The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. Its use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010, I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die-hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one? – Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win. – Mahatma Gandhi

In matters of conscience, the law of the majority has no place. – Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not guaranteed under the constitution, because privacy is not a fundamental right.” – Attorney General Mukul Rohatgi. (Article 21 of the Indian constitution refers to the right to life and liberty.)

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.” – A three-judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholar Usha Ramanathan describes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens is with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of the internet and today’s technology and all the new privacy challenges that have arisen as a consequence. – Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t.” – Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant. – Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary.” – Jairam Ramesh, Rajya Sabha, April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that the right to privacy is “intrinsic to life and liberty” and is inherently protected under the various fundamental freedoms enshrined in Part III of the Indian Constitution.

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the #BreakAadhaarChains campaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uid and @rozi_roti.

UIDAI's security seems to be founded on four time-tested pillars of security idiocy:

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Tuesday, July 25, 2017

11624 - Aadhaar gets new security features, but this is why your data still may not be safe - Hindustan Times

The government is pushing for the unique identity, to register everything from infant children to bank accounts, but the biometrics of millions of people are not foolproof.

AADHAAR CONTROVERSY Updated: Jul 19, 2017 11:06 IST

Aman Sethi and Samarth Bansal 
New Delhi, Hindustan Times

On February 11, the Unique Identification Authority of India (UIDAI) woke up to a public disclosure of an existential vulnerability in Aadhaar, the identification system that has recorded the biometric details of over 1 billion Indians.
In public, UIDAI claimed Aadhaar was completely secure as a user had to physically press her finger onto a biometric reader connected to the authority’s impregnable servers to conduct any transaction.

But UIDAI’s experts had long known of one critical weakness: if an unscrupulous operator saved a copy of a user’s biometric fingerprints on his computer, he could transact on the user’s behalf by simply replaying the fingerprint stored on his computer.

On February 11, a YouTube clip illustrating such a replay attack was leaked online. On February 24, UIDAI filed a criminal complaint, alleging that an employee of Suvidhaa Infoserve had used Axis Bank’s gateway to UIDAI’s servers to conduct 397 biometric transactions between July 2016 and February 2017 using a stored fingerprint. Axis Bank representatives did not respond to requests for comment.

“The transaction went through because one of their own developers was trying to do this,” said UIDAI chairman Ajay Bhushan Pandey, who told HT that such breaches were very rare, much like aeroplane crashes: “Can somebody say a plane won’t crash? Question is how we minimise the risk.”

This vulnerability, Pandey said, would be eliminated by new security measures. The Registered Device Notification, issued on January 25, mandated the registration and encryption of each of the millions of biometric readers currently in use in Aadhaar’s sprawling infrastructure by June 1. But on May 24, UIDAI pushed the deadline to September 30, citing “logistical limitations”. It is unclear if the new deadline will be met.

Aadhaar “assumes that all the service providers are trustworthy, and will keep all the keys, certificates etc safe and away from prying eyes,” said Dr Sandeep Shukla, head of the Computer Science department at IIT Kanpur. “However, if one of the Aadhaar-enabled service providers goes rogue, all the security they have suggested will be compromised.”

Today, Aadhaar is defenceless against replay attacks even as the Union government pushes for its use to register everything from infant children to bank accounts. Worse, experts like Dr Shukla warn that even implementing the security upgrades will not safeguard the identities of 1 billion Indians.

Private companies enrol new users on behalf of UIDAI and authenticate enrolled users when they access an Aadhaar-enabled service.

The Safety Framework
Aadhaar is still defenceless against replay attacks. Experts warn that security upgrades will not safeguard identities of 1 billion Indians.

Current flow (public device):

01 Provide your fingerprint to the biometric reader (public device) for authentication purposes.

02 The optical sensor of the biometric reader captures a photograph of your fingerprint and transfers it to the computer via a USB cable.

03 The host computer converts the fingerprint into a template, which is then converted to a PID (Personal ID) block.

04 The PID block is sent to the UIDAI through a series of intermediary gateway servers.

05 The UIDAI server responds with either Yes/No (successful/failed authentication).

Weaknesses of the current flow:

- The host computer can store the user’s biometrics.
- These stored biometrics can be used for authentication without the individual’s consent.
- A stored fingerprint can be used to make an artificial finger using a 3D printer.
- The PID block is not encrypted, and so is vulnerable to interception by hackers.
- The host computer is also connected to public internet servers and hence vulnerable to viruses and malware that can steal the PID block.

Upgraded flow (registered device):

01 Provide your fingerprint to the biometric reader (registered device) for authentication.

02 No upgrade to reader hardware. However, when the reader is connected to the host computer for the first time, the computer will register the reader’s serial number.

03 A software upgrade in the computer will bind the fingerprint with the registered biometric reader’s ID and a timestamp, to create an encrypted PID.

04 The encrypted PID block is sent to the UIDAI server through a series of gateways.

05 The UIDAI server responds with either Yes/No (successful/failed authentication).

Remaining weaknesses:

- Even a registered biometric device can be "cloned" by a hacker to fool the UIDAI servers into thinking that the system is using an authorised device.
- Encryption still occurs in the computer, so a stored biometric can be used by a skilled hacker.

“Enrollment software is owned and written by UIDAI, so trust in the process is high,” said a cyber security expert who examined the Suvidhaa-Axis Bank breach. “The biggest problem with authentication is UIDAI must work with private companies, deploying proprietary software on public internet services.”

“In any kind of system, the basic core will always be secure, but any such core system has to interact with a larger ecosystem and this ecosystem always brings the problem to the table,” said Vinayak Godse, director of the Data Security Council of India, NASSCOM’s premier data protection organisation.

Godse said UIDAI tries to control this ecosystem (see box) by publishing software specifications, and pushing entities like banks to comply with these guidelines.

Authentication software must receive a fingerprint from a biometric reader, process it and send it on to UIDAI for authentication. By law, fingerprint copies cannot be stored. But banking software is complex, making it hard to spot vulnerabilities hidden amidst millions of lines of code.

In the Suvidhaa-Axis Bank case, the expert said, a developer had illegally added a feature where an engineer could test the software by using a stored fingerprint rather than pressing his thumb onto a biometric reader each time he ran the test.
The new regulations try to secure the biometric reader, rather than the banking software.

By September 30, banks must pair their existing biometric readers with new software that registers each device with UIDAI’s servers. Once registered, the device must mark each fingerprint it records with a unique signature and encrypt it.
But Shukla, the expert from IIT Kanpur, said registering each biometric reader with UIDAI isn’t enough, as readers can be cloned the way that hackers routinely clone phone SIM cards.
Ultimately, UIDAI wants manufacturers to develop a reader with a chip to perform authentication functions. But all hardware, Shukla said, can be cloned, raising the question of whether Aadhaar can ever be truly secure.
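To make the two flows in the Safety Framework box and the registered-device discussion above concrete, here is an added Python model. It is not UIDAI code and does not reproduce the real PID block format or the registered-device signature scheme: the UID, fingerprint template, device ID and device key are constructed values, and HMAC-SHA256 stands in for the device signature. It places the unsigned PID block of the current flow beside the device-bound, timestamped block of the upgraded flow, together with the server-side checks (registered device, valid signature, freshness window, replay cache) that turn a captured block into a rejected replay. It also models the caveat in the box and in Shukla's remarks: when the signing happens on the host computer rather than inside reader hardware, a host that keeps both a stored template and the device key can still produce fresh blocks that pass every server check.

```python
import hashlib
import hmac
import json

# Constructed sample data (not real Aadhaar values).
ENROLLED = {"1234": b"constructed-template-for-uid-1234"}
DEVICE_KEYS = {"RD-0001": b"constructed-registration-key-RD-0001"}  # shared with server at registration


def build_plain_pid(uid, template):
    """Current flow (public device): a PID block with no device binding, freshness or signature."""
    return {"uid": uid, "template": template.hex()}


class UnprotectedServer:
    """Server for the current flow: only checks the template against the enrolled one."""

    def __init__(self, enrolled):
        self.enrolled = enrolled

    def authenticate(self, pid):
        return self.enrolled.get(pid["uid"]) == bytes.fromhex(pid["template"])


def _canonical(body):
    """Deterministic byte encoding of a block without its signature field."""
    return json.dumps({k: v for k, v in body.items() if k != "sig"}, sort_keys=True).encode()


def build_registered_pid(uid, template, device_id, key, ts):
    """Upgraded flow (registered device): bind template to device ID and timestamp, then sign.

    HMAC-SHA256 with the device's registration key stands in for the real scheme (assumption).
    """
    body = {"uid": uid, "template": template.hex(), "device_id": device_id, "ts": ts}
    body["sig"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


class RegisteredDeviceServer:
    """Server-side checks that make a captured, device-bound PID block useless for replay."""

    def __init__(self, enrolled, device_keys, window=300):
        self.enrolled = enrolled
        self.device_keys = device_keys
        self.window = window   # seconds a block stays acceptable after its timestamp
        self.seen = set()      # (device_id, ts, sig) of blocks already accepted

    def authenticate(self, pid, now):
        key = self.device_keys.get(pid.get("device_id"))
        if key is None:
            return False       # device was never registered
        expected = hmac.new(key, _canonical(pid), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, pid.get("sig", "")):
            return False       # block was altered or signed with the wrong key
        if abs(now - pid["ts"]) > self.window:
            return False       # stale block, outside the freshness window
        marker = (pid["device_id"], pid["ts"], pid["sig"])
        if marker in self.seen:
            return False       # exact replay of a block already accepted
        if self.enrolled.get(pid["uid"]) != bytes.fromhex(pid["template"]):
            return False       # template does not match enrolment
        self.seen.add(marker)
        return True


def demo():
    """Replay one captured block against both server designs; returns the outcomes by name."""
    uid, template = "1234", ENROLLED["1234"]
    results = {}

    plain = UnprotectedServer(ENROLLED)
    captured = build_plain_pid(uid, template)                 # copy kept on the host computer
    results["plain_first"] = plain.authenticate(captured)
    results["plain_replay"] = plain.authenticate(captured)    # identical block accepted again

    reg = RegisteredDeviceServer(ENROLLED, DEVICE_KEYS, window=300)
    t0 = 1_500_000_000                                        # constructed epoch timestamp
    dev, key = "RD-0001", DEVICE_KEYS["RD-0001"]
    block = build_registered_pid(uid, template, dev, key, ts=t0)
    results["registered_first"] = reg.authenticate(block, now=t0 + 5)
    results["registered_replay"] = reg.authenticate(block, now=t0 + 10)   # hits the replay cache
    stale = build_registered_pid(uid, template, dev, key, ts=t0 + 1)
    results["registered_stale"] = reg.authenticate(stale, now=t0 + 3600)  # outside the window
    forged = dict(block, device_id="RD-9999")                 # unregistered device ID
    results["unregistered_device"] = reg.authenticate(forged, now=t0 + 5)

    # Caveat from the article: signing happens on the host, so a host that holds both
    # the stored template and the device key can mint a fresh block the server accepts.
    # The key must live in reader hardware the host cannot read for this check to bite.
    minted = build_registered_pid(uid, template, dev, key, ts=t0 + 20)
    results["host_holds_key"] = reg.authenticate(minted, now=t0 + 25)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The replay cache keyed on (device ID, timestamp, signature) only needs to remember blocks for the length of the freshness window, which keeps server state bounded. The final case is the one the upgrade does not close: every check passes because the block is genuinely fresh and genuinely signed, which is why the article's experts point to a reader with its own chip, and why even that only moves the problem to cloning the hardware.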

The debate over biometric reader security, some experts say, is a consequence of UIDAI’s conceptual misunderstanding about biometrics. Fingerprints are personal but public information, in the way that someone’s name is personal because it is their name, but is known to everyone and hence public.
“One must be careful in using biometrics as an authenticator,” said Shweta Agarwal, a Computer Science professor at IIT Madras. “There is technology to lift a person’s fingerprint, say from a book she is reading or from high resolution images posted on social media.”

In 2014, for instance, hacker Jan Krissler recreated the fingerprints of Germany’s Defence Minister Ursula von der Leyen from close-up photographs in a government press release. Advances in technology mean stolen prints can be used to make three-dimensional replicas.

“I’ve actually seen someone do that on my reader,” said a UIDAI-certified biometric device vendor, describing a test in which an Aadhaar transaction was performed using a fingerprint etched onto a fake plastic thumb. “I couldn’t believe my eyes.”
Rather than confront these vulnerabilities, UIDAI has obfuscated facts.

In a UIDAI document titled Facts about Aadhaar, published in August 2016, UIDAI claimed the Aadhaar ecosystem already used registered biometric devices despite the fact that such devices will be introduced in October this year at the earliest.

The document also claims that biometric sensors “are increasingly implementing liveness detection to ensure any attempt at making fake fingers/iris etc are prevented.” Yet none of the biometric readers certified by UIDAI have been tested for liveness detection, according to documents reviewed by HT.

Ultimately, the government’s decision to force 1.2 billion Indians to surrender their information to an opaque and unaccountable system like UIDAI is a political rather than a technological choice.

Godse from the DSCI said society must weigh Aadhaar’s risks against its benefits. “Giving choice to the consumer is a very important kind of expectation that a modern day society should enjoy on any system, be it private or public,” said Godse. “Choice and freedom associated with it.”