In 2009, I became extremely concerned with the concept of Unique Identity for various reasons. Connected with many like minded highly educated people who were all concerned.
On 18th May 2010, I started this Blog to capture anything and everything I came across on the topic. This blog with its million hits is a testament to my concerns about loss of privacy and fear of the ID being misused and possible Criminal activities it could lead to.
In 2017 the Supreme Court of India gave its verdict after one of the longest hearings on any issue. I did my bit and appealed to the Supreme Court Judges too through an On Line Petition.
In 2019 the Aadhaar Legislation has been revised and passed by the two houses of the Parliament of India making it Legal. I am no Legal Eagle so my Opinion carries no weight except with people opposed to the very concept.
In 2019, this Blog now just captures on a Daily Basis list of Articles Published on anything to do with Aadhaar as obtained from Daily Google Searches and nothing more. Cannot burn the midnight candle any longer.
"In Matters of Conscience, the Law of Majority has no place"- Mahatma Gandhi
Ram Krishnaswamy
Sydney, Australia.

Aadhaar

The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. It’s use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010 , I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one ? Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win.-Mahatma Gandhi

In matters of conscience, the law of the majority has no place.Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not a guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty -Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.”-A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholar Usha Ramanathan describes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence.

Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant.Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Saba April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty”and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the # BreakAadhaarChainscampaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uidand@rozi_roti.

UIDAI's security seems to be founded on four time tested pillars of security idiocy

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Saturday, March 31, 2018

13158 - Aadhaar Articles Dated 30th March 2018



Live Law
The Centre on Wednesday extended the March 31 deadline for mandatory Aadhaar enrolment for entitlement to 'Subsidies, Benefits and Services' under Section 7 of the Aadhaar (Targeted Deliveries of Financial and Other Subsidies, Benefits and Services) Act of 2016, to June 30. The Ministry of ...






The News Minute
Indian e-payment and e-commerce platform PayTM denied allegations that it is 'insisting' its customers to provide their Aadhaar card details as proof for Know Your Customer (KYC) authentication. However, several customers have come forward narrating how representatives of the e-commerce brand in ...






Business Standard
For the second time in the first three months of 2018, the vulnerabilities of the Aadhaar programme–the world's largest biometric database–were exposed when American business technology website ZDnet reported on March 23, 2018, that the personal data of millions of enrolled Indians could be ...





Bar & Bench
The CBDT has announced that the deadline for linking Aadhaar Card with PAN has been extended to 30.06.2018. This is in ostensible compliance with the directions of the Supreme Court. Unfortunately, this extension is utterly meaningless as returns have to be filed electronically and the system does ...








Economic Times
Aadhaar-PAN linking deadline extended to June 30: Here's what it means for taxpayers. ET Online | Mar 29, 2018, 19:42 ... The Central Board of Direct Taxes (CBDT) has extended the deadline for PAN-Aadhaar linking to June 30, 2018. This is the fourth extension given by the government for individuals ...






Firstpost
A report by The Quint, tells us how the document submitted by the Aadhaar CEO indicate how his own attempts at authentication have failed 19 percent of the time. The records submitted include supporting documents, including a record of all the attempts to authenticate his own Aadhaar identity ...





Times of India
MUMBAI: Police on Thursday identified a woman who allegedly used a bogus Aadhaar card of actor Urvashi Rautela (24) to book a room online at a five-star hotel in Bandra west on March 27. ... A booking for the room was made online after submitting Urvashi's fake Aadhaar card. "We are making ...






IndiaSpend
Mumbai: For the second time in the first three months of 2018, the vulnerabilities of the Aadhaar programme–the world's largest biometric database–were exposed when American business technology website ZDnet reported on March 23, 2018, that the personal data of millions of enrolled Indians could ...






Deccan Herald
Roopa Raganath, an IT professional who went to file her returns, has no Aadhaar card. She had to return without her work getting done. Neither the online system nor the counter would accept her returns without Aadhaar details. "I am told to apply for an Aadhaar now. But I don't believe in that document ...






India Legal
The Centre on Wednesday (March 28) extended the deadline for linking Aadhaar to avail of various services, subsidies and benefits under section 7 of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016, by three months to June 30. The decision came in ...






E-Pao.net
Imphal, March 29 2018: The All Jiribam Tribal Union has expressed dissatisfaction against the district authority Jiribam for imposing certain rules for Aadhaar enrolment, which is against the criteria given by the Government of India, conveyed a press release issued by president of All Jiribam Tribal Union ...






The New Indian Express
HYDERABAD: Digital payments major Paytm on Thursday took down its Rs 200 cash back offer for customers providing their Aadhaar number for KYC authentication. The move came after Express reported on Wednesday that the offer was available only to customers opting to give their 12-digit unique ...






Hindustan Times
Many transgender persons have an Aadhaar card with 'transgender' as the gender reflected on the card. However, PAN only accepts 'male' and 'female' during the application procedure. As a result, many in the transgender community have a PAN card with the gender assigned to them at birth, and a ...






Dailyaddaa (press release)
New Delhi : Under the Digital India initiative, An Aadhaar subscriber can now store his or her Aadhaar card with DigiLocker and to request any changes - such as updation of email ID or mobile number - he or she must visit the nearest Aadhaar enrolment center. According to official DigiLocker website ...

13157 - Insights from CEO of UIDAI's Aadhaar authentication log - Media nama

By   ( @Vidyut vidyut@medianama.com )     March 29, 2018   
Share This:            Share via Email   



Among the submissions made by Dr Ajay Bhushan Pandey, CEO of UIDAI to the Supreme Court on the 22nd day of ongoing hearings on the constitutional Validity of Aadhaar was his Aadhaar authentication history between November 1, 2017, and March 29, 2018. Here are some insights from examining the log.

The CEO of UIDAI himself has a 19% authentication failure rate

There are details of 26 authentication attempts, out of which 5 failed, which amounts to a failure rate of about 19.2%. This is higher than the failure rate claimed by Dr Pandey before the Supreme Court, even as he provided documents to the contrary. Vakasha Sachdev of The Quint has written in more detail about this.

The authentication failure rate for personal use of Aadhaar seems to be much higher

While the UIDAI work related authentications appear to be uniformly successful, Dr Pandey’s luck with authentications for using services Aadhaar is linked to appears to be worse, or at least no better than the examples brought up by the petitioners. Out of 9 authentication attempts (1 Vodafone + 7 ICICI + 1 IDFC), only 4 succeeded (1 Vodafone + 3 ICICI), which amounts to a failure rate higher than 50%.
All services for authentication require an AUA. UIDAI has several “Internal AUAs” for it’s own purposes. An AUA is just a 10 digit code that is recognized by the internal authentication system. So, in effect, the sucess rate that with “Internal AUAs” is literally similar to connecting your OTP system to your laptop and typing the OTP. Most of the variables are removed except your mobile sim connectivity. If you knock those out, his authentication success is less than 50% of attempts made.

The CEO of UIDAI has locked his own biometrics – to prevent misuse?

While the UIDAI is arguing before the Supreme Court that biometrics are perfectly safe, it turns out that the CEO of UIDAI himself has disabled the use of his own biometrics. Not a ringing endorsement, this.

OTP authentication does not appear to be easy either

Dr Pandey had explained in Court that Aadhaar is superior to Debit Cards, because of the complexity of entering a PIN for the illiterate masses. However, Dr Pandey’s own authentication history shows failures in authenticating Aadhaar using OTP for PhD holder and CEO of the UIDAI himself.

The authentication rate of 95% claimed for banks appears to be exaggerated

Dr Pandey’s log shows 7 attempts made at within a span of 1 minutes and 51 seconds at the ICICI Bank – 4 out of 7 failed, which is more than half the attempts made. One attempt made at IDFC Bank failed and was not attempted again.

How are there only 26 authentication attempts when UIDAI HQ has Aadhaar based attendance?

According to Nandan Nilekani (2013), the UIDAI headquarters attendance system is based on Aadhaar. Marking attendance is usually mandatory for all in government organizations. This raises several questions (Credit Twitter user @kingslyj):
  • Does Dr. Pandey work from home?
  • Was Nandan Nilekani lying in 2013?
  • Did UIDAI later abandon the use of Aadhaar for recording employee attendance? or
  • Or make exceptions because of authentication failures?
  • Or exceptions for specific officials?
  • Or is it that Dr. Pandey bypasses AEBAS and disables biometrics? Under what government rule?

UIDAI’s claim of not storing personal data is refuted by Dr Pandey’s authentication history log

The authentication history log clearly shows important information about Dr Pandey that we did not know before examining it. (Credit: Thread by Anand V)
  • Dr Pandey has at least one new or newly linked Vodafone number (Successful authentication with Vodafone). He also does not have any other phone numbers linked with Aadhaar after November 1, 2017.
  • Dr Pandey probably has 3 accounts with ICICI that he linked with his Aadhaar just before midnight on Republic Day. Any other accounts he may have were not linked within the last 5 months.
  • Dr Pandey has at least one IDFC account not linked with Aadhaar. They probably insisted on biometric authentication, since there do not seem to be any attempts made for OTP authentication.
  • Based on Dr Pandey’s use of Internal AUAs and the non-standard AUA “UIDAI Services”, Anand was able to make inferences and educated guesses about his patterns around management or demonstrations of the UIDAI services, namely:
    • “UIDAI services” is probably custom access he has from his office.
    • He probably gave someone or tested an authentication Demo at around 5:30 pm on the 5th of February.
    • Two authentications 5th Jan 2018 at 00:39:30 (think of it as a very late night on the 4th) and 6th Jan at 20:48:05 have the same UKC – sounds like extensive troubleshooting after Rachna Khaira’s expose in the Tribune about access to the UIDAI database being sold for Rs. 500 on WhatsApp.
    • He probably checked the authentication services on Republic Day at 7 pm – from office, likely.
    • He probably checked/tested something on 31st Jan just after 8 pm or, to extrapolate, like Anand “He definitely came home late and did not reach before 9 PM.”
    • A series of authentications in November and December on UIDAIEKYCPOC seem to indicate testing or demonstration of new KYC features – Limited KYC?

The vast majority of Dr Pandey’s Aadhaar authentications appear to be for work

Dr Pandey does not appear to link or authenticate using Aadhaar extensively in his personal life other than for the bank accounts with ICICI and mobile phone with Vodafone. He appears to avoid using the Aadhaar based attendance system as well. This is below average adoption of Aadhaar if we consider their “more than 4 crore successful authentications daily” – implying at least once a month use of Aadhaar per individual, higher if you consider the inactive Aadhaar numbers (children, dead people, wrong information, authentication failures…)
At 19% overall failure rate and much higher – closer to 50% for personal use like authenticating Aadhaar for phone or bank, and with locked biometrics, other than the work-related logins on non-public AUAs, Dr Pandey appears to be on the “exclusion” side of the Aadhaar argument rather than the “efficiency”.

13156 - Many Ambitions of the UID Project by Usha Ramanathan


13155 - UIDAI, and its CEO, are Yet to Say Anything That Can Help us Trust Them - The Wire


UIDAI, and its CEO, are Yet to Say Anything That Can Help us Trust Them

With only one biometric authentication, and five failed attempts, Ajay Bhushan Pandey's authentication history for five months doesn't exactly spark more faith in the UID system.



An unsecure application programming interface (API) operated by a state-run utility service provider is leaking Aadhaar details, according to a report published on Saturday. Illustration credit: Karnika Kohli


29/MAR/2018

Dear Mr. Ajay Bhushan Pandey,

Over the last five years, I have received multiple requests – some polite, some forceful, but mostly threatening – to hand over my data to the Unique Identification Authority of India (UIDAI), the organisation you head. Each time, I have most respectfully declined.

Trusting any third-party with items of importance is a task best handled with care. It also involves ascertaining that the organisation that you are handing over your data to is absolutely capable of taking good care of it.

It seems to me, from your public statements and Aadhaar authentication history – portions of which you made public in the ongoing Supreme Court hearings – that it is likely you might not be able to do so. Let me explain.

First up, finding and eliminating bugs in the Aadhaar system – which can lead to critical data leaks – is not one of your priorities.


Anand V@iam_anandv
12 Aug
Replying to @iam_anandv and 2 others

Hopefully as the series goes on, KUAs will be forced to follow standard security practices. Always happy to work with you on solutions.


CEO UIDAI
✔@ceo_uidai


UIDAI is working on a policy to enable security experts to report issues in a legal and safe manner.
1:42 AM - Aug 13, 2017
12
16 people are talking about this
Twitter Ads info and privacy

India has pushed and cajoled over a billion people into signing up, and there is no official public policy on how concerned security researchers can report potential vulnerabilities. This is akin to saying that ‘all is well, there are no problems because nobody has told us we have an issue’.

And yet, you say that hacking threats (from domestic and foreign entities) give you sleepless nights. Perhaps a bug-reporting policy would give you an extra couple of hours each night? “There are attempts almost every day to hack [the] Aadhaar system, but none has succeeded,” you said recently.

No one has succeeded? The real question is whether you would tell us if an attempt had been made, given your controversial and often misleading history of denials.

Indeed, you deny too much. In the past month, you said that the UIDAI has “trashed” the ZDNet report and “refuted” the Aadhaar data leak by a Delhi researcher.


CEO UIDAI
✔@ceo_uidai


UIDAI trashes ZDNet report, refutes Aadhaar data leak claim by Delhi researcher 



UIDAI trashes ZDNet report, refutes Aadhaar data leak claim by Delhi researcher

“There is no truth in this story as there has been absolutely no breach of UIDAIs Aadhaar database. Aadhaar remains safe and secure,” UIDAI said.economictimes.indiatimes.com

21
52 people are talking about this
Twitter Ads info and privacy

However, when you don’t say anything, it’s equally revealing. And there have been no public tweets denying The Tribune’s expose. I checked and checked, yet could not find any.

Moving on, you believe that the advent of Aadhaar and Aadhaar-linking cannot possibly result in any state or potentially hostile private entity constructing a 360-degree profile.


CEO UIDAI
✔@ceo_uidai

27 Apr
Replying to @dravirmani and 3 others

domain databases with Aadhaar name nos will remain federated/1


CEO UIDAI
✔@ceo_uidai


no database thus will have 360 degree view of any person/2
1:30 PM - Apr 27, 2017

See CEO UIDAI's other Tweets
Twitter Ads info and privacy

In the ongoing Supreme Court case, to prove this point, you made public your Aadhaar authentication history, but it actually revealed the following:

Between November 2017 to March 2018, you authenticated your Aadhaar identification a total of 26 times, of which five attempts failed. While it isn’t a good enough sample to derive any concrete conclusions, it’s more proof of how probabilistic Aadhaar is as an identification technology.

There’s a good chance that you currently hold three accounts in ICICI bank (bank accounts or credit cards), which are Aadhaar linked. It is possible to conclude that these are three distinct accounts, because the “UKC” fields are different, thus implying that these are different transactions and hence not the same account number (Linking one account number is usually a single transaction).



        A screenshot of Pandey’s authentication attempts.

You also have an IDFC account, which is curiously not Aadhaar-linked, since it failed once and there were no further attempts to link it again in the history.

While there is an Aadhaar-linked Vodafone postpaid SIM card in your name, you probably don’t have your insurance accounts linked with Aadhaar. There are probably no insurance policies linked with Aadhaar, since there were no attempts from AUAs which are insurance companies.

Unlike your predecessor, Nandan Nilekani, you don’t appear to use the Aadhaar-enabled biometric attendance system as you enter your office and start a day’s work. If you did, there would be more authentication attempts recorded.
Also unlike the famous Matunga hotel in Mumbai, whose owner eats there – and hence first-hand knows the potential problems with the food cooked there – you don’t generally use biometric authentication (only once) and hence may find it difficult to empathise with the troubles facing some of India’s poorest and most vulnerable.

You are indeed a good bureaucrat who loves demos and follows up on progress methodically. And you certainly do spend time at work when there is a crisis.

I hope that I have demonstrated to you with the examples and analysis so far, why I find your proposal to hand over my data very unconvincing. Since you hold a doctorate in computer science, might I remind you of an old joke about what metadata can reveal about a person:

“I know you called your doctor, then your insurance company, then your doctor again, then two cancer treatment centers, then your ex-girlfriend, then your wife. But don’t worry, I have no idea what you talked about.”

Actually, jokes are redundant when your out-of-touch responses themselves generate laughs, as when you claimed that there were no privacy concerns with the Aadhaar ecosystem because the main database is behind “13 feet-high, five-feet thick walls”.

This is not looking good at all. If you can’t laugh at yourself, it may be difficult to handle the stress of all those hacking threats and take prompt action.

I sincerely hope that you consider my rejection to hand over my data in the right spirit. As a citizen of the country, whose tax money helps fund your organisation, we are all in this together – even if we don’t see eye to eye on about my private data and your capability to keep it safe.

13154 - The mark of the devil: Why a group of Christians in Mizoram are objecting to Aadhaar - Scroll.In

AADHAAR CONTROVERSY
The mark of the devil: Why a group of Christians in Mizoram are objecting to Aadhaar

India’s unique identity programme is being linked by some people to a fearful Biblical prophesy.

Mizoram government employee Hmingtei claimed she was alarmed when she was flooded by text messages asking for “everything – bank account, mobile number – to be linked to Aadhaar”. “Even for salary, government is telling us we need to link Aadhaar,” said Hmingtei, who works at the department of information and public relations and only goes by one name.
Over the last couple of years, the Government of India has made Aadhaar, a 12-digit biometrics-based unique identity number, mandatory to access a variety of government benefits and services. The ever-expanding ambit of Aadhaar has been challenged on various grounds, including privacy and constitutional validity, with the matter currently in the Supreme Court.
Hmingtei is among thousands of citizens across India who are anxious about the spread of Aadhaar. However, her primary fear stems from a somewhat peculiar source: that getting a unique identification number is akin to being marked by the devil. In Mizoram, where Christians account for over 87% of the state’s population, Hmingtei has company.

Hexakosioihexekontahexaphobia

In Christianity, the devil is associated with the number 666. This comes from the Book of Revelation, the last book of the Bible, which has a prophecy that there will come a time when “no man will be able to buy or sell” except those marked by the name or the number of the beast (or devil): 666. The fear of this number even has a term for it: hexakosioihexekontahexaphobia.
From all accounts, the objections to Aadhaar by Hmingtei and a few other Christians stem from the fear of this prophecy.
Last year, in Mizoram, people who object to Aadhaar on these grounds formed a group called Mizoram Against Biometric Enrolment. People have also expressed similar concerns in Meghalaya, another Christian-majority state in the North East. And last week, a petitioner from Mumbai movedthe Supreme Court saying that Aadhaar violated his fundamental right to religion, and sought exemption from it on the grounds that Christianity did not permit it.

Devout government employees

Mizoram Against Biometric Enrolment consists entirely of state government employees. “We are around 400 people, all government servants,” claimed Hmingtei. “When we conducted a campaign on November 22, 23, and 24 last year, thousands of people joined us. We could not officially register them because they were not government employees.”
The president of Mizoram Against Biometric Enrolment is Lalziarana, a school teacher from state capital Aizawl. Lalziarana said he refrained from registering for Aadhaar as it went against his religious beliefs. “I am a Christian, but in the Bible, we have been asked not to do it,” he said.
He claimed that Aadhaar itself was not the beast but biometric enrolment was “preparation for the coming of the beast”. He said his fears were confirmed by Hmingtei, who claims to “have gone through spiritual enlightenment in 1994”.
Hmingtei explained, “During that time, the Holy Spirit led me through the whole Book of Revelation, and deep inside my heart I have [an] explanation of [the] Revelation. Now, as was explained by the Holy Spirit, the world is fulfilling the prophecy of the Bible.”
In most Christian denominations, the Holy Spirit is considered to be the third constituent of what is referred to as the “Holy Trinity”, with the others being God the Father, and God the Son (Jesus Christ).
Elaborating on her prognosis, Hmingtei added, “In our Bible, there is a prophecy that [the] whole world will be controlled by one group. This seems to be going that way, all the [biometric] data goes to UN [United Nations].”

No church support

Few churches in the state share the concerns of Mizoram Against Biometric Enrolment. On the contrary, they have repeatedly affirmed that there is nothing to fear from Aadhaar, and have even actively supported enrolment. As of March 15, the Aadhaar enrolment rate in Mizoram was 81.2 %. This has left the likes of Lalziarana disgruntled. He has stopped attending church.
“The church will support the government,” said Hmingtei, her voice tinged with disappointment. “I still go to church, but outside it I do my struggle against biometric enrolment.”
Do her friends and family believe in her cause?
“The government has made Aadhaar compulsory for so many services, so what can people do?” she said.
Asked about Mizoram Against Biometric Enrolment’s future plans, Hmingtei said she was optimistic. “Till now we hear good news, the court is delaying the compulsory linking to banks many times,” she said. “We know that our brothers and sisters in the mainland are fighting against it for privacy reasons, so we support them.”
Hmingtei claims she will not be swayed even if the court rules in favour of the government. “Even if it is mandatory, we will not do it, we will go by the Bible,” she said.
Support our journalism by subscribing to Scroll+ here. We welcome your comments at letters@scroll.in.

13153 - After Rajya Sabha Was Told Tribune Reporter Is Named In Aadhaar FIR, She Says She Is Too Confused About Whom To Trust In Govt - Outlook India


The Rajya Sabha was informed today that in an FIR filed by the cyber cell of the Delhi Police, 'the name of journalist of 'Tribune' newspaper finds a mention.'

Journalist Rachna Khaira said she is 'too confused' about “whom to trust” over the government's conflicting claims about the UIDAI's FIR against an explosive story she broke early this year in The Tribune.

The Rajya Sabha was informed today that in an FIR filed by the cyber cell of the Delhi Police, 'the name of journalist of 'Tribune' newspaper finds a mention.' The ambiguous statement by the Ministry of Home Affairs also contradicts the government's claim that the FIR has not been registered against Khaira or The Tribune. It is not clear whether Khaira is named as an accused, or is mentioned in description of the events pertaining to the story of the alleged data leak.

'The Delhi Police has reported that on the complaint of Deputy Director (Logistics and Grievance Redressal), UIDAI, an FIR under the Aadhaar Act 2016, u/s, 419, 420, 468, 471, IPC and u/s 66 Information Technology Act has been registered wherein the name of journalist of 'Tribune Newspaper' finds a mention. During the course of investigation, information related to the case has been asked from UIDAI,' the Rajya Sabha was told today.




What is this Mr Prasad? Breach of trust by u? U got a case registered against me. @rsprasad @UIDAI

Khaira told Outlook that "by putting out ambiguous statements time and again, the government in a way has accepted the ambiguous nature and working of the UIDAI." 

She was earlier categorically told by the Law Ministry that the FIR is not against her. "I don't know whom to trust," she said. "The law minister or the minister of state for home."

The FIR, anyway, doesn't seem to have made much headway with the Ministry of Home Affairs informing Parliament that even after more than two months, information is still being sought by the UIDAI. 

When asked if she was ever directly approached by the Delhi Police cyber cell in the matter, Khaira responded in the negative. 

In a report published early this year, Khaira had reported how demographic data associated with Aadhaar numbers was being sold by anonymous sellers over WhatsApp for just Rs 500. The investigative report titled "Rs 500, 10 minutes, and you have access to billion Aadhaar details"by The Tribune had revealed how its reporter purchased a service by anonymous sellers on WhatsApp and paid Rs 500 via Paytm to an agent of the group running a racket. The agent then created a “gateway” for the reporter and gave a login ID and password, thus giving unrestricted access to details, including name, address, postal code (PIN), photo, phone number and email, of more than 1 billion Aadhaar numbers submitted to the UIDAI, the Aadhaar issuing body.The Aadhaar issuing body UIDAI had called it 'fake news', and filed a complaint with the Crime Branch’s cyber cell under IPC Sections 419 (punishment for cheating by impersonation), 420 (cheating), 468 (forgery) and 471 (using as genuine a forged document), as well Section 66 of the IT Act and Section 36/37 of the Aadhaar Act.

According to The Indian Express, the FIR noted how the reporter got in touch with the other persons named in the FIR and goes on to state: “The above-mentioned persons have unauthorisedly accessed the Aadhaar ecosystem in connivance of the criminal conspiracy… The act of the aforesaid involved persons is in violation of (the various sections mentioned in the FIR)… Hence, an FIR needs to be filed at the cyber cell for the said violation.” 

The Department of Electronics and Information Technology, which is the nodal ministry in charge of the UID Authority of India, had however, clarified the complaint was not against the newspaper and Khaira, and maintained that the FIR is filed against 'unknown' accused. 

“UIDAI’s complaint is detailed and self contained,” the IT ministry said in its statement. “The details of known/ suspect/ unknown accused detailed at serial no 7 (S.no.7) of page 1 of the FIR states as ‘unknown’,” it said.

"My report has not only highlighted the ambiguity in the Aadhaar system but has also drawn attention of security researchers like Edward Snowden and Elliot Anderson who have challenged India's preparedness on cyber security," Khaira told Outlook.


Her report on an apparent security lapse in the UIDAI was followed by multiple stories on the same lines, all refuted by the UIDAI as 'fake news'.  

13152 - SC concerned about misuse of Aadhaar data by private firms - TNN


Amit Anand Choudhary | TNN | 

Mar 28, 2018, 01:25 IST

HIGHLIGHTS

UIDAI CEO gave SC a 4-hour presentation on how data was well protected and could not be breached

The SC said safety measures put by UIDAI may not be sufficient as there is no data protection law in the country

NEW DELHI: The Supreme Court expressed concern on Tuesday over the potential misuse of Aadhaar authentication data collected by private companies for commercial use and said that safety measures put by UIDAI may not be sufficient to deal with the problem as there is no data protection law in the country.

UIDAI CEO Ajay Bhushan Pandey concluded his four-hour PowerPoint presentation in the courtroom with a strong pitch to convince a Constitution bench of Chief Justice Dipak Misra and Justices A K Sikri, A M Khanwilkar, D Y Chandrachud and Ashok Bhushan that Aadhaar data was well protected and could not be breached.

However, the bench pointed out two loopholes in the system, the private operator at the time of enrolment in Aadhaar could keep a copy of the data to himself and, second, private companies which are using the Aadhaar platform could also collect the authentication data of customers. The court said in both cases the data could be misused for commercial gains.

“Security at your end would not ensure data protection. My concern is about the misuse of data at another end point,” Justice Chandrachud said while pointing out that authentication data could be collected by private companies.

Pandey contended that under the present system, UIDAI would never know for what purpose the authentication was done and it did not collect data pertaining to purpose, location and details of the authentication. He said collection of such data was prohibited under the Aadhaar Act.

The bench, however, said, “There are two ends of authentication. You said that you do not retain information on the purpose of authentication but the private entity before whom authentication is done could retain the data or the number at the time authentication was done and the information could be used for commercial purposes. What is there to prevent the private sector from collecting the data?” Justice Chandrachud asked the UIDAI chief.

The bench also said data collected by a private enrolment agency could easily be copied before sending it to the authority concerned.

The UIDAI chief admitted that the enrolment agency could copy the data and said that there was also the possibility that experts could tamper with the software used for collecting data but tried to allay the apprehension of the court by saying that people could be punished for indulging in such activities as it was an offence.

TOP COMMENT
Will appreciate the Supreme Courts stand here.
A Singh

“In IT world, what is secured today may not be safe in future. We have to upgrade the system continuously. In the last seven years there has not been a single breach from our data bank,” he said and briefed the court about various measures taken by the authority to protect Aadhaar data. He said only four digits of an Aadhaar number would be put in the public domain and the authority had a system in place to generate a virtual 16-digit alternative Aadhaar number.


He also told the bench in view of a large number of cases of authentication failure, the authority had decided to use face and fingerprints of people for authentication purpose.

13151 - Privacy Concerns be Damned: How the NaMo App is Being Used to Foster Modi Cult - The Wire


If you have signed up for the NaMo app, your personal details are being shared with or without your consent.


“Through my app I can reach out to 80 million people. Now in every party meeting we ensure that we open a stall and our people download the “NaMo” Modi app, so millions download it. So why should I have Twitter, I may as well have the Modi app and then post on social media,” Ram Madhav, BJP general secretary and the originator of the Modi app said in a taped interview to me for my investigative book I Am a Troll: Inside the BJP’s Secret Digital Army.

Unfortunately for Prime Minister Narendra Modi, who has not exactly been secretive about his disdain for two-way communication via press conferences, the gaping privacy holes in the carelessly designed NaMo app has ensured that data has been provided to third parties without the consent of those who had signed up.

Instead of being upfront about the transfer of data, first exposed by a French security researcher who claimed that the mobile application was sending personal information of users to a third party website – in.wzrkt.com – the handlers of the App surreptitiously changed the privacy policy of the website to accommodate for this lapse.

This raises larger questions about the principles and good faith policies practised by the PMO and is specially striking in the background of Modi’s office asking for personal data of 13 lakh National Cadet Corps (NCC) members so that he could individually interact with them. The NCC director general told the state directorates last month that the “collection of data will facilitate the interaction.. by downloading the Narendra Modi app in the cell phone of the cadets”.

So even impressionable children (NCC cadets are aged 13 years and above) are expected to sign up for the cult of Modi being fostered assiduously by the BJP.

In the same interview, I had asked Madhav about why the BJP and the Rashtriya Swayamsevak Sangh, which frowned on personality cults and took pride in being cadre-based organisations, were fostering a Modi cult. “No, no. We are fostering the cult of Government of India work. Modi happens to be the PM. Even the RSS is developing its app through which it will put its lectures etc online”.

Meanwhile, Congress president Rahul Gandhi launched a fierce attack on Modi, calling him the “big boss who likes to spy on Indians”. The BJP hit back, calling Gandhi a “liar” and alleging that the Congress was sharing its data with organisations like Cambridge Analytica (CA).

The BJP’s usual over-reaction was evident when it got law minister Ravi Shankar Prasad to take on Gandhi, followed by information and broadcasting minister Smriti Irani taking to Twitter to troll the Congress president: “Rahul Gandhiji even ‘chota Bheem knows that commonly asked permission on Apps don’t (sic) tantamount to snooping”. Gandhi, as is his wont, ignored her while BJP’s social media army sprung into action to make her tweet viral.

However, even the Modi government needs to understand that its huge emphasis on social media and Apps as well as Modi’s recent diktat that party tickets for all Lok Sabha MPs would depend upon their getting three lakh Facebook likes, especially in the backdrop of the data mining scandal involving CA, shows that he and his government do not care about citizens’ privacy.

Worse, despite the scandal involving CA in Donald Trump’s election campaign in the US, the Indian government has only ticked off Facebook. Modi’s emphasis on his MPs getting ‘genuine’ Facebook likes means the BJP is determined to double down on its gargantuan social media reach for the big poll battle of 2019, irrespective of charges against CA for manipulating voter preferences.

The use of data for unknown purposes by the NaMo App and also by others – the Congress too has admitted to sharing the data it collects – raises important questions related to governance. Political parties are “regulated” by the Election Commission of India but does the ECI have the technical competence to monitor the use of data by these and other Apps? Or should the telecom regulator, TRAI, be tasked with ensuring that all parties adhere to rules of the road when it comes to data security and privacy of voters/citizens?

Former chief election commissioner S Y Qureshi told me that he was “extremely concerned about the political manipulation of social media and the fact that the EC had no rules to keep an effective check on it. For example, the code of conduct applicable to mass media like newspapers and television channels does not apply to advertising on social media.

Modi’s elastic approach to the truth and the utter lack of transparency in governance have ensured that the government led by him indulges in one-way communication for which the NaMo App and social media are ideal vehicles. Modi has not addressed a single press conference in four-and-a-half years and his office repeatedly stonewalls Right to Information queries. So while a legitimate pillar of democracy – the non-embedded media– is threatened, the cheerleaders and embedded “panna pramukhs” in the media gush over their “saheb“.

So even in a democracy, if you want to reach out to the Prime Minister, you have to try using the NaMo App – privacy concerns be damned. The government’s disregard for citizens’ data privacy was also evident in the strange justification for the NaMo App and Aadhaar by tourism minister K.J. Alphons, who said “we will even strip for a white man and a US visa but complain about giving information to the our government”.

Clearly, neither Alphons nor the government he represents understands voluntary versus mandatory. Applying for a US visa is voluntary, Aadhaar is not. And nor is the Modi app when you are an NCC cadet and you are commanded to enrol.