When I opposed Aadhaar in 2010, I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one? Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win. -Mahatma Gandhi

In matters of conscience, the law of the majority has no place. Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty -Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.” -A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholar Usha Ramanathan describes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence.
Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant. Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Sabha, April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty” and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” - Edward Snowden


Here is what the Parliament Standing Committee on Finance, which examined the draft NIA Bill, said.

1. There is no feasibility study of the project

2. The project was approved in haste

3. The system has far-reaching consequences for national security

4. The project is directionless with no clarity of purpose

5. It is built on unreliable and untested technology

6. The exercise becomes futile in case the project does not continue beyond the present number of 200 million enrolments

7. There is lack of coordination and difference of views between various departments and ministries of government on the project


What was said before the elections:

NPR & UID aiding Aliens – Narendra Modi

"I don't agree to Nandan Nilekani and his madcap (UID) scheme which he is trying to promote," Senior BJP Leader Yashwant Sinha, Sept 2012

"All we have to show for the hundreds of thousands of crore spent on Aadhar is a Congress ticket for Nilekani" Yashwant Sinha. (27/02/2014)

TV Mohandas Pai, former chief financial officer and head of human resources, tweeted: "selling his soul for power; made his money in the company wedded to meritocracy." Money Life Article

Nilekani’s reporting structure is unprecedented in history; he reports directly to the Prime Minister, thus bypassing all checks and balances in government - Home Minister Chidambaram

To refer to Aadhaar as an anti corruption tool despite overwhelming evidence to the contrary is mystifying. That it is now officially a Rs.50,000 Crores solution searching for an explanation is also without any doubt. -- Statement by Rajeev Chandrasekhar, MP & Member, Standing Committee on Finance

Finance minister P Chidambaram’s statement, in an exit interview to this newspaper, that Aadhaar needs to be re-thought completely is probably the last nail in its coffin. :-) Financial Express

The Rural Development Ministry headed by Jairam Ramesh created a roadblock and refused to make Aadhaar mandatory for making wage payment to people enrolled under the world’s largest social security scheme NREGA unless all residents are covered.

Thursday, April 13, 2017

11039 - Blundering along, dangerously - Frontline

Print edition : April 28, 2017



The Aadhaar project’s headlong push towards “total” enrolment of Indian citizens threatens the privacy of individuals on an unprecedented scale, while its patchy biometric system acts as a tool of denial for the most vulnerable. Meanwhile, the UID chugs along, regardless, fuelled by the avarice of private interests who seek to cash in on citizen data. 


In the last seven years, the right to privacy of Indian citizens has been downgraded in several crucial steps. It was argued that Google and Facebook had more information than any other database; and that the voter IDs in several States, with personally identifiable information, were publicly available.

Zealous advocates on a techno-utopian mission argued that the trifling matter of privacy would have to give way to the sheer convenience offered by technology. The argument went thus: it is only those who have something to hide who ask for privacy and, conversely, those who have nothing to hide ought not to worry about the loss of privacy.

In August 2015, all this was brought to a head when the government categorically told the court that was hearing the unique identification number (UID) cases that the people of this country simply did not have a right to privacy. Significantly, at the same time as the right to privacy was being denied, before another bench of the court, the government was asserting that the offence of defamation in Section 499 of the Indian Penal Code needed to remain on the statute book so as to enable the government to protect the right to privacy. Privacy advocates were disparaged as espousing elite interests, that the poor have no interest in privacy, but only in being able to get their entitlements.

The spate of notifications making it mandatory to “seed” the UID number in a bewildering multiplicity of databases has placed the privacy debate on a wholly different plane. Crucially, they have highlighted concerns that the privacy rights of the poor, far from being an esoteric matter, are literally a matter of life and death for a large section of the population. In the process, the poor, the disadvantaged and the weak are in danger of losing not only their legitimate entitlements but their very dignity.

In September 2010, 17 eminent citizens, including Justice V.R. Krishna Iyer, Prof. Romila Thapar, Prof. Upendra Baxi, administrator S.R. Sankaran, Justice A.P. Shah, film-maker Amar Kanwar, social activists Aruna Roy, Nikhil Dey and Deep Joshi, and advocate K.G. Kannabiran, issued a statement asking for the UID project not to forge ahead without a law, without a feasibility report, and without considering its implications for privacy (see full text of the statement on page 30). Bezwada Wilson, the national president of the Safai Karmachari Andolan, a signatory, explains that the identity project does not seem to understand the principles of identity; what those employed as manual scavengers want, he explains, is to bury their identity, not perpetuate it. The notification making it mandatory to seed the UID number as a prelude to the rehabilitation of a person engaged in manual scavenging is precisely the problem that Wilson has been battling in his opposition to the UID project.

Women rescued from prostitution, bonded labour, victims of the 1984 Bhopal gas disaster, persons who are HIV-positive and needing anti-retroviral therapy (ART), those building toilets with state assistance, persons with disabilities, and children in the mid-day meal scheme are all being compelled to affix their UID numbers to different databases. There is simply no question of consent. Neither is there a provision to opt out. The language of entitlements has been displaced by “benefits”, “subsidies” and “services” in the Aadhaar Act 2016. Notification after notification begins with the bland statement that seeding the UID number “simplifies governmental delivery processes, bringing in transparency and efficiency, and enables beneficiaries to get their entitlements directly in a convenient and seamless manner… obviating the need for producing multiple documents to prove one’s identity”.

With these notifications, the privacy debate has moved onto another level, indeed onto another terrain, where the dignity of a person and the heightened vulnerability of the individual are added to the concerns of convergence, profiling and surveillance. These notifications also make plain the privacy interests of the poor in relation to the UID project.

Private interests, public data

One of the provisions in the Aadhaar Act 2016 which makes it impossible to justify its passage as a Money Bill is Section 57. It permits the “use of the Aadhaar number for establishing the identity of an individual for any purpose, whether by the state or any body corporate or person...”.

Indeed, much before the UID acquired the protection and sanction of the law, the growing cacophony of private companies’ interest in the project was articulated openly by business interests. They enthusiastically welcomed the implementation of the project because the system could be used to “leverage” businesses. In fact, when the Aadhaar Bill was being debated in the Rajya Sabha, parliamentarians cited the instance of TrustID, which advertised itself as “India’s 1st Aadhaar-based mobile app to verify your maid, driver, electrician, tutor, tenant and everyone instantly”. This is a business model in which the UID authentication is used as the foundation on which profiles are built.

BetterPlace offers “multipoint verification and safety capabilities through a combination of sources—location-based data analytics, digital footprint of an individual and Aadhaar information”.

In February 2017, OnGrid caused outrage when it tweeted an image with the photograph of a young man across which read:
Aadhaar Number: 8625-xxxx-7706
Name: Kxxxxx Sxxxxx
Mobile: xxxxxxxxxx
DoB: xx xx 1986
Gender: x
Aadhaar address: xxxx
Current address: xxxx
Police verification: xxxx
On the screen was “indiastack.org/ekyc”.
The website carried the description, “Aadhaar-enabled Trust Bureau of India”. “OnGrid is a trust bureau that modernises verification and background checks in India by linking an individual’s data, documents and incidents to his/her 12-digit aadhaar number for a faster and cleaner access to true identity and background.”

BetterPlace advertises itself as “leveraging multiple data sources, including Aadhaar—the massive database of biometric and demographic data of the entire country. BetterPlace has in place and continues to create a unique profile of every citizen with accurate and comprehensive personal, professional and social information.”

Data gathering about individuals, and profiling, are the business model of these UID-based companies, even as data emerge as the new property.

A closed circuit of interests

In 2013, a grouping of technology entrepreneurs got together as iSpirt—Indian Software Product Industry Roundtable. Nandan Nilekani is their mentor. Two others who stepped down from the Unique Identification Authority of India (UIDAI)—Pramod Varma, who was Chief Technology Architect of Aadhaar, and Sanjay Jain, who was Chief Product Manager—are volunteers with iSpirt and work on creating India Stack, which is a stack of applications being built on the UID platform. Their paid employment is with Ek Step, a philanthropy established by Rohini and Nandan Nilekani. They work on the stack, and, as Nilekani says in his book Rebooting India, evangelise it to the government. Some of the components of the stack were created and adopted when Nilekani was still Chairperson of the UIDAI. In 2009, even before the first enrolment, the Aadhaar Auth API (Aadhaar Authentication Application Programming Interface) was launched. In 2011 the National Payments Corporation of India (NPCI) launched the Aadhaar Payments Bridge and Aadhaar Enabled Payments System. The “National” and “India” in NPCI are misleading; established in December 2008 with N.R. Narayana Murthy as its first Chairperson, it is a company registered under the Companies Act as a non-profit, and Nandan Nilekani and Pramod Varma are honorary consultants telling the NPCI how to adopt the UID number in its working. In 2012 eKYC was launched. Then a hiatus, after which in 2015, eSign. In 2016, the Unified Payments Interface (UPI) was launched, as was the DigiLocker.

A technology-based structure is being evangelised to the government which will give a leg-up to fintech companies. In the Credit Suisse India Financials Report 2016, Nilekani candidly sets out the ambitions: India will go from being a data poor country to becoming a data rich country in two to three years. “Digital footprints” will form part of this data. “And as data becomes the new currency, financial institutions will be willing to forgo transaction fees to get rich digital information on their customers.”

The “go cashless” brigade’s zeal, in much evidence after demonetisation, is not confined to the innocent dream of replacing cash with more modern payment systems. In reality, cashless is the next big pitch to convert personal data of the mass of Indian citizens into tangible—and profitable—business opportunities.

Bungling with biometrics

The use of fingerprint authentication has proved to be a major hurdle for large sections of people in accessing rations across the country. In Rajasthan, for instance, government records show that up to 30 per cent of the households have not been able to avail themselves of rations using their fingerprints to authenticate. That means that in these households, nobody had fingerprints that work; in the rest, there is at least one person whose fingerprints work. Since 2011, reports from various parts of the country, including Andhra Pradesh, Karnataka and Jharkhand, have confirmed this phenomenon of mass-scale denial. Connectivity problems and quality of PoS (point of sale) devices add to the travails of the poor in a system that appears to be geared to deny what is their due. The Wattal Committee (December 2016) recognises the latter two, but makes no mention of biometric failure rates, when it asks that eKYC in the digital economy should not be made to work with biometrics. Instead, it suggests that the two-factor authentication could be a One Time Password (OTP) that is sent to a registered mobile number or email address.

In a case that the UIDAI has been fighting with the Central Bureau of Investigation since 2013, the CBI asked for the biometric database of all persons enrolled in Goa, and later narrowed its request to running sets of fingerprints across the UID database in connection with the investigation relating to the rape of a seven-year-old child in a school toilet. The UIDAI refused on grounds of protecting privacy and because the database is incapable of being used for forensics. Initially, in March 2014, the Supreme Court ordered that biometrics were not to be used except with the consent of the individual; but, in August 2015 the court changed its order, making an exception when a court directs that it be used in the course of a criminal investigation.

Around then, the UBCC was introduced to the UIDAI website. That is, the UIDAI Biometric Centre of Competence. The “mission” of the UBCC was “to design (a) biometrics system that enables India to achieve uniqueness in the national registry. The endeavour of designing such a system is an ongoing quest to innovate biometrics technology appropriate for the Indian conditions.” The way they saw it, the “nature and diversity of India’s working population adds another challenge to achieving uniqueness through biometric features”. It is therefore no surprise that fingerprints do not work in rural areas, or for the working classes.

In this context, the 2016 version of the “Strategy Overview” paper says: “Fingerprint: This is the most commonly used biometric attribute across the world but the large variation of quality of fingerprint in India may pose challenge to implementation of a reliable solution.”

In December 2016, Hussain Dalwai asked an unstarred question in Parliament: “ (a) Whether it is a fact that UIDAI has set up a Unique Biometric Competency Centre (UBCC); (b) if so, whether UBCC has been established to address the biometric challenges faced by UIDAI, if so, what are these challenges.” P.P. Chaudhary, Minister of State for Electronics and Information Technology, responded with: “(a): No, Sir.” And, “(b): Does not arise.”
Why was the Minister denying its existence? What happened to the UBCC?

The Aadhaar Act 2016 now protects the biometric database from scrutiny. It is not accessible where there are national security demands, or where a court orders it, and even the person whose biometrics are stored cannot view it—in the interests of protecting our privacy!

Insecurities in the UID system

Two recent episodes have exposed the insecurities in the use of biometrics in the UID system.
In February 2017, the UIDAI lodged a first information report (FIR) with the Delhi Police Cyber Cell against Axis Bank, which has partnered in the UID project from early on; Suvidhaa Infoserve, the bank’s business correspondent; and eMudhra, the eSign provider. The UIDAI complained that the three entities had illegally stored biometric data and performed unauthorised Aadhaar authentication. They were accused of performing repeated transactions through “replay” of biometrics that had been stored on their devices, which amounts to attempting unauthorised authentication and impersonation by illegally accessing stored UID data. The UIDAI noticed the infraction when, between July 14, 2016, and February 19, 2017, it was observed that 397 biometric transactions had been performed by one individual. It is reported that 194 of these transactions were performed through Axis Bank, 112 through eMudhra and 91 through Suvidhaa Infoserve. The three parties explained that this occurred when the system was being tested and that no actual transactions had taken place. Axis Bank has said that while there have been no breaches, they had suspended the services of Suvidhaa Infoserve.

Sameer Kochhar, an entrepreneur, publishes a magazine, Inclusion. On February 11, 2017, he published an article titled “Is a deep state at work to steal digital India?” A video accompanied the article, which showed how stored biometrics could be used to “replay” transactions much in the same manner as they did in the Axis Bank episode. The immediate reaction from the UIDAI was denial. Ajay Bhushan Pandey, the UIDAI’s CEO, tweeted, “Video is fake. No evidence of connection with Aadhaar server.” An FIR was lodged against Kochhar for making a false claim. In turn, Kochhar tweeted a letter from the UIDAI to a registered authentication user agency about multiple concurrent transactions on one date, January 11, using stored biometrics. The letter also referred to a “licence key” that had been illegally used by a firm to perform an eKYC function.

In a recent interview to CNBC-TV18, Pandey asserted that there was “not a single case of data leak from the UIDAI, data breach from UIDAI, not a single case of identity theft or financial loss has been reported to us”. He then went on to explain: “There are two parts of this whole problem. One is, as you know, the database which is inside the UIDAI and as I mentioned, no breach has happened and we are quite vigilant about it, because we can never say that we are 100 per cent and absolutely secure. In the security world, there is nothing called fully secure and absolute security.”

In another incident, a reporter with CNN News 18, along with a cameraperson, enrolled in two different enrolment stations, using two different names, Debayan Roy and Raj Kishore Roy, demonstrating the porosity of the enrolment process. The episode was telecast. There was little doubt that the purpose of the exercise was not to cheat the system but to expose its weaknesses. The UIDAI filed an FIR against the reporter for impersonation and fabrication of documents. The two enrolments would have been detected during de-duplication and it is not that he would have got two UID numbers; nor was the operation secret and hidden, it was telecast. In 2014, Cobrapost had done an exercise which too demonstrated the ease with which anyone could enrol, with no documents and at a price.

In January 2012, the Home Ministry had threatened to withdraw from the UID process, citing as a reason the manner of enrolment. That, within three weeks, the Prime Minister had produced a compromise where the UIDAI shared enrolment 50:50 with the National Population Register being prepared by the Registrar General of India is one of the unanswered mysteries surrounding this project. The Intelligence Bureau too had complained in 2012. So, this is not the first time these questions have been raised. It is, however, the first time it has gone public since the Aadhaar Act 2016 was passed. This manner of use of the Act could have a chilling effect on those who see flaws in the system and who may refrain from letting the public know what they learn. Given that the UID number is being seeded, and used, in multiple sensitive places, including in financial transactions, this enforced silence could end up costing us very dearly.

Usha Ramanathan works on the jurisprudence of law, poverty and rights.