The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. It’s use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010 , I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one ? Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win.-Mahatma Gandhi

In matters of conscience, the law of the majority has no place.Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not a guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty -Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.”-A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholarUsha Ramanathandescribes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence.Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant.Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Saba April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty”and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the#BreakAadhaarChainscampaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uidand@rozi_roti.

UIDAI's security seems to be founded on four time tested pillars of security idiocy

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Monday, July 10, 2017

11591 - Aadhaar Crime Bomb - India Legal

July 8, 2017

 Access to basic services like health and education will also be determined by biometric scans.

The government’s decision to link these vital numbers to bank accounts could trigger a wave of economic offences. It is time this decision that threatens the banking system is reviewed
~By Ajith Pillai

Is India sitting on an Aadhaar crime bomb that will soon begin ticking? Imagine a scenario where money is transferred from your account into another or vice versa by an unknown entity without your knowledge; when your fingerprint is placed at a scene of a serious crime to implicate you; when criminals track virtually all your activities and plot their next move; when foreign funds are transferred into your bank with devious intent and you find your account blocked pending investigations into your mysterious source of foreign monies…. All this and much more is very much in the realm of possibility thanks to your 12-digit Aadhaar number.

And to speed us on the risk-prone biometric highway is the June 1, 2017 notification (No2/F. No P. 12011/11/2016-Es Cell-DOR) of the Department of Revenue under the Finance Ministry which makes it compulsory for account holders to link their accounts with their PAN and Aadhaar numbers before December 31. 2017. Companies too will have to submit the same identification numbers to the banks, of their board members or those who have been authorised to transact business on their behalf.
Many cyber security experts are of the view that the Unique Identification (UID) programme, launched in 2010, has evolved dangerously and will become a veritable password for those indulging in a range of cyber-related crimes. At the receiving end will be ordinary Indians who now have to furnish the number for virtually every activity of their daily life—from buying a cellphone to opening a bank account.

Illustration: Anthony Lawrence

To them, and to a sizeable section in the police, cyber-crime is an alien concept and the government’s reluctance to accept glitches in the UID programme has not helped. But despite all the apprehensions and a clutch of pending petitions in the Supreme Court relating to the validity of the scheme and privacy concerns, the government has been doggedly pushing ahead with ushering in a biometric revolution of the kind the world has hitherto not seen.

Initially meant to provide an identity for the poor and to ensure that there are no leakages in money transfers under various welfare schemes, the Aadhaar net has been widened to encompass virtually every aspect of life. School admissions, mid-day meal schemes, driving licences, pensions, income tax payments, rail and air tickets and soon, opening a bank account or maintaining one, will require the person’s Aadhaar number.
And each time one shares a number with a new agency/service platform, the number of points from which personal data can be accessed by undesirable elements multiplies. And once the data thief gains access to the data, which includes facial image, image of the iris and fingerprints, he can access the respective bank account because it will be linked to the Aadhaar card.
A copy of a fingerprint is all that will be required to effect transfers or payments into another account using the Bhim app or a point of sale (POS) machine which requires only a fingerprint as proof and bypasses the need to swipe a debit or credit card. The Bhim app, introduced to facilitate cashless transfers by the unlettered, necessitated the need to link UID numbers and data to banks. Now the government has mandated that all accounts holders must also be linked through Aadhaar.

Then PM Manmohan Singh and Congress leader Sonia Gandhi launching the Aadhaar number in Nandurbar, Maharashtra, in 2010. Photo: PIB

This gives a different dimension to data theft as it can facilitate serious financial fraud. It is no longer just about big corporations mining data to size up your credit rating or spending patterns to focus and target their marketing efforts. Neither is it about the CIA keeping a tab on India’s demographics. What we are talking about is an invasion of privacy which may come with a huge criminal quotient and could impact every citizen.

The dividends from data mining are so huge and the implications so varied that this has already begun. It will not be long before the crimes start. Here are some pointers which also reveal how data is not secure with the government:
  • On February15, 2017, the Unique Identification Authority of India (UIDAI) which is mandated to implement the Aadhaar scheme reportedly filed cases against employees of Axis Bank, Suvidha Infoserve and e-Mudhra for attempting unauthorised authentication and impersonation by illegally storing Aadhaar biometrics. The security breach came to light after 397 fake biometric transactions were carried out in five days of February.
  • On February 18, the Hindi news daily Dainik Bhaskar reported the arrest of six salespersons of telecommunications service provider Reliance Jio in Madhya Pradesh for selling SIM cards at inflated prices by using the Aadhaar data and fingerprint scans of other customers.
  • In April this year, the Aadhaar details of one lakh pensioners in Jharkhand who had seeded their UID numbers to bank accounts was freely available on the website of the Jharkhand Directorate of Social Security. A few days later, a leading national daily found that “secured” data was available on the websites of a scholarship database in UP; the PDS website of the Chandigarh administration; a pensioners’ listing in Kerala and the Swachh Bharat Mission.
  • A report released in May 2017 by the Centre for Internet and Society, a Bangalore-based organisation looking at multi-disciplinary research and advocacy in internet use, reveals that in the past few months, data of 13.6 lakh citizens was leaked from four major government data bases, including the portals of NREGA and National Social Assistance Programme.
  • A note generated on March 25 by an official of the Ministry of Electronics and Information Technology accessed by the New Indian Express, confirmed that biometric data was not secure. “There have been instances wherein personal identity or information of residents, including Aadhaar number and demographic information and other sensitive personal data such as bank account details etc. collected by various Ministries/Departments… has been reportedly published online and is accessible through an easy online search,” said the note displayed on the front page of the newspaper. The same ministry on March 5 had issued a statement that the Aadhaar data was absolutely secure.
The financial misuse of data has not been lost on experts. Sunil Abraham, executive director of CIS, has been quoted as saying: “Biometrics is an inappropriate technology for financial services. Linking Aadhaar, which has your biometric data, with bank accounts makes you a lot more vulnerable to financial frauds than before. Your fingerprint can easily be collected at a restaurant or any other public place and can be used to steal your identity and commit frauds. The government needs to rethink its use for Aadhaar as it will impact over a billion people.”

The Foreign Hand
In 2010-2012, Unique Identification Authority of India (UIDAI) awarded contracts for biometric profiling to three US-based Biometric Solution Providers (BSPs). These were—L-1 Identity Solutions, Morpho-Safran, and Accenture Services Pvt. Ltd. All three reportedly have business contracts with US, British and French intelligence agencies. There are also reports in the international media of former intelligence operatives in the employment of these companies and their subsidiaries.
The companies, as per the contract, were given Rs 20 crore each by UIDAI for their services. The charges paid per card was Rs 2.75.
This money went to foreign companies. The UID programme was not an indigenous effort as claimed by Nandan Nilekani, chairman of the UIDAI, when it was launched and the contracts with the foreign companies were signed.
The UIDAI has often made statements that the data collected is encrypted and inaccessible to the BSPs. But the contract with the three companies, accessed by an RTI activist, shows that they had access to unencrypted biometric data. As part of their contract, these BSPs had to weed out duplicate applications. This involved comparing the biometric data of all applicants which necessitated access to it.
It is not known whether the mass of biometric data was copied and stored abroad or sold. But given the demand for data, the possibility of this having happened cannot be ruled out. Also, one cannot say with certainty that it will not be put to use in future by intelligence agencies or exploited by corporates.
Clause 4.1.1 of Annexure ‘E’ of the contract admits that demographic data is inaccurate. Despite RTI requests, UIDAI has refused to provide Annexures ‘I’, ‘J’ and ‘K’ of its contracts with Biometric Solution Providers. It has even refused to comply with the orders to do so by the Chief Information Commissioner, citing security reasons. These annexures give the technical bids of the contractors which would specify the limitations.

Prashant Pandey, who knows a thing or two about cyber security and was the whistle-blower in the Vyapam scam, fears that the linking of Aadhaar cards to bank accounts could lead to serious frauds. He told India Legal: “Just imagine a trickster operating from outside India with leaked Aadhaar database and hundreds of POS machines with the biometric payment system, Bhim. He can pull money out from bank accounts to an anonymous destination abroad. The possibilities are immense unless security is tightened and data secured.”
Professor Anupam Saraph, an expert in governance of complex systems, describes the linking of Aadhaar to bank accounts as a move which will “enable benami bank accounts and scale benami transactions to destroy the Indian economy along with the Indian banking system”.

“The Aadhaar number is for all residents in India. It cannot hence, serve as ID for Indian citizens. It is not an ID card, but a number in a database. Every time people have to be identified, identification is needed by scanning biometrics from the UIDAI database, which is impractical.”
                                                                                             —Colonel Thomas Mathew, anti-Aadhaar campaigner
In his blog, Saraph lists several reasons why he feels the Aadhaar-bank account linking is dangerous. Innocent account holders, he notes, will find their UID numbers being used as “mules for money laundering”. Or their payments under government schemes easily compromised by tricksters. Worse, they can be “framed for economic offences” if someone deliberately transfers illegal money into their accounts. This, in turn, would lead to harassment and accounts being frozen pending investigation.
But how can fingerprints be copied and misused? Pandey pointed to the example of the Vyapam entrance examination scam for MBBS in Madhya Pradesh. Here, qualified persons fronted for the real candidates and wrote the exam on their behalf despite fingerprint scanners being used before allowing access into the examination hall. How were the scanners fooled? “The fake candidates merely copied the fingerprints of the real candidates on a silicon film and wore it on their thumb. This happened in not one or two cases but in several hundreds of them. What happened in Vyapam is proof of how unreliable fingerprint identification is,” he said.

Fingerprints from the Aadhaar database, once accessed, can easily be copied and used to implicate someone in a crime. Pandey believes it is a real possibility. “Your fingerprint can be placed at the scene of a crime by vested interests who can frame you with the help of the police. The prospect of misuse is frightening,” he said. Pandey hopes to demonstrate how Aadhaar data can be misused before the apex court.
Noted human rights activist and senior Supreme Court lawyer Indira Jaising said that privacy concerns are not to be taken lightly. She told India Legal: “As a citizen, why should I surrender all my personal details to the government so that it can be misused against me? Why should people know which hospital I go to or which school my child attends? Why should they know where I am travelling to or on which airline I have booked my tickets? Once all my activities can be mapped, the information can be used to perpetrate a crime against me. Why should I allow that?”
However, those who endorse the UID scheme brush aside privacy concerns by saying that such apprehensions reside only in the minds of those who are involved in illegal activity or have unaccounted wealth and would not like their bank transactions to be monitored. However, what is missed out is that there are already enough ways to keep tabs and there is no need to store personal data which can easily be stolen. “As for Aadhaar providing biometric proof of identity, the less said the better,” said Colonel Thomas Mathew, a Bangalore resident and one of the first to file a civil suit in the apex court against Aadhaar.
“The UID/Aadhaar number is for all residents in India (who could also be outsiders on an extended visa). It cannot hence, serve as an ID for Indian citizens. It is not an ID card, but a number in a database. The UID scheme envisages that people would be identified every time identification is needed, by scanning biometrics and querying the UIDAI database. This is impractical. UIDAI itself admits that demographic data is inaccurate. If demographic data is unreliable, UID cannot be proof of ID,” Mathew told India Legal.

As for the fallibility of biometric data, he quotes the 2010 study titled “Biometric Recognition—Challenges and Opportunities” by four US national academies—the National Academy of Sciences, the National Academy of Engineering, the Institute of Medicine and the National Research Council.
The first principal finding of the research was that “biometric recognition is inherently probabilistic and hence, inherently fallible”. According to estimates, under field conditions, the false matches are 1 in 16.
Added Mathew: “The actual number of false matches is even more—1 in 10. This fact is known from an ignorant, inadvertent admission of UIDAI in its counter-affidavit to my writ petition in which it stated that 80 million fake/ duplicate enrolments were detected (at a time when about 800 million enrolments were done). So, mathematical prediction is proved by ground reality data.”
Even in the Madrid train bombings case of 2004, fingerprints taken at the scene of the crime matched those of 20 people in the FBI database. When even the limited data bank of criminals with the FBI is fallible, imagine the probability of error when the entire population of a country as vast as India is involved.
Ahead of the 2014 general elections, the BJP had opposed the UID programme. In fact, Mathew was invited to make a presentation against Aadhaar before a BJP Parliamentary Party presided by LK Advani. The unanimous view then was that Aadhaar was a security risk and must be vehemently opposed. But things changed after the BJP came to power. Notes Mathew: “The party has done a complete ‘U’ turn without giving any reasons.”
In the final analysis, before the nation heads towards a total Aadhaar regime, it is perhaps time for the government to reassess the entire UID programme to plug the inherent security lapses. Also, it must not promote its use as proof of identity. It was only last month that the Union home ministry issued a communiqué: “Aadhaar (UID) card is not an acceptable travel document for travel to Nepal/Bhutan.” A valid national passport or election ID card issued by the Election Commission would however serve as proof.
Therein lies the harsh reality and identity crisis…