The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. It’s use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010 , I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one ? Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win.-Mahatma Gandhi

In matters of conscience, the law of the majority has no place.Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not a guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty -Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.”-A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholarUsha Ramanathandescribes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence.Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant.Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Saba April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty”and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the#BreakAadhaarChainscampaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uidand@rozi_roti.

UIDAI's security seems to be founded on four time tested pillars of security idiocy

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Tuesday, April 18, 2017

11066 - How to fix Aadhaar: Destroy the database, issue a smartcard and make linking to services optional - First Post

By Aditya Madanapalle /  17 Apr 2017 , 10:21

So far, various people and agencies associated with Aadhaar have repeatedly proclaimed that the Aadhaar database is adequately secured. The list includes the Unique Identity Authority of India (UIDAI), UIDAI CEO Ajay Bhushan Panday, the Minister of State for Electronics and IT PP Chaudhary and IT Minister Ravi Shankar Prasad, who did it twice. The statements were in response to reports of various breaches and leaks in the wider Aadhaar ecosystem, but not in the Aadhaar database itself.
Arun Jaitley responded to concerns of data breaches in the Rajya Sabha, by saying “If firewalls can be broken, and hacking can be done, it will be done whether Aadhaar is there or not. Don’t say it is due to Aadhaar.”
Jaitley is missing the point, however. It is difficult to hack a database that does not exist.
The very existence of an Aadhaar biometric database makes it a high value target. Harsh laws can apply to Indian citizens, but it is difficult to bring to task state-sponsored foreign hackers.
Destroy the Aadhaar Database
Any database of the intimate details of the bodies of people is something that unnecessarily exposes the people to risk. The Aadhaar database can be repurposed for other uses, just because the database is there. Swarna Subba Rao, Surveyor General of India, while launching the Nakshe mapping service said, “We wanted to make passport mandatory for this service, but then not all people have passports, so we have made Aadhaar mandatory for people.”

This is despite the fact that the Aadhaar Act clearly states that “The Aadhaar number or the authentication thereof shall not, by itself, confer any right of, or be proof of, citizenship or domicile in respect of an Aadhaar number holder.”
A more insidious use for the service took place when the UIDAI itself asked the SC to not use Aadhaar for criminal investigations. The Goa Police, however, were handed over the biometric details of citizens, even though Aadhaar was not meant for that purpose.
The problem is that no biometric authentication system in the world is a hundred percent accurate. When finding a match with the Aadhaar database, the UIDAI itself claims a false positive rate of 0.057 percent. In the population the size of India, this marginal failure rate, as well as the false positive rate, can disproportionately affect lakhs of people if Aadhaar is not used for what it was built for, and the reason that the people of India have trusted the government with their biometric information.
Rajesh Bansal, senior advisor at Bankable Frontier Associates and former assistant director general at UIDAI has indicated that the fingerprints are themselves not stored on the server used for Aadhaar authentication, instead the database only stores the templates of the fingerprints needed for verification.
“We have various levels of firewalls and end to end encryption mechanisms to ensure that only authorised entities have access to the Aadhaar database. Also, fingerprints are never stored on the servers, only the templates are stored. Till now, there hasn’t been a single case of any compromise on our data” Bansal has said.

Image: Reuters
A biometric database is a civil rights issue, which is why developed countries such as the United States, the United Kingdom, Canada, France and Australia have resisted the creation of biometric databases for national identity schemes. In fact, a biometric database that was being maintained for five years was destroyed in the United Kingdom over concerns of privacy, and to “to scale back the power of the state and restore civil liberties.” Most of the goals of the UIDAI can be achieved without the need for a biometric database.
A biometric database gives the government too much unnecessary power over its citizens and the government is unnecessarily involved in the daily lives of the people. The PAN card, filing Income Tax returns, having a driving license, registering a vehicle, owning a SIM card and booking railway tickets are all in some way or other being linked to the Aadhaar database. The government can authenticate and verify identity without the need for having a biometric database. The Electronic Frontier Foundation recommends protests against any government that chooses to implement a national biometric database.
Experts in cybersecurity believe that the Aadhaar ecosystem needs to be secured better. The UIDAI and the authorities are repeatedly dodging the question of the security of the Aadhaar ecosystem by pointing out the flawless record of the Aadhaar database. The question of security is being addressed with more or less the same response, but the question of Privacy is also getting increasingly urgent. The situation is made worse by the lack of any dedicated laws on data security and privacy in India.
Issue an actual smartcard
One of the problems with Aadhaar is that it is not an actual smartcard. A hacked smartcard can be replaced with a new one, but biometrics cannot be replaced. Once they are hacked, people cannot regrow their fingers or replace their eyeballs. Even though Aadhaar is being mandatory for a number of reasons, it is not practically of any real use.

Getty Images
It cannot be used as a proof of identity or citizenship, according to the Aadhaar act. However, it is still used for banking services and for getting a passport. This begs the question: Why not use it as an identity proof?
There is no reason why a smart Aadhaar card cannot be used as a proof of identity or citizenship. If Aadhaar is linked to the PAN card, the bank accounts, the driving license, the passport and other documents, there is no reason why Aadhaar cannot be used instead of all these plastic cards.
The Aadhaar system exists in the air right now, without any physical presence or control in the hand of the users. Some may be fooled into thinking that as long as one is in possession of one’s own fingers, it cannot be hacked. This is, however, not necessarily true. Hacking fingerprints is surprisingly easy and low tech, and can even be achieved with just a candlestick.
In fact, if the merchant is unscrupulous, handing over your biometric information to pay for groceries is as much as a security risk as handing over the merchant your banking password. If a smartcard is used to authenticate transactions, there is that much less of a security risk, as in case of theft or loss, the smartcard can simply be replaced with a new one.

Would you tell a shopkeeper your debit card's PIN? No. Then why share your fingerprint? A fingerprint is like an unchangeable PIN. #Aadhaar

The Aadhaar card stands to benefit the citizens of the nation in a much better way if it is actually implemented as a smart card. This thought is such a natural progression over the very idea of a nationalised identity system, that the government has actually asked its users to not fall for Aadhaar “Smart Card” scams, where the Aadhaar details were being printing on plastic cards.
Make linking to services optional
The Aadhaar system, if implemented correctly, can actually make life easier for the citizens. One of the important aspects about this is giving the choice to the user, instead of making it increasingly difficult for users to choose not to get an Aadhaar card.

Giving a deadline for integration with third party services, puts unnecessary pressure on the citizens to get an Aadhaar card. Caregivers of the mentally ill, senior citizens and the differently abled are disproportionately affected by harsh deadlines. Aadhaar was initially introduced as an optional program, but it has been increasingly integrated into the daily lives of people.
Just as the UIDAI dodges questions on the security of the Aadhaar ecosystem by pointing out that the Aadhaar database is adequately secured, the UIDAI blames third parties for any issues that pop up with linked services. For example, if users have a problem with the Aadhaar number being linked to the Pan card, the blame for setting a harsh deadline goes to the Income Tax department, and not UIDAI.
Another major concern was the linking of Aadhaar for the distribution of benefits. Here, Aadhaar has shown its usefulness. Implementation of Aadhaar has saved the government Rs 36,144 crore over a period of just two years. In one smooth operation, over one million farmers in Karnataka received benefits, through direct dispersal.
However, the Supreme Court has ruled that those without an Aadhaar card should not be deprived of benefits. The government subsidies and benefits continued to be distributed even for those without an Aadhaar card, but there is a caveat. The actual implementation on the ground is a Hobson’s choice — you can either have an Aadhaar card or be in the process of getting one. In the same ruling, the SC said that the government cannot be stopped from using Aadhaar for authentication purposes, such as in the filing of income tax returns.
If there is no biometric database, the Government can take a number of approaches for a national identity program, without making it a civil rights concern. Giving the citizens granular control on what services they use Aadhaar for gives them the convenience of a digital identity, and at the same time takes away unnecessary power from the hands of the government.
Publish date: April 17, 2017 10:21 am| Modified date: April 17, 2017 10:21 am