The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. Its use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010, I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one? - Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win. - Mahatma Gandhi

In matters of conscience, the law of the majority has no place. - Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty. - Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.” - A three-judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholar Usha Ramanathan describes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence. - Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant. - Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Sabha April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty” and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution.

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the #BreakAadhaarChains campaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uid and @rozi_roti.

UIDAI's security seems to be founded on four time tested pillars of security idiocy

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Tuesday, April 4, 2017

10945 - Four Reasons You Should Worry About Aadhaar’s Use of Biometrics - The Wire

Four Reasons You Should Worry About Aadhaar’s Use of Biometrics

Aadhaar is premised on the infallibility and security of an individual’s biometric data – her fingerprints and iris scans. But this is just a myth.

Unlike passwords and credit card information, once a person’s biometric information is compromised, it can never be replaced. Credit: Flickr/cafecredit.com CC 2.0

The opposition to Aadhaar mostly centres on the issues of surveillance and privacy. While these are very important issues, the lofty platform on which Aadhaar stands rests on the myth that biometric-based identity is infallible, robust and safe. None of this is true, which brings into question the very utility of Aadhaar, as well as the unforeseen complications it may cause.

Need to update biometric information throughout lifetime
This is enshrined in sections 6 and 31(2) of the Aadhaar Act:

Five points are immediately apparent:
  1. This flies in the face of UIDAI’s repeated advertisements that Aadhaar enrolment is a “one-time” affair. It is not and will never be.
  2. This recognises the fact that biometrics is a changeable entity. Some of the obviously imaginable reasons are ageing, manual labour, injury, illness, etc. But is there a way whereby a person can look in the mirror or look at his fingers and estimate that he is due for update? There is no objective means to comply with the aforementioned sections.
  3. Since the promise of Aadhaar as a unique identity hinges on the uniqueness of biometrics, it would be logical to assume that any update to biometric data should go through the same rigour as a new enrolment. Regulation 19(a) under Chapter IV of the Aadhaar (Enrolment and Update) Regulations, 2016 is pretty clueless here:
  4. What biometric authentication, when the purpose is to update the biometrics? Is there implied expectation that the person is supposed to revisit the enrolment centre before all ten fingers and two irises go out of range?
  5. The conditionality imposed here is without precedent or law, not even for the worst convicts. Aside from the ethical question, it is potentially a perpetual source of harassment, with no clearly defined solution.
  6. Periodic update of biometrics has already been institutionalized for the poorer sections of our society through such things as mandatory Aadhaar authentication for PDS rations. The other India can be easily netted by such things as mandatory eKYC for mobile SIMs from time to time.

No access to biometric records in the database
Section 28(5) of the Aadhaar Act disallows an individual access to the biometric information that forms the core of his unique ID. There are four problems with this.

  1. This leaves no room to verify whether the biometrics have been recorded correctly or not in the first place, when that same information forms the basis of identity.
  2. This leaves open the possibility of fraudulently replacing a person’s biometric identity. Even the enrolment operator (with a software hack) could upload someone else’s biometrics against another person.
  3. This is totally unlike other identity documents (like say passport), where all information necessary to serve as proof of identity is printed on the document itself. It serves as receipt for the information supplied and is in the custody of the individual to whom it matters.
  4. As there is no access to the biometrics in the database, there is technically no means to ascertain beforehand whether one or more of the biometrics is due for update. The only way to guess is after facing an authentication failure on the field.

Uncertainty of biometric authentication
Under various sections of the Aadhaar Act (sections 4(3), 7, 8 and 57), an individual may be required to undergo biometric authentication as proof of identity. This is problematic for several reasons.
  1. Biometric authentication is essentially a method of image recognition (or pattern matching) and always results in a probabilistic score, rather than a clear match/mismatch. This has been clearly revealed in the security breach case involving Axis Bank, Suvidhaa Infoserve and eMudhra. The source of UIDAI’s suspicion was that several authentication requests yielded the exact same score, which could not be possible if live fingerprints were used.
  2. Variability of the matching score is influenced by a variety of reasons, like the way the fingerprint/iris image is captured, different makes of biometric devices and above all, ageing and resultant changes to the human body. Biometric authentication can thus never serve as a fail-safe proof of identity. It must always be supplemented by an alternative proof, which then defeats the very purpose of biometric identity.
  3. The entire burden of uncertainty is borne by the individual. If authentication fails on all counts, the only recourse available is to update the biometrics in the database, which is again governed by ambiguous regulations (see part 1).
  4. Large scale authentication failures are already a reality across states where Aadhaar authentication has been made mandatory for welfare programmes like PDS and pensions.
  5. Authentication using mobile OTP is sometimes advertised as a fallback option to biometric authentication. This is a complete antithesis to biometric identity, as it essentially considers a person’s mobile number to be his unique ID.
  6. Mobile OTP in the context of banking transactions is totally different, as it is used as an additional layer of security over and above PIN/password. Here it is being served as an alternative to biometric authentication, which effectively leaves mobile OTP as the only layer of security.
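
The score-based matching and the identical-score signal described in item 1 above, as an added example that is not part of the original article: a threshold decision over match scores, plus a check that flags a score recurring exactly for the same person. The record layout, the 0-100 score scale, the threshold and every sample value are constructed assumptions, not UIDAI's actual format.

```python
from collections import defaultdict

# Constructed sample log: (request_id, subject_id, match_score).
# Layout, 0-100 score scale and threshold are assumptions for illustration.
SAMPLE_LOG = [
    ("r1", "subj-A", 81.37),   # live captures: score drifts between attempts
    ("r2", "subj-A", 78.92),
    ("r3", "subj-A", 83.01),
    ("r4", "subj-B", 64.105),  # same score three times in a row
    ("r5", "subj-B", 64.105),
    ("r6", "subj-B", 64.105),
    ("r7", "subj-C", 58.40),   # genuine user just under the threshold
]
ACCEPT_THRESHOLD = 60.0  # assumed policy cut-off


def decide(score, threshold=ACCEPT_THRESHOLD):
    """A matcher returns a similarity score; accept/reject is a policy cut-off."""
    return score >= threshold


def rejected_requests(log, threshold=ACCEPT_THRESHOLD):
    """Request ids that fall below the threshold (possible false rejects)."""
    return [rid for rid, _subject, score in log if not decide(score, threshold)]


def flag_repeated_scores(log, min_repeats=2):
    """Map subject -> {score: [request ids]} where a score recurs exactly."""
    seen = defaultdict(lambda: defaultdict(list))
    for rid, subject, score in log:
        seen[subject][score].append(rid)
    flagged = {}
    for subject, by_score in seen.items():
        repeats = {s: ids for s, ids in by_score.items() if len(ids) >= min_repeats}
        if repeats:
            flagged[subject] = repeats
    return flagged


if __name__ == "__main__":
    print("rejected:", rejected_requests(SAMPLE_LOG))
    print("flagged :", flag_repeated_scores(SAMPLE_LOG))
```

Raising the threshold rejects more genuine attempts and lowering it accepts more impostors, which is why the burden of a borderline score falls on the individual as item 3 says.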

Risk of identity theft
Use of biometric authentication as a means of identity presents a persistent and immitigable risk of identity theft. The UIDAI’s defence is on three counts: one, the database is sufficiently encrypted and protected against breaches; two, biometric collection at the authentication end is encrypted (either in software or in hardware); three, there are penal provisions in the Aadhaar Act to deter any unauthorised access. But the technology behind Aadhaar is such that none of these measures is of any worth. Just consider the following:
  1. To commit an Aadhaar-enabled fraud, it is sufficient to fake the biometric authentication, so the security of the database itself is not a factor to consider at all.
  2. At the authentication end, no matter where the biometric image is encrypted, it is always possible to tap the raw signal just prior to that, using a software or hardware hack as may be needed. It is thus easily possible to both skim the biometrics of an unsuspecting user, as also supplant a previously copied image.
  3. If the UIDAI’s defence against copied biometrics is to flag exact matching scores through successive authentication attempts, it can be easily fooled by adding a small randomization to the sample each time.
  4. Biometric authentication can even be faked externally, without any software or hardware hack. Fingerprints can be copied from a variety of surfaces (even from the surface of the scanner device itself) and used to create a dummy finger. Similarly, iris image could be skimmed from photographs and supplanted on an artificial eye-like object. It should always be remembered that at the other end is a machine, so a few rounds of trial and error are all that would be needed to perfect the fraud.
  5. Through all the above, the only assurance that biometrics are captured from a live individual is the honesty of the operator, which is no improvement from the situation without Aadhaar.
  6. What makes biometric authentication particularly risky is that biometric identity once breached is unusable for life. Penal provisions to punish anyone are immaterial here. Contrast this with regular authentication systems based on password or PIN. They could be changed as a regular practice, or at least upon knowledge of breach.
  7. The potential gains from Aadhaar related fraud are huge, so we should expect people to invest their time, effort and money to stay ahead of the system.

L. Viswanath is an engineering professional working in Bengaluru. He blogs at bulletman.wordpress.com.