The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. Its use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010, I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one? -Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win. -Mahatma Gandhi

In matters of conscience, the law of the majority has no place. -Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty -Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.”-A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholar Usha Ramanathan describes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence. -Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant. -Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Sabha April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty” and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the #BreakAadhaarChains campaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uid and @rozi_roti.

UIDAI's security seems to be founded on four time tested pillars of security idiocy

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Sunday, April 9, 2017

11008 - #DestroyTheAadhaar or Reform the Aadhaar? - The Wire

Focusing solely on getting rid of Aadhaar, or destroying it, is a waste of gunpowder. The underlying issues of online privacy and civil liberties will still remain.

A broader fight for privacy and against surveillance is necessary. Credit: Reuters

Activity around Aadhaar, the unique ID program launched by the Indian government in 2009, has reached a fever pitch. It appears as if every other day, another government ministry adds yet another scheme to the list that requires the ID. At the same time, just as many new critics come forth to decry how the Aadhaar is becoming a tool for state control and surveillance.

Opponents of the Aadhaar project are correct that there are multiple concerns around privacy, but by villainising the initiative they are losing an opportunity to address deeper democratic concerns that this program raises. Instead of calling for a total shutdown of Aadhaar, critics ought to call for new laws and reforms to protect privacy and prevent abuses in general, beyond any single program such as Aadhaar.

Opponents express concern that Aadhaar is a means to institute mass surveillance. One refrain on Twitter has been, “Repeat after me: Aadhaar is surveillance technology masquerading as secure authentication technology.” Aadhaar critics seem particularly concerned about additional biometric information (biometrics), the facial image, complete set of fingerprints and iris scans of both eyes, which are collected during the application process. Most discussions of biometrics seem to focus on the fingerprints and iris scans and not on the facial photo that is also collected. Opponents claim that biometrics form the basis for a clandestine surveillance state. However, while biometrics pose a real and dangerous concern when it comes to identity theft (and worrying consequences for authentication), they are unlikely to be used for clandestine surveillance.

Marginal utility for surveillance
Governments already have tremendous surveillance tools without the use of fingerprints and iris scans. Technologically, using fingerprints or iris scans for clandestine mass surveillance would be highly impractical. Depending on the locations where the government would want to track the physical presence of people, it would need to set up biometric sensors to cover all physical spaces in the country. These sensors, essentially cameras, would need to capture a high-resolution image of every person’s fingers or eyes. And since people would most likely be moving about in a crowd, these cameras would need to be of fixed focus and fixed angle. It would take several cameras in a location in order to catch a direct image of fingers or eyes. It would be far easier to use facial recognition technology, which is approaching near total accuracy, with far less stringent constraints. On the other hand, the day that everyone is required to stare directly into a camera or give a finger impression at every site, it will be open and clear that there is an open, not clandestine, surveillance state.

The marginal necessity of Aadhaar for surveillance holds true for online activities and consumption behaviours as well. Online, the government can monitor traffic by capturing data traffic at the Internet service provider level or at interconnection exchanges, those communication hubs where the networks of different providers, such as Airtel and Vodafone, connect to each other. When it comes to consumer behaviour the government can use credit card and online wallet transaction data to see where a person is spending their money without going to all this effort of assigning 1.3 billion IDs. In India a person must furnish ID proof to purchase even a prepaid SIM card, which is already the basis for a comprehensive surveillance system, since mobile phones are constantly giving out their present location. So many commercial activities are also linked to mobile phones, from digital wallet payments and bank transactions to ordering pizza, that the phone number can serve just as well as any unique ID.

Furthermore, Aadhaar cannot penetrate where standard surveillance cannot see. When one shops on Amazon or Flipkart or transfers money through online banking, the communications between the browser or app and the remote site are encrypted. This means that while the government can tell that a person visited the site, it cannot know what they bought or watched, unless the vendor hands that information over. The presence of Aadhaar does not alter this basic equation unless the communications are not encrypted to begin with.

Private sector privacy
On the other hand, the ‘anti-surveillance, therefore anti-Aadhaar’ argument does little to address the concerns posed by private companies. Ironically, most websites that publish articles against Aadhaar host several trackers that collect identifying information on visitors.

Researchers have shown that people inadvertently reveal a great deal about themselves online through the use of private services. It is possible to tell a person’s sexual orientation, religion and political preferences from their social circles. An Amnesty research article says it is even possible to tell a person’s religion from what they listen to on Spotify. Much of this information is collected by third parties, known as data brokers, and sold.

The government too can purchase this information. So, for example, it doesn’t need Aadhaar to tell who belongs to which religious minority, it can just buy that information.

Recently a British company launched an app that lets a person take a picture of any random stranger and the app would pull up the stranger’s Facebook page if it found a match with their Facebook profile picture. The app creator may have been violating Facebook’s terms of use but it seems unlikely that any laws were broken. It is not even clear that there is a privacy breach since people voluntarily upload their images to Facebook, and they ought to know that those images are available to everyone. It wouldn’t take much for a private group to build an app that let them identify people on the street and get their political affiliation, perhaps to intimidate them from voting at election time.

Situations such as this require public debate and legal clarity on what information can be collected and distributed and under what circumstances. Strong laws and vigorous enforcement on what kinds of data are collected, purpose for collection and how they are shared would go much further to prevent tragedy than destroying the Aadhaar.

Some Aadhaar opponents make the argument that Aadhaar makes linking databases together much easier. This is true but any government that is seriously in the surveillance game will not be deterred by the lack of a common ID. There is nothing complicated about linking databases together. All it takes is some common information that ideally also uniquely identifies the records in each database. For years now the government has used name, father’s name and date of birth, but other keys could be mobile numbers, election/ration/PAN card, drivers license or passport. Each new form of identity or service requires a pre-existing one, which is how databases can be daisy-chained. Of course, verification methods are imperfect and some people register themselves multiple times in the same ID database, but that is a minor problem.

Going back to another US example, in November 2002 the New York Times reported on a Department of Defense project called Total Information Awareness that would attempt to gather as much information as possible on potential threats. “If deployed, civil libertarians argue, the computer system would rapidly bring a surveillance state,” the article said. “The system would permit a team of intelligence analysts to gather and view information from databases, pursue links between individuals and groups, respond to automatic alerts, and share information efficiently, all from their individual computers.” After public outcry the US Congress decided that this system posed too much of a threat to American citizens’ civil liberties and cancelled the program.

The plans for TIA did not include a unique ID assigned to every citizen, indeed it was primarily to target non-citizens. This should dispel the idea that the ID is the linchpin to a surveillance system.

India has its own version of TIA, called Natgrid. Even if the Aadhaar identification project was shut down, it is likely that Natgrid would continue. As this Hindu editorial points out, such a system requires additional protections against government abuse. Another program called Centralised Monitoring System (CMS) is designed to allow the government to listen in on any phone call. The capability to eavesdrop exists with or without the Aadhaar ID.

Legislation is imperative
The ruling majority has so far shunned all calls for a privacy law and the government’s attorney general has argued in the Supreme Court that there is no constitutional right to privacy in India. That needs to change. A full discussion of what constitutes electronic privacy is beyond the scope here, but, in brief, people should be able to use the Internet without intermediaries such as ISPs collecting data on their activities and without remote servers collecting more data than is needed to provide the service. The flow of data between a user’s computer and the other endpoint should be encrypted to prevent third parties, such as governments or cyberspies, from knowing what is being communicated. The government’s authority to collect data also needs to be circumscribed.

Since service providers on the Internet – such as Internet service providers, e-commerce sites, content providers and financial institutions – often legitimately end up collecting detailed information on their visitors, they need to make every effort to protect that information. This can be better achieved by making data security a core function of the company with board-level oversight and responsibility. For example, in recent years Yahoo has suffered multiple data breaches which might have been avoided if the recommendations of the technology department had not been ignored in favour of marketing objectives. Similar high-level responsibility needs to be assigned for government systems as well. Not only do governments owe it to their citizens to protect their data, but even non-classified information can be a matter of national security. If governments inadvertently leak personal information about citizens that is then used against them for fraud, the entire nation suffers.

When breaches do occur, they need to be disclosed and those who are affected need to be informed. Some people may individually make decisions on how to respond, but in other cases security experts can provide guidance to the public, but only if they know what kind of breach occurred and the extent of the damage. For example, if a compromised website was storing user passwords in plain text then everyone affected would need to change their password. On the other hand, if the passwords were stored in encrypted format, then individuals could decide based on whether they had used a unique password for the site or it was a password shared across sites. 

For this to happen the law must mandate timely and useful disclosure of breaches. Otherwise, fearing a loss of market share or image, too often compromised sites cover up breaches in the hope that they will go undetected.

Finally the government needs to ramp up its ability to investigate cyber crimes, system breaches and bot attacks in order to trace the guilty parties, not just within the country but across borders. That also involves improving working ties and creating networks with law enforcement agencies in other countries. Some of this is already happening but time is of the essence to come fully up to speed.

Aadhaar has brought privacy concerns into focus and leaders across the political spectrum are paying attention. However, focusing on getting rid of Aadhaar, or destroying it, is a waste of gunpowder. The underlying issues of online privacy and civil liberties will still remain. Rather than trying to stop the government from implementing Aadhaar, all stakeholders ought to press for increased privacy protections, board-level responsibility for online data security, breach disclosure laws and strengthening of enforcement of cybercrime laws, due process and civil liberties.

Otherwise, even if the battle against Aadhaar is won and the system is scrapped, the war against surveillance would remain, but it may be hard to mobilise the public again.

Sushil Kambampati (@SKisContent) is the founder of YouRTI.in, where anyone can suggest an RTI query simply and anonymously. He writes about online security and privacy.