secretly interpreting communications surveillance law to somehow undertake all these activities. It is highly likely that every intelligence agency is now undertaking similar activities, if they weren’t already doing so.

2. Demand companies to take extensive measures to protect security and privacy of your data and communications. Some companies have taken basic steps of say implementing SSL in their web server connections. But so much more is needed. Some firms have started to implement encryption more widely — it’s a good start, but they must do so as openly as possible. So you make a good point about closed-source software. Open review of code is absolutely necessary to ensure that it can be trusted.

3. We need to take ownership of the ‘cybersecurity’ agenda created by governments to spy on more communications and interactions; and make it about protecting our devices, our networks, and our information.

4. Stronger legal protections. Again, India needs a privacy law. With that as a foundation, more work is needed across the world to strengthen safeguards in surveillance laws. Privacy is a qualified right; but surveillance can only be done in limited circumstances with strong privacy safeguards. The problem is that governments secretly interpret the laws and loosely implement safeguards. We need to push a reform agenda.

5. We have taken a number of cases against the UK Government and its spying — on all the issues I highlighted above. We are likely to end up soon at the European Court of Human Rights. We’ll get back to you once we see what happens.

Hosein: ..Colombia had to shut down its intelligence agency because of surveillance abuses; then we found that the other agencies were re-creating many of these powers. The Ugandan government was making claims around the benefits of hacking the communications devices of the opposition party and protest movements. The Egyptian intelligence agency was buying hacking technology…

Whitley: If NSA etc. have infiltrated the developers of elliptical encryption curve software, then making the software open source doesn’t necessarily help in practice.. as appears to be happening in relation to some aspects of privacy (ironically, in a closed environment).

On phone interceptions:

Whitley: If you mean listen in on them, then how would you feel if this was a call where you whispered sweet nothings to your loved one but then discovered that someone else was hearing this as well? If you mean just recording the metadata, then the EFF has some great examples: https://www.eff.org/deeplinks/2013/06/why-metadata-matters

Hosein: Governments are not necessarily investing vast amounts of resources to listening in to phone calls, they are gathering metadata (who is speaking to who, when) and generating metadata (can we understand the language of the call, the mood of the people on the call, etc.) and store that in a database(s) so that it is possible to do detailed analysis at a later time, e.g. bring up all your call information, all your locations, all your moods over a six month period because you knew someone who knew someone who knew someone who might have been subject of an investigation at some point. Finally, to intercept your call and monitor you in any way, it is up to them to provide the justification why it is necessary in a democratic society to do so. It’s not for you to ascertain whether it caused you harm in any way.

On what ‘right to privacy’ stems from:

Hosein: Is it a right that enables other rights, or is it a right that must be respected for its inherent value? Or is it about dignity and autonomy (which is true of all the other human rights)? I tried to explore the definition in this piece. https://www.privacyinternational.org/node/54