In 2009, I became extremely concerned with the concept of Unique Identity for various reasons. Connected with many like minded highly educated people who were all concerned.
On 18th May 2010, I started this Blog to capture anything and everything I came across on the topic. This blog with its million hits is a testament to my concerns about loss of privacy and fear of the ID being misused and possible Criminal activities it could lead to.
In 2017 the Supreme Court of India gave its verdict after one of the longest hearings on any issue. I did my bit and appealed to the Supreme Court Judges too through an On Line Petition.
In 2019 the Aadhaar Legislation has been revised and passed by the two houses of the Parliament of India making it Legal. I am no Legal Eagle so my Opinion carries no weight except with people opposed to the very concept.
In 2019, this Blog now just captures on a Daily Basis list of Articles Published on anything to do with Aadhaar as obtained from Daily Google Searches and nothing more. Cannot burn the midnight candle any longer.
"In Matters of Conscience, the Law of Majority has no place"- Mahatma Gandhi
Ram Krishnaswamy
Sydney, Australia.


Saturday, June 26, 2010

230 - Malaysian ID Card by Roger Clark



1. Introduction

The Malaysian Government Multipurpose Card (GMPC) or MyKad is a standard credit-card-sized plastic token with an embedded microchip. It has been issued progressively since 2001, with the intention of being obligatorily used by the entire population of 18 years and over by the end of 2005 (or perhaps 2007).


The card displays several items of data, carries several categories of data in the chip, including a biometric, is used by multiple government agencies, and has been designed for extensibility and 'function creep'. It is subject to highly inadequate protections.


Various reports state that versions of the card have been issued bearing respectively a 32Kb and a 64Kb EEPROM (Electrically Erasable Programmable Read-Only Memory) chip, using the M-COS operating system. The larger version supports a digital signature key and digital signing (often mistakenly referred to as PKI). It is unclear to what extent each of the various applications is used.

This document provides some background resources related to MyKad.


2. The 'New Scientist' Report on the Launch of MyKad
'Malaysia pioneers smart cards with fingerprint data' New Scientist, 21 September 2001


The world's first national smart card scheme to store biometric data on an in-built computer chip has been introduced in Malaysia. The cards are compulsory for Malaysia's citizens and are encoded with a copy of the owner's fingerprints.


Pressure is growing in other countries for improved identification schemes, especially since the recent terrorist atrocities in the US.


"A lot of governments including the US will be looking at better identification systems to monitor the movement of people within their countries after the terror attacks," said Wan Mohamad Ariffin, smart card project director at Malaysia's National Registration Department. "We are willing to share our technology. It could be part of the solution to the security issue."


Although the strongest opposition to such schemes will probably come from civil liberties groups, technical experts also say that such measures will not thwart criminals or determined terror groups.


Identity theft


Ross Anderson, an expert in computer security at Cambridge University, says that smart cards may make forging ID cards harder but they are unlikely to provide a complete solution.


"You can maybe exert some downward pressure on identity theft by incorporating machine readable fingerprints of some kind or another," Anderson told New Scientist. "But, in this situation, making identity cards harder to forge is solving the wrong problem."


Anderson says that terrorist groups will simply subvert the system another way, by using a stolen birth certificate, for example. He also points out that, unless an individual has been identified by the authorities as a threat, smart cards will not help.


Nevertheless, smart cards should make fraud more difficult. Although most cards will give up their digital secrets to a determined expert, combined with digital signatures they make forgery more complicated.


This is important because the Malaysian government has said that the new cards are likely to be used to authorise financial payments and withdraw cash, as well as identify individuals to the authorities.


Digital signature


Markus Kuhn, also at Cambridge University's computer science department, says that the biometrics stored on a modern smart card will be authenticated by a central authority when the card is created, in the form of a digital signature.


This means that even if a card is stolen and new fingerprint data inserted, anyone with a government scanner could recognise it as fake. "You can put a new fingerprint on the card but not forge its overall signature," Kuhn says.


But opposition to this type of smart-card system remains from civil libertarians. "I don't think that these will stop terrorist acts," says Yaman Akdeniz, director of Cyber-Rights & Cyber-Liberties. "They are more controlling measures. They let a government track you and know more about you."


The US government is currently increasing its capacity to track citizens. The Combating Terrorism Act of 2001, proposed shortly after the devastation of New York and Washington DC, would increase the powers of federal agents to wiretap individuals.
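
The check Kuhn describes above, as an added example that is not part of the New Scientist report and does not reflect MyKad's actual design: an issuer signs the whole card record, and a scanner holding only the public key rejects a record whose fingerprint template was changed afterwards. The record layout, function names and sample values are assumptions, and textbook RSA over hard-coded Mersenne primes stands in for a real signature scheme so that the block runs with the standard library alone.

```python
import hashlib
import json

# Constructed demo key: textbook RSA over two well-known Mersenne primes.
# Such a modulus is easy to factor, so this key is for illustration only.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                            # public modulus, held by every scanner
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, held by the issuer only


def record_digest(record: dict) -> int:
    """Hash a canonical encoding of every field, so the signature covers the whole record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return int.from_bytes(hashlib.sha256(canonical.encode()).digest(), "big")


def issue_card(name: str, id_number: str, template: bytes) -> dict:
    """Issuer side: sign name, number and fingerprint template together."""
    record = {"name": name, "id_number": id_number, "fingerprint": template.hex()}
    return {"record": record, "signature": pow(record_digest(record), D, N)}


def verify_card(card: dict) -> bool:
    """Scanner side: needs only the public values N and E."""
    signature = card.get("signature")
    if not isinstance(signature, int) or not 0 < signature < N:
        return False
    return pow(signature, E, N) == record_digest(card["record"])


def with_fingerprint(card: dict, template_hex: str, signature=None) -> dict:
    """Copy of a card with its stored template (and optionally its signature) replaced."""
    record = dict(card["record"], fingerprint=template_hex)
    new_signature = card["signature"] if signature is None else signature
    return {"record": record, "signature": new_signature}


# Constructed sample data, not real card contents.
CARD_A = issue_card("Holder A", "000000-00-0001", bytes(range(32)))
CARD_B = issue_card("Holder B", "000000-00-0002", bytes(range(32, 64)))

if __name__ == "__main__":
    other_template = CARD_B["record"]["fingerprint"]
    print("card as issued:            ", verify_card(CARD_A))
    print("template replaced:         ",
          verify_card(with_fingerprint(CARD_A, other_template)))
    print("template + signature moved:",
          verify_card(with_fingerprint(CARD_A, other_template, CARD_B["signature"])))
```

The signature protects the record's integrity only; it does not keep the data confidential from whoever can read the card.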


3. The Privacy International Report
Extract from Privacy International's Country Report for Malaysia (November 2004)


Since 1999, the Malaysian government has begun gradually phasing in a multi-purpose national ID smart card, that it intends all Malaysians to adopt by 2005.[31] The card, known as "MyKad," incorporates both photo identification and fingerprint biometric technology and is designed with six main functions: identification, driver's license, passport information (although a passport is still required for travel overseas), health information (blood type, allergies, chronic diseases, etc.), and an e-cash function.[32] The card can also function as an ATM card, although it is MyKad's least attractive feature and banks have discouraged customers from using the card for such purpose.[33] There are plans for adding additional applications for digital signatures for e-commerce transactions.[34]


The Malaysian government originally proposed placing the religious affiliation of all citizens on the cards, but complaints from the country's non-Muslim ethnic groups prompted the government to limit identification to Muslims only. In January 1999, it was announced that Islamic religious authorities in the capital, Kuala Lumpur, would be equipped with portable card readers in order to instantly verify the vows of Muslim couples found in "close proximity." In his 2002 budget speech, the Prime Minister proposed adding marital status and voting constituency information to the cards for the benefit of religious authorities and to minimize electoral fraud, respectively. Both proposals were sharply criticized by opposition Member of Parliament Teresa Kok as being an unnecessary invasion of privacy.[35] The anonymity of balloting is already a matter of concern for privacy advocates, even without MyKad. Traditional ballots are marked with a serial number that can be matched against a voter's name. While there is no evidence that the government has ever tracked individual votes, some opposition leaders allege that the potential to do so has had a chilling effect on some voters, particularly civil servants.


With so much personal information stored on the MyKad, even proponents of the card have acknowledged inherent privacy risks: "[h]aving the smart card will probably increase theft . . . because the attraction is there. There is a lot of personal information stored [on the card], including buying patterns which would attract (card cloning) syndicates," according to industry analyst Jafizwaty Ishahak. Recently, the National Registration Department (NRD) admitted that the practice of surrendering identity cards to security guards before entering certain premises may need to be changed because of privacy concerns.[36] The Consumers Association of Penang has argued that the cards make individuals' personal and confidential information too vulnerable and has recommended that the proposed Personal Data Protection Act address these risks specifically.[37]


The Federation of Malaysian Consumers Associations criticized the government for not implementing clear guidelines or consulting with the public on how MyKad is to be used, by whom and for what purpose. The Federation also challenged the security of the system, contending that the storage of personal information in a centralized database makes it vulnerable to tampering and sabotage. Later, in 2004, the Bar Council chief severely criticized the security and privacy risks related to the use of MyKad, and sought strong privacy laws to protect card holders against potential misuse, pointing out that personal data contained on the card could easily be accessed.[38] It is widely known that anyone with a card reader can access all information contained in the card.[39] In response to such critiques, the government is now reportedly drafting a bill to ensure the privacy of MyKad users and protect the information stored against unauthorized use.[40]


Users can access personal information on their cards at government kiosks and offices, after biometric authentication of their fingerprint. Access to personal information by others is hierarchical or compartmentalized. For example, only certain medical officers have access to sensitive health information. However, access to some personal information held in the MyKad system seems to be available, remotely via a network, to a wide range of third parties, including hotels, restaurants and ticket agents. Determining who has access to what information and for what purpose remains opaque for Malaysians.


MyKad is currently optional, but it automatically replaces other forms of expired identification and is quickly becoming a de facto requirement to access certain government and private-sector services. In December 1998, the government began requiring cyber cafés to obtain name, address, and identity card information from patrons. However it lifted this requirement in March 1999.[41] In some cases there may be penalties for not carrying the card. In 1998, the government announced that persons not carrying identification cards risk being detained by immigration authorities.[42] It is the government's intention that all of Malaysia's population over the age of 12 will be registered in the MyKad system by 2005. Those under the age of 12 are encouraged to apply for a junior version of the MyKad, which differs only in its lack of a photograph and thumbprint biometric.


[31] "Privacy of MyKad Holders to Be Protected by Law," New Straits Times, May 19, 2004, at 6.
[32] "Wise Up to Role of Smart Card," The Star, December 15, 2002.
[33] "Privacy of MyKad Holders to Be Protected by Law," supra. See also "Free Upgrade of MyKad to 64K," New Straits Times, June 16, 2004, at 5.
[34] "Card Sharps," The Bulletin (Australia), May 14, 2003; Joe Celko, "The Road to Dystopia: How much Information Can the Government Control?" Intelligent Enterprise, May 9, 2002. See also Rozana Sani, "Utilising PKI Applications in MyKad," New Straits Times, December 18, 2003, at 4.
[35] News Release, "Government Proposal to Add Marital, Constituency Information to MyKad Should Be Debated," MP for Seputeh Teresa Kok, September 27, 2002.
[36] Rosnazura Idrus, "Leaving MyKad at Guardhouse under Review," New Straits Times, July 9, 2003.
[37] "Smart IC Open to Abuse," The Star, April 18, 2001.
[38] "Bar Council Chief Seeks Laws to Protect MyKad Data," New Straits Times, April 3, 2004, at 8.
[39] "Privacy of MyKad Holders to Be Protected by Law," supra.
[40] Id. See also A. Shukor Rahman, "Evaluating Risks in MyKad," New Straits Times, October 20, 2003, at 21.
[41] "Cabinet: Cybercafes not Subjected to Restrictions," New Straits Times, March 18, 1999.
[42] Annie Freeda Cruez, "Malaysians Told: Carry ICs or Risk Detention," New Straits Times (Malaysia), May 14, 1998.


4. A Report from Justice, UK
Extract from 'Information Resource on Identity Cards' Justice, London (November 2004). Warning: The document was prepared by interns and some caution is needed.


49. Malaysian Identity Cards, known to its citizens as ICs and to the Government as the `MyKad', were first introduced by the British in pre-independent Malaya to help control the communist insurgency. Today, the card has a multi-purpose smart chip and looks very much like an ordinary credit card, incorporating a host of technological features. Malaysia's technological development has far out-paced the development of the legal system, and identity cards provide such an example. The advances in data storage technology have not been matched with adequate legal protection and safeguards.


50. The Malaysian Constitution does not provide for the issuance of ID cards. The National Registration Act 1959 (the 1959 Act) provides for the establishment and maintenance of a registry of all persons in Malaysia (Section 4 of the 1959 Act) and that every person in Malaysia be registered under the Act (Section 5 of the 1959 Act). The Register extends to all residents of Malaysia, and includes noncitizens who work or reside there. More importantly, the 1959 Act gives the Minister in charge of the National Registration Department, historically the Home Affairs Minister (the equivalent of the British Home Secretary), extremely wide and discretionary powers in respect of virtually every aspect of the national identity system under Section 6.


51. Under the 1959 Act, Malaysian citizens and permanent residents above the age of 12 years are eligible to apply for an ID card. Because an ID card is required for many legal activities, including opening bank accounts or dealing with the state, most Malaysians apply for an ID card when they reach the age of 12. Under the National Registration Rules 1990, every citizen or permanent resident over the age of 18 is required to apply for an ID card, and late applicants are fined a nominal sum.


52. The new ID cards are `smart cards' with an embedded 64K chip in each card that carries the personal information of the holder. The face of the card no longer has the holder's thumbprints, but has his or her ID number, full name, address, nationality, sex, and photograph. These cards are called the Government Multipurpose Card (GMPC) and were introduced as part of the Government's IT initiative, the Multimedia Super Corridor. The GMPC was marketed to the public as `MyKad'. Significantly, the Government sees the card as an interface device with not only government agencies, but also the private sector. The MyKad project is run by five different agencies, all of which have access to the data on the card - the National Registration Department (NRD) as the lead agency; the Road Transport Department (RTD); Royal Malaysian Police (RMP); Ministry of Health (MOH); and the Immigration Department (IMM).


53. The new ID cards replace the old identification cards and, if individuals choose, the driving license. In addition, it uses chip and biometrics identification technology to identify individuals, can allow the Police and the Road Traffic Agency to access its information (driving license version only), and supplements the Malaysian International passport to facilitate efficient exit and re-entry from Malaysian Immigration checkpoints. Currently, even Malaysian passports are chip based. The new cards will be used for intra-Malaysia travel and by Malaysians when leaving or re-entering the country. Basic and critical medical information, such as allergies and blood type, are also stored in the chip. The new card, once registered with a local bank, can be used as an ATM or debit card [not recommended by banks], and once registered with the national transportation payment system, Touch n' Go, can be used to pay for things like bus tickets or road toll fares. The card can be used in lieu of three different bankcards.


54. The Public Key Infrastructure (PKI) in every MyKad [sic - the 'infrastructure' is external to the card] enables users to conduct secured e-commerce and transactions using a digital certificate over networks such as the Internet. Authenticity and integrity of the data is protected and inaccessible to anyone, apart from the relevant government agencies and the owner of the MyKad. Information contained in the chip can be accessed using three different devices, all of which are largely inaccessible to the public, but will soon be carried by the police.


55. Issues relating to the cards can be divided into legal and technological categories.


56. The Personal Data Protection Act was passed in 2002 and provides similar safeguards as the UK's Data Protection Act 1998, including the appointment of a Data Protection Commissioner. However, the Act has yet to come into full effect, on the grounds that it will be a burden to businesses. There are no other safeguards against the abuse and privacy of data in the new ID cards. Even the Malaysian Constitution does not provide for the protection of privacy.


57. The Malaysian Government asserts that the new ID cards employ state-of-the-art technology that incorporates multiple layers of security features: `these features include the card authentication using symmetric key cryptography, a multi applications Operating Systems with firewalls and a secure chip platform.' However there is real concern that there are no adequate protections for personal data. The smart card readers can be used by virtually any government agency. Further, the willingness to share data with the private sector without the prior consent of the citizen concerned is worrying.


58. A joint survey by the Electronic Privacy Information Centre in Washington and Privacy International in the UK summed up the risks: Users can access personal information on their cards at government kiosks and offices, after biometric authentication of their fingerprint. Access to personal information by others is hierarchical or compartmentalized. For example, only certain medical officers have access to sensitive health information. However, access to some personal information held in the MyKad system seems to be available, remotely via a network, to a wide range of third parties, including hotels, restaurants and ticket agents. Determining who has access to what information and for what purpose remains opaque for individual Malaysians. 40


59. Malaysia leads the world in the frequency and scope of everyday use of ID cards. However, the system employed is not without problems. Although the issuing and scanning procedures appear to be sound, there are significant concerns over the lack of legal and technological provisions to ensure data protection; a fact which is particularly worrying considering the wide range of personal information stored. Concerns have been voiced about both function creep and access to information with regard to the draft Bill in the UK, and the Malaysian experience highlights the fact that any legislation needs to incorporate strict controls on access to, and subsequent use of, personal information.