The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. Its use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010, I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one? - Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win. - Mahatma Gandhi

In matters of conscience, the law of the majority has no place. - Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty - Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.” - A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholar Usha Ramanathan describes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens is with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of the internet and today’s technology and all the new privacy challenges that have arisen as a consequence. - Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant. - Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Sabha April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty” and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution.

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the #BreakAadhaarChains campaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uid and @rozi_roti.

UIDAI's security seems to be founded on four time tested pillars of security idiocy

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Monday, May 1, 2017

11202 - Project Aadhaar Is All About Compulsion, Not Consent: Usha Ramanathan - Bloomberg Quint

Project Aadhaar Is All About Compulsion, Not Consent: Usha Ramanathan

April 30, 2017, 9:48 pm

It can be unnerving when you’re supposed to give your biometric data and personal information to the State. It’s scarier when you’re not certain how secure your information really is in the world’s largest such database. More so, when the government could technically be allowed to sell your data to private companies.
None of this is far-fetched. In fact, one can argue that the last of the three scenarios is backed by law – the Aadhaar Act of 2016. Take, for instance, the government’s move to make Aadhaar mandatory to file tax returns. This was done by amendments to the Finance Act last month. When opposition parties questioned the Finance Minister in the lower house on whether the government was making a voluntary programme like Aadhaar mandatory, he replied, “Yes, we are.” If that’s not disconcerting enough, the Attorney General of India, while arguing in the Aadhaar case in 2015, had denied that Indians have a right to privacy under the Indian Constitution.
Usha Ramanathan, who has been tracking Aadhaar since 2009, has vehemently opposed some of its provisions surrounding privacy and security. An independent law researcher and an advocate at the Supreme Court, Ramanathan spoke to BloombergQuint about how private companies are using the Aadhaar database by “seeding”, and how she feels there’s very little that Indians can do about it.
BloombergQuint reached out to the UIDAI on email and by phone, but received no response to queries.
Edited excerpts of the conversation with Ramanathan...
How are commercial users/private companies linked to the Aadhaar interface?
There are many ways. One, as suppliers of various services to the UIDAI, including the hardware, the software, the programmes. The biometric providers who have to be pre-qualified. There is Section 57 of the Aadhaar Act 2016, which, among other things, makes it clear as the blue sky on a cloudless day that the Aadhaar Act could never have been a Money Bill. It allows private companies to use the UID database for ‘establishing the identity of an individual for any purpose’.
What has been challenged right from the start is the engagement of companies like L-1 Identity Solutions, MongoDB, Accenture, Ernst & Young and their respective roles in the project. A video put out by biometric solutions company Safran on its YouTube page encapsulates the access private players have to the database.
These are the people who are holding all our data. Sometimes, I wonder if it is because they already have the data with them that there is no known case of hacking or data breach from the UID database?
Also, do remember the companies who are with iSPIRT and are being asked to find a “WhatsApp moment” again by creating businesses and monopolies and winner-takes-all opportunities provided by the ID platform.

Former UIDAI Chairman Nandan M Nilekani speaks to a reporter. (Photographer: Amit Bhargava/Bloomberg News)
Then there is India Stack, with Nandan Nilekani as its mentor, ‘evangelising’ (their language) to the government what they want done with the UID database. And India Stack, which is quite literally intended to be just that – creating a stack of applications that will stack up data about all of us for their commercial use.
Why do you think the UIDAI can’t ensure that one’s personal data isn’t misused by these private companies?
There are all kinds of data exposures and blacklisting figures floating around. Various departments of the state and central governments have displayed full details in various databases on the web. Personal information about children, pensioners, PDS (public distribution system) beneficiaries, those on the drinking water and sanitation department’s list, and the list seems to be expanding real fast. Once it is out, there is no question of reining it in – whoever has downloaded it has it, that’s it. It is the UIDAI that, under the law, has to take action. Maybe they will, but these are government departments, so maybe they won’t. And anyway, the data has already been breached.
Now, in the middle of all these data leaks, the UIDAI keeps saying there is no problem with the data because their database is secure, and hasn’t been breached or hacked so far. Even if that is so, when will they start acknowledging that UID studded databases are a real risk? And that the UID project has spurred the idea of putting all manner of information on various databases. For instance, see what the Kerala leak produced.
In Parliament, the Minister said that more than 34,000 persons in the system have been blacklisted, like they did in the Dhoni episode. That’s a staggering number, but everyone seems sanguine about it. And here I am thinking, who got enrolled by them? Whose data did they collect? Why were they blacklisted? There is no requirement of a notice of breach that is to be given, so no one knows what all this means.
Seems this could be why they felt the need to deny the right to privacy for the people of this country. They knew they would be violating it in all these colourful ways.
What are your concerns with the procedure that a private operator, like a bank, follows to get empanelled on the eKYC API?
There is a 2016 Strategy Overview document that indicates how it can get empanelled. That is, by an MoU. It is a loose method, leaving a lot to the UIDAI. And since scalability is their priority, a lot of the reliance will be on encryption and access control and audits; only we will know nothing about it. It is amazing how non-transparent the UIDAI has become, especially since 2012. That was the last time they put out a report, even internally generated and without any names of authors (no scientific study is published without telling you who did the study). Since the biometric failures started, for instance, there has been no report.
Although the e-KYC process is based on a user’s consent, how does UIDAI ensure one’s personal data/biometrics are not misused by private operators?
What has happened so far suggests that they are trying to learn as they go along. So, when biometric recall got exposed, they filed an FIR against the whistleblower, and then said that the PoS (point of sale) devices will hereon be encrypted. When other problems get aired, presumably they will do something that will paper it over. I must confess that this is not very reassuring.
Consent, by the way, is the biggest sham in this project. It is the “mandatory-voluntary game” again. If the UID number has to be seeded everywhere, for any service or subsidy, what consent are we talking about? Compulsion is the only route, so I think we should stop pretending there is any choice and consent in this project.

The UIDAI has created a “seeding ecosystem”, which ostensibly adds one’s UID to the database of beneficiaries. Why do you view “seeding” as a concern?
Nowhere does the Aadhaar Act permit ‘seeding’ of the number. But, as we know, seeding is the main activity for every person in this country today; to get a UID number, and then put it into every database that we can find. Or else, it will find us. So, private companies too are allowed not just to authenticate, but also to retain our numbers.
In doing eKYC, the information on the UIDAI database is passed on to the entity requesting the information. All except core biometrics; which exception, I must confess, doesn’t mean much because the private entity can always take biometrics separately from that collected for authentication. There is no prohibition in law. More recently, I am told, not only demographic information but a copy of the letter/card is also sent to the private entity. It should worry us that we don’t even know what is being passed on from the database.

People wait in queue at an Aadhaar camp in Agra, India. (Source: Twitter/ @UIDAI)

In the contracts that were partially obtained through RTI, companies such as L-1 and MongoDB and Safran would have two-year contracts, but the contract would say that they can hold and deal with that data for a seven-year period. These contracts really need to be up for public scrutiny, and hiding behind commercial interest and confidentiality is a sign of how non-transparent this project is.
Generally, there is no time limit on how long companies can retain our data. Privacy is not a mere matter of gossip, you know, like it has been made out to be. There are principles of what data can be collected, its accuracy maintained, when it is to be destroyed. When anyone says we have no right to privacy, what they are saying is that they do not need to heed any of these principles.
How exactly can seeding become a problem for Indians?
Whole businesses are being set up only to do profiling of people using the UID database and exploiting the seeding of number to make it ubiquitous. So they get authentication services from UIDAI, look at public databases to see what stories they tell about the person, and when they transact with that data, there is little that the UIDAI is going to be able to do about it. From the way the law has been made, and given the involvement of private players like Mr Nilekani and others -- who left the UIDAI and now work with him -- and considering their control over what happens to the project, it seems improbable that law, policy or practice, will challenge what they do.
Based on your research, what kind of fees does the UIDAI charge private entities for the use of its data?
The fees haven’t been fixed as yet, from what I know, and the decision about scale of fees has been deferred to the end of 2017. When changes have to be made to the database, then there is a certain fee, something in the range of about Rs 15. But then, no one really knows. So, those managing the machines more or less decide. Ask people trying to enroll, and you will see that in many places enrollers charge people for enrollment. That is illegal. But, then, what about this project has followed the law?
What kind of grievance redressal mechanism does a citizen have in the event that his biometric data or Aadhaar number has been compromised? Is there any remedy (other than intimating the UIDAI) that a citizen can avail in such a case?
None that anyone knows of. The regulations should have set out the mechanism, but plainly nothing has been established. Which explains why those not receiving rations because their fingerprints do not work find themselves without recourse. It is significant that in a case in the Delhi High Court, it is the UIDAI and not the Food and Civil Supplies (Department) that files in court when the complaint is that people are being turned away without rations because their biometrics do not work. But, there is no grievance redressal for people getting excluded due to failing fingerprints.
The project has never admitted to its wrongs and failures. They claim all problems are just teething troubles and people shouldn’t complain but be patient, everything will be alright at the end. It is just a matter of faith at this time of technology, they say.