uid

When I opposed Aadhaar in 2010, I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one? Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win. -Mahatma Gandhi

In matters of conscience, the law of the majority has no place. Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty -Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.” -A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholar Usha Ramanathan describes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence.
Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant. Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Sabha April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty” and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” - Edward Snowden

Special

Here is what the Parliament Standing Committee on Finance, which examined the draft NIA Bill, said:

1. There is no feasibility study of the project

2. The project was approved in haste

3. The system has far-reaching consequences for national security

4. The project is directionless with no clarity of purpose

5. It is built on unreliable and untested technology

6. The exercise becomes futile in case the project does not continue beyond the present number of 200 million enrolments

7. There is lack of coordination and difference of views between various departments and ministries of government on the project

Quotes

What was said before the elections:

NPR & UID aiding Aliens – Narendra Modi

"I don't agree to Nandan Nilekani and his madcap (UID) scheme which he is trying to promote," Senior BJP Leader Yashwant Sinha, Sept 2012

"All we have to show for the hundreds of thousands of crore spent on Aadhaar is a Congress ticket for Nilekani" Yashwant Sinha (27/02/2014)

TV Mohandas Pai, former chief financial officer and head of human resources, tweeted: "selling his soul for power; made his money in the company wedded to meritocracy." Money Life Article

Nilekani’s reporting structure is unprecedented in history; he reports directly to the Prime Minister, thus bypassing all checks and balances in government - Home Minister Chidambaram

To refer to Aadhaar as an anti corruption tool despite overwhelming evidence to the contrary is mystifying. That it is now officially a Rs.50,000 Crores solution searching for an explanation is also without any doubt. -- Statement by Rajeev Chandrasekhar, MP & Member, Standing Committee on Finance

Finance minister P Chidambaram’s statement, in an exit interview to this newspaper, that Aadhaar needs to be re-thought completely is probably the last nail in its coffin. :-) Financial Express

The Rural Development Ministry headed by Jairam Ramesh created a roadblock and refused to make Aadhaar mandatory for making wage payment to people enrolled under the world’s largest social security scheme NREGA unless all residents are covered.


Friday, March 3, 2017

10874 - Security of Aadhaar's data is under question, but pointing to the gaps could lead to a police case - Scroll.In


The UIDAI has filed a criminal complaint against a writer-entrepreneur for an article demonstrating how stored biometric data could be misused.

Published Yesterday · 10:30 am

Anumeha Yadav

In the past week, reports of two criminal complaints related to the security of the Aadhaar database – a centralised database of biometric scans of over 100 crore Indians – have raised concerns about a bigger data breach.

On February 24, the Times of India reported that the Unique Identification Authority of India – which issues the 12-digit Aadhaar numbers that ensure targeted delivery of subsidies, benefits and services – had on February 15 lodged a complaint with the Delhi Police Cyber Cell against Axis Bank Limited, its business correspondent Suvidha Infoserve, and esign provider eMudhra for illegally storing biometric data and performing unauthorised Aadhaar authentication.

The Authority alleged that the firms performed multiple transactions using replay of stored biometrics – for instance, one individual supposedly performed 397 biometric transactions between July 14, 2016 and February 19 this year. It described this as a violation of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits, and Services) Act, 2016, as the law does not allow the storage of biometric data.

Announcing additional safety measures, Authority officials stated that they have submitted a proposal to the IT Ministry on February 22 that from now on till May, all biometric devices would be registered with it, and an Aadhaar encryption key would be introduced in their hardware to ensure the data received was “captured live”.

Gaps in the system
While the investigation into the complaint is still on, the Asian Age reported on February 28 that the Authority had registered a separate police complaint against an individual, Sameer Kochhar, who heads the Gurgaon think tank Skoch Development Foundation. The complaint was in connection with an article, “Is a Deep State at Work to Steal Digital India”, Kochhar had published on February 11 in his magazine, Inclusion, about security vulnerabilities in Aadhaar systems. The article included a video demonstrating how unauthorised transactions were possible using replay of stored biometrics – the same malpractice for which the Authority had taken action against Axis Bank, Suvidha and eMudhra.

Two days after the article was published, the Authority’s chief executive officer, ABP Pandey, responded to it on Twitter by calling it a fake video and asking Kochhar to stop spreading rumours. Two weeks later, the agency registered the police case against Kochhar.




@SkochSameer @narendramodi @arunjaitley @TimesNow @ashwani_mahajan Video is fake. No evidence of connection to Aadhaar server. @amitabhk87

Confirming this, Deputy Commissioner of Police (Crime-South) Bhisham Singh said, “We have received a complaint from UIDAI that an individual Sameer Kochhar had floated a video and an article on Google, saying Aadhaar was not foolproof, the UIDAI says this is against Aadhaar Act, and we have registered a First Information Report.” Singh added that the FIR was not yet public and the police had not contacted Kochhar. “UIDAI says his claims are false, and we will investigate if this is so,” he said.

Another senior police official, who did not wish to be identified, said the case against Kochhar was registered under Section 37 of the Aadhaar Act and several other provisions of the Act as well as the Indian Penal Code.

Section 37 says:
Whoever, intentionally discloses, transmits, copies or otherwise disseminates any identity information collected in the course of enrolment or authentication to any person not authorised under this Act or regulations made thereunder or in contravention of any agreement or arrangement entered into pursuant to the provisions of this Act, shall be punishable with imprisonment for a term which may extend to three years or with a fine which may extend to ten thousand rupees or, in the case of a company, with a fine which may extend to one lakh rupees, or with both.

On February 22 – before the police complaint against Axis Bank and the two other firms was reported – Kochhar leaked a letter purportedly sent by the Authority to one registered authentication user agency (whose name was masked) asking how it had performed multiple concurrent Aadhaar authentications on January 11 through the unauthorised use of stored biometrics of one individual.




The letter also stated that the Authority had detected a firm that was illegally using a “licence key”. Section 15 (2) of the Authentication Regulations of the Aadhaar Act — the Aadhaar Regulations are currently in Parliament — says a requesting entity can permit another agency or entity to perform a yes/no authentication by generating a “separate licence key”. In this instance, the second entity performed electronic know-your-customer requirements for financial transactions, even though it had no permission to do so.

The letter leaked on Twitter by Sameer Kochhar on February 22.
In an emailed response to Scroll.in, Kochhar said he had found out about the FIR against him from the Asian Age report, and that he had not yet been contacted by the Unique Identification Authority of India or the Delhi Police. “The story is available on www.inclusion.in and whatever other information and documents I have shared are on my Twitter timeline,” he stated. “I look forward to find out which parts of Aadhaar Act 2016 prohibit media reporting on its vulnerabilities.”

He also pointed out the Authority had not denied having issued the letter leaked by him.

Unique Identification Authority of India officials refused to share a copy of the police complaint or the basis of their action against Kochhar. “It may have been part of the original complaint against Axis Bank, and others, but we cannot share any details on this,” said Vikash Shukla, senior manager, communications and public outreach, at the Authority’s headquarters in Delhi. Shukla added that the Authority did not have a spokesperson who could publicly comment on the details of the complaint against Kochhar.

Shooting the messenger?
Prasanna S – a lawyer for petitioners who have challenged Aadhaar in the Supreme Court – said it was not clear that what Kochhar demonstrated was related to information gathered in authentication or enrollment, as Section 37 of the Aadhaar Act, which has been mentioned in the FIR against him, suggests. He accused the Unique Identification Authority of India of using Section 37 to stifle criticism and curtail speech. “If you criticise Aadhaar project, the government says ‘you are just saying so, you do not understand the project’,” the lawyer said. “Here, someone has demonstrated evidence of a security flaw and they are saying ‘how dare you expose its vulnerability’.”
“Do we now have to be worried about sedition against UIDAI?” he added, expressing concern at the Authority registering an FIR against a citizen for exposing a security vulnerability in Aadhaar.

Chinmayi Arun, executive director of the Centre for Communications Governance at the National Law University, Delhi said that “threatening concerned citizens who identify holes and errors that the authority should be fixing is foolish”. She added, “The UIDAI should be rewarding those who find its breaches – instead, we have attempts to intimidate them into silence through the abuse of the state’s police powers. The Aadhaar Act enables this intimidation and it is high time the Supreme Court put a stop to it.”

Kiran Jonnalgadda, co-founder of HasGeek, a community for start-ups for software development in Bengaluru, said Kochhar’s complaint and the Authority’s action against the three firms showed it had failed to provide sufficient technical protection against such attacks. “Replay attacks are a well-known problem, and the Application Programming Interface should not be storing the fingerprint on the device itself,” he said.

“The irregularities detected show they did not have sufficient technical protection, only legal protection against this,” he added. “The UIDAI provides for SMS, email alerts on authentication, but even this is optional.”

Jonnalgadda pointed out that new technical protection — of introducing registration of biometrics devices — was, in fact, added after Kochhar’s article. “The new technical protection kicked in after Kochhar, a high profile individual, made an accusation, the video went public and UIDAI CEO replied on Twitter publicly saying, ‘Aadhaar is secure, do not spread rumours’, and then, after all this, they bothered to investigate,” he said.
He, too, said that someone raising a security issue in the system should be rewarded and not punished.