The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. Its use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010, I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one? – Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win. – Mahatma Gandhi

In matters of conscience, the law of the majority has no place. – Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty. – Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.” – A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholar Usha Ramanathan describes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens is with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of the internet and today’s technology and all the new privacy challenges that have arisen as a consequence. – Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t.” – Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant. – Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary.” – Jairam Ramesh, Rajya Sabha, April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that the right to privacy is “intrinsic to life and liberty” and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution.

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” – Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the #BreakAadhaarChains campaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uid and @rozi_roti.

UIDAI's security seems to be founded on four time-tested pillars of security idiocy:

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Wednesday, March 1, 2017

10866 - As Security Violations Erupt, Operator of India’s Biometric Database Stands at Troubling Crossroad - The Wire

Why was the Delhi police and not a national investigation agency roped in to probe what may be the first publicly-known misuse of biometrics by an authorised agency?

Aadhaar security and privacy violations must stop. Credit: Reuters

On the streets of Hyderabad, one can purchase an Aadhaar number or a copy of an Aadhaar card for as little as Rs 5 per copy from small traders – xerox shops and the like. ‘Data brokers’ in Delhi and Mumbai, if one goes by well-sourced rumours, offer the same in larger quantities and at bulk rates. This was sparked in some measure by demonetisation, when the demand for Aadhaar numbers and a number of other identification cards was at an all-time high.
Identity theft is not new in India and it has increasingly become clear that there are a number of technical and interrelated privacy concerns surrounding the Aadhaar system.
While privacy advocates have been demanding investigations into a number of isolated (yet concerning) incidents over the past few years, the Unique Identification Authority of India (UIDAI) has paid little heed.
In the past few weeks, there have been three major incidents related to violation of privacy and security of Aadhaar. The first is an incident that I am directly involved with, where a website was found to have publicly displayed the Aadhaar numbers of over five lakh minors. This website was eventually shut down – although we don’t know for how long the data was online, whether the guardians of these minors in question would be notified of such a data breach and whether any criminal or civil action is being taken against the operators of the website.
The other two incidents are inherently linked. Earlier this week the Chairman of the Skoch Group, a think-tank known for its governance awards, wrote a post that alleged issues with Aadhaar’s security, notably with the way several intermediaries stored biometric data. The post included a video that showed an Android application performing an Aadhaar authentication process by storing a user’s biometrics after the first use and reusing them thereafter. The UIDAI CEO, who initially called it fake on Twitter and ignored the allegation, has now likely ordered an investigation into such a possibility.
The Aadhaar Act limits the scope for an individual to file a complaint about misuse of his own Aadhaar information. Under the Act, only UIDAI can order an investigation, which understandably leaves the general public worried. The Act also classifies biometric information as sensitive personal data and makes it a crime to store any such data. Offences committed under the Aadhaar Act can attract jail time of up to three years.
The third and last incident is probably the most significant. Just a week after the Skoch incident, media reports showed that the identification authority had issued notices to three agencies – which had been authorised by UIDAI to act as important intermediaries in the Aadhaar infrastructure pipeline – about possible misuse of user biometrics under sections 29, 37, 42 and 43 of the Aadhaar Act.

But who are these authorised agencies and what do they do?

A look at Aadhaar’s infrastructure pipeline. Credit: CDAC

The three agencies in question are Axis Bank, Mumbai-based Suvidhaa Infoserve and Bengaluru-based eMudhra.

These companies are service providers empanelled by UIDAI to provide Aadhaar authentication and e-KYC services to other private players by connecting to the Aadhaar databases through an Authentication Service Agency (ASA). An Authentication User Agency (AUA) provides authentication services to identify Aadhaar holders, and a KYC User Agency (KUA) provides know-your-customer (KYC) services. There are other companies, like Suvidhaa Infoserve, which are application service providers supplying software to AUA or KUA agencies. The Aadhaar infrastructure ecosystem has many companies which were involved in creating the database and currently provide access to it for other companies through application programming interfaces (APIs).

One notice received by an authentication user agency from UIDAI, as shared by the Skoch Group CEO on Twitter. Credit: Twitter
In its notice, UIDAI has alleged that there were concurrent transactions (separate transactions happening at the exact same time) with the same biometrics through these agencies. Such transactions would not be possible unless the agencies had locally stored the user’s biometric data. In cyber-security parlance, this is commonly known as a ‘relay attack’, where a person’s legitimate credentials are captured once and used to perform fraudulent transactions.
Plain, common-sense logic tells us that the time difference between two separate, genuine requests should be a couple of minutes, even if the second transaction was initiated almost immediately after the first. In their defence, at least one of these agencies has claimed that it was performing application testing and that the tester was using his own biometrics. Even if that were the case, any programmer familiar with testing would ask why the testing was being performed against production Aadhaar servers, which store sensitive information, rather than against a staging server with test data.
With its notices, UIDAI has finally acted on what is currently believed to be the first public misuse of biometrics by some of the authorised agencies in its infrastructure pipeline.
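The concurrent-transaction pattern described in the notice is something an authentication server can detect from its own request logs. The following is an added example (not code from the article, UIDAI or any of the named agencies) of that detection logic run over a constructed log: it treats a byte-identical biometric sample submitted more than once as evidence of stored data, since two live captures of the same finger never produce identical bytes, and additionally flags repeats inside the "couple of minutes" window the text mentions or spread across different agencies or devices. The field names, agency codes, device ids and sample hashes are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed authentication request log (not real data). Each row is
# (timestamp, agency code, device id, opaque reference to the Aadhaar holder,
# hash of the submitted biometric sample). The first three rows reproduce the
# pattern alleged in the notice: the same sample bytes, from two agencies, in
# the same second, then again 30 seconds later.
SAMPLE_LOG: List[Tuple[str, str, str, str, str]] = [
    ("2017-02-20T10:00:00", "AUA-A", "dev-1", "holder-001", "h-aaaa"),
    ("2017-02-20T10:00:00", "AUA-B", "dev-7", "holder-001", "h-aaaa"),
    ("2017-02-20T10:00:30", "AUA-A", "dev-1", "holder-001", "h-aaaa"),
    ("2017-02-20T10:05:00", "AUA-A", "dev-1", "holder-002", "h-bbbb"),
    ("2017-02-20T10:09:00", "AUA-A", "dev-1", "holder-002", "h-bbb2"),  # fresh capture: different bytes
    ("2017-02-20T11:00:00", "AUA-C", "dev-9", "holder-003", "h-cccc"),
]


@dataclass(frozen=True)
class AuthRequest:
    ts: datetime
    agency: str
    device_id: str
    holder_ref: str
    sample_hash: str


def parse_log(rows: List[Tuple[str, str, str, str, str]]) -> List[AuthRequest]:
    """Turn raw log rows into typed records, oldest first."""
    parsed = [AuthRequest(datetime.fromisoformat(r[0]), *r[1:]) for r in rows]
    return sorted(parsed, key=lambda r: r.ts)


def group_repeated_samples(requests: List[AuthRequest]) -> Dict[str, List[AuthRequest]]:
    """Map sample hash -> requests, keeping only samples seen more than once."""
    by_hash: Dict[str, List[AuthRequest]] = defaultdict(list)
    for req in requests:
        by_hash[req.sample_hash].append(req)
    return {h: reqs for h, reqs in by_hash.items() if len(reqs) > 1}


def audit(rows: List[Tuple[str, str, str, str, str]], window_seconds: int = 120) -> Dict[str, Set[str]]:
    """Return {sample_hash: reasons} for every suspicious biometric sample.

    Reasons:
      exact_repeat  - identical sample bytes submitted more than once (live
                      sensor captures are never bit-identical, so the sample
                      was stored and resubmitted)
      concurrent    - two submissions of the same sample within `window_seconds`
      cross_agency  - the same sample arrived via more than one agency
      cross_device  - the same sample arrived from more than one device
    """
    window = timedelta(seconds=window_seconds)
    findings: Dict[str, Set[str]] = {}
    for sample_hash, reqs in group_repeated_samples(parse_log(rows)).items():
        reasons = {"exact_repeat"}
        # reqs are sorted by time, so adjacent pairs give the smallest gaps
        if any(b.ts - a.ts <= window for a, b in zip(reqs, reqs[1:])):
            reasons.add("concurrent")
        if len({r.agency for r in reqs}) > 1:
            reasons.add("cross_agency")
        if len({r.device_id for r in reqs}) > 1:
            reasons.add("cross_device")
        findings[sample_hash] = reasons
    return findings


if __name__ == "__main__":
    for sample_hash, reasons in audit(SAMPLE_LOG).items():
        print(f"{sample_hash}: {', '.join(sorted(reasons))}")
```

The check runs on the server side of the authentication API, where the submitted sample is visible, and needs only a hash of each sample rather than the sample itself, so the detector does not have to retain biometric data to do its job. A legitimate second attempt by the same holder (the `h-bbbb` / `h-bbb2` rows) is not flagged because the bytes differ; only the stored-and-resubmitted sample is.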
Parallel databases
It is an open secret that nearly every state government and its police department are building their own parallel databases based on Aadhaar data. These parallel databases now seem to be storing biometrics as well. This turns the debate into one about Aadhaar-enabled payments and financial fraud, not just about privacy.
A user’s biometrics being stored at the point of collection is certainly possible; it is an attack vector listed in a research study conducted by IIT Delhi. The study briefly mentions several steps and mitigations the UIDAI has put in place to prevent such attacks. But if the entire collection process has been conducted through unsecured biometric devices, then no cyber security agency or professional can do anything at this stage.
Based on the UIDAI’s complaint, it would not be a complete stab in the dark to assume that the hardware which collects biometrics could be compromised. Security issues exist at multiple levels. Hardware security matters more than the software layer, as software can be upgraded or patched but flaws in chip design cannot be changed overnight. For example, if you are using a Chinese phone to collect biometrics, there is some likelihood that the Chinese manufacturer could be sending data to a remote server without anyone knowing. An RTI filed (shown below), asking whether UIDAI had a list of authorised biometric scanners, went unanswered. However, soon after that, authorities announced that such a list was being created.

A copy of the RTI concerning authorised hardware manufacturers.
While this could certainly be a false alarm altogether, it is UIDAI’s responsibility to investigate every such complaint. What is strange, though, is that the Delhi cyber crime cell has been asked to investigate this instead of national cyber investigation agencies like the CBI’s cyber crime cell, CERT-In or the National Critical Information Infrastructure Protection Centre (NCIIPC), on grounds of national security. The Delhi cyber crime cell has only been functional for the last two years, and whether it has the technical capability to look into such matters is a serious question. As Aadhaar is a project of national importance, there is a stronger case to be made for national cyber security agencies to be involved in this matter.

The closed manner in which UIDAI has been conducting these matters undermines the security of a billion people. Take for instance the issue of a website exposing the Aadhaar details of lakhs of minors. After filing the complaint, we are yet to receive an acknowledgement or an enquiry from the UIDAI or other relevant authorities, even after filing an incident report. How are individuals to claim compensation if this isn’t a two-way conversation? While it is certainly an encouraging step that the UIDAI has sent notices involving a few hundred potentially fraudulent transactions, this closed atmosphere needs to change immediately.