Aadhaar

The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. It’s use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010 , I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one ? Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win.-Mahatma Gandhi

In matters of conscience, the law of the majority has no place.Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not a guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty -Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.”-A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholarUsha Ramanathandescribes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence.Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant.Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Saba April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty”and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the#BreakAadhaarChainscampaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uidand@rozi_roti.

UIDAI's security seems to be founded on four time tested pillars of security idiocy

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Saturday, April 28, 2018

13380 - AADHAAR Seeding Fiasco: How To Geo-Locate By Caste and Religion In Andhra Pradesh With One Click - Huffington Post




Is this Big Brother enough for you?
A public online dashboard on a website maintained by the Andhra Pradesh government allows anyone with an internet connection to use "religion" or "caste" as a search criterion to identify the homes of 5,166,698 families in 13 districts in Andhra Pradesh. The vulnerability was first spotted by Srinivas Kodali, a security researcher.

HuffPost India is not revealing the website to protect the privacy of those listed in its database.

On using the dashboard, HuffPost India found the precise latitude and longitude of homes inhabited by Muslim families, Dalit families, Hindu homes and even Zorastrian families. When HuffPost India checked back on the database, the number of families enrolled had increased, suggesting the database continually updated and the privacy implications are growing every hour. HuffPost India is not publishing the exact numbers, as this is sensitive information.

The dashboard uses Aadhaar numbers as a unique identifier to compile detailed information about beneficiaries of a widely-promoted government subsidy programme.

SCREENSHOT FROM ANDHRA PRADESH GOVERNMENT WEBSITE
This publicly available dashboard allows anyone with an internet connection to search and geo-locate people by caste and religion

The Andhra Pradesh case illustrates that the real value of Aadhaar for state governments is not biometric authentication, as is commonly assumed, but rather the Aadhaar number itself. And the real risk to citizen privacy isn't the security of UIDAI's biometric database, but the relentless, and unsecured, the seeding of Aadhaar numbers into every single database including income tax, property records, bank loans, phones, bank accounts, and beneficiary records.

Aadhaar-seeding, privacy advocates say, showcases the ability of using Aadhaar to create giant, detailed, searchable citizen databases and confirms their worst fears about how India's big-data governance revolution can be subverted to target vulnerable citizens.

"Creating public, searchable, digital profiles of minorities makes them potential targets of attack," said Kavita Srivastava, who has investigated scores of communal riots as National Secretary of the People's Union for Civil Liberties.

"A database like this, means anyone can simply Whatsapp the locations of the homes of victims to rioters. It is very scary."
"In the past, rioters used crude forms of targeting, which allowed at least some victims to escape," Srivastava said, recalling how in the anti-Sikh riots of 1984, several Sikh families removed their name-plates from outside their homes in an effort to blend in with their neighbours. In the Gujarat riots of 2002, victims told this reporter that rioters came armed with electoral rolls to identify Muslim homes.
A digital, geo-tagged, public database - searchable by religion and caste - like the one in Andhra Pradesh, makes it much easier to target potential victims. Opening the database to the public in such communally polarised times is particularly foolish, Srivastava said. But, as the examples of 1984 and 2002 illustrate, even state administrations cannot be trusted with such detailed information.

"A database like this, means anyone can simply Whatsapp the locations of the homes of victims to rioters. It is very scary," Srivastava concluded.

Database Threat
A cursory exploration of the AP government dashboard revealed the phone numbers, bank account numbers, and IIFSC codes of those enrolled in the database. The website had also published the Aadhaar numbers of approximately 100,000 beneficiaries, according to Kodali, a security researcher who spotted the vulnerability. Publishing Aadhaar numbers is an offence under India's Aadhaar Act. Kodali said he alerted the Universal Identification Authority of India, the National Critical
Information Infrastructure Protection Centre, and CERT-In, the Indian government's cyber-response cell.

"The authorities masked the Aadhaar numbers after I wrote to them. But 50 lac phone numbers are still available on the site for anyone to take," Kodali said. "We find that authorities seem to forget to mask Aadhaar numbers each time they upload a new batch of data." The data still visible on the website is enough to clean out the bank accounts of those thus exposed.


SCREENSHOT FROM ANDHRA PRADESH GOVERNMENT WEBSITE
A screenshot revealing the precise latitude and longitude of a particular beneficiary's home in Andhra Pradesh

The full 360
The Universal Identification Authority of India (UIDAI), the agency that oversees Aadhaar, insists that Aadhaar cannot be used to profile citizens. The authority, as it frequently reiterates in public statements, only gathers basic demographic information and biometrics, and its authentication service only provides a "Yes/No" answer.

"By design, the technology architecture of UIDAI precludes even the possibility of profiling individuals for tracking their activities," the authority stated in an affidavit to the Supreme Court in July last year, claiming government agencies "will never have or will not be able to build a 360-degree view of any of its customers or beneficiaries."

Aadhaar information, the UIDAI has said on multiple occasions, is 'federated' – i.e. scattered across databases – rather than centralised in one place.

Privacy researchers contest this categorisation.
"If you can take a unique identifying number and use it to find data in different sectors, then the federated database loses its meaning," explains Pam Dixon, Executive Director of the World Privacy Forum, an American public interest research group. "That number can be cross-walked across all the different parts of their life."

In Andhra Pradesh, authorities created a software platform, called the People's Hub, that used the Aadhaar number as the unique identifier to cross-walk, or merge, data from 29 different departments, an official told HuffPost India. Some of these departments – like a school scholarship database - held information about a citizen's caste, other departments had pension data, still others had religion data. In a final stroke, the government conducted a "smart-pulse" survey in which they geo-tagged the homes of beneficiaries of all government schemes, and linked it to the Aadhaar numbers of the inhabitants of each home.

Aadhaar numbers, in effect, became the glue that fuses all these discrete databases into one master database, which allows authorities to search the database using any defined search criteria in a single click: be it caste, religion, gender, age, or physical location. By opening the database to the public, they have given that power to anyone with an internet connection.

To describe a database as federated is one thing, Dixon concluded, "but unless the rules for that database federation have been set up appropriately, it really doesn't matter nearly as much."