The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. It’s use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010 , I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one ? Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win.-Mahatma Gandhi

In matters of conscience, the law of the majority has no place.Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not a guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty -Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.”-A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholarUsha Ramanathandescribes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence.Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant.Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Saba April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty”and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the#BreakAadhaarChainscampaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uidand@rozi_roti.

UIDAI's security seems to be founded on four time tested pillars of security idiocy

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Sunday, May 21, 2017

11442 - Will Aadhaar leaks be used as an excuse to shut out scrutiny of welfare schemes? - Scroll.In

Will Aadhaar leaks be used as an excuse to shut out scrutiny of welfare schemes?
Aadhaar data of all 23 crore beneficiaries of Direct Benefit Transfer schemes could be publicly available, says a report by Centre for Internet and Society.

Published 13 hours ago.  

                                   Noah Seelam/AFP

In the past three months, there have been several reports about caches of Aadhaar data being publicly displayed on government websites across the country.

Personal information associated with the biometric-based 12-digit unique identification number, which the government wants every Indian resident to have, is mandated to be confidential under the Aadhaar Act, 2016.

But exactly how much Aadhaar data has been compromised by negligent government departments?

On May 2, researchers at the non-profit Centre for Internet and Society released a comprehensive report on the extent of the data breaches. They documented four government portals using Aadhaar for making payments and found that sensitive personal and financial information of nearly 13 crore people was being displayed on them, including details of about 10 crore bank accounts.

Two of the portals, for the Mahatma Gandhi National Rural Employment Guarantee Act and the National Social Assistance Programme, belong to the Union rural development ministry. The others are run by the Andhra Pradesh government for the workers’ insurance scheme Chandranna Bima and for filing Daily Online Payment Reports of MNREGA.

The researchers estimated that Aadhaar data of all 23 crore beneficiaries of the central government’s various Direct Benefit Transfer schemes could be publicly available. This means nearly a fifth of India’s population is potentially exposed to irreversible privacy harm, and financial and identity fraud.

The Unique Identification Authority of India, the agency which manages the Aadhaar database, had denied any breach of confidential data on May 3. But two weeks later, on May 17, the UIDAI wrote to the Centre for Internet and Society, asking it to provide more details. In the report, the researchers had demonstrated that Aadhaar numbers could be easily accessed on the National Social Assistance Program, a pensions scheme administered by the Ministry of Rural Development, even behind a login, and that this pointed to poor security standards. The UIDAI has now termed this as an instance of illegal access by the researchers.

CIS has clarified that it did not violate the Information Technology Act 2000 by adopting this research method, and that the organisation had notified concerned government departments, including the UIDAI, prior to publishing its report so that the sensitive data could be removed.

The rural development ministry, on its part, has changed how its MNREGA database is accessed, redacting Aadhaar numbers and bank account details of the beneficiaries. Senior officials of the ministry, however, denied making systemic changes in the wake of the Centre for Internet and Society report.

“The researchers claimed that financial information of over 10 crore individuals was available publicly, on pension and MNREGA portals,” said Nagesh Singh, additional secretary in the ministry, “but bank account details were displayed only on two state department websites of Andhra Pradesh and Telangana as these states are far advanced in transparency practices.”

“For all other states,” Singh added, “financial information and Aadhaar numbers were removed or masked last year. For pension schemes we masked the data in June 2016, and for MNREGA this data was removed in December. Even if any data was showing, it would only be for the particular block the resident is in, not for any other state workers.”

All this was done, he said, “because the UIDAI communicated to us that this information is sensitive and should not be displayed and the Aadhaar regulations prohibit display of Aadhaar numbers”. The Aadhaar (Sharing of Information) Regulations were introduced last September.

The chief executive officer of UIDAI, Ajay Bhushan Pandey, did not respond to Scroll.in’s questions emailed on May 19.

Contrary to Singh’s claims, social activists outside Andhra Pradesh and Telangana confirmed they could access bank account details of MNREGA workers until May 3. Only on May 4, two days after the Centre for Internet and Society report was released, did the details stop showing on the Management Information System.

“We could no longer access the electronic muster roll, and it started returning error messages,” said Ashish Ranjan of Jan Jagran Shakti Sangathan, a registered union of unorganised workers in Araria, Bihar. But until early May, he added, the Management Information System allowed anyone in any state to access the personal information of workers, even from other states.

Activists and beneficiaries relied on this system for two things. “Several of the new bank accounts have errors, and accessing this information directly helped get the discrepancies corrected without going to block level officials,” Ranjan explained. “It also helped track where the wages of workers were stuck.”
When activists asked why the data was no longer accessible, Ranjan said, rural development department officials said the Management Information System was changed “on the directions of the Supreme Court and the Union cabinet secretary.”

“This has been the pattern with the MNREGA MIS for long,” Ranjan said, referring to the information system. “Senior officials change access to a feature as they wish without clear processes or explanations.”

James Herenj, an activist with NREGA Watch, a non-profit which monitors the implementation of MNREGA in Jharkhand, had the same experience. “Bank account details were removed from the website last week,” he said, “this is a problem as we can no longer help MNREGA workers get data entry errors corrected.”
The Centre for Internet and Society researchers too contested the rural development ministry’s claim that Aadhaar numbers and bank account details were displayed only on Andhra Pradesh and Telangana government websites. They released a video clip showing them accessing bank account details and Aadhaar numbers of 801 MNREGA workers of Agara panchayat in Bengaluru through an internet search on March 25.

Screenshot of a Chandigarh Union Territory website displaying Aadhaar information.
Consent, please?
The Aadhaar Act, 2016 requires both government and private agencies to take informed consent before using a person’s Aadhaar for authentication, but there is little evidence that consent is sought before Aadhaar is seeded with personal and financial information.
Indeed, when the Supreme Court first permitted the voluntary use of Aadhaar for MNREGA in October 2015, Aadhaar numbers of 2.36 crore workers had already been seeded to their bank accounts, without the consent of over 99% of them.
The rural development ministry’s data shows that until June 2016, only about 4,10,000, or less than 1% of the 10.7 crore MNREGA workers, had agreed to Aadhaar-based payments. The ministry worked around this by organising “consent camps” to retrospectively collect proof of consent.
Poor standards
Writing in The Economic Times, Ram Sewak Sharma, chairperson of the Telecom Regulatory Authority of India and former director general of the Unique Identification Authority of India, argued that the reports about “Aadhaar leaks” on government websites failed to account for provisions of the Right to Information Act, 2005. Section 4 of this law provides for proactive disclosure of government decisions while Section 8 mandates public authorities to publish all information on welfare schemes, including details of beneficiaries.
This has created a situation, Sharma pointed out, where the transparency law may require even Aadhaar numbers of beneficiaries to be made public even though the Aadhaar Act mandates them to be confidential. 
Right to Information activists, however, said the authorities were anything but devoted to the transparency law. Crucial information they seek on the efficacy of Aadhaar in welfare schemes is routinely denied under Right to Information requests.
“The government is willfully manipulating information systems to subvert details of biometric failures,” said Amrita Johri, a member of the National Campaign for People’s Right to Information and an activist with the Right to Food campaign, which has petitioned the Delhi High Court against Aadhaar being mandatory for food rations. “We have come across instances of ration cardholders being turned back because of fingerprints being falsely rejected, or network failure, but on the Delhi government’s website, this is shown as the beneficiaries not having come to the ration shop at all.”
“Similarly, the government claims it has removed bogus ration cards through Aadhaar,” Johri added, “but they do not show any administrative action if such bogus cards were really found through Aadhaar even though Section 4 of the RTI Act requires disclosure of such decisions.”

Jharkhand Directorate of Social Security displayed Aadhaar numbers, bank accounts numbers and transaction details of over 15 lakh pensioners.
Johri is concerned that the “Aadhaar leaks” could become an excuse to deny people “other useful information”. “When we requested officials to display how many biometric transaction were not successful, they told us that in a few days, they will remove the entire MIS as there had received orders from the food ministry to not display demographic data associated with Aadhaar,” she said. “But we pointed out that it was the creation of a single identification number that is the problem. Why should information on all other government schemes be removed?”
The Centre for Internet and Society report points out that while the law now makes Aadhaar numbers confidential, the government has failed to specify data masking standards. Section 6 of the Aadhaar Regulations lays down that no government or private agency should publish Aadhaar numbers unless they are redacted or blacked out “through appropriate means”.
But this is too vague, the report points out. “In some instances, the first four digits are masked while in others the middle digits are masked,” Srinivas Kodali, one of the authors of the report, explained, “which means someone with access to different databases can use tools for aggregation to reconstruct information hidden or masked in a particular database.”
Kodali said that for information other than Aadhaar numbers, each ministry and department is required to classify the data that is sensitive, restricted or open, which they have failed to do. “The National Data Sharing and Accessibility Policy, 2012 requires securing information of sensitive and restricted data but it does not recommend the ways to do it,” he said. “The standards around information disclosure and control do not exist, and the Ministry of Statistics expert committee on this was unable to suggest one last month.”
“Even for MNREGA data,” Kodali continued, “the Ministry of Rural Development’s chief data officer should have classified the financial information as restricted or open when the database was first created. But did they do this.”
Nagesh Singh, the additional secretary, however said his ministry “does not have a chief data officer to do this”. “The ministry’s economic advisor is the official responsible for categorising data and advises us on this,” he added.
We welcome your comments at letters@scroll.in.