The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. Its use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010, I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one? -Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win. -Mahatma Gandhi

In matters of conscience, the law of the majority has no place. -Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty -Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.”-A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholar Usha Ramanathan describes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens is with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence. -Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant. -Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Sabha April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty” and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the #BreakAadhaarChains campaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uid and @rozi_roti.

UIDAI's security seems to be founded on four time tested pillars of security idiocy

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Wednesday, March 8, 2017

10886 - Here’s Why You May Never Find Out If Your Aadhaar Data Has Been Hacked - Bloomberg Quint

March 2, 2017, 12:03 pm

The debate over the security of data collected and stored under the Aadhaar project is heating up. While the Unique Identification Project has always had strong supporters and equally strong detractors, the latest controversy has been sparked off by an alleged breach of biometric data.

On February 25, Mint reported that the Unique Identification Authority of India (UIDAI) had detected a breach of biometric data and filed a police complaint on February 15 against Axis Bank Ltd, business correspondent Suvidhaa Infoserve and e-sign provider eMudhra with the allegation of impersonation using illegally stored biometric information.

These entities deny storage of any data and claim that the business correspondent was merely testing the platform, which accidentally sent authentication requests to the live server instead of the testing one. Still, the incident has sparked concerns about the security of data in the possession of the UIDAI and also about the redressal mechanism in the case of a breach like this.

Interestingly, it turns out that the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act is silent on making the UIDAI liable for reporting any breaches.
Legal experts that BloombergQuint spoke to point out that while the international principles of data collection require that any breach or abnormal activity be revealed to the users and authorities quickly, the Aadhaar regulations give no such assurance.

Delhi-based lawyer Apar Gupta said that a user may never really get to know if there was a data breach in the Aadhaar database which compromised their personal data, unless the authority chooses to voluntarily disclose it.

“There is no provision under the act for notification to the public that there’s been a breach of their data. The breach includes both hacking of identity data and unauthorised authentication carried out by someone impersonating a citizen,” Gupta said, adding that the authority is “whole and sole” and it isn’t liable to even disclose it under the Right To Information Act or to the parliament.

A broad comparison can be drawn to the system breach in the banking system last year which led to 32 lakh debit cards being compromised. While banks are not required to disclose details of the breach to the public, they are required to report it to regulators immediately. Customer protection provisions also ensure deposit protection to some extent.

In contrast, there is no regulatory oversight of the UIDAI which keeps it away from scrutiny, Gupta said. “There is an absence of a breach notification requirement under the Act,” he added.

Rahul Matthan, partner at law firm Trilegal said that all technological systems are likely to be breached at one point or the other and the Aadhaar Act has strong provisions against nefarious elements wronging the system.

“There is a clear violation of the law in this case no matter who has done it,” Matthan said, while adding that it is not clear where the violation has happened.

If a bank employee steals your money, there is nothing you can do since the bank expects all employees to behave properly. It’s the same thing here as all participants in the process are expected to keep information safe.
Rahul Matthan, Partner, Trilegal

Matthan said that storing of biometrics is wrong and illegal and the concern stems from the potentiality of people using this information left, right and centre.
He also added that protective provisions of the IT Act will apply to Aadhaar as well.

“Any data breach is required to be disclosed under the IT Act but whether that is followed or not is a separate question,” he said. Every authentication under the system is reported to the citizens through an SMS which is effectively informing them of unusual activity, he added.

However, there remains a loophole here for those who do not have their correct phone numbers updated in the Aadhaar system.
Gupta also said that even if one gets to know about their Aadhaar being misused, there is no guarantee under the Act that a redressal will be provided.

In chapter 7 of the Aadhaar regulations, there is a provision for a grievance redressal mechanism whereby a person can approach a call centre through phone or email which will provide residents with a tracking number till the matter is closed.
Gupta believes that this is not enough.

“Even the IT Act has the same absence of reporting principles as the Aadhaar Act so it is substantively insufficient,” he said. “There is no requirement for the call centre to give you a reasoned order like a public authority does. There is no specification to give you a reason if they don’t agree with you and why they can’t help you. The process doesn’t ensure that people’s dispute will be determined by the principles of natural justice.”

Additionally, Sunil Abraham, executive director of the Bangalore-based Centre for Internet and Society, told BloombergQuint that a privacy law was promised when the Aadhaar Act was being passed in the parliament. That never happened, so the system remains deficient on redressal.

I don’t think there is a data breach provision in the act. They said don’t worry, a privacy bill is coming which never happened. But whether we have privacy bill or not, as long as there is centralised biometric data, we are in constant danger.

Sunil Abraham, Executive Director, Centre for Internet and Society