uid

When I opposed Aadhaar in 2010, I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one? Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win. -Mahatma Gandhi

In matters of conscience, the law of the majority has no place. Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty -Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.” -A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholar Usha Ramanathan describes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens is with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of the internet and today’s technology and all the new privacy challenges that have arisen as a consequence.
Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant. Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Sabha April 2017


Special

Here is what the Parliament Standing Committee on Finance, which examined the draft NIA Bill, said:

1. There is no feasibility study of the project

2. The project was approved in haste

3. The system has far-reaching consequences for national security

4. The project is directionless with no clarity of purpose

5. It is built on unreliable and untested technology

6. The exercise becomes futile in case the project does not continue beyond the present number of 200 million enrolments

7. There is lack of coordination and difference of views between various departments and ministries of government on the project

Quotes

What was said before the elections:

NPR & UID aiding Aliens – Narendra Modi

"I don't agree to Nandan Nilekeni and his madcap (UID) scheme which he is trying to promote," Senior BJP Leader Yashwant Sinha, Sept 2012

"All we have to show for the hundreds of thousands of crore spent on Aadhar is a Congress ticket for Nilekani" Yashwant Sinha.(27/02/2014)

TV Mohandas Pai, former chief financial officer and head of human resources, tweeted: "selling his soul for power; made his money in the company wedded to meritocracy." Money Life Article

Nilekani’s reporting structure is unprecedented in history; he reports directly to the Prime Minister, thus bypassing all checks and balances in government - Home Minister Chidambaram

To refer to Aadhaar as an anti corruption tool despite overwhelming evidence to the contrary is mystifying. That it is now officially a Rs.50,000 Crores solution searching for an explanation is also without any doubt. -- Statement by Rajeev Chandrasekhar, MP & Member, Standing Committee on Finance

Finance minister P Chidambaram’s statement, in an exit interview to this newspaper, that Aadhaar needs to be re-thought completely is probably the last nail in its coffin. :-) Financial Express

The Rural Development Ministry headed by Jairam Ramesh created a roadblock and refused to make Aadhaar mandatory for making wage payments to people enrolled under the world’s largest social security scheme NRGA unless all residents are covered.



Friday, July 14, 2017

11599 - On the Jio data leak: Mobile-Aadhaar linkage should be stopped, Aadhaar eKYC needs its own DSS - Medianama



July 10, 2017   

As we reported earlier today, a website called magicapk.com went up last evening, allowing anyone to search for personal details of Jio customers. That website has now been taken down, but issues regarding security standards, the source of this information, and the amount of information that may be made public through such leaks still persist. 

Some points:
1. The information was legit: There were a large number of people last evening who were tweeting that they had been able to access information that they could verify as legit. I tried it for a few people, and it worked. As did many others. Some people validated their own data. It was almost as if those tweeting saying the information is incorrect were a part of a campaign. It’s shameful that Jio is trying to deny that this ever happened, or that the data is inauthentic. It isn’t: we’ve got screenshots. Here are 2 redacted screenshots:

2. We do not know how much data got leaked: All we know is that many people were able to validate this information. It isn’t like Aadhaar Leaks, where we saw government departments put up Excel sheets available on Google search, and entire sites making rows of data easily accessible. That data was far more problematic: names, mobile numbers, addresses, bank account numbers and Aadhaar numbers.

3. We do not know why this site was put up: It could be someone trying to showcase how vulnerable the data is, and this was their way of alerting people about a breach/leak or vulnerability. We’ve had instances of security experts and ethical hackers try in desperation to get companies to fix vulnerabilities, and when ignored, they don’t know what to do. If the intent was bad, then this could have been a sort of proof of concept to show potential buyers that this data is legit.

4. We do not know where this data leaked from: It could have been via a direct selling agent who could have kept this data unencrypted, or from an internal source who stole the data, or there could have been a vulnerability in the setup. Unless there is transparency from Jio about where in its ecosystem the data leaked from, we will never know.

5. The site going down doesn’t mean new ones won’t come up again: If they have the data, they could potentially set up hundreds of sites, or dump that data online for others to take up.

6. It’s not clear whether Aadhaar data was leaked: Aadhaar numbers are a part of the form, but no one has, as yet, found that Aadhaar numbers were leaked. It’s illegal to publish Aadhaar numbers (“The Aadhaar number of an individual shall not be published, displayed or posted publicly by any person or entity or agency”; AADHAAR (SHARING OF INFORMATION) REGULATIONS, 2016, point 6)

7. Who’s responsible for data via eKYC? Jio got this information using the Aadhaar eKYC process: users consented to give their information to Jio via fingerprint authentication when buying a SIM card. The UIDAI transferred personal identification information to Jio, but does its responsibility end there?

8. We need a data security standard for Aadhaar eKYC: When you run a payment gateway or a site which uses credit card information, that has to conform to a certain data security standard (DSS), from an organisation called PCI, which specifies norms around data storage, transmission and retention, trying to limit the amount of data stored. For example, organizations have to have a particular security standard before they can store card information which is pre-filled. So, what kind of security and data protection processes and standards does the UIDAI mandate for entities like Jio before it allows for eKYC, to ensure that sensitive data, once procured, is kept safely? What kind of security does UIDAI mandate that Jio’s direct selling agents maintain? Who gets access to that data? Just like in case of credit card information, because a user has given consent, it doesn’t mean that UIDAI’s responsibility ends there. This problem will only increase as more businesses sign up for eKYC. There must also be penal provisions applicable if these standards are not followed.


9. Mobile linkage with Aadhaar should be stopped unless security standards are specified and validated on a regular basis: The government of India has, while misrepresenting a Supreme Court order, made it mandatory to link mobile numbers to Aadhaar numbers. This should be stopped.