The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. It’s use is the biggest threat to national security since independence. – Anupam Saraph 2018

When I opposed Aadhaar in 2010 , I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one ? Ram Krishnaswamy

First they ignore you, then they laugh at you, then they fight you, then you win.-Mahatma Gandhi

In matters of conscience, the law of the majority has no place.Mahatma Gandhi

“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not a guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty -Attorney General Mukul Rohatgi

“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.”-A three judge bench headed by Justice J Chelameswar said in an interim order.

Legal scholarUsha Ramanathandescribes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.

Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence.Rajeev Chandrasekhar, MP Rajya Sabha

“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh

But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant.Rajeev Chandrasekhar, Rajya Sabha MP

“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Saba April 2017.

August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty”and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution

"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden

In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.

Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.

Announcing the launch of the#BreakAadhaarChainscampaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uidand@rozi_roti.

UIDAI's security seems to be founded on four time tested pillars of security idiocy

1) Denial

2) Issue fiats and point finger

3) Shoot messenger

4) Bury head in sand.

God Save India

Thursday, June 28, 2018

13749 - Twisting the Truth Around Aadhaar in the Land of Luddites - The Wire

The pugilistic UIDAI chief Ajay Bhushan Pandey attempts to draw a disingenuous distinction between 'secrecy' and 'privacy'. He is wrong on the law as well as on the underlying concept.

A man goes through the process of eye scanning for the Unique Identification (UID) database system, also known as Aadhaar, at a registration centre in New Delhi, India, January 17, 2018. Picture taken January 17, 2018. Credit: Reuters/Saumya Khandelwal - RC1F67907F80


Joseph Goebbels, the famed guru of Nazi propaganda, is supposed to have once said: “If you repeat a lie often enough, it becomes the truth.”

Goebbels appears to have found a devoted disciple in the UIDAI (Unique Identification Authority of India) and its head honcho, Ajay Bhushan Pandey, who’ve been relentlessly arguing that Aadhaar is one of the most secure systems ever. And that there’ve been no data breaches till date.

Nothing could be further from the truth. Even since its inception, the Aadhaar ecosystem has been characterised by some of the most egregious breaches ever. An undercover investigation by The Tribune demonstrated how Aadhaar details of more than a billion Indians could be accessed for a paltry sum of Rs 500! All thanks to the carelessly cultured regime of Aadhaar enrollment agencies (comprising village-level operators and the like) who were offered wanton access to the database by the “authority”.

A later breach involving an entrepreneurial engineer, Abhinav Srivastava, demonstrated how unauthorised private parties (such as Srivastava) could conduct Aadhaar authentications on their own. All thanks to the sheer callousness of government agencies such as National Informatics Centre (NIC)  in opening up their applications (in this case, “e-hospitals”) to surreptitious spoofing. Till date, there has been no known action taken against NIC.

More recently, two cybersecurity experts, Srinivas Kodali and Karan Saini found that a government website effectively permitted unauthorised third parties to access Aadhaar style authentication services. There are countless other horror stories doing the rounds.

And yet, the authority and its creative chairman continually claim that there has been no “breach”. They even go to the extent of branding those that complain against Aadhaar as tech “luddites”.

So consistent has been their stand that that they repeated the same claim in the Supreme Court… on oath! Funnily enough, they even contended that a five-feet thick wall would ensure the perpetual security of Aadhaar data. One wonders who the Luddites really are.

The claims of UIDAI are nothing more than a deliberate attempt to obfuscate and mislead. Worryingly, they also demonstrate an irksome ignorance of basic privacy tenets; not to mention the express provisions of the Aadhaar Act, under whose benevolent umbrella, the chairman and others at UIDAI draw their authority.

            A woman registers for Aadhaar. Credit: Reuters

Section 28 of the Aadhaar Act makes clear that the UIDAI has to ensure the security and confidentiality of all “identity information” held by it, either directly or through its various partners/affiliates. In fact, so strict is the obligation that the authority has to even protect against the “accidental destruction or loss” of data.

Importantly, protectable data under the Act has been defined to include not only “biometric” data, but also an individual’s Aadhaar number and demographic information (address, telephone number etc).

The Tribune breach more than amply demonstrated that all of the above was compromised: for a paltry Rs 500, one could enter any Aadhaar number and get access to the corresponding demographic information and even biometric data (defined under the Act to include a “photograph”).

I have recounted all of this meticulously in a writ petition filed before the Delhi court, where I’ve sought to make the government accountable for these various breaches; and claimed damages from them for violating my right to privacy.
A right that has now been affirmed by a nine-judge bench of the Supreme Court of India in the Puttuswamy case to merit the highest level of protection under the law of our land; namely as a “fundamental” constitutional right.

Unfortunately however, the Aadhaar Act engenders a classic conflict of interest-type situation, in that it relies on the “authority” to take action against itself! As John Perry Barlow, the founding father of internet freedom,  famously said: “Relying on the government to protect your privacy is like asking a peeping tom to install your window blinds.”
Fortunately, however, not all is lost. The Information Technology (IT) Act as well as common law doctrines enable the common man to directly sue the authority and its various affiliates and hold them accountable for privacy lapses. Unfortunately, while the remedy under section 43 of the IT Act for a privacy breach is constitutionally suspect, in that it permits a government-appointed person to unilaterally adjudicate upon what is essentially a legal dispute, the various common law doctrines to protect privacy (deriving from an area of law called tort law) are more robust.

I have highlighted all of this in the writ petition mentioned earlier and requested the court to appoint an expert committee that would investigate these various breaches and the level of compliance with reasonable security/privacy policies by the Aadhaar authority. Given the obfuscatory claims around the breaches, such a neutral investigative report would go a long way in helping us understand the true extent of the breaches and the damage(s) caused to privacy interests.

Interestingly, in The Indian Express piece referred to earlier, the pugilistic Pandey attempts to draw a disingenuous distinction between “secrecy” and “privacy”; claiming that Aadhaar numbers are not “secret” and, therefore, need not be protected.
He is wrong on the law, and wrong on the underlying concept. While privacy and secrecy are no doubt inter-related, the right to privacy does not depend on something being an absolute “secret”. Rather, privacy is about the level of control that one has over information pertaining to oneself. I decide how much information I want to give out and to whom. Merely because I dole out my Aadhaar number to a couple of service providers does not mean that other service providers are entitled to access this number without my permission.  

The same with my telephone number, email ID and so on. Privacy ultimately is about self-determination and my ability to control my public persona.  Even otherwise, the terms of the Aadhaar Act and the IT Act make amply clear that one’s Aadhaar number operates as a “password” and is to be protected as such.

It bears noting that the “Aadhaar” project was never designed with privacy in mind. Much like a number of other programmes in India, it began with one set of objectives, namely to eliminate identity fraud whilst providing for government benefits. This quickly morphed into another set of objectives once its potential for private gain was realised. Indeed, at the heart of the Aadhaar debate today is not just government control over data subjects. But the ability of private corporations to exploit our data (the new “oil”) for their own commercial gain.

Section 57 of the Aadhaar Act enables such private enterprises to ride on the backbone of Aadhaar authentication architecture. Little wonder then that an entire ecosystem of private enterprises have developed around Aadhaar. One such enterprise is iSPIRT, that has the blessings of Nandan Nilekani, the technocratic mastermind behind Aadhaar.

In a now deleted tweet, a colleague of Nilekani’s recounted a dinner conversation where he allegedly quipped that the best way to roll out new projects in India is to “Make it too big to reverse”.

"Too big to reverse" – confessions of intentions are easier over a nice dinner in friendly company. https://t.co/szXbmJzhnu
— Salil Tripathi (@saliltripathi) May 26, 2018

The Aadhaar enterprise is no doubt a “big” one today. But bigger things have been reversed by our courts in the past.
Indeed, the “bigness” of an enterprise should be no consideration for courts that adjudicate on critical issues of civil liberties. Liberties that foster our autonomy and help us blossom to our fullest potential. For in the end, these are what define us as humans and distinguish us from machines, artificially intelligent or otherwise.

Shamnad Basheer is the Founder and Managing Trustee of IDIA, an initiative to empower underprivileged communities through legal education.