The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. It’s use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010 , I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one ? Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win.-Mahatma Gandhi

In matters of conscience, the law of the majority has no place.Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not a guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty -Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.”-A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholarUsha Ramanathandescribes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence.Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant.Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Saba April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty”and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the#BreakAadhaarChainscampaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uidand@rozi_roti.

UIDAI's security seems to be founded on four time tested pillars of security idiocy

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Friday, July 14, 2017

11599 - On the Jio data leak: Mobile-Aadhaar linkage should be stopped, Aadhaar eKYC needs its own DSS - Medianama

July 10, 2017   

As we reported earlier today, a website called magicapk.com went up last evening, allowing anyone to search for personal details of Jio customers. That website has now been taken down, but issues regarding security standards, the source of this information, and the amount of information that may be made public through such leaks still persist. 

Some points:
1. The information was legit: There were a large number of people last evening who were tweeting that they had been able to access information that they could verify as legit. I tried it for a few people, and it worked. As did many others. Some people validated their own data. It was almost as if those tweeting saying the information is incorrect were a part of a campaign. It’s shameful that Jio is trying to deny that this ever happened, or that the data is inauthentic. It isn’t: we’ve got screenshots. Here are 2 redacted screenshots:

2. We do not know how much data got leaked: All we know is that many people were able to validate this information. It isn’t like Aadhaar Leaks, where we saw government departments put up excel sheets available on google search, and entire sites making rows of data easily accessible. That data was far more problematic: names, mobile numbers, addresses, bank account numbers and Aadhaar numbers.

3. We do not know why this site was put up: It could be someone trying to showcase how vulnerable the data is, and this was their way of alerting people about a breach/leak or vulnerability. We’ve had instances of security experts and ethical hackers try in desperation to get companies to fix vulnerabilities, and when ignored, they don’t know what to do. If the intent was bad, then this could have been a sort of proof of concept to show potential buyers that this data is legit.

4. We do not know where this data leaked from: It could have been via a direct selling agent who could have kept this data unencrypted, or from an internal source who stole the data, or there could have been a vulnerability in the setup. Unless there is transparency from Jio about where in its ecosystem the data leaked from, we will never know.

5. The site going down doesn’t mean new ones won’t come up again: If they have the data, they could potentially set up hundreds of sites, or dump that data online for others to take up.

6. It’s not clear whether Aadhaar data was leaked: Aadhaar numbers are a part of the form, but no one has, as yet, found that Aadhaar numbers were leaked. It’s illegal to publish Aadhaar numbers (“The Aadhaar number of an individual shall not be published, displayed or posted publicly by any person or entity or agency”; AADHAAR (SHARING OF INFORMATION) REGULATIONS, 2016, point 6)

7. Who’s responsible for data via eKYC? Jio got this information using the Aadhaar eKYC process: users consented to give their information to Jio via fingerprint authentication when buying a SIM card. The UIDAI transferred personal identification information to Jio, but does its responsibility end there?

8. We need a data security standard for Aadhaar eKYC: When you run a payment gateway or a site which uses credit card information, that has to conform to a certain data security standard (DSS), from an organisation called PCI, which specifies norms around data storage, transmission and retention, trying to limit the amount of data stored. For example, organizations have to have a particular security standard before they can store card information which is pre-filled. So, what kind of security and data protection processes and standards does the UIDAI mandate for entities like Jio before it allows for eKYC, to ensure that sensitive data, once procured, is kept safely? What kind of security does UIDAI mandate that Jio’s direct selling agents maintain? Who gets access to that data? Just like in case of credit card information, because a user has given consent, it doesn’t mean that UIDAI’s responsibility ends there. This problem will only increase as more businesses sign up for eKYC. There must also be penal provisions applicable if these standards are not followed.

9. Mobile linkage with Aadhaar should be stopped unless security standards are specified, validated on a regular basis: The government of India has, while misrepresenting a Supreme Court order, has made it mandatory to link mobile numbers to Aadhaar numbers. This should be stopped.